All Questions

Question 1

What are the goals of a privacy program manager?

Answer 1

• identify privacy obligations for the org
• identify business, employee and customer privacy risks
• identify existing documentation, policies and procedures
• create, revise and implement policies and procedures that effect positive practices and together comprise a privacy program

Question 2

What is accountability?

Answer 2

Accountable organisations have the proper policies and procedures to promote proper handling of personal information and, generally, can demonstrate that they have the capacity to comply with applicable privacy laws.

They promote trust and confidence and make all parties aware of the importance of proper handling of personal information.

Question 3

How can the IT group carry the mantle of privacy by design?

Answer 3

By implementing privacy principles into the realm of technology development by limiting the data fields built into a tool or application to only those actually required to perform a process or action, or by building in functions that enable the user to easily delete data according to a Retention schedule.

Question 4

What is privacy governance?

Answer 4

The components that guide a privacy function toward compliance with privacy laws and regulations and enable it to support the organization’s broader business objectives and goals.

Question 5

What are the components of privacy governance?

Answer 5

• creating the organisational privacy vision and Mission statement
• defining the scope of the privacy program
• selecting an appropriate privacy framework
• developing the organisational privacy strategy
• structuring the privacy team

Question 6

What two steps are usually adopted to identify the privacy program’s scope?

Answer 6

1. Identify the personal information collected and processed
2. Identify in-scope privacy and data protection laws and regulations

Question 7

Which Article of the GDPR has formalized the maintenance of written documentation about personal information (including info about how the org processes data, the categories of individuals impacted, and the recipients of data)

Answer 7

Article 30

Question 8

What country takes the sectoral approach to privacy and data protection?

Answer 8

US

Enactment of laws that specifically address a particular industry sector, such as

• financial transactions
• credit records
• law enforcement
• medical records
• communications

Question 9

What countries employ the comprehensive model for data protection?

Answer 9

EU member states and Canada

Govern the collection, use and dissemination of personal information in private and public sectors with an official oversight enforcement agency that:

• remedies past injustices
• promotes electronic commerce
• ensures consistency with pan-European laws

Question 10

What country adopts the co-regulatory model for data protection?

Answer 10

Australia

Variant of the comprehensive model, where industry develops enforcement standards that are overseen by a privacy agency

Question 11

What countries adopt the self- regulatory model for data protection?

Answer 11

US, Japan and Singapore

Companies use a code of practice by industry bodies. The Online Privacy Alliance, TrustArc, BBBOnline and Webtrust are examples of this type of model.

Question 12

What entities are subject to the Gramm-Leach-Bliley Act?

Answer 12

Financial institutions

Question 13

When is a DPO required under s37 GDPR?

Answer 13

(A) by public authorities or bodies
(B) Where the organization’s “core” activities consist of processing operations that require “regular and systematic monitoring of data subjects on a large scale
(C) Where the org’s core activities consist of processing “special” categories of data on a large scale

Question 14

Formally appointing a DPO will subject the organisation to what DPO requirements?

Answer 14

• reporting structure and independence (Article 38) : DPO is required to report to highest management level.
• qualifications and responsibilities : expert knowledge of data protection law and practices

Question 15

What are the requirements on a DPO under Article 39 GDPR?

Answer 15

(A) Monitoring company’s compliance with GDPR

(B) providing advice during data protection impact assessments

(C) Cooperating with supervisory authorities

Question 16

What is the maximum amount of penalty for breach of HITECH?

Answer 16

1.5 million

Question 17

What are the differences between privacy assessments, PIAs and DPIAs in terms of type of assessment?

Answer 17

Privacy assessment - measures an organisation’s compliance with laws and internal policies.

PIA- Analysis of privacy risks associated with processing information in relation to a project, product or service

DPIA- under GDPR, process designed to identify risks arising from the processing of personal data and to minimise these risks as much and as early as possible.

Question 18

What are the differences between how privacy assessments, PIAs and DPIAs are triggered?

Answer 18

Privacy assessments- BAU audit at a predefined time period or in response to a security or privacy event or at a request of an enforcement authority.

