[Q71-Q93] 合格させちゃうCertified Information Privacy Professional CIPP-US試験簡単かつ正確なPDF問題 [2024年05月15日]

Share

合格させちゃうCertified Information Privacy Professional CIPP-US試験簡単かつ正確なPDF問題 [2024年05月15日]

CIPP-US認証試験問題集解答を提供しています

質問 # 71
Which of the following accurately describes the purpose of a particular federal enforcement agency?

  • A. The Federal Trade Commission (FTC) is typically recognized as having the broadest authority under the FTC Act to address unfair or deceptive privacy practices.
  • B. The Federal Communications Commission (FCC) regulates privacy practices on the internet and enforces violations relating to websites' posted privacy disclosures.
  • C. The Cybersecurity and Infrastructure Security Agency (CISA) is authorized to bring civil enforcement actions against organizations whose website or other online service fails to adequately secure personal information.
  • D. The National Institute of Standards and Technology (NIST) has established mandatory privacy standards that can then be enforced against all for-profit organizations by the Department of Justice (DOJ).

正解:A

解説:
The FTC is the primary federal agency responsible for enforcing privacy and data security laws in the United States. The FTC has broad jurisdiction over most commercial entities that collect, use, or share personal information from consumers. The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce, which includes unfair or deceptive privacy practices. The FTC can bring enforcement actions against companies that violate their own privacy policies, fail to provide adequate notice or choice to consumers, engage in unfair or harmful data practices, or breach consumers' reasonable expectations of privacy. The FTC can also issue rules, guidelines, and reports on privacy and data security issues, as well as conduct investigations, workshops, and educational campaigns. References:
* IAPP CIPP/US Body of Knowledge, Section I.A.1.a
* IAPP CIPP/US Textbook, Chapter 1, pp. 9-12
* FTC Privacy and Security Enforcement


質問 # 72
SCENARIO
Please use the following to answer the next QUESTION:
Larry has become increasingly dissatisfied with his telemarketing position at SunriseLynx, and particularly with his supervisor, Evan. Just last week, he overheard Evan mocking the state's Do Not Call list, as well as the people on it. "If they were really serious about not being bothered," Evan said, "They'd be on the national DNC list. That's the only one we're required to follow. At SunriseLynx, we call until they ask us not to." Bizarrely, Evan requires telemarketers to keep records of recipients who ask them to call "another time." This, to Larry, is a clear indication that they don't want to be called at all. Evan doesn't see it that way.
Larry believes that Evan's arrogance also affects the way he treats employees. The U.S. Constitution protects American workers, and Larry believes that the rights of those at SunriseLynx are violated regularly. At first Evan seemed friendly, even connecting with employees on social medi a. However, following Evan's political posts, it became clear to Larry that employees with similar affiliations were the only ones offered promotions.
Further, Larry occasionally has packages containing personal-use items mailed to work. Several times, these have come to him already opened, even though this name was clearly marked. Larry thinks the opening of personal mail is common at SunriseLynx, and that Fourth Amendment rights are being trampled under Evan's leadership.
Larry has also been dismayed to overhear discussions about his coworker, Sadie. Telemarketing calls are regularly recorded for quality assurance, and although Sadie is always professional during business, her personal conversations sometimes contain sexual comments. This too is something Larry has heard Evan laughing about. When he mentioned this to a coworker, his concern was met with a shrug. It was the coworker's belief that employees agreed to be monitored when they signed on. Although personal devices are left alone, phone calls, emails and browsing histories are all subject to surveillance. In fact, Larry knows of one case in which an employee was fired after an undercover investigation by an outside firm turned up evidence of misconduct. Although the employee may have stolen from the company, Evan could have simply contacted the authorities when he first suspected something amiss.
Larry wants to take action, but is uncertain how to proceed.
Which act would authorize Evan's undercover investigation?

  • A. The Whistleblower Protection Act
  • B. The Fair and Accurate Credit Transactions Act (FACTA)
  • C. The National Labor Relations Act (NLRA)
  • D. The Stored Communications Act (SCA)

正解:C


質問 # 73
What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

  • A. Stare decisis decree
  • B. A judgment rider
  • C. A consent decree
  • D. Common law judgment

正解:C


質問 # 74
In which situation would a policy of "no consumer choice" or "no option" be expected?

