CIPP US PRACTICE SOLUTION 2026 SOLVED ITEMS CONFIRMED A+
Typology: Exams
◉ Preemption. Answer: The right of a federal law or regulation to preclude enforcement of a state or local law or regulation.
◉ Privacy Notice. Answer: An external communication from an organization to consumers, customers or users that describes the organization's privacy practices.
◉ When should choice and consent solicitations be made? Answer: At the point of collection or as soon as practical afterwards.
◉ OECD - Purpose Specification. Answer: The purposes for which personal data are collected should be specified not later than at the time of collection, and the subsequent use limited to the fulfilment of those purposes as specified on each occasion of change of purpose.
◉ Information Life Cycle Phases. Answer: 1. Collect/Derive
◉ Privacy Policy. Answer: Internal, detailed statement for users of personal information that defines handling practices.
◉ What is privacy? Answer: Appropriate use of personal information under the circumstances. An individual's right to control the collection, use and disclosure of personal information.
◉ Data Controller. Answer: Someone who determines why and how personal data is processed.
◉ Data Processor. Answer: An individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller.
◉ Example of Processing Personal Data. Answer: Anything you do with PI: use, retrieval, consultation, erasure, destruction, recording, dissemination, organization, linking, storage, updating, collection.
Office of the Comptroller of the Currency; Gramm-Leach-Bliley Act
◉ Education Privacy. Answer: Dept. of Education for the Family Educational Rights and Privacy Act.
◉ Telemarketing/Marketing Privacy. Answer: Federal Communications Commission and FTC; Telephone Consumer Protection Act.
◉ Workplace Privacy. Answer: Equal Employment Opportunity; ADA.
◉ FTC Section 5. Answer: Unfair and deceptive acts or practices in or affecting commerce are unlawful.
◉ GeoCities, Inc. Answer: 1st FTC Internet privacy action. Offered websites to users and promised information would not be sold without consent. Two FTC actions for unfair and deceptive practices.
Facts: BJ's failed to encrypt personal and financial information and to secure wireless networks to prevent unauthorized access and security lapses.
◉ Google, Inc. Answer: 2011. Google Buzz auto-enrolled Gmail users without consent and exposed PI. FTC alleged that auto-enrollment without prior notice and explicit consent was a deceptive trade practice. First consent decree requiring a "comprehensive privacy program" and first U.S.-EU Safe Harbor enforcement by the FTC.
◉ Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. Answer: The White House Report, 2012.
◉ Consumer Privacy Bill of Rights. Answer:
1) Individual control. Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
2) Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices.
3) Respect for context. Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
4) Security. Consumers have a right to secure and responsible handling of personal data.
5) Access and accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
6) Focused collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain.
7) Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
◉ FTC primary method of enforcement 1990. Answer: Notice and Choice approach. Required privacy notices to be placed on websites.
◉ FTC primary method of enforcement 2000. Answer: Harm-based model addressing substantial injury under the unfairness authority.
◉ EPHI. Answer: Electronic protected health information.
◉ HIPAA applies to. Answer: Healthcare providers that conduct certain electronic transactions; health plans (insurers); healthcare clearinghouses (3rd parties).
◉ CALEA (Communications Assistance for Law Enforcement Act) is also known as. Answer: Digital Telephony Act.
◉ GPEN. Answer: Global Privacy Enforcement Network. Aims to promote cross-border information sharing as well as investigation and enforcement cooperation.
◉ GINA (Genetic Information Nondiscrimination Act). Answer: Became law on May 21, 2008; its basic purpose is to protect people from discrimination by health insurers and employers based on genetic information. Amended: ERISA, SSA, Civil Rights Act.
No private right of action.
◉ HITECH impact on healthcare. Answer: Provided incentive payments to hospitals and healthcare providers to adopt health IT.
◉ Texas Privacy Laws (Texas HIPAA). Answer: Under the Texas law, covered entities (health care providers, health insurers, and health clearinghouses) must provide customized employee training regarding the maintenance and protection of electronic protected health information (PHI). Covered entities are required to tailor the employee training to reflect the nature of the covered entity's operations and each employee's scope of employment as they relate to the maintenance and protection of PHI. New employees must complete the training within 60 days of hire, and all employees must complete training at least once every two years. Covered entities must maintain training attendance records for all employees. The Texas law requires covered entities to provide patients with electronic copies of their EHR within fifteen days of the patient's written request for the records. This provision of the Texas law reduces the timeframe a covered entity has to produce EHR following a patient's request from thirty days under HIPAA. The law charges the Texas Health and Human Services Commission with establishing a standard format for releasing patient EHR that is consistent with federal laws. HB 300 also requires the Texas Attorney General (AG) to establish and maintain a website that states and explains patients' privacy rights under Texas and federal law. The website will list the state agencies that regulate covered entities, and provide the agencies' contact information and each agency's complaint enforcement process. Under the new law, the AG must issue an annual report regarding the number and types of complaints pertaining to patient privacy issues.
◉ In which service model of cloud computing are applications hosted by the cloud provider in the cloud and typically accessed by users through a web browser? Answer: Software as a Service (SaaS).
◉ A website's privacy notice clearly states that it will not encrypt sensitive personal information, and the website operator does not, in fact, encrypt the data. Answer: Example of an unfair trade practice, because the website operator is not being deceptive, but the potential harm caused by not encrypting the sensitive data clearly outweighs the cost of providing encryption, a commonplace and inexpensive security control.
◉ An organization promises to honor opt-out requests within 10 days but fails to honor opt-out requests within the stated timeframe. Answer: Example of a deceptive trade practice. When companies state they will safeguard personal information but fail to do so. A violation of a promise made in a privacy notice is an example of a deceptive trade practice.
◉ Deceptive trade practice under FTC Section 5. Answer: When companies state they will safeguard personal information but fail to
◉ Self-regulatory Model. Answer: Industry associations establish rules or regulations that are adhered to by industry participants. Examples include the Payment Card Industry (PCI DSS) and the privacy seal programs administered by the Online Privacy Alliance.
◉ EU Data Protection Directive. Answer: The EU Directive was adopted in 1995, became effective in 1998, and protects individuals' privacy and personal data use. The Directive recognizes the European view that privacy is a fundamental human right, and establishes a general, comprehensive legal framework that is aimed at protecting individuals and promoting individual choice regarding the processing of personal data.
◉ The EU Data Protection Directive states that personal data should not be processed unless 3 categories of conditions are met. Answer: Transparency; legitimate purpose; proportionality.
◉ Adequate Level of Protection. Answer: A label that the EU may apply to third-party countries that have committed to protect data through domestic lawmaking or international commitments. Conferring the label requires a proposal by the European Commission, an Article 29 Working Group opinion, an opinion of the Article 31 Management Committee, a right of scrutiny by the European Parliament, and adoption by the European Commission.
◉ APEC (Asia-Pacific Economic Cooperation). Answer: Adopted a self-regulatory code of conduct designed to create more consistent
◉ 8 OECD Principles. Answer: 1. Collection Limitation
◉ FCRA (Fair Credit Reporting Act). Answer: Mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes.
◉ FCRA regulates. Answer: Any consumer reporting agency that furnishes a consumer report.
◉ A consumer report is. Answer: Any communication by a CRA related to an individual that pertains to a person's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living, and that is used in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment or other business purpose.
◉ Users of consumer reports must meet which requirements? Answer: Third-party data used for decision making must be accurate, current and complete.