PIAs - emanate from industry codes, organisational policy, laws, regulations, or supervisory authorities

DPIAs - when Processing is likely to result in high risk to the rights and freedoms of natural persons

Question 19

What are the differences between the standards used for privacy assessments, vs PIAs and DPIAs?

Answer 19

Privacy assessments- subject like employee interviews, or objective like info system logs

PIAs - ISO 29134

DPIAs- minimum features : (a) description of processing, including its purpose and the legitimate interest being pursued; (b) the necessity of the processing, its proportionality and the risks it poses to data subjects; and (c) measures to address the risks specified

Question 20

Which of privacy assessments, PIAs and DPIAs facilitate privacy by design?

Answer 20

PIAs

Question 21

Which US government act requires PIAs from government agencies?

Answer 21

E-Government Act

Question 22

When are PIAs required by the US gov pursuant to the E-Government Act of 2002?

Answer 22

(A) When developing or procuring IT systems containing PII of the public; or
(B) when initiating an electronic collection of PII

Question 23

Under the E-Government Act of 2002, what requirements precedes a PIA to determine whether a PIA is needed?

Answer 23

Privacy Threshold Analysis

The PTA will seek to determine:
(A) from whom data is collected
(B) what types of personal data are collected
(C) how such data is shared
(D) whether the data has been merged
(E) Whether any determinations have been made as to the info security aspects of the system

Question 24

Under ISO 29134, what is the performing phase?

Answer 24

1. Identifying information flows of PII
2. analysing the implications of the use case
3. Determining the relevant privacy-safeguarding requirements
4. Assessing privacy risks using steps or risk identification, risk analysis and risk evaluation
5. Privacy risk treatment option

Question 25

What is the follow up phase under ISO 29134?

Answer 25

• preparing and publishing the PIA report
• implementing the privacy risk treatment plan
• reviewing the PIS and reflecting changes to the process

Question 26

What is the fine for failure to carry out a DPIA when the processing is subject to a DPIA, carrying out a DPIA in an incorrect way, or failing to consult the competent supervisory authority where required?

Answer 26

Admin fine of up to 10k euros, or 2% or total worldwide annual revenue, whichever is higher

Question 27

What are the examples for when a processing operation is likely to result in high risks under Article 35 of the GDPR?

Answer 27

(a) systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and in which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or

(C) a systematic monitoring of a publicly accessible area on a large scale

Question 28

What factors does the WP29 recommend be considered when determining whether the processing is carried out on a large scale?

Answer 28

(1) the no. of data subjects concerned, either as a specific number or as a proportion of the relevant population;
(2) the volume of data and/or the range of different data items being processed;
(3) the duration, or permanence, of the data processing activity; and
(4) the geographical extent of the processing activity

Question 29

As part of the accountability principle, what info must a data controller maintain?

Answer 29

A record of processing activities under its protection responsibility including the purposes of processing, a description of the categories of data and the recipients of the data and where possible, a general description of the technical and organisational security measures

Question 30

What should a DPIA include as a minimum under the GDPR?

Answer 30

(A) a description of the processing, including its purpose and the legitimate interest being pursued
(B) Necessity of the Processing, it’s proportionality and the risks that it poses to data subjects
(C) Measures to address the risks identified

Question 31

Which three guides are the CNIL’s PIA method?

Answer 31

1. The method explains how to carry out a PIA
2. The models help to formalise a PIA by detailing how to handle the different sections introduced in the method
3. The knowledge base is a code of practice that lists measures to be used to treat the risks

Question 32

When must the supervisory authority be contacted in the context of a DPIA?

Answer 32

Whenever the data controller cannot find sufficient measures to reduce risks to an acceptable level, consultation with the supervisory authority will be necessary

Question 33

What is attestation?

Answer 33

It is a tool for ensuring functions outside the privacy team are held accountable for privacy-related responsibilities

Question 34

What is NIST 800-60?

Answer 34

A guide from the National Institute of Standards and Technology and the US Department of Commerce

Question 35

Info security requires ongoing assessment of threats and risks and of procedures and controls, consistent with three key attributes. of w

Answer 35

Confidentiality, integrity and availability

Question 36

What rule sets forth required disposal protections for financial institutions?