  • A. When a job applicant's credit report is provided to an employer
  • B. When a customer's street address is shared with a shipping company
  • C. When a patient's health record is made available to a pharmaceutical company
  • D. When a customer's financial information is requested by the government

正解:D

解説:
According to the Family Educational Rights and Privacy Act (FERPA), a policy of "no consumer choice" or
"no option" means that an educational agency or institution may disclose personally identifiable information (PII) from education records without the prior written consent of the parent or eligible student, subject to certain conditions and exceptions1. One of the exceptions is when the disclosure is to comply with a judicial order or lawfully issued subpoena, or to respond to an ex parte order from the Attorney General of the United States or his designee in connection with the investigation or prosecution of terrorism crimes12. In such cases, the educational agency or institution must make a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, unless the order or subpoena specifies not to do so12. Therefore, when a customer's financial information, which may be part of the education records, is requested by the government under a valid legal authority, the customer does not have the option to prevent the disclosure and the educational agency or institution does not need to obtain the customer's consent. References: 1: FERPA, 34 CFR Part 99, Subpart D, 2. 2: The Family Educational Rights and Privacy Act Guidance for Parents, Student Privacy Policy Office, U.S. Department of Education, 1.


質問 # 75
SCENARIO
Please use the following to answer the next QUESTION
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. "Doing your homework?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?" "It's asking Question:s about my opinions."
"Let me see," Matt said, and began reading the list of Question:s that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten." Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Question:s about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Depending on where Matt lives, the marketer could be prosecuted for violating which of the following?

  • A. Consumer Bill of Rights.
  • B. Unfair and Deceptive Acts and Practices laws.
  • C. Investigative Consumer Reporting Agencies Act.
  • D. Red Flag Rules.

正解:B


質問 # 76
Which of the following is NOT a principle found in the APEC Privacy Framework?

  • A. Integrity of Personal Information.
  • B. Privacy by Design.
  • C. Preventing Harm.
  • D. Access and Correction.

正解:B


質問 # 77
Smith Memorial Healthcare (SMH) is a hospital network headquartered in New York and operating in 7 other states. SMH uses an electronic medical record to enter and track information about its patients. Recently, SMH suffered a data breach where a third-party hacker was able to gain access to the SMH internal network.
Because it is a HIPPA-covered entity, SMH made a notification to the Office of Civil Rights at the U.S.
Department of Health and Human Services about the breach.
Which statement accurately describes SMH's notification responsibilities?

  • A. If SMH makes credit monitoring available to individuals who inquire, it will not have to make a separatenotification to individuals in the state of New York.
  • B. If SMH is compliant with HIPAA, it will not have to make a separate notification to individuals in the state of New York.
  • C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.
  • D. If SMH has more than 500 patients in the state of New York, it will need to make separate notifications to these patients.

正解:C

解説:
The correct answer is C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York. Under the Health Insurance Portability and Accountability Act (HIPAA), SMH is required to notify the Office of Civil Rights (OCR) and the affected individuals of a data breach involving unsecured protected health information (PHI) within 60 days of discovery1. However, HIPAA does not preempt state laws that provide greater protection to individuals or impose additional obligations on covered entities2. Therefore, SMH must also comply with the state breach notification laws of the states where it operates, including New York.
According to the New York State Information Security Breach and Notification Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York must disclose any breach of the security of the system to such resident in the most expedient time possible and without unreasonable delay, unless the exposure of the private information was inadvertent and unlikely to result in misuse or financial harm3. Private information includes personal information (such as name, number, or other identifier) plus one or more of the following data elements: social security number; driver's license number or non-driver identification card number; account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; biometric information; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account3.
Therefore, if SMH's data breach involved any of these data elements of New York residents, SMH must notify them of the breach, regardless of whether SMH is compliant with HIPAA, has more than 500 patients in New York, or offers credit monitoring services. SMH must also notify the New York Attorney General, the Department of State, and the Division of State Police within 10 days of notifying the affected individuals3. Additionally, SMH must notify the New York Department of Health if the breach involved electronic health records4.
References: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-on-Managing-and-No
https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf


質問 # 78
Which of the following is an example of federal preemption?

