
CIPP/US Practice Exam Overview and Instructions

CIPP/US Practice Exam - correct answer Designed to support preparation

for the CIPP/US certification exam.

IAPP - correct answer International Association of Privacy Professionals, the

organization that provides the CIPP/US certification.

Body of Knowledge - correct answer The set of topics and knowledge areas

relevant to the CIPP/US certification.

Practice Exam Purpose - correct answer Helps identify relative strengths

and weaknesses in the major domains of the CIPP/US body of knowledge.

Certification Exam Simulation - correct answer The practice exam

simulates the types and breadth of questions encountered on the CIPP/US certification exam.

Performance Guarantee - correct answer A strong performance on the

practice exam does not guarantee similar success on the certification exam.

Review for Accuracy - correct answer All items on the practice exam were

reviewed for accuracy at the time of publication.

Independent Development - correct answer The practice exam was

developed independently of the CIPP/US certification exam.

Reproduction Restrictions - correct answer The CIPP/US practice exam and

rationales may not be reproduced in any manner other than for use by the original purchaser.

Answer Sheet Instructions - correct answer Print out the answer sheet to

indicate your selection for each question.

Timer Setting - correct answer Set a timer for 150 minutes (2.5 hours) to

simulate the certification exam.

Answer Key Usage - correct answer Print out the answer key to check your

answers against the exam questions.

Correct Response Marking - correct answer Place a '1' or a checkmark in

the corresponding domain column of the answer key for each correct response.

Domain Scoring - correct answer Total the number of correct answers

under each domain column.

Score Calculation - correct answer Calculate scores as a percent by

dividing correct answers by total questions in that domain and multiplying

by 100.

Rationales Consultation - correct answer Consult the rationales for

detailed explanations of each answer.

Exam Format - correct answer All questions are multiple-choice with only

one correct response.

Sub-domain Indication - correct answer The letter in the box next to the

unshaded box indicates the sub-domain of the body of knowledge related to the question.

Version - correct answer The practice exam is based on the IAPP's CIPP/US

body of knowledge version 2.6.

Publication Year - correct answer The copyright year for the publication is

Contact for Questions - correct answer Contact information is provided for

questions or comments.

Registered Trademarks - correct answer AIGP®, CIPP®, CIPP/A®, CIPP/C®,

CIPP/E®, CIPP/G®, CIPP/US®, CIPM®, and CIPT® are registered trademarks of the IAPP.

Fair and Accurate Credit Transactions Act of 2003 (FACTA) - correct answer

Strengthens the Fair Credit Reporting Act (FCRA) by introducing provisions that deal directly with identity theft.

Data flow mapping - correct answer A useful tool for organizations to

comply with their regulatory responsibilities.

Important step in data flow mapping - correct answer Identify custodians

who are responsible for the data.

Medical Quizzes app - correct answer A free app that allows users to take a

two-minute quiz to receive a medical diagnosis.

Health Insurance Portability and Accountability Act (HIPAA) - correct answer Does not protect

the medical information provided to Medical Quizzes because the app is not provided by a covered entity.

U.S. website collecting IP addresses - correct answer Is collecting personal

data under U.S. law depending on whether the website can link the IP address to other identifying information about the visitor.

Biometric information - correct answer A more popular and secure form of

personal information to verify and/or authenticate identity.

Illinois Biometric Information Privacy Act (BIPA) - correct answer Provides

liquidated damages of $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation (or actual damages, whichever is greater).

Layered privacy notice - correct answer A short privacy notice with key

points at the top.

Linking IP addresses to identifying information - correct answer A factor in

determining if IP addresses are considered personal data.

Voice-over-internet-protocol - correct answer A technology that allows for

voice communication over the internet.

Privacy Officer - correct answer An individual responsible for ensuring an

organization's compliance with privacy laws and regulations.

State privacy law - correct answer Legislation enacted by a state to protect

the privacy of its residents.

