
100%無料Certified Information Privacy Professional CIPP-US問題集PDFお試しサンプル認定ガイドカバー率
PDF試験材料2025年最新の実際に出るCIPP-US問題集
IAPP CIPP-US(Certified Information Privacy Professional / United States(CIPP / US))試験は、データプライバシーの専門家として自己を確立しようとするプロフェッショナルにとって最も求められる認定資格の1つです。この試験は、候補者の米国のプライバシー法、規制、および個人データの収集、保存、共有を規制する標準についての知識をテストするよう設計されています。CIPP-US認定は、グローバルで認められ、プライバシー法や規制に関する専門知識を持つプロフェッショナルを雇用したい組織に高く評価されています。
質問 # 35
If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?
- A. Uses the transferred data for limited purposes
- B. Enters a contract with the organization that states the third party will process data according to the consent agreement
- C. Notifies the organization if it can no longer meet its requirements for proper data handling
- D. Provides the same level of privacy protection as the organization
正解:B
解説:
According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following1:
* Uses the transferred data only for limited and specified purposes;
* Provides the same level of privacy protection as is required by the Privacy Shield Principles;
* Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles;
* Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
* Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and
* Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.
Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual's consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual's choices and expectations, as well as the Privacy Shield Principles2.
References: 1: Privacy Shield Framework3, Section 3 (b); 2: Privacy Shield Framework3, Section 2 (b) and
; 3: Privacy Shield Framework.
質問 # 36
SCENARIO
Please use the following to answer the next QUESTION:
Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. "If they were really serious about not being bothered," Evan said, "They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to." Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call "another time." This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.
Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social medi a. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.
Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though this name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.
Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.
Larry wants to take action, but is uncertain how to proceed.
In regard to telemarketing practices, Evan the supervisor has a misconception regarding?
- A. The conditions under which recipients can opt out
- B. The wishes of recipients who request callbacks
- C. The right to monitor calls for quality assurance
- D. The relationship of state law to federal law
正解:B
質問 # 37
Which of these organizations would be required to provide its customers with an annual privacy notice?
- A. The Golden Gavel Auction House.
- B. The Four Winds Tribal College.
- C. The King County Savings and Loan.
- D. The Breezy City Housing Commission.
正解:C
解説:
The annual privacy notice requirement under the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions that collect nonpublic personal information from customers and disclose it to nonaffiliated third parties, unless they qualify for an exception. A financial institution is any entity that engages in activities that are financial in nature or incidental to such activities, as defined by section 4(k) of the Bank Holding Company Act of 1956. The King County Savings and Loan is a financial institution under this definition, as it engages in lending money and accepting deposits. Therefore, it is required to provide its customers with an annual privacy notice, unless it meets the conditions for an exception. The Four Winds Tribal College, the Golden Gavel Auction House, and the Breezy City Housing Commission are not financial institutions under the GLBA, as they do not engage in activities that are financial in nature or incidental to such activities. Therefore, they are not required to provide their customers with an annual privacy notice under the GLBA. References:
* Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act, section I.
Background, paragraph 2.
* 17 CFR § 248.5 - Annual privacy notice to customers required., paragraph (a) (1).
* IAPP CIPP/US Study Guide, page 65.
質問 # 38
SCENARIO
Please use the following to answer the next QUESTION:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal dat a. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company." This is an important partnership. Company executives know that its biggest fans come from Western Europe; and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Under the GDPR, the complainant's request regarding her personal information is known as what?
- A. Right of Removal
- B. Right of Access
- C. Right to Be Forgotten
- D. Right of Rectification
正解:A
質問 # 39
A law enforcement subpoenas the ACME telecommunications company for access to text message records of a person suspected of planning a terrorist attack. The company had previously encrypted its text message records so that only the suspect could access this data.
What law did ACME violate by designing the service to prevent access to the information by a law enforcement agency?
- A. CALEA
- B. USA Freedom Act
- C. ECPA
- D. SCA
正解:A
解説:
To amend title 18, United States Code, to make clear a telecommunications carrier's duty to cooperate in the interception of communications for Law Enforcement purposes, and for other purposes.