Answer 36

The Disposal Rule under the Fair and Accurate Credit Transactions Act of 2003

Question 37

What is the difference between the privacy policy and the privacy notice?

Answer 37

The privacy policy is the high-level governance that aligns with the privacy vision or Mission statement of the organisation. Internal document:

The privacy notice is an external communication which describes how the organisation collects, uses, shares, retains and disclosed its personal information based on the organisation’s privacy policy.

Question 38

Supporting policies must contain the following

Answer 38

1) Issue/ objective statement
2) Statements of the organisation’s position
3) Applicability
4) Roles and responsibilities
5) Compliance
6) Points of contacts and supplementary information

Question 39

How can action been taken against breaches of privacy notices in the US?

Answer 39

Section 5(a) or the Federal Trade Commission Act prohibits unfair and deceptive trade practices and allows the FTC to investigate and bring enforcement actions against companies engaging in unfair and deceptive trade practices

Question 40

How often must credit information be provided to consumers free of charge once a year under the Federal Credit Reporting Act in the US?

Answer 40

Free of charge once a year

Question 41

What are the obligations placed on employers under the Federal Credit Reporting Act?

Answer 41

FCRA places obligations upon employers to obtain an applicant or employee’s written consent prior to conducting a background check.

Additionally, FCRA requires employers to inform the applicant or employee that the information obtained in the background check may be used to make the decision about their employment. This information must be provided in a standalone written notice separate from an employment application.

Question 42

Under the Health Insurance Portability and Accountability Act (HIPAA), when must changes be implemented for corrections?

Answer 42

Within 60 days

Question 43

Who enforces the Do Not Call Registry in the US?

Answer 43

Federal Communications Commission

Question 44

Which Act provides individuals with a right of access to their own records from each federal agency that maintains a system of records, upon receipt of a written request from an individual?

Answer 44

Privacy Act of 1974

Question 45

What are the three categories of law enforcement and national security records which are not subject to the requirements of the Freedom of Information Act?

Answer 45

1. existence of ongoing criminal law enforcement investigation when the subject is unaware and disclosure could interfere with enforcement proceedings
2. Informant records
3. FBI- existence of foreign intelligence or counterintelligence

Question 46

Which was the first state in the US to require commercial website or online service Operators To conspicuously post privacy notices on their websites or online services?

Answer 46

California Online Privacy Protection Act

Question 47

What are the differences between the Delaware Online Privacy Protection Act and CalOPPA?

Answer 47

1. CalOPPA applies to consumers while DOPPA applies to users
2. CalOPPA is limited to commercial website and apps; DOPPA covers broader range of entities that could be handling PII, including websites, cloud computing services, online apps and mobile apps.

Question 48

What are the similarities between CalOPPA and DOPPA?

Answer 48

Both require that Operators disclose in their privacy notices how they respond to Do Not Track requests regarding the collection of consumers’ and users’ PII

Question 49

What is California’s Shine the Light law?

Answer 49

Gives California residents the right to request and be notified about how businesses use and share their personal information with other businesses for direct marketing purposes

The law also gives consumers a private right of action in the event that a business fails to respond to a consumer’s request

Question 50

What is California’s Online Eraser law?

Answer 50

Designed to protect individuals under the age of 18, requires Operators of websites, online services, online applications and mobile applications to permit minors who Are registered users to request and remove content he posted

Question 51

What is the California Consumer Privacy Act of 2018?

Answer 51

Landmark privacy bill to be implemented 1 Jan 2020

Ability to request a record of:

• What types of personal info an organisation holds about the requestor, it’s sources and the specific personal information that has been collected
• information about the use of the individual ‘s personal information in terms of both business use and third party sharing
• right to erasure
• option for consumers to opt out of having their data sold to third parties

Question 52

Which act provides the most robust consumer rights of the biometric laws adopted thus far?

Answer 52

Illinois Biometric Information Privacy Act

BIPA requires that a private entity notify an individual in writing of its intent to collect biometric information; inform the individual of the purpose and length of term for which biometric information is being collected and used, and receive a written release authorising the use.

