Free IAPP CIPP-C Exam Questions

Question 1

Which of the following types of information would an organization generally NOT be required to disclose to

law enforcement?

A : formation about medication errors under the Food, Drug and Cosmetic Act

B : ney laundering information under the Bank Secrecy Act of 1970

C : formation about workspace injuries under OSHA requirements

D : rsonal health information under the HIPAA Privacy Rule

Answer: D

Question 2

SCENARIO

Please use the following to answer the next QUESTION:

A US-based startup company is selling a new gaming application. One day, the CEO of the company receives

an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an

EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer’s data

handling practices.

The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in

the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her

withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup

company, was never informed of this request for erasure by the EU-based retail partner. The supervisory

authority investigating the complaint has threatened the suspension of data flows if the parties involved do not

cooperate with the investigation. The letter closes with an urgent request: “Please act immediately by

identifying all personal data received from our company.”

This is an important partnership. Company executives know that its biggest fans come from Western Europe;

and this retailer is primarily responsible for the startup’s rapid market penetration.

As the Company’s data privacy leader, you are sensitive to the criticality of the relationship with the retailer.

Upon review, the data privacy leader discovers that the Company’s documented data inventory is obsolete.

What is the data privacy leader’s next best source of information to aid the investigation?

A : ports on recent purchase histories

B : tabase schemas held by the retailer

C : ts of all customers, sorted by country

D : terviews with key marketing personnel

Answer: C

Question 3

What important action should a health care provider take if the she wants to qualify for funds under the Health Information Technology for Economic and Clinical Health Act (HITECH)?

A : ke electronic health records (EHRs) part of regular care

B : ll the majority of patients electronically for their health care

C : nd health information and appointment reminders to patients electronically

D : ep electronic updates about the Health Insurance Portability and Accountability Act

Answer: A

Question 4

Global Manufacturing Co’s Human Resources department recently purchased a new software tool. This tool

helps evaluate future candidates for executive roles by scanning emails to see what those candidates say and

what is said about them. This provides the HR department with an automated “360 review” that lets them

know how the candidate thinks and operates, what their peers and direct reports say about them, and how well

they interact with each other.

What is the most important step for the Human Resources Department to take when implementing this new

software?

A : king sure that the software does not unintentionally discriminate against protected groups.

B : Ensuring that the software contains a privacy notice explaining that employees have no right to privacyas long as they are running this software on organization systems to scan email systems.

C : Confirming that employees have read and signed the employee handbook where they have been advisedthat they have no right to privacy as long as they are using the organization’s systems, regardless of theprotected group or laws enforced by EEOC.

D : Providing notice to employees that their emails will be scanned by the software and creating automatedprofiles.

Answer: A

Question 5

Which of the following best describes an employer’s privacy-related responsibilities to an employee who has

left the workplace?

A : An employer has a responsibility to maintain a former employee’s access to computer systems andcompany data needed to support claims against the company such as discrimination.

B : An employer has a responsibility to permanently delete or expunge all sensitive employment records tominimize privacy risks to both the employer and former employee.

C : An employer may consider any privacy-related responsibilities terminated, as the relationship betweenemployer and employee is considered primarily contractual.

D : An employer has a responsibility to maintain the security and privacy of any sensitive employmentrecords retained for a legitimate business purpose.

Answer: B