  • A. The U.S. Federal Trade Commission's (FTC) ability to enforce against unfair and deceptive trade practices across sectors and industries.
  • B. The U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act prohibiting states from passing laws that impose greater obligations on senders of email marketing.
  • C. The Payment Card Industry's (PCI) ability to self-regulate and enforce data security standards for payment card data.
  • D. The California Consumer Privacy Act (CCPA) regulating businesses that have no physical brick-and-mortal presence in California, but which do business there.

正解:A


質問 # 79
SCENARIO
Please use the following to answer the next QUESTION:
Matt went into his son's bedroom one evening and found him stretched out on his bed typing on his laptop. "Doing your network?" Matt asked hopefully.
"No," the boy said. "I'm filling out a survey."
Matt looked over his son's shoulder at his computer screen. "What kind of survey?" "It's asking Questions about my opinions."
"Let me see," Matt said, and began reading the list of Questions that his son had already answered. "It's asking your opinions about the government and citizenship. That's a little odd. You're only ten." Matt wondered how the web link to the survey had ended up in his son's email inbox. Thinking the message might have been sent to his son by mistake he opened it and read it. It had come from an entity called the Leadership Project, and the content and the graphics indicated that it was intended for children. As Matt read further he learned that kids who took the survey were automatically registered in a contest to win the first book in a series about famous leaders.
To Matt, this clearly seemed like a marketing ploy to solicit goods and services to children. He asked his son if he had been prompted to give information about himself in order to take the survey. His son told him he had been asked to give his name, address, telephone number, and date of birth, and to answer Questions about his favorite games and toys.
Matt was concerned. He doubted if it was legal for the marketer to collect information from his son in the way that it was. Then he noticed several other commercial emails from marketers advertising products for children in his son's inbox, and he decided it was time to report the incident to the proper authorities.
Based on the incident, the FTC's enforcement actions against the marketer would most likely include what violation?

  • A. Collecting information from a child under the age of thirteen.
  • B. Disregarding the privacy policy of the children's marketing industry.
  • C. Failing to notify of a breach of children's private information.
  • D. Intruding upon the privacy of a family with young children.

正解:B


質問 # 80
Which of the following is most likely to provide privacy protection to private-sector employees in the United States?

  • A. The U.S. Department of Health and Human Services (HHS)
  • B. State law, contract law, and tort law
  • C. Amendments one, four, and five of the U.S. Constitution
  • D. The Federal Trade Commission Act (FTC Act)

正解:B

解説:
Unlike many other countries, the United States does not have a comprehensive federal law that regulates the privacy of private-sector employees. Instead, the privacy protection of employees depends largely on state law, contract law, and tort law. State law may provide specific rights and remedies for employees regarding issues such as drug testing, background checks, electronic monitoring, social media access, and genetic information.
Contract law may create obligations and expectations for employers and employees based on written or implied agreements, such as employment contracts, employee handbooks, or collective bargaining agreements.
Tort law may allow employees to sue their employers for invasion of privacy, such as intrusion upon seclusion, public disclosure of private facts, false light, or appropriation of name or likeness. The other options are less likely to provide privacy protection to private-sector employees in the United States. The FTC Act primarily regulates the privacy practices of businesses that collect and use consumer data, not employee data.
The U.S. Constitution only protects individuals from unreasonable searches and seizures by the government, not by private employers. The HHS only enforces the HIPAA Privacy Rule, which applies to covered entities and business associates that handle protected health information, not to all private-sector employers. References:
* IAPP CIPP/US Study Guide, Chapter 6: Workplace Privacy
* Privacy Rights of Employees Using Workplace Computers in the United States
* Employee Privacy Laws


質問 # 81
Which of the following federal agencies does NOT enforce the Disposal Rule under the Fair and Accurate Credit Transactions Act (FACTA)?

  • A. The Department of Health and Human Services
  • B. The Federal Trade Commission
  • C. The Office of the Comptroller of the Currency
  • D. The Consumer Financial Protection Bureau

正解:A


質問 # 82
If an organization maintains data classified as high sensitivity in the same system as data classified as low sensitivity, which of the following is the most likely outcome?

  • A. The organization will still be in compliance with most sector-specific privacy and security laws.
  • B. The impact of an organizational data breach will be more severe than if the data had been segregated.
  • C. The organization will be able to address legal discovery requests efficiently without producing more information than necessary.
  • D. Temporary employees will be able to find the data necessary to fulfill their responsibilities.