A private entity must also obtain consent for further disclosure of biometric identifiers.

Question 53

What are the statutory damages against an entity for violating BIPA?

Answer 53

Negligence - $1k

Intentional or reckless violation - $5k

Question 54

What are the exemptions for the right to erasure?

Answer 54

Orgs can decline data subjects’ requests to the extent that the processing is necessary:

(A) for exercising the right of freedom of expression and information
(B) for compliance with a legal obligation or performance of a task in public interest (eg. Public health, archiving and scientific, historical research or statistical purposes)

Question 55

For personal data processed for scientific and historical research purposes or statistical purposes, how far does the right to object go?

Answer 55

Under Article 21(6) GDPR, where personal data is processed for scientific and historical research data purposes or statistical purposes, the right to object exists only as far as the processing is not considered necessary for the performance of a task carried out for reasons of public interest

Question 56

What is irregular component or noise?

Answer 56

This analysis focuses on what is left over when the other components of the series (time and cyclical) have been accounted for. It is just the most difficult to detect- an example would be the absence of privacy breaches.

Question 57

What are the maturity levels in the Privacy Maturity Model?

Answer 57

1. Ad hoc
2. Repeatable
3. Defined
4. Managed (reviews are conducted to assess effectiveness of controls)
5. Optimised (regular feedback)

Question 58

What are the four common approaches for compliance monitoring?

Answer 58

Self monitoring, audit management, security/ system management and risk management

Question 59

What procedures should supplier monitoring cover?

Answer 59

• appropriate private and security requirements
• provider performance
• security of mobile devices

Question 60

What are the types of audit?

Answer 60

1. First party - will consider the org risk management culture, identify privacy risk factors, and evaluate control design and implementation
2. Supplier audits
3. Third party audits - NIST or ISO

Question 61

What is a metric lifecycle?

Answer 61

The processes and methods to sustain a metric to match the ever changing needs of an organisation

Question 62

What categories constitute preparedness?

Answer 62

1. Training
2. Getting an incident response plan in place
3. Understanding key stakeholders
4. Getting insurance coverage when appropriate
5. Managing vendors who might be a part of an incident

Question 63

Who are the relevant regulators to notify in the US?

Answer 63

The state attorney general and the FTC

Question 64

In the healthcare industry, which regulator should be notified in a healthcare breach?

Answer 64

Department of Health and Human Services

Question 65

What are the seven foundational principles of Privacy by Design?

Answer 65

1. Proactive, not reactive; preventative not remedial
2. Privacy as the default
3. Privacy embedded into design
4. Full functionality - positive-sum, not zero-sum
5. End to end security - full lifecycle protection
6. Visibility and transparency
7. Respect for user privacy

Question 66

What are the qualities of the Privacy by Design Paradigm?

Answer 66

1. Being proactive - by default, privacy controls are part of the system engineering requirements. They are tested for effectiveness and monitored continuously
2. Embedded privacy controls - this involves putting them into systems and applications, auditing them for regulatory compliance, and evaluating them when new threats to information systems are discovered
3. Demonstrating respect for users - privacy and security controls coexist transparently to a user: they do not diminish the necessary authoritarians to access data. The protection of organisational information assets is enabled without unnecessary trade offs.

Question 67

Which EU principles summarize the data protection by design and default?

Answer 67

Article 25 GDPR- data protection by design and default

Recital 78 - appropriate technical and organisational measures

Question 68

What are the appropriate technical and organisational measures under Recital 78?

Answer 68

• pseudonymizing personal data as soon as possible
• transparency with regard to the functions and processing of personal data
• enabling the data subject to monitor the data processing, enabling the controller to create and improve security features

Question 69

What is privacy engineering?

Answer 69

Privacy engineering provides a methodology and technical tools based on industry guidelines and best practices, including the Unified Modeling Language

Question 70

What does information security aim to Ensure throughout the data lifecycle?

Answer 70

Confidentiality - prevention of unauthorised disclosure

Integrity- information is protected from unauthorised or unintentional alternation, modification or deletion

Availability - information is readily accessible to authorised users

Question 71

What does accountability and assurance mean in information security?