Data accountability - correct answer The responsibility of an organization

to manage and protect data in accordance with applicable laws and regulations.

Data classification - correct answer The process of organizing data into

categories based on specific criteria.

Sensitivity - correct answer The degree to which data must be protected

due to its confidential nature.

Transferability - correct answer The ability to move data from one system

or location to another.

Risk vulnerability - correct answer The potential for loss or harm related to

data due to exposure to threats.

Clinical class - correct answer A practical course in a nursing program

where students gain hands-on experience in a healthcare setting.

Internship - correct answer A temporary position that provides practical

experience in a professional environment.

Adjunct professor - correct answer A part-time instructor at a college or

university who is not a full-time faculty member.

Attendance - correct answer The act of being present at a class or event.

Grading - correct answer The process of evaluating a student's

performance and assigning a score or letter.

Clinical internships - correct answer Practical training experiences for

nursing students at healthcare facilities.

Upstate Medical Hospital - correct answer The healthcare facility where

John Doe is assigned for his clinical class.

Basic procedures - correct answer Fundamental medical tasks performed

by nursing students under supervision.

Appeal - correct answer A formal request to review and change a decision

made by an authority.

Disciplinary policy - correct answer The rules and procedures established

by an institution to address misconduct.

Hearing - correct answer A formal proceeding where evidence and

arguments are presented regarding a dispute.

Request for records - correct answer A formal inquiry to obtain documents

or information held by an organization.

Emails, texts, and written correspondence - correct answer Forms of

communication that may be requested as part of a records inquiry.

45 days - correct answer The maximum time allowed for the School to

provide requested records to John.

FERPA - correct answer Family Educational Rights and Privacy Act, which

protects the privacy of student education records.

CCPA - correct answer California Consumer Privacy Act, which gives

consumers rights regarding their personal information.

Schrems II - correct answer A decision by the Court of Justice of the

European Union in July 2020 that invalidated the EU-U.S. Privacy Shield.

Protective Order - correct answer A court order to prevent the disclosure of

personal information during legal proceedings.

Hospital Badge Confiscation - correct answer An action taken by the

Hospital to investigate an incident involving John.

Written Communications - correct answer All written messages regarding

a student's grade that the nurse made.

School's Email System - correct answer The email system used by the

School to communicate, which must provide copies of emails sent.

Health and Safety Exception - correct answer Allows the School to provide

information about a student to the Hospital without consent if it relates to health and safety.

Educational Records Access - correct answer The right of a student to

access their educational records within 45 days of a request.

Federal Trade Commission (FTC) consent decree - correct answer A decree

in which the respondent does not admit fault but will change its practices and avoid further litigation.

Video Privacy Protection Act (VPPA) - correct answer A law that prohibits

the disclosure of personal information about video rental customers.

Exception to VPPA prohibition - correct answer Circumstances under which

customer personal information may be shared with third parties.

Order fulfillment - correct answer The process of completing a customer's

order.

Debt collection - correct answer The process of pursuing payments of

debts owed by individuals or businesses.

Opt-out process - correct answer A mechanism allowing users to decline

participation in certain practices or data sharing.

Regulatory complaints - correct answer Formal grievances filed with

regulatory agencies regarding potential violations of laws or regulations.

Unfair and deceptive practices - correct answer Business practices that

mislead consumers or create an unfair advantage.

Privacy policy - correct answer A statement that explains how an

organization collects, uses, and protects personal information.

Cross-sharing of information - correct answer The practice of sharing

personal data across different products or services.

Explicit consent - correct answer Clear and specific agreement given by an

individual regarding the use of their personal information.

Judge-approved settlement - correct answer An agreement reached

between parties that is sanctioned by a judge.

Privacy program office - correct answer A designated department within

an organization focused on managing privacy-related issues.

Tech Gurus - correct answer A fictional technology company involved in

the scenario.

Connect Me - correct answer An add-on product developed by Tech Gurus

for social networking.

Regulatory investigation - correct answer An inquiry conducted by a

regulatory body to assess compliance with laws and regulations.

