CIPP/US Practice Exam Overview and Instructions
CIPP/US Practice Exam - correct answer Designed to support preparation
for the CIPP/US certification exam.
IAPP - correct answer International Association of Privacy Professionals, the
organization that provides the CIPP/US certification.
Body of Knowledge - correct answer The set of topics and knowledge areas
relevant to the CIPP/US certification.
Practice Exam Purpose - correct answer Helps identify relative strengths
and weaknesses in the major domains of the CIPP/US body of knowledge.
Certification Exam Simulation - correct answer The practice exam
simulates the types and breadth of questions encountered on the CIPP/US certification exam.
Performance Guarantee - correct answer A strong performance on the
practice exam does not guarantee similar success on the certification exam.
Review for Accuracy - correct answer All items on the practice exam were
reviewed for accuracy at the time of publication.
Independent Development - correct answer The practice exam was
developed independently of the CIPP/US certification exam.
Reproduction Restrictions - correct answer The CIPP/US practice exam and
rationales may not be reproduced in any manner other than for use by the original purchaser.
Answer Sheet Instructions - correct answer Print out the answer sheet to
indicate your selection for each question.
Timer Setting - correct answer Set a timer for 150 minutes (2.5 hours) to
simulate the certification exam.
Answer Key Usage - correct answer Print out the answer key to check your
answers against the exam questions.
Correct Response Marking - correct answer Place a '1' or a checkmark in
the corresponding domain column of the answer key for each correct response.
Domain Scoring - correct answer Total the number of correct answers
under each domain column.
Score Calculation - correct answer Calculate scores as a percent by
dividing correct answers by total questions in that domain and multiplying
by 100.
Rationales Consultation - correct answer Consult the rationales for
detailed explanations of each answer.
Exam Format - correct answer All questions are multiple-choice with only
one correct response.
Sub-domain Indication - correct answer The letter in the box next to the
unshaded box indicates the sub-domain of the body of knowledge related to the question.
Version - correct answer The practice exam is based on the IAPP's CIPP/US
body of knowledge version 2.6.
Publication Year - correct answer The copyright year for the publication is
Contact for Questions - correct answer Contact information is provided for
questions or comments.
Registered Trademarks - correct answer AIGP®, CIPP®, CIPP/A®, CIPP/C®,
CIPP/E®, CIPP/G®, CIPP/US®, CIPM®, and CIPT® are registered trademarks of the IAPP.
Fair and Accurate Credit Transactions Act of 2003 (FACTA) - correct answer
Strengthens the Fair Credit Reporting Act (FCRA) by introducing provisions that deal directly with identity theft.
Data flow mapping - correct answer A useful tool for organizations to
comply with their regulatory responsibilities.
Important step in data flow mapping - correct answer Identify custodians
who are responsible for the data.
Medical Quizzes app - correct answer A free app that allows users to take a
two-minute quiz to receive a medical diagnosis.
Health Insurance Portability and Accountability Act (HIPAA) - correct
answer Does not protect the medical information provided to Medical
Quizzes because the app is not provided by a covered entity.
U.S. website collecting IP addresses - correct answer Is collecting personal
data under U.S. law depending on whether the website can link the IP address to other identifying information about the visitor.
Biometric information - correct answer A more popular and secure form of
personal information to verify and/or authenticate identity.
Illinois Biometric Information Privacy Act (BIPA) - correct answer Imposes a
$1,000 penalty for each negligent violation, or a $5,000 penalty for each willful or reckless violation.
Layered privacy notice - correct answer A short privacy notice with key
points at the top.
Linking IP addresses to identifying information - correct answer A factor in
determining if IP addresses are considered personal data.
Voice-over-internet-protocol - correct answer A technology that allows for
voice communication over the internet.
Privacy Officer - correct answer An individual responsible for ensuring an
organization's compliance with privacy laws and regulations.
State privacy law - correct answer Legislation enacted by a state to protect
the privacy of its residents.