Answer 71

Accountability means entity ownership is traceable, while assurance means all other four objectives are met

Question 72

What are the categories of information security controls?

Answer 72

Preventative, Detective, corrective

Question 73

What are the different nature of information security controls

Answer 73

Physical, administrative or policy controls, technical controls

Question 74

What ISO provides the overview of information security management systems?

Answer 74

ISO/IEC 27000:2018

Question 75

What is the standard that provides requirements for an ISMS?

Answer 75

ISO/IEC 27001

Question 76

What is an ISMS information security management system?

Answer 76

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management system

Question 77

What are the areas of overlap for information security and privacy?

Answer 77

• integrity / accuracy
• authorised access
• accountability
• access/ availability

Question 78

Why is there not a complete overlap between privacy and information security?

Answer 78

1. Privacy has a wider set of obligations and responsibilities than information security does (such as collection Limitation, openness, relevancy, use Limitation)
2. Confidentiality - personal info is not always nonpublic
3. You can have security without privacy, but you cannot have privacy without security

Question 79

A survey commissioned by the IAPP and Trustarc found the nexus of information privacy and information security is driven by…

Answer 79

The mutual goal of preventing or mitigating data breaches.

Question 80

What are some of the ways for information privacy and information security programs to align?

Answer 80

• increased involvement of privacy personnel on information security teams and vice versa
• employment of core privacy functions will an IT motivated to get a better handle on their data and the extent of their corporate risk
• increased investment in privacy technology
• increased use of privacy impact assessments and data inventory and classification
• increased use of data retention policies

Question 81

What are the four principles for better alignment for information security and data privacy

Answer 81

• teaming
• don’t reinvent
• stay aware
• tank and prioritise

Question 82

Basic security principles for role-based access include:

Answer 82

• segregation of duties
• least privilege
• need to know access

Question 83

Required administrative or policy controls for privacy can be found in four areas. What are they?

Answer 83

1. Laws and regulations
2. Self regulatory regime
3. Industry practices
4. Corporate ethos/ policy

Question 84

What are the four types of technical controls?

Answer 84

Obfuscation, data minimise ion, security, privacy engineering technologies

Question 85

What regulations require data privacy training?

Answer 85

US Health Insurance Portability and Accountability Act HIPAA

Question 86

What Act prohibits unfair and deceptive trade practices and allows the US FTC to investigate and bring enforcement actions against companies engaging in unfair and deceptive trade practices

Answer 86

Section 5(a) of the FTC Act

Question 87

Which organisations have endorsed a layered approach to privacy notices?

Answer 87

Endorsed by both the FTC and the EU’s Article 29 Working Party, now the European Data Protection Board

Question 88

The Digital Advertising Alliance regulates the use of its icon on websites and mobile screens by requiring compliance with DAA principles relating to what?

Answer 88

Notice, opt out and limitations on data collection and use

Question 89

What is the age for parental consent under the California Consumer Privacy Act?

Answer 89

Parental or legal Guardian consent for children under the age of 13 and the affirmative consent of children between 13 and 16 years of age prior to engaging in data selling

Question 90

What obligations does the Federal Credit Reporting Act place on employers?

Answer 90

FCRA places obligations upon employers to obtain an applicant or employee’s written consent prior to conducting a background check. Additionally, FCRA requires employers to inform the applicant or employee that the information obtained in the background check may be used to make the decision about their employment.

Question 91

How Long do individuals have to obtain a copy of their information under HIPAA?

Answer 91

30 days

Question 92

Under HIPAA, an individual has the right to change any incorrect information and add any missing or incomplete information and these changes must be implemented within how many days?

Answer 92

60 days

Question 93

Who enforces the Do not call registry?

Answer 93

FTC and Federal Communications Commission

Question 94

Who enforces CAN-SPAM?

Answer 94

FTC

Question 95

What are the nine exemptions to information that may be requested under the Freedom of Information Act?