質問 # 40
Which of the following would NOT constitute an exception to the authorization requirement under the HIPAA Privacy Rule?
- A. Disclosing health information for public health activities.
- B. Disclosing health information needed to pay a third party billing administrator.
- C. Disclosing health information needed to treat a medical emergency.
- D. Disclosing health information to file a child abuse report.
正解:B
解説:
Among the options provided, disclosing health information needed to pay a third party billing administrator would NOT constitute an exception to the authorization requirement under the HIPAA Privacy Rule. Generally, when disclosing health information for payment and healthcare operations purposes, specific patient authorization is not required. However, this exception applies primarily to disclosures made to healthcare providers, health plans, and other entities directly involved in the payment or healthcare operations process.
質問 # 41
Global Manufacturing Co's Human Resources department recently purchased a new software tool. This tool helps evaluate future candidates for executive roles by scanning emails to see what those candidates say and what is said about them. This provides the HR department with an automated "360 review" that lets them know how the candidate thinks and operates, what their peers and direct reports say about them, and how well they interact with each other.
What is the most important step for the Human Resources Department to take when implementing this new software?
- A. Providing notice to employees that their emails will be scanned by the software and creating automated profiles.
- B. Making sure that the software does not unintentionally discriminate against protected groups.
- C. Confirming that employees have read and signed the employee handbook where they have been advised that they have no right to privacy as long as they are using the organization's systems, regardless of the protected group or laws enforced by EEOC.
- D. Ensuring that the software contains a privacy notice explaining that employees have no right to privacy as long as they are running this software on organization systems to scan email systems.
正解:A
解説:
The most important step for the HR department to take when implementing this new software is to provide notice to employees that their emails will be scanned by the software and creating automated profiles. This is because the software involves the collection and use of personal information from employees, which may implicate their privacy rights and expectations. By providing notice, the HR department can inform employees about the purpose, scope, and consequences of the software, as well as their choices and rights regarding their data. Notice is also a key element of transparency and accountability, which are essential principles of privacy management. Providing notice can also help the HR department comply with various privacy laws and regulations that may apply to the software, such as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Fair Credit Reporting Act (FCRA), and state privacy laws. Notice can also help the HR department avoid potential legal risks and liabilities that may arise from the software, such as claims of invasion of privacy, breach of contract, or violation of employee rights. References:
* U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 4,
* Section 4.2.1, pp. 97-98.
* U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 5, Section 5.2.1, pp. 125-126.
* U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 6, Section 6.2.1, pp. 153-154.
* IAPP CIPP/US Certified Information Privacy Professional Study Guide by Mike Chapple and Joe Shelley, Chapter 4, Section 4.1, pp. 113-114.
質問 # 42
What consumer protection did the Fair and Accurate Credit Transactions Act (FACTA) require?
- A. Consumer notice when third-party data is used to make an adverse decision
- B. The ability for the consumer to correct inaccurate credit report information
- C. The truncation of account numbers on credit card receipts
- D. The right to request removal from e-mail lists
正解:C
質問 # 43
More than half of U.S. states require telemarketers to?
- A. Provide written contracts for customer transactions
- B. Obtain written consent from potential customers
- C. Register with the state before conducting business
- D. Identify themselves at the beginning of a call
正解:C
解説:
According to the IAPP CIPP/US Study Guide, more than half of U.S. states require telemarketers to register with the state before conducting business within the state. This registration requirement may involve paying a fee, posting a bond, or providing information about the telemarketer's identity, location, and business practices. The purpose of this requirement is to protect consumers from fraudulent or deceptive telemarketing calls and to facilitate the enforcement of state laws and regulations. The other options are not required by most states, although some states may have additional rules or guidelines for telemarketers regarding identification, consent, or contracts. References:
* IAPP CIPP/US Study Guide, Chapter 7: Marketing and Advertising
* State Telemarketing Registration Requirements
質問 # 44
The Cable Communications Policy Act of 1984 requires which activity?
- A. Delivery of an annual notice detailing how subscriber information is to be used
- B. Notice to subscribers of any investigation involving unauthorized reception of cable services
- C. Obtaining subscriber consent for disseminating any personal information necessary to render cable services
- D. Destruction of personal information a maximum of six months after it is no longer needed
正解:B
質問 # 45
According to FERPA, when can a school disclose records without a student's consent?
