
CIPP-C問題集最新版を今すぐ試そう![2025年05月] 試験準備には欠かせません!
有能な受験者がシミュレーション済みのCIPP-C試験PDF問題を試そう
CIPP/C試験は、個人情報保護及び電子文書法(PIPEDA)、プライバシー原則、プライバシーガバナンス、プライバシーマネジメントフレームワークなど、カナダのプライバシー法規に関連する幅広いトピックをカバーしています。この試験は難易度が高く、受験者は試験を受ける前に、対象分野について強力な理解を持っていることが期待されています。
質問 # 31
In comparing British Columbia's privacy laws with the health information privacy acts of the remaining provinces, BC's privacy laws?
- A. Exclude laboratories, nursing homes and independent health facilities.
- B. Seek to create a more flexible regulatory system to manage the patient data itself
- C. Group data banks together rather than listing them separately.
- D. Refer to health sector participants as trustees as opposed to custodians.
正解:B
質問 # 32
A Spanish electricity customer calls her local supplier with Questions: about the company's upcoming merger.
Specifically, the customer wants to know the recipients to whom her personal data will be disclosed once the merger is final. According to Article 13 of the GDPR, what must the company do before providing the customer with the requested information?
- A. Verify that the request is applicable to the data collected before the GDPR entered into force.
- B. Verify that the personal data has not already been sent to the customer.
- C. Verify that the purpose of the request from the customer is in line with the GDPR.
- D. Verify that the identity of the customer can be proven by other means.
正解:A
質問 # 33
Under Article 21 of the GDPR, a controller must stop profiling when requested by a data subject, unless it can demonstrate compelling legitimate grounds that override the interests of the individual. In the Guidelines on Automated individual decision-making and Profiling, the WP 29 says the controller needs to do all of the following to demonstrate that it has such legitimate grounds EXCEPT?
- A. Consider the impact of the profiling on the data subject's interest, rights and freedoms.
- B. Demonstrate that the profiling is for the purposes of direct marketing.
- C. Consider the importance of the profiling to their particular objective.
- D. Carry out an exercise that weighs the interests of the controller and the basis for the data subject's objection.
正解:B
質問 # 34
SCENARIO
Please use the following to answer the next QUESTION:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A.
HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B.
As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract,
and has not conducted audits of CloudHealth's security measures.A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online.
The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees.
Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.A patient affected by the breach then sues HealthCo,
claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
What is the most significant reason that the U.S. Department of Health and Human Services (HHS) might impose a penalty on HealthCo?
- A. Because CloudHealth violated its contract with HealthCo by not encrypting the ePHI
- B. Because HealthCo did not conduct due diligence to verify or monitor CloudHealth's security measures
- C. Because HealthCo did not require CloudHealth to implement appropriate physical and administrative measures to safeguard the ePHI
- D. Because HIPAA requires the imposition of a fine if a data breach of this magnitude has occurred
正解:B
質問 # 35
To whom does the Privacy Commissioner of Canada report?
- A. House of Commons and the Senate.
- B. Administrative tribunal.
- C. Auditor General.
- D. Supreme Court of Canada and Prime Minister
正解:A
解説:
The Privacy Commissioner of Canada reports to the Parliament of Canada, specifically to both the House of Commons and the Senate. This structure supports the Commissioner's role as an officer of Parliament, emphasizing the independence necessary for overseeing the government's adherence to privacy laws and handling Canadians' personal information. The reporting relationship ensures accountability and enables the Commissioner to report on privacy issues directly to the legislative body that represents the interests of the public.
質問 # 36
More than half of U.S. states require telemarketers to?
- A. Provide written contracts for customer transactions
- B. Obtain written consent from potential customers
- C. Register with the state before conducting business
- D. identify themselves at the beginning of a call
正解:A
質問 # 37
Which of the following incidents will require reporting to OPC?
- A. An organization's point-of-sale system that was subject to an attempted hack that was blocked by the organization's firewall.
- B. A file with client ID, sales amount and sales date that was sent to the wrong processors who cannot identify the clients.
- C. As part of a freedom of information request, a nursing home that released an e-mail with everybody's e-mail address in the "to" section unredacted.
- D. A sales report with aggregated information that was sent to the wrong person internally.
正解:D
質問 # 38
SCENARIO
Please use the following to answer the next QUESTION:
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. "Doing your network?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?" "It's asking Questions about my opinions."
"Let me see," Matt said, and began reading the list of Questions that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten." Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Questions about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
How could the marketer have best changed its privacy management program to meet COPPA "Safe Harbor" requirements?
