CIPM Exam Dumps - Certified Information Privacy Manager (CIPM)

Go to page:

<< First
Prev
1
2
3
4
5
6
7
8
9
Next
Last >>

Question # 25

For an organization that has just experienced a data breach, what might be the least relevant metric for a company's privacy and governance team?

The number of security patches applied to company devices.

The number of privacy rights requests that have been exercised.

The number of Privacy Impact Assessments that have been completed.

The number of employees who have completed data awareness training.

Full Access

Question # 26

A "right to erasure" request could be rejected if the processing of personal data is for?

An outdated original purpose.

Compliance with legal obligation.

The offer of information society services.

The establishment of personal legal claims.

Full Access

Question # 27

SCENARIO

Please use the following to answer the next QUESTION.

Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the companyâ€™s flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments.

After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.

The packaging and user guide for the Handy Helper indicate that it is a â€œprivacy friendlyâ€ product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.

Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Questions as he was not involved in the product development process.

In speaking with the product team, he learned that the Handy Helper collected and stored all of a userâ€™s sensitive medical information for the medical appointment scheduler. In fact, all of the userâ€™s information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.

Consistent with the CEOâ€™s philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called â€œEureka.â€ Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.

What security controls are missing from the Eureka program?

Storage of medical data in the cloud is not permissible under the General Data Protection Regulation (GDPR)

Data access is not limited to those who â€œneed to knowâ€ for their role

Collection of data without a defined purpose might violate the fairness principle

Encryption of the data at rest prevents European users from having the right of access and the right of portability of their data

Full Access

Question # 28

When conducting due diligence during an acquisition, what should a privacy professional avoid?

Discussing with the acquired company the type and scope of their data processing.

Allowing legal in both companies to handle the privacy laws and compliance.

Planning for impacts on the data processing operations post-acquisition.

Benchmarking the two Companies privacy policies against one another.

Full Access

Question # 29

SCENARIO

Please use the following to answer the next QUESTION:

Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to operate all aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options, but you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice, people who purchased items from the store have had their credit card information used fraudulently subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Societyâ€™s store had been hacked. The thefts could have been employee-related.

Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, points out, it took only a phone call from you to clarify expectations and the â€œmisunderstandingâ€ has not occurred again.

As an information-technology program manager with the Society, the role of the privacy professional is only one of many you play. In all matters, however, you must consider the financial bottom line. While these problems with privacy protection have been significant, the additional revenues of sales of items such as shirts and coffee cups from the store have been significant. The Societyâ€™s operating budget is slim, and all sources of revenue are essential.

Now a new challenge has arisen. Jason called to say that starting in two weeks, the customer data from the store would now be stored on a data cloud. â€œThe good news,â€ he says, â€œis that we have found a low-cost provider in Finland, where the data would also be held. So, while there may be a small charge to pass through to you, it wonâ€™t be exorbitant, especially considering the advantages of a cloud.â€

Lately, you have been hearing about cloud computing and you know itâ€™s fast becoming the new paradigm for various applications. However, you have heard mixed reviews about the potential impacts on privacy protection. You begin to research and discover that a number of the leading cloud service providers have signed a letter of intent to work together on shared conventions and technologies for privacy protection. You make a note to find out if Jasonâ€™s Finnish provider is signing on.

What is the best way to prevent the Finnish vendor from transferring data to another party?

Restrict the vendor to using company security controls

Offer company resources to assist with the processing

Include transfer prohibitions in the vendor contract

Lock the data down in its current location

Full Access

Question # 30

SCENARIO

Please use the following to answer the next QUESTION:

Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States. Video from the office's video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.

In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly's direction, the office became a model of efficiency and customer service. Kelly monitored his workers' activities using the same cameras that had recorded the illegal conduct of their former co-workers.

Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.

Much to Kelly's surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company's license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company's training programs on privacy protection and data collection mention nothing about surveillance video.

You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.

Knowing that the regulator is now investigating, what would be the best step to take?

Consult an attorney experienced in privacy law and litigation.

Use your background and knowledge to set a course of action.

If you know the organization is guilty, advise it to accept the punishment.

Negotiate the terms of a settlement before formal legal action takes place.

Full Access

Question # 31

An organization's privacy officer was just notified by the benefits manager that she accidentally sent out the retirement enrollment report of all employees to a wrong vendor.

Which of the following actions should the privacy officer take first?

Perform a risk of harm analysis.

Report the incident to law enforcement.

Contact the recipient to delete the email.

Send firm-wide email notification to employees.

Full Access

Answer:

Explanation:

The first action that the privacy officer should take after being notified by the benefits manager that she accidentally sent out the retirement enrollment report of all employees to a wrong vendor is to perform a risk of harm analysis.Â A risk of harm analysis is a process of assessing the potential adverse consequences for the individuals whose personal data has been compromised by a data breach or incident5Â The purpose of this analysis is to determine whether the breach or incident poses a significant risk of harm to the affected individuals, such as identity theft, fraud, discrimination, physical harm, emotional distress, or reputational damage6Â The risk of harm analysis should consider various factors, such as the type and amount of data involved, the sensitivity and context of the data, the likelihood and severity of harm, the characteristics of the recipients or unauthorized parties who accessed the data, and the mitigating measures taken or available to reduce the harm7Â Based on this analysis, the privacy officer can then decide whether to notify the affected individuals, the relevant authorities, or other stakeholders about the breach or incident.Â Notification is usually required by law or best practice when there is a high risk of harm to the individuals as a result of the breach or incident8Â Notification can also help to mitigate the harm by allowing the individuals to take protective actions or seek remedies.Â Therefore, performing a risk of harm analysis is a crucial first step for responding to a data breach or incident.Â References:Â 5:Â Can a risk of harm itself be a harm? | Analysis | Oxford Academic;Â 6:Â No Harm Done? Assessing Risk of Harm under the Federal Breach Notification Rule;Â 7:Â CCOHS: Hazard and Risk - Risk Assessment;Â 8: Breach Notification Requirements in Canada | PrivacySense.net

Question # 32

Which of the following privacy frameworks are legally binding?

Binding Corporate Rules (BCRs).

Generally Accepted Privacy Principles (GAPP).

Asia-Pacific Economic Cooperation (APEC) Privacy Framework.

Organization for Economic Co-Operation and Development (OECD) Guidelines.

Full Access