Data accountability - correct answer The responsibility of an organization
to manage and protect data in accordance with applicable laws and regulations.
Data classification - correct answer The process of organizing data into
categories based on specific criteria.
Sensitivity - correct answer The degree to which data must be protected
due to its confidential nature.
Transferability - correct answer The ability to move data from one system
or location to another.
Risk vulnerability - correct answer The potential for loss or harm related to
data due to exposure to threats.
Clinical class - correct answer A practical course in a nursing program
where students gain hands-on experience in a healthcare setting.
Internship - correct answer A temporary position that provides practical
experience in a professional environment.
Adjunct professor - correct answer A part-time instructor at a college or
university who is not a full-time faculty member.
Attendance - correct answer The act of being present at a class or event.
Grading - correct answer The process of evaluating a student's
performance and assigning a score or letter.
Clinical internships - correct answer Practical training experiences for
nursing students at healthcare facilities.
Upstate Medical Hospital - correct answer The healthcare facility where
John Doe is assigned for his clinical class.
Basic procedures - correct answer Fundamental medical tasks performed
by nursing students under supervision.
Appeal - correct answer A formal request to review and change a decision
made by an authority.
Disciplinary policy - correct answer The rules and procedures established
by an institution to address misconduct.
Hearing - correct answer A formal proceeding where evidence and
arguments are presented regarding a dispute.
Request for records - correct answer A formal inquiry to obtain documents
or information held by an organization.
Emails, texts, and written correspondence - correct answer Forms of
communication that may be requested as part of a records inquiry.
45 days - correct answer The maximum time allowed for the School to
provide requested records to John.
FERPA - correct answer Family Education Rights and Privacy Act, which
protects the privacy of student education records.
CCPA - correct answer California Consumer Privacy Act, which gives
consumers rights regarding their personal information.
Schrems II - correct answer A decision by the Court of Justice of the
European Union in July 2020 that invalidated the EU-U.S. Privacy Shield.
Protective Order - correct answer A court order to prevent the disclosure of
personal information during legal proceedings.
Hospital Badge Confiscation - correct answer An action taken by the
Hospital to investigate an incident involving John.
Written Communications - correct answer All written messages regarding
a student's grade that the nurse made.
School's Email System - correct answer The email system used by the
School to communicate, which must provide copies of emails sent.
Health and Safety Exception - correct answer Allows the School to provide
information about a student to the Hospital without consent if it relates to health and safety.
Educational Records Access - correct answer The right of a student to
access their educational records within 45 days of a request.
Federal Trade Commission (FTC) consent decree - correct answer A decree
in which the respondent does not admit fault but will change its practices and avoid further litigation.
Video Privacy Protection Act (VPPA) - correct answer A law that prohibits
the disclosure of personal information about video rental customers.
Exception to VPPA prohibition - correct answer Circumstances under which
customer personal information may be shared with third parties.
Order fulfillment - correct answer The process of completing a customer's
order.
Debt collection - correct answer The process of pursuing payments of
debts owed by individuals or businesses.
Opt-out process - correct answer A mechanism allowing users to decline
participation in certain practices or data sharing.
Regulatory complaints - correct answer Formal grievances filed with
regulatory agencies regarding potential violations of laws or regulations.
Unfair and deceptive practices - correct answer Business practices that
mislead consumers or create an unfair advantage.
Privacy policy - correct answer A statement that explains how an
organization collects, uses, and protects personal information.
Cross-sharing of information - correct answer The practice of sharing
personal data across different products or services.
Explicit consent - correct answer Clear and specific agreement given by an
individual regarding the use of their personal information.
Judge-approved settlement - correct answer An agreement reached
between parties that is sanctioned by a judge.
Privacy program office - correct answer A designated department within
an organization focused on managing privacy-related issues.
Tech Gurus - correct answer A fictional technology company involved in
the scenario.
Connect Me - correct answer An add-on product developed by Tech Gurus
for social networking.