正解:B

解説:
Data classification is the process of categorizing data based on its sensitivity and importance to determine its level of confidentiality and protection. Data classification helps organizations apply appropriate security and compliance measures to ensure each category receives proper protection1. Data classification also helps organizations identify which data is subject to specific privacylaws and regulations, such as the GDPR, HIPAA, or CCPA, and how to handle data subject requests, data breaches, or legal discovery2. If an organization maintains data classified as high sensitivity, such as personal information, financial information, or health information, in the same system as data classified as low sensitivity, such as public information or internal information, it increases the risk of exposing the high sensitivity data in the event of a data breach. A data breach can result in legal consequences, reputational damage, and loss of trust from customers and stakeholders. Therefore, it is advisable to segregate data based on its classification and apply different levels of encryption, access control, and monitoring to each category3. This way, the organization can minimize the impact of a data breach and protect the privacy and security of its data assets. References:
* Why Is Data Classification Important?
* Data Classification for GDPR Explained
* Data classification and privacy considerations


質問 # 83
Which entity within the Department of Health and Human Services (HHS) is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA) "Privacy Rule"?

  • A. Office of Public Health and Safety.
  • B. Office of Social Services.
  • C. Office of Inspector General.
  • D. Office for Civil Rights.

正解:D

解説:
The Office for Civil Rights (OCR) within the HHS is the primary enforcer of the HIPAA Privacy Rule, which establishes national standards for the protection of individually identifiable health information by covered entities and business associates. The OCR investigates complaints, conducts compliance reviews, and provides technical assistance and guidance to ensure compliance with the Privacy Rule. The OCR can also impose civil monetary penalties for violations of the Privacy Rule, ranging from $100 to $50,000 per violation, up to a maximum of $1.5 million per year for the same violation. References: HIPAA Enforcement, IAPP CIPP/US Study Guide, Chapter 3, Section 3.1.1


質問 # 84
The CFO of a pharmaceutical company is duped by a phishing email and discloses many of the company's employee personnel files to an online predator. The files include employee contact information, job applications, performance reviews, discipline records, and job descriptions.
Which of the following state laws would be an affected employee's best recourse against the employer?

  • A. The state social security number confidentiality statute.
  • B. The state personnel record review statute.
  • C. The state UDAP statute.
  • D. The state data destruction statute.

正解:B

解説:
A state personnel record review statute typically governs the access, maintenance, and protection of employee personnel records. It may establish certain rights for employees to access their own personnel records, and it could also include provisions related to data security and breaches of employee information. Given that the disclosed information includes employee contact information, job applications, performance reviews, and other personnel-related data, the affected employee could potentially rely on this statute to seek remedies or protections related to the breach of their personal and confidential information.


質問 # 85
Which federal agency plays a role in privacy policy, but does NOT have regulatory authority?

  • A. The Department of Commerce.
  • B. The Federal Communications Commission.
  • C. The Office of the Comptroller of the Currency.
  • D. The Department of Transportation.

正解:D


質問 # 86
In what way does the "Red Flags Rule" under the Fair and Accurate Credit Transactions Act (FACTA) relate to the owner of a grocery store who uses a money wire service?

  • A. It requires the owner to implement an identity theft warning system
  • B. It is not usually enforced in the case of a small financial institution
  • C. It mandates the use of updated technology for securing credit records
  • D. It does not apply because the owner is not a creditor

正解:D

解説:
The Red Flags Rule is a regulation that requires financial institutions and creditors to implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account1. A creditor is any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit2. A covered account is an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account2. A money wire service is a service that allows customers to send or receive money electronically3. The owner of a grocery store who uses a money wire service is not a creditor because he or she does not regularly extend, renew, or continue credit to customers. Therefore, the Red Flags Rule does not apply to the owner of a grocery store who uses a money wire service. References:
* 1: FTC, Red Flags Rule, https://www.ftc.gov/business-guidance/privacy-security/red-flags-rule
* 2: FTC, Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business,
https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-
* 3: Alessa, Wire Transfer Red Flags: Understanding Money Laundering and Fraud Risks,
https://alessa.com/webinars/wire-transfer-red-flags-and-fraud-risks/


質問 # 87
What consumer service was the Fair Credit Reporting Act (FCRA) originally intended to provide?

