CIPP US PRACTICE SOLUTION 2026 SOLVED ITEMS CONFIRMED A+, Exams of Judicial Systems


Typology: Exams

2025/2026

Available from 01/03/2026

WuodKowino
CIPP US PRACTICE SOLUTION 2026 SOLVED ITEMS CONFIRMED A+

◉ Preemption. Answer: The right of a federal law or a regulation to preclude enforcement of a state or local law or regulation.
◉ Privacy Notice. Answer: An external communication from an organization to consumers, customers or users to describe an organization's privacy practices.
◉ When should choice and consent solicitations be made? Answer: at the point of collection or as soon as practical afterwards.
◉ OECD - Purpose Specification. Answer: The purposes for which personal data are collected should be specified not later than at the time of collection and the subsequent use limited to the fulfilment of those purposes as specified on each occasion of change of purpose.
◉ Information Life Cycle Phases. Answer:
  1. Collect/Derive
  2. Use/Process
  3. Disclose/Transfer
  4. Store/Retain/Archive/Delete

◉ Privacy Policy. Answer: Internal, detailed statement for users of personal information that defines handling practices.
◉ What is privacy? Answer: Appropriate use of Personal Information under the circumstances. An individual's right to control the collection, use and disclosure of personal information.
◉ Data Controller. Answer: someone who determines why and how personal data is processed.
◉ Data Processor. Answer: An individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller.
◉ Example of Processing Personal Data. Answer: Anything you do with PI: use, retrieval, consultation, erasure, destruction, recording, dissemination, organization, linking, storage, updating, collection.

Office of the Comptroller of the Currency Gramm-Leach-Bliley Act
◉ Education Privacy. Answer: Dept of Education for the Family Educational Rights and Privacy Act.
◉ Telemarketing/Marketing Privacy. Answer: Federal Communications Commission and FTC; Telephone Consumer Protection Act.
◉ Workplace Privacy. Answer: Equal Employment Opportunity; ADA.
◉ FTC Section 5. Answer: Unfair and Deceptive Acts or Practices in or affecting commerce are unlawful.
◉ GeoCities, Inc. Answer: 1st FTC Internet Privacy Action. Offered websites to users, promised information would not be sold without consent. Two FTC actions for Unfair and Deceptive Practices:
  • misrepresented how info would be used by reselling to 3rd parties
  • collected and maintained children's PI without parental consent
  Consent Order requiring privacy notice and required to obtain parental consent.
◉ Eli Lilly. Answer: 2004 - Pharma Manufacturer's website privacy notice made promises about security and privacy of the information provided by users. An email was sent to all users, revealing all of their identities. First time FTC required a company to develop and maintain an information privacy and security program.
◉ Microsoft. Answer: 2002 - Passport single sign-on service. FTC alleged that the representations of high-level online security were misleading because the security of the PI was within the control of a 3rd party and that they shared more PI than disclosed and had inadequate controls for children's info. First time FTC required a company to undergo biannual third-party audits.

Facts: BJ's failed to encrypt personal and financial information and to secure wireless networks to prevent unauthorized access and security lapses.
◉ Google, Inc. Answer: 2011. Google Buzz auto-enrolled Gmail users without consent and exposed PI. FTC alleged that auto-enrollment without prior notice and explicit consent was a deceptive trade practice. First consent decree requiring a "comprehensive privacy program" and first U.S.-EU Safe Harbor enforcement by the FTC.
◉ Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. Answer: The White House Report, 2012.
◉ Consumer Privacy Bill of Rights. Answer:
  1. Individual control. Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
  2. Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices.
  3. Respect for context. Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  4. Security. Consumers have a right to secure and responsible handling of personal data.
  5. Access and accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
  6. Focused collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  7. Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
◉ FTC primary method of enforcement 1990. Answer: Notice and Choice Approach. Required privacy notices to be placed on websites.
◉ FTC primary method of enforcement 2000. Answer: Harm-based model addressing substantial injury under the unfairness authority.

◉ EPHI. Answer: electronic protected health information.
◉ HIPAA applies to. Answer: Healthcare providers that conduct certain electronic transactions; health plans (insurers); Healthcare clearinghouses (3rd parties).
◉ CALEA (Communications Assistance for Law Enforcement Act) is also known as. Answer: Digital Telephony Act.
◉ GPEN. Answer: Global Privacy Enforcement Network. Aims to promote cross-border information sharing as well as investigation and enforcement cooperation.
◉ GINA (Genetic Information Nondiscrimination Act). Answer: became law on May 21, 2008; its basic purpose is to protect people from discrimination by health insurers and employers based on genetic information. Amended: ERISA, SSA, Civil Rights Act.

No private right to action
◉ HITECH impact on healthcare. Answer:
  • Provided incentive payments to hospitals and healthcare providers to adopt health IT.
  • "Meaningful Use" - criteria required to be met that demonstrated meaningful use of electronic health records (EHR). EHR technology must be used to achieve certain objectives.
◉ HITECH name. Answer: Health Information Technology for Economic and Clinical Health Act.
◉ HITECH Act of 2009. Answer: Strengthened HIPAA to address privacy impact on electronic health records. Breach: must notify individuals within 60 days if more than 500 people, notify HHS immediately if 500 or more in same jurisdiction, notify media. Avoid liability for using encryption software.
◉ 21st Century Cures Act 2016. Answer: Expedite research, quicken drug approval, reform mental health.