Regulatory investigation - correct answer An inquiry conducted by a
regulatory body to assess compliance with laws and regulations.
Misrepresenting privacy - correct answer Providing false or misleading
information regarding the handling of personal data.
Privacy or confidentiality of individuals' information - correct answer The
protection of personal data from unauthorized access or disclosure.
Misrepresenting compliance - correct answer Falsely claiming adherence to
privacy, security, or compliance standards.
Federal Trade Commission (FTC) - correct answer A regulatory authority
that may enforce actions against companies like Tech Gurus.
U.S. Department of Commerce (DOC) - correct answer A regulatory
authority that may have jurisdiction over commerce-related issues.
Federal Communications Commission (FCC) - correct answer A regulatory
authority that oversees communications and may enforce regulations.
Consumer Financial Protection Bureau (CFPB) - correct answer A regulatory
authority that protects consumers in the financial sector.
Consent decree - correct answer A type of settlement agreement reached
between Tech Gurus and the regulatory agency.
Private right of action - correct answer A legal term referring to the right of
an individual to sue for a legal remedy.
Settlement agreement - correct answer An agreement reached to resolve a
dispute without admission of guilt.
Strict liability tort settlement - correct answer A legal term referring to a
settlement where liability is established without fault.
Judicial Branch - correct answer The branch of government that interprets
laws and administers justice.
Military Branch - correct answer The branch of government responsible for
national defense and military operations.
Executive Branch - correct answer The branch of government responsible
for enforcing laws and administering the government.
Legislative Branch - correct answer The branch of government responsible
for making laws.
Legal Authority - correct answer The power granted to a
regulatory agency to enforce laws.
Specific Authority - correct answer Authority granted to a regulatory
agency for specific regulatory functions.
General Authority - correct answer Broad authority granted to a regulatory
agency to regulate within its jurisdiction.
Vendor agreements in California - correct answer If a consumer clicks on
the 'Do Not Sell' button, the store can continue to share publicly visible account profile picture.
AI-driven automated tool in hiring - correct answer A tool used by a hotel
chain to help sort best suited applicants to open jobs based on received résumés.
Sherry's qualifications - correct answer Included her name, phone number,
past work experience at hospitality internships, education history at a top university and relevant extracurriculars.
Interview selection bias - correct answer Despite her qualifications, only
men were selected for interviews for the associate position.
Human resources manager - correct answer Rhonda, who reviews
recommendations for approved applicants.
Consumer's in-store purchase history - correct answer An example of
personal information that can be shared despite a 'Do Not Sell' request.
Environmental safeguards under GLBA - correct answer Providing
environmental safeguards, business continuity plans and disaster recovery.
Securing computer systems under GLBA - correct answer Securing the
computer systems, networks and applications together with access controls.
Anticipated threats to information security - correct answer Protecting
against anticipated threats or hazards to the security or integrity of the information.
Disclosure of personal information under 42 CFR Part 2 - correct answer
Requires consent to disclose personal information for the purpose of treatment.
Subpoena for disclosing personal information - correct answer 42 CFR Part
2 requires only a subpoena for disclosing personal information to a court.
Unique customer identifier - correct answer An example of personal
information that can be shared despite a 'Do Not Sell' request.
Private email address - correct answer An example of personal information
that cannot be shared if a consumer clicks on 'Do Not Sell'.
Publicly visible account profile picture - correct answer An example of
personal information that can be shared despite a 'Do Not Sell' request.
Civil lawsuits - correct answer Legal actions individuals can pursue under
a private right of action.
Health plan or healthcare provider - correct answer A covered entity that
transmits protected health information data.
State regulatory agency - correct answer Any state regulatory agency or
body that enforces a specific breach notification law.
Resident affected by a breach - correct answer A resident of that state
affected by a personal information breach who suffers harm.
Discrepancy in résumé - correct answer A difference between Sherry's
skill level and the position she was applying for.
Recruitment selection tool - correct answer A tool that may sort
applications and assess candidates for job positions.
