[2024年06月13日] CIPP-C PDF問題集にはあなたに不可欠なCIPP-C試験解答を合格に繋ぐ! [Q46-Q67]

Share

[2024年06月13日] CIPP-C PDF問題集にはあなたに不可欠なCIPP-C試験解答を合格に繋ぐ!

CIPP-CPDF解答で完璧な予見CIPP-C練習試験問題

質問 # 46
SCENARIO
Please use the following to answer the next QUESTION
When there was a data breach involving customer personal and financial information at a large retail store, the company's directors were shocked. However, Roberta, a privacy analyst at the company and a victim of identity theft herself, was not. Prior to the breach, she had been working on a privacy program report for the executives. How the company shared and handled data across its organization was a major concern. There were neither adequate rules about access to customer information nor procedures for purging and destroying outdated dat a. In her research, Roberta had discovered that even low- level employees had access to all of the company's customer data, including financial records, and that the company still had in its possession obsolete customer data going back to the 1980s.
Her report recommended three main reforms. First, permit access on an as-needs-to-know basis. This would mean restricting employees' access to customer information to data that was relevant to the work performed. Second, create a highly secure database for storing customers' financial information (e.g., credit card and bank account numbers) separate from less sensitive information. Third, identify outdated customer information and then develop a process for securely disposing of it.
When the breach occurred, the company's executives called Roberta to a meeting where she presented the recommendations in her report. She explained that the company having a national customer base meant it would have to ensure that it complied with all relevant state breach notification laws. Thanks to Roberta's guidance, the company was able to notify customers quickly and within the specific timeframes set by state breach notification laws.
Soon after, the executives approved the changes to the privacy program that Roberta recommended in her report. The privacy program is far more effective now because of these changes and, also, because privacy and security are now considered the responsibility of every employee.
What could the company have done differently prior to the breach to reduce their risk?

  • A. Communicated requests for changes to users' preferences across the organization and with third parties.
  • B. Looked for any persistent threats to security that could compromise the company's network.
  • C. Implemented a comprehensive policy for accessing customer information.
  • D. Honored the promise of its privacy policy to acquire information by using an opt-in method.

正解:B


質問 # 47
SCENARIO
Please use the following to answer the next QUESTION
Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S. and Asi a. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.
Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.
The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.
The Board has asked Otto whether the company will need to comply with the new California Consumer Privacy Law (CCPA). What should Otto tell the Board?

  • A. That CCPA only applies to companies based in California, which exempts the company from compliance.
  • B. That business contact information could be considered personal information governed by CCPA.
  • C. That the company is governed by CCPA, but does not need to take any additional steps because it follows CPBR.
  • D. That CCPA will apply to the company only after the California Attorney General determines that it will enforce the statute.

正解:D


質問 # 48
What practice does the USA FREEDOM Act NOT authorize?

  • A. An extension of the expiration for roving wiretaps
  • B. The bulk collection of telephone data and internet metadata
  • C. Emergency exceptions that allows the government to target roamers
  • D. An increase in the maximum penalty for material support to terrorism

正解:C


質問 # 49
In which situation is a company operating under the assumption of implied consent?

  • A. An online retailer subscribes new customers to an e-mail list by default
  • B. An employer contacts the professional references provided on an applicant's resume
  • C. A landlord uses the information on a completed rental application to run a credit report
  • D. A retail clerk asks a customer to provide a zip code at the check-out counter

正解:B


質問 # 50
In the event of a data breach, which type of information are data controllers NOT required to provide to either the supervisory authorities or the data subjects?

  • A. The predicted consequences of the breach.
  • B. The measures being taken to address the breach.
  • C. The contact details of the appropriate data protection officer.
  • D. The type of security safeguards used to protect the data.

正解:C


質問 # 51
What is required through the "circle of care" concept under Canadian health information privacy law?

  • A. An individual's consent may be implied unless the individual has refused consent or if the purpose of the disclosure is not to provide health care.
  • B. Notification to the individual be made in the event of a data breach of personal health information (PHI) by an organization that is based in Canada
  • C. Consent must be expressed or implied when a custodian discloses personal health information (PHI) to another custodian for the purpose of providing health care.
  • D. Health information custodians or trustees be specified only by applicable law or regulation

正解:C

解説:
The "circle of care" concept under Canadian health information privacy law refers to the ability of health information custodians to assume implied consent when disclosing personal health information (PHI) to other health information custodians for the purpose of providing health care. This concept allows for the seamless sharing of PHI among providers like doctors, nurses, and pharmacists, who are directly involved in the care of the individual, without requiring express consent for each exchange of information within this circle. The principle is based on the assumption that the disclosure is made in the patient's best interests for their ongoing care. Therefore, the correct answer is D, "Consent must be expressed or implied when a custodian discloses personal health information (PHI) to another custodian for the purpose of providing health care."