  • A. The ability to investigate incidents of identity theft.
  • B. The ability to appeal negative credit-based decisions.
  • C. The ability to receive reports from multiple credit reporting agencies.
  • D. The ability to correct inaccurate credit information.

正解:D

解説:
, "..Specifically, FCRA mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes".


質問 # 88
SCENARIO
Please use the following to answer the next question :
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients. A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B. As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online. The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees. Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
What is the most effective kind of training CloudHealth could have given its employees to help prevent this type of data breach?

  • A. Training on CloudHealth's HR policy regarding the role of employees involved data breaches
  • B. Training on techniques for identifying phishing attempts
  • C. Training on the difference between confidential and non-public information
  • D. Training on the terms of the contractual agreement with HealthCo

正解:B


質問 # 89
The Family Educational Rights and Privacy Act (FERPA) requires schools to do all of the following EXCEPT?

  • A. Verify the identity of students who make requests for access to their records.
  • B. Respond to all reasonable student requests regarding explanation of their records.
  • C. Provide students with access to their records within a specified amount of time.
  • D. Obtain student authorization before releasing directory information in their records.

正解:C


質問 # 90
What is the main purpose of the CAN-SPAM Act?

  • A. To ensure that organizations respect individual rights when using electronic advertising
  • B. To empower the FTC to create rules for messages containing sexually explicit content
  • C. To diminish the use of electronic messages to send sexually explicit materials
  • D. To authorize the states to enforce federal privacy laws for electronic marketing

正解:A

解説:
Explanation/Reference: https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business


質問 # 91
SCENARIO
Please use the following to answer the next QUESTION
Felicia has spent much of her adult life overseas, and has just recently returned to the U.S. to help her friend Celeste open a jewelry store in California. Felicia, despite being excited at the prospect, has a number of security concerns, and has only grudgingly accepted the need tohire other employees. In order to guard against the loss of valuable merchandise, Felicia wants to carefully screen applicants. With their permission, Felicia would like to run credit checks, administer polygraph tests, and scrutinize videos of interviews. She intends to read applicants' postings on social media, ask questions about drug addiction, and solicit character references. Felicia believes that if potential employees are serious about becoming part of a dynamic new business, they will readily agree to these requirements.
Felicia is also in favor of strict employee oversight. In addition to protecting the inventory, she wants to prevent mistakes during transactions, which will require video monitoring. She also wants to regularly check the company vehicle's GPS for locations visited by employees. She also believes that employees who use their own devices for work-related purposes should agree to a certain amount of supervision.
Given her high standards, Felicia is skeptical about the proposed location of the store. She has been told that many types of background checks are not allowed under California law. Her friend Celeste thinks these worries are unfounded, as long as applicants verbally agree to the checks and are offered access to the results.
Nor does Celeste share Felicia's concern about state breach notification laws, which, she claims, would be costly to implement even on a minor scale. Celeste believes that even if the business grows a customer database of a few thousand, it's unlikely that a state agency would hassle an honest business if an accidental security incident were to occur.
In any case, Celeste feels that all they need is common sense - like remembering to tear up sensitive documents before throwing them in the recycling bin. Felicia hopes that she's right, and that all of her concerns will be put to rest next month when their new business consultant (who is also a privacy professional) arrives from North Carolina.
Regarding credit checks of potential employees, Celeste has a misconception regarding what?

  • A. Records retention policies
  • B. Employment-at-will rules.
  • C. Consent requirements.
  • D. Disclosure requirements.

正解:C

解説:
Celeste has a misconception regarding the consent requirements for conducting credit checks of potential employees in California. She thinks that verbal consent from the applicants is sufficient, and that they only need to be offeredaccess to the results. However, under the California Consumer Credit Reporting Agencies Act (CCRAA), employers who want to obtain a consumer credit report for employment purposes must comply with the following consent and disclosure requirements12:
* Before requesting a consumer credit report, the employer must provide the applicant with a clear and conspicuous written disclosure that informs them of the following:
* The specific purpose for obtaining the report.
* The source of the report.
* The applicant's right to obtain a free copy of the report from the source within 60 days.
* The applicant's right to dispute the accuracy or completeness of any information in the report.
* The employer must also obtain the applicant's written authorization to obtain the report.
* If the employer intends to take an adverse action based on the report, such as denying employment, the employer must provide the applicant with a copy of the report and a summary of their rights under the CCRAA before taking the action.
* After taking the adverse action, the employer must provide the applicant with a notice that includes the following:
* The name, address, and telephone number of the source of the report.
* A statement that the source of the report did not make the decision and cannot explain why the decision was made.
* A statement that the applicant has the right to obtain another free copy of the report from the source within 60 days.
* A statement that the applicant has the right to dispute the accuracy or completeness of any information in the report.
Therefore, Celeste is wrong to assume that verbal consent and optional access to the results are enough to comply with the CCRAA. She should follow the written consent and disclosure requirements to avoid violating the law and potentially facing civil penalties or lawsuits. References:
* California Consumer Credit Reporting Agencies Act
* Employment Credit Checks: What You Need to Know | Nolo