- A. If the disclosure would not reveal a student's student identification number
- B. If the disclosure is to practitioners who are involved in a student's health care
- C. If the disclosure is to provide transcripts to a school where a student intends to enroll
- D. If the disclosure is not to be conducted through email to the third party
正解:C
解説:
Explanation/Reference: https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
質問 # 46
In 2012, the White House and the FTC both issued reports advocating a new approach to privacy enforcement that can best be described as what?
- A. Comprehensive.
- B. Self-regulatory.
- C. Harm-based.
- D. Notice and choice.
正解:A
質問 # 47
Even when dealing with an organization subject to the CCPA, California residents are NOT legally entitled to request that the organization do what?
- A. Correct their personal information.
- B. Disclose their personal information to them.
- C. Refrain from selling their personal information to third parties.
- D. Delete their personal information.
正解:B
解説:
https://oag.ca.gov/privacy/ccpa
質問 # 48
If an organization certified under Privacy Shield wants to transfer personal data to a third party acting as an agent, the organization must ensure the third party does all of the following EXCEPT?
- A. Uses the transferred data for limited purposes
- B. Enters a contract with the organization that states the third party will process data according to the consent agreement
- C. Notifies the organization if it can no longer meet its requirements for proper data handling
- D. Provides the same level of privacy protection as the organization
正解:B
解説:
Explanation/Reference: https://www.privacyshield.gov/Key-New-Requirements
質問 # 49
SCENARIO -
Please use the following to answer the next question:
Jane is a U.S. citizen and a senior software engineer at California-based Jones Labs, a major software supplier to the U.S. Department of Defense and other U.S. federal agencies. Jane's manager, Patrick, is a French citizen who has been living in California for over a decade. Patrick has recently begun to suspect that Jane is an insider secretly transmitting trade secrets to foreign intelligence. Unbeknownst to Patrick, the FBI has already received a hint from anonymous whistleblower, and jointly with the National Security Agency is investigating Jane's possible implication in a sophisticated foreign espionage campaign.
Ever since the pandemic, Jane has been working from home. To complete her daily tasks she uses her corporate laptop, which after each login conspicuously provides notice that the equipment belongs to Jones Labs and may be monitored according to the enacted privacy policy and employment handbook. Jane also has a corporate mobile phone that she uses strictly for business, the terms of which are defined in her employment contract and elaborated upon in her employee handbook. Both the privacy policy and the employee handbook are revised annually by a reputable California law firm specializing in privacy law. Jane also has a personal iPhone that she uses for private purposes only.
Jones Labs has its primary data center in San Francisco, which is managed internally by Jones Labs engineers. The secondary data center, managed by Amazon AWS, is physically located in the UK for disaster recovery purposes. Jones Labs' mobile devices backup is managed by a mid-sized mobile defense company located in Denver, which physically stores the data in Canada to reduce costs. Jones Labs MS Office documents are securely stored in a Microsoft Office 365 data center based in Ireland. Manufacturing data of Jones Labs is stored in Taiwan and managed by a local supplier that has no presence in the U.S.
Before inspecting any GPS geolocation data from Jane's corporate mobile phone, Patrick should first do what?
- A. Ensure that such activity is permitted under Jane's employment contract or the company's employee privacy policy.
- B. Revise emerging workplace privacy best practices with a reputable advocacy organization.
- C. Obtain a subpoena from law enforcement, or a court order, directing Jones Labs to collect the GPS geolocation data.
- D. Obtain prior consent from Jane pursuant to the Telephone Consumer Protection Act
正解:A
解説:
"In California, it is legal to track employees during work hours. However, Californians have a constitutional right to privacy. Therefore, if you plan to track employees, make sure it's not in violation of any union agreements and that there's a documented tracking policy in place. " https://www.workyard.com/employee-time-tracking/gps-tracking-employees-laws
質問 # 50
Which statement is FALSE regarding the provisions of the Employee Polygraph Protection Act of 1988 (EPPA)?