HIPAA compliance - correct answer A requirement ensuring that health
information is protected and handled according to regulations.
Résumé sorting tool assessment - correct answer The evaluation of the
résumé sorting tool for potential bias in its application.
Employee code violation discussion - correct answer A meeting summoned
to address breaches of the organization's employee conduct policies.
Invalid basis for discussion - correct answer A situation that does not
constitute a legitimate reason for addressing a code violation.
Layoff best practices - correct answer Recommended actions to take when
terminating employees to ensure compliance and security.
FACTA requirements - correct answer Regulations that require disclosure
before using a credit score for loans.
Opting out under GLBA - correct answer A method for consumers to
prevent sharing of their personal information with third parties.
Records retention under FACTA - correct answer Guidelines governing how
long sensitive information derived from consumer reports must be kept.
Biometric data removal - correct answer The process of deleting former
employees' biometric information from access systems during layoffs.
Email account deletion - correct answer The action of removing access to
former employees' email accounts as part of the layoff process.
Personal item disposal - correct answer The act of discarding personal and
business-related items left by former employees.
Personnel file retention policy - correct answer The rules governing how
long personnel files of former employees must be kept.
Co-regulatory model - correct answer A model emphasizing industry
development of enforceable codes or standards for privacy and data protection alongside government legal requirements.
Trust Arc - correct answer An example of a co-regulatory model for privacy
and data protection.
Children's Online Privacy Protection Act (COPPA) - correct answer A law
that regulates the online collection of personal information from children.
Payment Card Industry Data Security Standards (PCI-DSS) - correct
answer Standards that ensure companies protect cardholder data.
Employee privacy risk reduction policy - correct answer A policy that might
restrict employees from using personal devices for company business to reduce privacy risks.
Keystroke monitoring - correct answer Monitoring of all employees to
block non-business use of office computers.
Discovery requests - correct answer Requests for information during
litigation, which may include non-business-related material.
Unauthorized accounts - correct answer Accounts opened by a bank's
employees on behalf of customers without their consent, which can lead to enforcement action.
Data breach - correct answer An incident where a consumer reporting
agency suffers a breach due to lax information security practices.
Money service business registration - correct answer The requirement for
individuals buying and selling cryptocurrency on behalf of consumers to register as a money service business.
Parental consent - correct answer The requirement for online platforms to
obtain verified parental consent before collecting children's personal information.
GLBA Safeguards Rule - correct answer A regulation that requires financial
institutions to implement security measures to protect consumer information.
Physical security - correct answer Measures taken to protect physical
assets and facilities from unauthorized access or damage.
Theoretical security - correct answer A concept of security that is based on
theoretical frameworks rather than practical implementation.
Operational security - correct answer Processes and practices that protect
sensitive information from being accessed by unauthorized individuals.
Reasonable security - correct answer Security measures that are
appropriate and effective for the level of risk faced by an organization.
Data security - correct answer Protective measures that safeguard digital
information from unauthorized access, corruption, or theft.
Administrative security - correct answer Policies and procedures that
govern the management and protection of sensitive information.
Technical security - correct answer Technological measures used to
protect information systems and data from cyber threats.
Security surveillance - correct answer Monitoring activities in a specific
area to ensure safety and security.
Wiretap Act - correct answer A federal law that prohibits the interception of
wire and oral communications without consent.
Electronic Communication Privacy Act (ECPA) - correct answer A law that
extends government restrictions on wiretaps to include electronic communications.
KardiaBros Inc. (KBI) - correct answer A private company that
manufactures implantable medical devices for cardiac patients.
Initial Public Offering (IPO) - correct answer The process through which a
private company offers shares to the public for the first time.
Myocardial infarction - correct answer A medical term for a heart attack,
which occurs when blood flow to the heart is blocked.
Workforce expansion - correct answer The process of increasing the
number of employees in an organization.
Data protection checklist - correct answer A list of items and measures that
need to be addressed to ensure data protection compliance.