- A. By participating in an approved self-regulatory program
- B. By making a COPPA privacy notice available on website
- C. By regularly assessing the security risks to consumer privacy
- D. By receiving FTC approval for the content of its emails
正解:D
質問 # 39
Which question is NOT part of the Office of the Privacy Commissioner of Canada's (OPC's) four-point test for establishing whether providing access to genetic testing results goes beyond what is necessary or reasonable?
- A. Are there less privacy-invasive alternatives?
- B. Are the validity and accuracy of individual test results guaranteed to be accurate?
- C. Are the collection and the use proportionate to the benefits gained?
- D. Is the personal information likely to be effective in achieving a legitimate business purpose?
正解:B
質問 # 40
What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?
- A. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.
- B. The encryption of all personal information of Massachusetts residents when stored on portable devices.
- C. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.
- D. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.
正解:B
質問 # 41
A company is hesitating between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?
- A. Binding Corporate Rules are especially recommended for small and medium companies.
- B. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.
- C. The data exporter does not need to be located in the EU for the standard Contractual Clauses.
- D. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.
正解:B
質問 # 42
According to the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems, signatories commit to doing all of the following EXCEPT?
- A. Supporting public awareness and education on Al.
- B. Adopting low-risk uses of AI.
- C. Contributing to the development and application of Al standards.
- D. Sharing information and best practices of Al governance.
正解:B
質問 # 43
Assuming that the "without undue delay" provision is followed, what is the time limit for complying with a data access request?
- A. Within one month of receipt, which may be extended by up to an additional month
- B. Within 40 days of receipt
- C. Within 40 days of receipt, which may be extended by up to 40 additional days
- D. Within one month of receipt, which may be extended by an additional two months
正解:A
質問 # 44
Which of the following would NOT constitute an exception to the authorization requirement under the HIPAA Privacy Rule?
- A. Disclosing health information needed to pay a third party billing administrator.
- B. Disclosing health information to file a child abuse report.
- C. Disclosing health information for public health activities.
- D. Disclosing health information needed to treat a medical emergency.
正解:D
解説:
Section: (none)
質問 # 45
What must a federal government department do before it implements an electronic service (e-service)?
- A. Conduct a preliminary PIA before acquiring the service
- B. Determine if the Office of the Privacy Commissioner must be notified of the launch of this new e-service
- C. Complete a PIA in accordance with Treasury Board guidelines.
- D. Publish a privacy statement in newspapers and on the government website.
正解:C
質問 # 46
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data-not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and work stations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which cryptographic standard would be most appropriate for protecting patient credit card information in the records system?
- A. Symmetric Encryption
- B. Hashing
- C. Obfuscation
- D. Asymmetric Encryption
正解:D
質問 # 47
The Government of Canada's Directive on Privacy Impact Assessments applies to all of the following EXCEPT?
- A. The Cabinet.
- B. The Bank of Canada.
- C. Crown Corporations.
- D. The Ministry of Health
正解:A
解説:
The Government of Canada's Directive on Privacy Impact Assessments is designed to ensure that privacy implications are appropriately considered in the delivery of Government of Canada programs and services.
This directive typically applies to federal departments and agencies. However, it does not apply to The Cabinet, which is essentially part of the executive branch of government involved in decision-making at the highest levels. Cabinet discussions and materials are often confidential and governed by different sets of rules regarding privacy and security. Thus, the correct answer is D, The Cabinet.
質問 # 48
As a result of the European Court of Justice's ruling in the case of Google v. Spain, search engines outside the EEA are also likely to be subject to the Regulation's right to be forgotten. This holds true if the activities of an EU subsidiary and its U.S. parent are what?
- A. Bound by a standard contractual clause.
- B. Inextricably linked in their businesses.
- C. Consistent with Privacy Shield requirements
- D. Supervised by the same Data Protection Officer.
正解:B
質問 # 49
......
CIPP-C認定試験は、カナダのプライバシー法規、プライバシープログラムのガバナンス、データ漏洩管理、プライバシー影響評価など、幅広いトピックをカバーしています。この試験は90問の択一問題から構成され、候補者は2時間半で回答する必要があります。認定は2年間有効であり、プロフェッショナルは認定維持のために継続的な教育と専門開発を証明する必要があります。CIPP-C認定は雇用主に高く評価され、プライバシーとデータ保護の分野でキャリアを進めたいプロフェッショナルにとって必須の資格です。
検証済み材料を使うならまずCIPP-Cテストエンジンを試そう:https://jp.fast2test.com/CIPP-C-premium-file.html