◉ Texas Privacy Laws (Texas HIPAA). Answer: Under the Texas law, covered entities (health care providers, health insurers, and health clearinghouses) must provide customized employee training regarding the maintenance and protection of electronic protected health information (PHI). Covered entities are required to tailor the employee training to reflect the nature of the covered entity's operations and each employee's scope of employment as they relate to the maintenance and protection of PHI. New employees must complete the training within 60 days of hire and all employees must complete training at least once every two years. Covered entities must maintain training attendance records for all employees. The Texas law requires covered entities to provide patients with electronic copies of their EHR within fifteen days of the patient's written request for the records. This provision of the Texas law reduces the timeframe a covered entity has to produce EHR following a patient's request from thirty days under HIPAA. The law charges the Texas Health and Human Services Commission with establishing a standard format for releasing patient EHR that is consistent with federal laws. HB 300 also requires the Texas Attorney General (AG) to establish and maintain a website that states and explains patients' privacy rights under Texas and federal law. The website will list the state agencies that regulate covered entities, and provide the agencies' contact information and each agency's complaint enforcement process. Under the new law, the AG must issue an annual report regarding the number and types of complaints pertaining to patient privacy issues.
◉ In which service model of cloud computing are applications hosted by the cloud provider in the cloud and typically accessed by users through a web browser? Answer: Software as a Service (SaaS).
◉ A website's privacy notice clearly states that it will not encrypt sensitive personal information, and the website operator does not, in fact, encrypt the data. Answer: Example of Unfair Trade Practice because the website operator is not being deceptive but the potential harm caused by not encrypting the sensitive data clearly outweighs the cost of providing encryption, a commonplace and inexpensive security control.
◉ An organization promises to honor opt out requests within 10 days but fails to honor opt out requests within stated timeframe. Answer: Example of deceptive trade practice. When companies state they will safeguard personal information but fail to do so. A violation of a promise made in a privacy notice is an example of deceptive trade practice.
◉ Deceptive trade practice under FTC Section 5. Answer: When companies state they will safeguard personal information but fail to

  1. Integrity and security
  2. Enforcement and redress
◉ Four Models of Privacy Protection. Answer: Comprehensive Model; Co-regulatory Model; Sectoral Model; Self-regulatory Model.
◉ Comprehensive Model. Answer: Used in the EU, this method of data protection governs the collection, use and dissemination of personal information in the public and private sectors, generally with an official or agency responsible for overseeing enforcement.
◉ Co-regulatory Model. Answer: Used in Canada, Australia and New Zealand, this model emphasizes industry development of enforceable codes or standards for privacy and data protection, against the backdrop of legal requirements by the government.
◉ Sectoral Model. Answer: This framework protects personal information by enacting laws that address a particular industry sector. In these countries, enforcement is achieved through various mechanisms, including regulatory bodies such as the FTC. Used by the US and Japan.

◉ Self-regulatory Model. Answer: Industry associations establish rules or regulations that are adhered to by industry participants. Examples include the Payment Card Industry (PCI DSS) and the privacy seal programs administered by the Online Privacy Alliance.
◉ EU Data Protection Directive. Answer: The EU Directive was adopted in 1995 and became effective in 1998 and protects individuals' privacy and personal data use. The Directive recognizes the European view that privacy is a fundamental human right, and establishes a general comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data.
◉ The EU Protection Directive states that personal data should not be processed unless 3 categories of conditions are met. Answer: Transparency; legitimate purpose; proportionality.
◉ Adequate Level of Protection. Answer: A label that the EU may apply to third-party countries who have committed to protect data through domestic law making or international commitments. Conferring of the label requires a proposal by the European Commission, an Article 29 Working Group Opinion, an opinion of the Article 31 Management Committee, a right of scrutiny by the European Parliament and adoption by the European Commission.

◉ APEC (Asia-Pacific Economic Cooperation). Answer: Adopted a self-regulatory code of conduct designed to create more consistent
◉ 8 OECD Principles. Answer:
  1. Collection Limitation
  2. Data Quality
  3. Purpose Specification
  4. Use Limitation
  5. Security Safeguards
  6. Openness
  7. Individual Participation
  8. Accountability
◉ In which countries is a person's tax return considered public record? Answer: Norway, Finland and Sweden. These countries also include a person's salary as public record.
◉ Which countries take a co-regulatory approach to privacy protection? Answer: Canada, Australia and New Zealand.
◉ Correct formula for assessing risk. Answer: Risk = Threat X Vulnerability X Loss

◉ FCRA (Fair Credit Reporting Act). Answer: Mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes.
◉ FCRA regulates. Answer: any consumer reporting agency that furnishes a consumer report.
◉ A consumer report is. Answer: any communication by a CRA related to an individual that pertains to a person's: creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, mode of living; and that is used in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment or other business purpose.
◉ Users of consumer reports must meet which requirements? Answer: Third party data for decision making must be accurate, current and complete.