Chief Privacy Officer - correct answer An executive responsible for
overseeing data protection and privacy policies within an organization.
Lawyers LLC - correct answer The outside counsel advising KBI on legal
matters, including data protection.
Sam Myoma - correct answer A second-year MBA student interning at KBI,
tasked with handling the data protection checklist.
Data governance structure - correct answer The framework that defines
how data is managed, protected, and utilized within an organization.
Job requisition follow-up questions - correct answer Questions Sam should
ask the director of human resources regarding the marketing executive role.
Independence between roles - correct answer No, Sam cannot accept
these positions because there is not sufficient independence between the two roles.
Country-based position requirement - correct answer No, Sam cannot
accept these positions because each position must be based in its respective country.
Algorithm for newsfeed curation - correct answer A social media platform
uses an algorithm to curate users' newsfeeds based on factors like who they follow, their past interactions, and trending topics.
Medical records transmission app - correct answer Grandview Hospital
hired Apps for All to create and maintain a mobile app for transmitting medical records to patients.
Contract for medical records - correct answer The contract establishes the
accepted practice for the collection, use, retention, and disclosure of patients' medical records.
Healthcare ransomware attacks - correct answer Healthcare entities were
one of the highest targeted organizations for ransomware attacks in the last few years.
Ransomware threat response - correct answer Disconnect all infected
devices from the network.
Federal Trade Commission enforcement - correct answer The Federal Trade
Commission currently shares authority with another federal bureau for civil enforcement of alleged violations of Section 5 of the FTC Act.
ECPA and email access - correct answer The ECPA requires a warrant to
access the contents of an email if it has been stored on a provider's server for more than 180 days, but a subpoena can be used for emails stored for less than 180 days.
Cybersecurity Information Sharing Act provisions - correct answer
Identifying devices, data and systems used to conduct the core company activities.
Consumer Financial Protection Bureau authority - correct answer The
ability to conduct investigations and issue subpoenas, hold hearings and commence civil actions against offenders.
EU to U.S. data transfer mechanisms - correct answer File Transfer
Protocol.
Department of Labor oversight - correct answer FLSA,
OSHA and ERISA.
HIPAA individual rights - correct answer Right to Request Confidential
Communications.
Information Management Program building stage - correct answer
Procedure development and verification.
Data Elements - correct answer Specific pieces of information that make up
an individual's personal data.
IP Address - correct answer A unique address that identifies a device on
the internet.
Notification Timing - correct answer The consideration of when to inform
affected individuals about a data breach.
Preliminary Information - correct answer Initial data provided by a vendor
regarding a data breach incident.
Connecticut - correct answer The U.S. state where the online gaming
company is located.
Massachusetts - correct answer The U.S. state where the vendor assisting
with payment processing is located.
Referral Bonus - correct answer An incentive offered to customers for
bringing in new customers.
Customer Service - correct answer Support provided to customers before,
during, and after purchasing products or services.
18 Month Notification Requirement - correct answer Notify affected
individuals within the following 18 months provided you notify the appropriate state attorneys general within 30 days of the breach determination.
Post-Investigation Notification - correct answer Notify affected individuals
as soon as you have finished the investigation and determined the vendor does not have any more data at risk from this incident.
Best Notification Method A - correct answer Send each affected individual a
'We're Very Sorry!' post card in the mail indicating that they have been affected by a breach and give them a code for 15% off the next game purchase they make.
Best Notification Method B - correct answer Have your customer service
department personally call each affected individual letting them know what happened, apologizing for the incident and reinforcing that they are a valued customer.
Best Notification Method C - correct answer Send each affected individual
a letter describing the incident, what personal information was involved, a customer service number and an offer to pay for credit monitoring if their credit card was involved.
Best Notification Method D - correct answer Describe the incident,
including the data elements involved, on the 'News and Notifications' page of your website and offer an 800 number for individuals to call to find out if they were affected by the breach.
Concerned Entity for Data Breach - correct answer State attorney general.