- A. Employers involved in the manufacture of controlled substances may terminate employees based on polygraph results if other evidence exists.
- B. The EPPA includes an exception that allows polygraph tests in professions in which employee honesty is necessary for public safety.
- C. Employers are prohibited from administering psychological testing based on personality traits such as honesty, preferences or habits.
- D. The EPPA requires that employers post essential information about the Act in a conspicuous location.
正解:C
解説:
Polygraphs (but no other lie detector tests) are permissible in certain circumstances. Under the EPPA, polygraph means an instrument that records continuously, visually, permanently, and simultaneously changes in cardiovascular, respiratory and electrodermal patterns as minimum instrumentation standards and is used to render a diagnostic opinion as to the *honesty or dishonesty* of as individual. https://www.dol.gov/agencies/whd/fact-sheets/36-eppa
質問 # 51
SCENARIO
Please use the following to answer the next QUESTION
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in Californi a. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need to hire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask Question:s about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results. Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
In any case, Celeste feels that all they need is common sense - like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.
Which law will be most relevant to Felicia's plan to ask applicants about drug addiction?
- A. The Americans with Disabilities Act (ADA).
- B. The Genetic Information Nondiscrimination Act of 2008.
- C. The Health Insurance Portability and Accountability Act (HIPAA).
- D. The Occupational Safety and Health Act (OSHA).
正解:A
質問 # 52
Your company, an online store selling digital keys to video games, has received a data access request from an individual. Specifically, the individual wants access to her recent purchase history, as she has misplaced the emails containing the digital keys to multiple game purchases she made last month.
From a security standpoint, what would the user have to do under CCPA in order to acceptably verify her identity?
- A. Phone the company and provide her contact details and credit card number
- B. Log in to her password-protected account with the company
- C. Take a photo of herself with her driver license
- D. Provide a notarized affidavit signed by two witnesses.
正解:B
解説:
Under the California Consumer Privacy Act (CCPA), businesses must verify the identity of individuals making data access requests to ensure the security of personal information. The most secure and straightforward way to verify a consumer's identity is by requiring the individual to log in to their password- protected account, as this demonstrates that the requester is the account owner.
Why Password-Protected Accounts Are Best for Verification:
* Account-Based Relationship:If the consumer has a password-protected account with the business, verification can typically be achieved by having the consumer log in to the account. This is considered a sufficient method of verifying identity under CCPA guidelines.
* Minimizing Risk:Verifying identity through account login reduces the risk of fraudulent access to personal information, as only the account owner has access to the login credentials.
Explanation of Options:
* A. Take a photo of herself with her driver license:While this might verify identity, it is more intrusive and poses unnecessary risks of identity theft. This is not a preferred or common method under the CCPA.
* B. Provide a notarized affidavit signed by two witnesses:This is excessive and impractical for verifying identity in most cases, particularly for an online store.
* C. Log in to her password-protected account with the company:This is correct. Logging into a password-protected account is a straightforward and secure way to verify the identity of a requester under the CCPA.
* D. Phone the company and provide her contact details and credit card number:This method is insecure, as it could lead to identity theft or fraudulent access if someone else provides this information.
References from CIPP/US Materials:
* CCPA Regulations (11 CCR § 999.323): Specifies identity verification requirements, including the use of password-protected accounts.
* IAPP CIPP/US Certification Textbook: Covers secure methods for verifying consumer identity under the CCPA.
質問 # 53
......
IAPP CIPP-US 認定試験は、組織がプライバシー法や規制に準拠していることを確認する責任を持つ専門家を対象としています。データ漏洩やサイバー脅威の増加に伴い、プライバシーは多くの組織にとって重要な問題となっています。したがって、CIPP-US 認定を持つことは、個人にとって求職市場での優位性を示し、プライバシー分野での能力を証明することができます。
更新されたのはIAPP CIPP-US問題集PDFオンラインエンジン:https://jp.fast2test.com/CIPP-US-premium-file.html
CIPP-US.PDFで問題解答PDFサンプル問題信頼され続ける:https://drive.google.com/open?id=12wJPiYpH0lEutASuybTwD4XV5PykvDoQ