Answer 95

1. Information that is classified to protect national security
2. Information related solely to the internal personnel rules and practices of an agency
3. Information that is prohibited from disclosure by another federal law
4. Trade secrets or commercial or financial information that is confidential or privileged
5. Privileged communications within or between agencies
6. Information that, if disclosed, would invade another individual’s personal privacy
7. Information compiled for various law enforcement purposes
8. Information that concerns the supervision of financial institutions
9. Geological information on wells

Question 96

What is the scope of the CalOPPA?

Answer 96

The law applies to any website or online service operator in the US and possibly the world whose website collects personally identifiable information from Californian consumers

Question 97

What are the differences between DOPPA and CalOPPA?

Answer 97

• scope (consumers under CalOPPA and users under DOPPA)
• DOPPA covers broader range of entities that could be handling PII, including websites, cloud computing services, online apps and mobile apps, while CalOPPA is limited to commercial websites and apps

Question 98

What are the exceptions for the California Online eraser law?

Answer 98

A service operator is not required to comply with the request for removal and deletion if the content about the minor was posted by a third party other than the minor, who is a registered user of the website;

If a minor does not follow instructions provided to the minor on how to request removal of content

If a minor received compensation or other consideration for the content

Question 99

Under Article 13 of the GDPR, what information do data subjects have the right to be provided with in relation to their relationship with the controller?

Answer 99

1: controller’s identity and contact details
2: reasons or purposes for processing their personal data
3: legal basis for processing
4: recipients of that data
5: other relevant information necessary to Ensure the fair and transparent processing of the data
6: the controller must identify the source of data if collected or obtained from a third party, in order to effectively enable the data subject to pursue their rights

Question 100

What are the exemptions to the right of erasure in Article 17(3)?

Answer 100

Data subjects’ requests can be declined to the extent that processing is necessary:

• for exercising the right of freedom of expression and information
• for compliance with a legal obligation which requires processing in the public interest, like public health, archiving and scientific, historical research or statistical purposes

Question 101

How does the right to object work under Article 21(1) whenever a controller justifies the data processing on the basis of its legitimate interests?

Answer 101

Data subjects can object to such processing. As a consequence, the controller is no longer allowed to process the data subject’s personal data unless it can demonstrate compelling, legitimate grounds for the processing

Question 102

Under the draft PI Security Specification, the handling of personal information and personal sensitive information must follow the seven principles of:

Answer 102

1. Consistent rights and responsibilities
2. Clear purpose
3. Choice and consent
4. Minimal and necessary uses
5. Openness and transparency
6. Security assurance
7. Data subject participation

Question 103

What are the three sub tasks of strategic management

Answer 103

1) Define privacy vision and Mission statement
2) Develop privacy strategy
3) Structure privacy team

Question 104

What should a privacy vision/ Mission statement include?

Answer 104

1) Develop privacy objectives
2) Define scope
3) Identify legal and regulatory compliance challenges
4) Identify Personal Information Legal Requirements

Question 105

Steps to develop a privacy strategy

Answer 105

1) ID stakeholders and internal partnerships
2) Leverage key functions
3) Create a process for interfacing
4) Develop a data governance strategy
5) Conduct a privacy workshop

Question 106

What is a Privacy Program Framework?

Answer 106

Implementation roadmap that provides structure or checklists to guide privacy professionals through management and prompts for details to determine privacy relevant decisions

Question 107

What are the four parts of the privacy operational life cycle?

Answer 107

1) Assess
2) Protect
3) Sustain
4) Respond

A pretty sweet rabbit

Question 108

All of the following are factors in determining whether an organisation can craft a common solution to the privacy requirements of multiple jurisdictions except:

Answer 108

(A) effective date of most restrictive law

Other factors that can be considered:
(B) Implementation complexity
(C) legal regulations
(D) cost

Question 109

What are nongovernmental organisations that advocate for privacy protection known as?

Answer 109

External privacy organisations

Question 110

What step can best help you to identify the specific needs and objectives of Country Fresh regarding privacy protection?

Answer 110

Development of the business case.

Question 111

What is a privacy program framework?

Answer 111

This is an implementation road map that provides the structure or checklists (document privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy- relevant decisions for the organization