質問 # 52
Which EU institution is vested with the competence to propose new data protection legislation on its own initiative?

  • A. The Canadian Council
  • B. The Canadian Parliament
  • C. The Canadian Commission
  • D. Office of the Privacy Commissioner of Canada

正解:D


質問 # 53
In Ontario, a patient attends an appointment with a physician and reveals information about some new symptoms that she has been experiencing. Based on this information, the physician diagnoses the patient with a condition and prepares the report detailing the applicable history and diagnosis. The report is added to the patient's record. The patient later regrets revealing certain facts and doesn't want anyone else to know about these symptoms or the diagnosis. She acknowledges that the information she provided was correct and does not question the diagnosis.
Which of the following requests would the patient be most successful at pursuing?

  • A. That a correction be made to change the diagnosis based on the patient's wishes.
  • B. That the information be restricted from disclosure to other health care providers.
  • C. That a copy of the record be kept by the patient for disclosure to physicians.
  • D. That details of the diagnosis be deleted from the patient's health record.

正解:B

解説:
In Ontario, as well as in most jurisdictions in Canada, once a patient discloses information to a healthcare provider, the information becomes part of their health record and cannot typically be altered or deleted based on the patient's subsequent regret or preference for privacy. Under privacy laws that apply to health information in Ontario, such as the Personal Health Information Protection Act (PHIPA), a patient does not have the right to have valid medical diagnoses removed or altered in their health record. However, they can request that the disclosure of their health information be restricted to certain persons or for certain purposes.
Therefore, the patient would be most successful at pursuing Option B, requesting that the information be restricted from disclosure to other healthcare providers. This is supported by Section 20 of PHIPA, which allows individuals to withhold or withdraw consent for certain uses of their information, with necessary exceptions for emergency situations or other legally mandated disclosures.


質問 # 54
Under state breach notification laws, which is NOT typically included in the definition of personal information?

  • A. State identification number
  • B. First and last name
  • C. Medical Information
  • D. Social Security number

正解:C


質問 # 55
Which entities must comply with the Telemarketing Sales Rule?

  • A. For-profit organizations calling businesses when a binding contract exists between them
  • B. For-profit and not-for-profit organizations when selling additional services to establish customers
  • C. For-profit organizations and for-profit telefunders regarding charitable solicitations
  • D. Nonprofit organizations calling on their own behalf

正解:B


質問 # 56
Which of the following federal agencies does NOT enforce the Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA)?

  • A. The Office of the Comptroller of the Currency
  • B. The Federal Trade Commission
  • C. The Department of Health and Human Services
  • D. The Consumer Financial Protection Bureau

正解:C


質問 # 57
SCENARIO
Please use the following to answer the next QUESTION:
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.
He was also curious about the hospital's use of a billing company. He Questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.
On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.
Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan's day ended with many Questions, he was pleased about his new position.
Based on the scenario, what is the most likely way Declan's supervisor would answer his question about the hospital's use of a billing company?

  • A. By describing how the billing system is integrated into the hospital's electronic health records (EHR) system
  • B. By assuring Declan that third parties are prevented from seeing Private Health Information (PHI)
  • C. By pointing out that contracts are in place to help ensure the observance of minimum security standards
  • D. By suggesting that Declan look at the hospital's publicly posted privacy policy

正解:C


質問 # 58
SCENARIO
Please use the following to answer the next QUESTION:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer's privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
Based on the scenario, which of the following would have helped Janice to better meet the company's needs?

  • A. Spending more time understanding the company's information goals
  • B. Explaining the importance of transparency in implementing a new policy
  • C. Removing the financial burden of the company's employee training program
  • D. Creating a more comprehensive plan for implementing a new policy

正解:A


質問 # 59
A student has left high school and is attending a public postsecondary institution. Under what condition may a school legally disclose educational records to the parents of the student without consent?

  • A. If the student is still a dependent for tax purposes
  • B. If the student has applied to transfer to another institution
  • C. If the student has not yet turned 18 years of age
  • D. If the student is in danger of academic suspension

正解:A


質問 # 60
According to the federal Privacy Commissioner, what protection is missing from the Privacy Act regarding outsourcing of government work that contains personal information?