Misrepresenting privacy - correct answer Providing false or misleading

information regarding the handling of personal data.

Privacy or confidentiality of individuals' information - correct answer The

protection of personal data from unauthorized access or disclosure.

Misrepresenting compliance - correct answer Falsely claiming adherence to

privacy, security, or compliance standards.

Federal Trade Commission (FTC) - correct answer A regulatory authority

that may enforce actions against companies like Tech Gurus.

U.S. Department of Commerce (DOC) - correct answer A regulatory

authority that may have jurisdiction over commerce-related issues.

Federal Communications Commission (FCC) - correct answer A regulatory

authority that oversees communications and may enforce regulations.

Consumer Financial Protection Bureau (CFPB) - correct answer A regulatory

authority that protects consumers in the financial sector.

Consent decree - correct answer A type of settlement agreement reached

between Tech Guru and the regulatory agency.

Private right of action - correct answer A legal term referring to the right of

an individual to sue for a legal remedy.

Settlement agreement - correct answer An agreement reached to resolve a

dispute without admission of guilt.

Strict liability tort settlement - correct answer A legal term referring to a

settlement where liability is established without fault.

Judicial Branch - correct answer The branch of government that interprets

laws and administers justice.

Military Branch - correct answer The branch of government responsible for

national defense and military operations.

Executive Branch - correct answer The branch of government responsible

for enforcing laws and administering the government.

Legislative Branch - correct answer The branch of government responsible

for making laws.

Legal Authority - correct answer The power granted to a

regulatory agency to enforce laws.

Specific Authority - correct answer Authority granted to a regulatory

agency for specific regulatory functions.

General Authority - correct answer Broad authority granted to a regulatory

agency to regulate within its jurisdiction.

Vendor agreements in California - correct answer If a consumer clicks on

the 'Do Not Sell' button, the store can continue to share publicly visible account profile picture.

AI-driven automated tool in hiring - correct answer A tool used by a hotel

chain to help sort best suited applicants to open jobs based on received résumés.

Sherry's qualifications - correct answer Included her name, phone number,

past work experience at hospitality internships, education history at a top university and relevant extracurriculars.

Interview selection bias - correct answer Despite her qualifications, only

men were selected for interviews for the associate position.

Human resources manager - correct answer Rhonda, who reviews

recommendations for approved applicants.

Consumer's in-store purchase history - correct answer An example of

personal information that can be shared despite a 'Do Not Sell' request.

Environmental safeguards under GLBA - correct answer Providing

environmental safeguards, business continuity plans and disaster recovery.

Securing computer systems under GLBA - correct answer Securing the

computer systems, networks and applications together with access controls.

Anticipated threats to information security - correct answer Protecting

against anticipated threats or hazards to the security or integrity of the information.

Disclosure of personal information under 42 CFR Part 2 - correct answer Requires

consent to disclose personal information for the purpose of treatment.

Subpoena for disclosing personal information - correct answer 42 CFR Part

2 requires only a subpoena for disclosing personal information to a court.

Unique customer identifier - correct answer An example of personal

information that can be shared despite a 'Do Not Sell' request.

Private email address - correct answer An example of personal information

that cannot be shared if a consumer clicks on 'Do Not Sell'.

Publicly visible account profile picture - correct answer An example of

personal information that can be shared despite a 'Do Not Sell' request.

Civil lawsuits - correct answer Legal actions individuals can pursue under

a private right of action.

Health plan or healthcare provider - correct answer A covered entity that

transmits protected health information data.

State regulatory agency - correct answer Any state regulatory agency or

body that enforces a specific breach notification law.

Resident affected by a breach - correct answer A resident of that state

affected by a personal information breach who suffers harm.

Discrepancy in résumé - correct answer A difference between Sherry's

skill level and the position she was applying for.

Recruitment selection tool - correct answer A tool that may sort

applications and assess candidates for job positions.