質問 # 92
Which of the following best describes the ASIA-Pacific Economic Cooperation (APEC) principles?

  • A. A code of responsibilities for medical establishments to uphold privacy laws.
  • B. An international court ruling on personal information held in the commercial sector.
  • C. A baseline of marketers' minimum responsibilities for providing opt-out mechanisms.
  • D. A bill of rights for individuals seeking access to their personal information.

正解:B

解説:
The APEC principles are part of the APEC Privacy Framework, which is an inter-governmental agreement among the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) to promote information privacy protection and the free flow of information in the region. The APEC Privacy Framework consists of four parts: a preamble, a scope, a set of nine information privacy principles, and an implementation section.
The APEC information privacy principles are:
* Preventing harm: Personal information controllers should take reasonable steps to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, and to address the risks and challenges posed by specific technologies and business practices.
* Notice: Personal information controllers should provide clear and easily accessible statements about their personal information handling practices, including the types of personal information they collect, the purposes for which they collect it, the types of third parties to which they disclose it, the choices and means they offer individuals for limiting the use and disclosure of their personal information, and how they can contact the personal information controller with inquiries or complaints.
* Collection limitation: Personal information controllers should limit the collection of personal information to what is relevant for the purposes of collection and should collect personal information by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.
* Use limitation: Personal information controllers should use personal information only for the purposes for which it was collected or for purposes that a reasonable person would consider appropriate in the circumstances, and should retain personal information only as long as necessary to fulfill the stated purposes or as required by law or regulation.
* Choice: Personal information controllers should offer individuals choices and means to limit the use and disclosure of their personal information, where appropriate, and should respect the choices made by individuals.
* Integrity of personal information: Personal information controllers should take reasonable steps to ensure that personal information is accurate, complete, and up-to-date for the purposes for which it is used.
* Security safeguards: Personal information controllers should protect personal information with reasonable security safeguards against risks such as loss, unauthorized access, destruction, misuse, modification, and disclosure.
* Access and correction: Personal information controllers should give individuals the ability to access and, where appropriate, correct their personal information that is under their control, subject to reasonable limitations, such as where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the legitimate rights of persons other than the individual would be violated.
* Accountability: Personal information controllers should be accountable for complying with the privacy principles and should have in place mechanisms to ensure their implementation and compliance.
The APEC Privacy Framework is not a binding legal instrument, but rather a voluntary and flexible arrangement that allows each member economy to implement the principles according to its own domestic laws and regulations, applicable international frameworks, and cultural and social values. The APEC Privacy Framework also provides for cross-border cooperation and information sharing among member economies, as well as the development of mechanisms to facilitate the cross-border transfer of personal information,such as the APEC Cross-Border Privacy Rules (CBPR) System and the APEC Privacy Recognition for Processors (PRP) System. These mechanisms are based on a common set of rules and standards derived from the APEC Privacy Framework, and are intended to enhance the protection of personal information that flows across borders and to increase the interoperability among different privacy regimes in the region and beyond. References:
* APEC Privacy Framework (2015)
* APEC Cross-Border Privacy Rules (CBPR) System
* APEC Privacy Recognition for Processors (PRP) System
* APEC Privacy Framework: A New Model for Transborder Data Flows


質問 # 93
......

検証済みで更新されたCIPP-US問題集と解答で100%一発合格保証の問題集:https://drive.google.com/open?id=1LCyTnKPzqdpRvcc4IcqG0vnA8DojI-16

更新されたCIPP-US試験練習テスト問題:https://jp.fast2test.com/CIPP-US-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어