  • A. A statement indicating that the government institution from which the information is outsourced remains accountable for its security.
  • B. A statement granting the Privacy Commissioner the right to issue orders following an investigation into a possible data breach.
  • C. A statement preventing the vendor to whom the information is outsourced to subcontract its processing.
  • D. A statement requiring the government agency to complete a Privacy Impact Assessment (PIA) prior to outsourcing to a third party.

正解:A

解説:
The Privacy Act governs how federal government institutions handle personal information. The Privacy Commissioner of Canada has highlighted limitations within the Act regarding outsourcing, specifically:
* Lack of Explicit Accountability: While the Privacy Act implies the government institution remains responsible for the personal information, the Commissioner argues that the law needs a clearer, more explicit statement to ensure full accountability when it's outsourced.
* Outsourcing & Privacy Risks: Outsourcing government functions to third parties can add complexity and risk to the protection of personal information.
* References:
* You can find discussions of the Privacy Commissioner's position on outsourcing in reports and resources on the Office of the Privacy Commissioner of Canada (OPC) website: https://priv.gc.ca/en/ Why Other Options Are Less Relevant
* A. Preventing subcontracting: While controlling further subcontracting might be important, it's not the primary concern identified by the Commissioner.
* B. Commissioner's order power: While the Commissioner advocates for greater powers, this is not the specific gap in the Privacy Act related to outsourcing.
* C. Privacy Impact Assessments (PIAs): PIAs are crucial, but the Commissioner's argument highlights that even with PIAs, the Act lacks clear accountability language when the information leaves the government institution.
Key Points
* The Privacy Commissioner plays an advocacy role, identifying areas where privacy legislation could be strengthened.
* Accountability is crucial in all privacy contexts, especially when third parties handle sensitive data.


質問 # 61
Which of the following incidents will require reporting to OPC?

  • A. A file with client ID, sales amount and sales date that was sent to the wrong processors who cannot identify the clients.
  • B. As part of a freedom of information request, a nursing home that released an e-mail with everybody's e-mail address in the "to" section unredacted.
  • C. A sales report with aggregated information that was sent to the wrong person internally.
  • D. An organization's point-of-sale system that was subject to an attempted hack that was blocked by the organization's firewall.

正解:B

解説:
Under PIPEDA, any breach of security safeguards involving personal information that poses a real risk of significant harm (RROSH) requires reporting to the Office of the Privacy Commissioner of Canada (OPC). In the scenarios given, sending a sales report with aggregated information (option A) or a file with client data to wrong processors who cannot identify the clients (option B), or blocking an attempted hack (option C), may not necessarily pose a RROSH. However, a nursing home releasing an email with everyone's email address in the "to" section unredacted during a freedom of information request (option D) potentially exposes individuals to a risk of spam, phishing, and other malicious activities, thereby posing a real risk of significant harm. This constitutes a breach requiring reporting to the OPC.


質問 # 62
According to the federal Privacy Act, before collecting personal information, public-sector organizations are required to ensure that any of the following are met EXCEPT?

  • A. Collection directly relates to, and is necessary for, operating a program of that organization.
  • B. Collection is for the purposes of a law enforcement action.
  • C. Collection is expressly authorized under an act.
  • D. Collection is authorized by consent.

正解:D


質問 # 63
Which marketing-related activity is least likely to be covered by the provisions of Privacy and Electronic Communications Regulations (Directive 2002/58/EC)?

  • A. An email from a retail outlet promoting a sale to one of their previous customer.
  • B. A text message to individuals from a company offering concert tickets for sale.
  • C. Advertisements passively displayed on a website.
  • D. The use of cookies to collect data about an individual.

正解:C


質問 # 64
Which of the following became the first state to pass a law specifically regulating the practices of data brokers?

  • A. California.
  • B. Vermont.
  • C. New York.
  • D. Washington.

正解:B


質問 # 65
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a successful campaign. JaphSoft then uses such models in providing services to its client-base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
Why would the consent provided by Ms. Iman NOT be considered valid in regard to JaphSoft?

  • A. She did not read the privacy notice stating that her personal data would be shared.
  • B. She was not told which controller would be processing her personal data.
  • C. She has never made any purchases from JaphSoft and has no relationship with the company.
  • D. She only viewed the visual representations of the privacy notice Liem provided.

正解:A


質問 # 66
As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?

  • A. Consistent with Privacy Shield requirements
  • B. Inextricably linked in their businesses.
  • C. Bound by a standard contractual clause.
  • D. Supervised by the same Data Protection Officer.

正解:B


質問 # 67
......

CIPP-Cリアル試験問題と正確なCertified Information Privacy Professional/ Canada (CIPP/C)PDF解答:https://jp.fast2test.com/CIPP-C-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어