HIPAA compliance - correct answer A requirement ensuring that health

information is protected and handled according to regulations.

Résumé sorting tool assessment - correct answer The evaluation of the

résumé sorting tool for potential bias in its application.

Employee code violation discussion - correct answer A meeting summoned

to address breaches of the organization's employee conduct policies.

Invalid basis for discussion - correct answer A situation that does not

constitute a legitimate reason for addressing a code violation.

Layoff best practices - correct answer Recommended actions to take when

terminating employees to ensure compliance and security.

FACTA requirements - correct answer Regulations that require disclosure

before using a credit score for loans.

Opting out under GLBA - correct answer A method for consumers to

prevent sharing of their personal information with third parties.

Records retention under FACTA - correct answer Guidelines governing how

long sensitive information derived from consumer reports must be kept.

Biometric data removal - correct answer The process of deleting former

employees' biometric information from access systems during layoffs.

Email account deletion - correct answer The action of removing access to

former employees' email accounts as part of the layoff process.

Personal item disposal - correct answer The act of discarding personal and

business-related items left by former employees.

Personnel file retention policy - correct answer The rules governing how

long personnel files of former employees must be kept.

Co-regulatory model - correct answer A model emphasizing industry

development of enforceable codes or standards for privacy and data protection alongside government legal requirements.

TrustArc - correct answer An example of a co-regulatory model for privacy

and data protection.

Children's Online Privacy Protection Act (COPPA) - correct answer A law

that regulates the online collection of personal information from children.

Payment Card Industry Data Security Standard (PCI DSS) - correct answer An

industry standard that requires companies handling payment card data to protect cardholder data.

Employee privacy risk reduction policy - correct answer A policy that might

restrict employees from using personal devices for company business to reduce privacy risks.

Keystroke monitoring - correct answer Monitoring of all employees to

block non-business use of office computers.

Discovery requests - correct answer Requests for information during

litigation, which may include non-business-related material.

Unauthorized accounts - correct answer Accounts opened by a bank's

employees on behalf of customers without their consent, which can lead to enforcement action.

Data breach - correct answer An incident where a consumer reporting

agency suffers a breach due to lax information security practices.

Money service business registration - correct answer The requirement for

individuals buying and selling cryptocurrency on behalf of consumers to register as a money service business.

Parental consent - correct answer The requirement for online platforms to

obtain verified parental consent before collecting children's personal information.

GLBA Safeguards Rule - correct answer A regulation that requires financial

institutions to implement security measures to protect consumer information.

Physical security - correct answer Measures taken to protect physical

assets and facilities from unauthorized access or damage.

Theoretical security - correct answer A concept of security that is based on

theoretical frameworks rather than practical implementation.

Operational security - correct answer Processes and practices that protect

sensitive information from being accessed by unauthorized individuals.

Reasonable security - correct answer Security measures that are

appropriate and effective for the level of risk faced by an organization.

Data security - correct answer Protective measures that safeguard digital

information from unauthorized access, corruption, or theft.

Administrative security - correct answer Policies and procedures that

govern the management and protection of sensitive information.

Technical security - correct answer Technological measures used to

protect information systems and data from cyber threats.

Security surveillance - correct answer Monitoring activities in a specific

area to ensure safety and security.

Wiretap Act - correct answer A federal law that prohibits the interception of

wire and oral communications without consent.

Electronic Communications Privacy Act (ECPA) - correct answer A law that

extends government restrictions on wiretaps to include electronic communications.

KardiaBros Inc. (KBI) - correct answer A private company that

manufactures implantable medical devices for cardiac patients.

Initial Public Offering (IPO) - correct answer The process through which a

private company offers shares to the public for the first time.

Myocardial infarction - correct answer A medical term for a heart attack,

which occurs when blood flow to the heart is blocked.

Workforce expansion - correct answer The process of increasing the

number of employees in an organization.

Data protection checklist - correct answer A list of items and measures that

need to be addressed to ensure data protection compliance.

