CIPP-C Online Practice Questions and Answers

According to the Canadian Standards Association (CSA) Model Code, how long should personal information be retained?

A. Personal information should not be retained at all.

B. Personal information should be retained indefinitely as long as consent has been given.

C. Personal information should be retained for at least two years after the last administrative use.

D. Personal information should be retained as long as necessary for the fulfillment of the purpose of the collection.

A new client is opening a Registered Retirement Savings Plan. Their investment advisor asks for their social insurance number (SIN). The advisor must tell the client that because they are opening a tax reporting product, their SIN is mandatory for tax reporting purposes and?

A. Optional for identity verification purposes.

B. Mandatory for identity verification purposes.

C. Optional for secondary marketing purposes.

D. Mandatory for secondary marketing purposes.

In which situation could a request for access to one's personal information be denied under the Privacy Act?

A. The personal information was collected by the Royal Canadian Mounted Police while performing policing services for a province or municipality.

B. The personal information was obtained in confidence from a foreign state or agency which has consented to the disclosure of the information.

C. The release of the personal information could reasonably be expected to cause injury to a protected species of wildlife.

D. The personal information is more than 20 years old and relates to the detection or suppression of money laundering.

Safeguarding and securing information that is considered sensitive under privacy legislation generally falls into three categories: Administrative, Technical and?

A. Legal.

B. Physical.

C. Personal.

D. Logistical.

What is an exception to the Electronic Communications Privacy Act of 1986 ban on interception of wire, oral and electronic communications?

A. Where one of the parties has given consent

B. Where state law permits such interception

C. If an organization intercepts an employee's purely personal call

D. Only if all parties have given consent

Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.

Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that

even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.

In any case, Celeste feels that all they need is common sense ?like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.

Which law will be most relevant to Felicia's plan to ask applicants about drug addiction?

A.

B. The Americans with Disabilities Act (ADA).

C. The Occupational Safety and Health Act (OSHA).

D. The Genetic Information Nondiscrimination Act of 2008.

E. The Health Insurance Portability and Accountability Act (HIPAA).

The rules for "e-discovery" mainly prevent which of the following?

A. A conflict between business practice and technological safeguards

B. The loss of information due to poor data retention practices

C. The practice of employees using personal devices for work

D. A breach of an organization's data retention program

Which jurisdiction must courts have in order to hear a particular case?

A. Subject matter jurisdiction and regulatory jurisdiction

B. Subject matter jurisdiction and professional jurisdiction

C. Personal jurisdiction and subject matter jurisdiction

D. Personal jurisdiction and professional jurisdiction

Which of the following became the first state to pass a law specifically regulating the practices of data brokers?

A. Washington.

B. California.

C. New York.

D. Vermont.

Which of the following would NOT constitute an exception to the authorization requirement under the HIPAA Privacy Rule?

A. Disclosing health information for public health activities.

B. Disclosing health information to file a child abuse report.

C. Disclosing health information needed to treat a medical emergency.

D. Disclosing health information needed to pay a third party billing administrator.