Chief Privacy Officer - correct answer An executive responsible for

overseeing data protection and privacy policies within an organization.

Lawyers LLC - correct answer The outside counsel advising KBI on legal

matters, including data protection.

Sam Myoma - correct answer A second-year MBA student interning at KBI,

tasked with handling the data protection checklist.

Data governance structure - correct answer The framework that defines

how data is managed, protected, and utilized within an organization.

Job requisition follow-up questions - correct answer Questions Sam should

ask the director of human resources regarding the marketing executive role.

Independence between roles - correct answer No, Sam cannot accept

these positions because there is not sufficient independence between the two roles.

Country-based position requirement - correct answer No, Sam cannot

accept these positions because each position must be based in its respective country.

Algorithm for newsfeed curation - correct answer A social media platform

uses an algorithm to curate users' newsfeeds based on factors like who they follow, their past interactions, and trending topics.

Medical records transmission app - correct answer Grandview Hospital

hired Apps for All to create and maintain a mobile app for transmitting medical records to patients.

Contract for medical records - correct answer The contract establishes the

accepted practice for the collection, use, retention, and disclosure of patients' medical records.

Healthcare ransomware attacks - correct answer Healthcare entities were

one of the highest targeted organizations for ransomware attacks in the last few years.

Ransomware threat response - correct answer Disconnect all infected

devices from the network.

Federal Trade Commission enforcement - correct answer The Federal Trade

Commission currently shares authority with another federal bureau for civil enforcement of alleged violations of Section 5 of the FTC Act.

ECPA and email access - correct answer The ECPA requires a warrant to

access the contents of an email if it has been stored on a provider's server for more than 180 days, but a subpoena can be used for emails stored for less than 180 days.

Cybersecurity Information Sharing Act provisions - correct answer Identifying

devices, data and systems used to conduct the core company activities.

Consumer Financial Protection Bureau authority - correct answer The

ability to conduct investigations and issue subpoenas, hold hearings and commence civil actions against offenders.

EU to U.S. data transfer mechanisms - correct answer File Transfer Protocol.

Department of Labor oversight - correct answer FLSA, OSHA and ERISA.

HIPAA individual rights - correct answer Right to Request Confidential

Communications.

Information Management Program building stage - correct answer Procedure

development and verification.

Data Elements - correct answer Specific pieces of information that make up

an individual's personal data.

IP Address - correct answer A unique address that identifies a device on

the internet.

Notification Timing - correct answer The consideration of when to inform

affected individuals about a data breach.

Preliminary Information - correct answer Initial data provided by a vendor

regarding a data breach incident.

Connecticut - correct answer The U.S. state where the online gaming

company is located.

Massachusetts - correct answer The U.S. state where the vendor assisting

with payment processing is located.

Referral Bonus - correct answer An incentive offered to customers for

bringing in new customers.

Customer Service - correct answer Support provided to customers before,

during, and after purchasing products or services.

18 Month Notification Requirement - correct answer Notify affected

individuals within the following 18 months provided you notify the appropriate state attorneys general within 30 days of the breach determination.

Post-Investigation Notification - correct answer Notify affected individuals

as soon as you have finished the investigation and determined the vendor does not have any more data at risk from this incident.

Best Notification Method A - correct answer Send each affected individual a

'We're Very Sorry!' post card in the mail indicating that they have been affected by a breach and give them a code for 15% off the next game purchase they make.

Best Notification Method B - correct answer Have your customer service

department personally call each affected individual letting them know what happened, apologizing for the incident and reinforcing that they are a valued customer.

Best Notification Method C - correct answer Send each affected individual

a letter describing the incident, what personal information was involved, a customer service number and an offer to pay for credit monitoring if their credit card was involved.

Best Notification Method D - correct answer Describe the incident,

including the data elements involved, on the 'News and Notifications' page of your website and offer an 800 number for individuals to call to find out if they were affected by the breach.

Concerned Entity for Data Breach - correct answer State attorney general.