Certified Information Privacy Manager (C.I.P.M.) Exam Prep Test

Explanation
Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

Explanation
Active scanning tools are used to identify security and privacy risks to personal information. These tools can scan the network, storage, and other resources to detect any vulnerabilities or potential breaches. They can also monitor for compliance with internal policies and procedures, ensuring that data is handled according to the defined guidelines. Additionally, active scanning tools can block e-mail or file transfers if they contain data that falls under certain categories or definitions, providing an extra layer of protection against unauthorized data transfer.

Explanation
The given correct answer for this question is the American Institute of Certified Public Accountants. This organization is a U.S. professional organization that represents certified public accountants. They are also the co-creator of the WebTrust seal program, which is a program that provides assurance to users of websites that their personal information is secure and that the website is trustworthy. The American Institute of Certified Public Accountants plays a significant role in promoting and maintaining high professional standards in the accounting industry.

Explanation
Among many techniques, there are three primary ways that data is anonymized. Suppression is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability. Generalization takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24). Noise addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set.

Note that all of these processes will not guarantee that data is no longer identifiable and have to be performed in such a way that does not harm the usability of the data.

Associated law(s):Anonymous Data, De-Identification, Mircodata Sets, Re-identification

Explanation
Generalization is the process of taking specific identifying values and making them broader. This involves changing a specific age, such as 18, to an age range like 18-24. By generalizing, we can categorize and group similar values together, allowing for easier analysis and comparison.

Explanation
Suppression is the most basic version of anonymization as it involves removing identifying values from data to reduce its identifiability. This means that certain information, such as names or specific identifiers, is eliminated from the dataset to protect the privacy of individuals. By suppressing these identifying values, the data becomes less identifiable and helps to ensure that individuals cannot be directly linked to the information.

Explanation
The given correct answer is APEC Privacy Principles. This is because the passage states that the set of non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) aims to promote electronic commerce in the Asia-Pacific region while balancing information privacy with business needs. Therefore, the APEC Privacy Principles align with this objective and are the most appropriate answer.

Explanation
The first of four phases of the privacy operational life cycle; provides the steps, checklists and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.

Associated term(s): Privacy Operational Life Cycle; Protect; Sustain; Respond

Explanation
The given answer, "Audit Life Cycle," is the missing term that completes the statement. The explanation is that the high-level, five-phase audit approach mentioned in the question is commonly referred to as the "Audit Life Cycle." This cycle includes the steps of Audit Planning, Audit Preparation, Conducting the Audit, Reporting, and Follow-up. The Audit Life Cycle provides a structured framework for conducting audits and ensures that all necessary steps are followed to effectively assess and report on the audited entity's compliance and performance.

Explanation
Advertising that is targeted at individuals based on the observation of their behavior over time. Most often done via automated processing of personal data, or profiling, the General Data Protection Regulation requires that data subjects be able to opt-out of any automated processing, to be informed of the logic involved in any automatic personal data processing and, at least when based on profiling, be informed of the consequences of such processing. If cookies are used to store or access information for the purposes of behavioral advertising, the ePrivacy Directive requires that data subjects provide consent for the placement of such cookies, after having been provided with clear and comprehensive information.

Acronym(s): OBA

Associated term(s): Online Behavioral Advertising, Behavioral Targeting, Contextual Advertising, Demographic Advertising, Premium Advertising, Psychographic Advertising, Remnant Advertising

Explanation
They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all aspects of applicable data protection legislation and are approved by a member state data protection authority. To date, relatively few organizations have had BCRs approved.

Acronym(s): BCR

Explanation
Associated term(s): Bureau of Consumer Protection; Bureau of Economics

Explanation
Associated term(s): Bureau of Competition; Bureau of Economics

Explanation
Associated term(s): Bureau of Competition; Bureau of Consumer Protection

Explanation
The given answer, "Business case," is the correct answer because a business case is a document that outlines the justification for a proposed project or initiative. In the context of assessing the needs of a privacy organization, a business case would outline the individual program needs and provide a framework for meeting specific business goals, such as compliance with privacy laws, industry frameworks, customer requirements, and other considerations. The business case would outline the financial, strategic, and operational benefits of implementing the proposed privacy program, helping to justify the allocation of resources and support decision-making.

Explanation
The given answer, "Business Continuity and Disaster Recovery Plan," accurately describes the acronym BCDR. BCDR is a risk mitigation plan that helps organizations prepare for crises and ensure that critical business functions can continue even in the face of disruptions or disasters. This plan focuses on recovering from a disaster and maintaining business continuity regardless of the size or nature of the disruption.

Explanation
A Business Continuity Plan (BCP) is a document that outlines the responsibilities and actions that key stakeholders and teams must take in order to ensure that operations run smoothly before, during, and after an event. It is typically drafted and maintained by these stakeholders and covers various situations such as fire, flood, natural disasters, and terrorist attacks. The purpose of a BCP is to provide a roadmap for businesses to follow in order to minimize disruptions and ensure the continuity of critical functions in the face of unexpected events.

Explanation
COPPA requires these website operators: to post a privacy notice on the homepage of the website; provide notice about collection practices to parents; obtain verifiable parental consent before collecting personal information from children; give parents a choice as to whether their child’s personal information will be disclosed to third parties; provide parents access and the opportunity to delete the child’s personal information and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of personal information collected from children.

Acronym(s): COPPA

Link to text of law: 15 U.S.C. §§ 6501-6508

Explanation
In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not. If there is no true choice it is unlikely the consent will be deemed valid under the General Data Protection Regulation.

Associated term(s): Consent

Explanation
Also known as information security triad; three common information security principles from the 1960s: Confidentiality, integrity, availability.

Associated term(s): Information Security Triad

Explanation
The CIA Triad, also known as the Information Security Triad, consists of three fundamental principles: confidentiality, integrity, and availability. Confidentiality ensures that information is only accessible to authorized individuals, protecting it from unauthorized disclosure. Integrity ensures that information remains accurate, complete, and unaltered, preventing unauthorized modifications. Availability ensures that information is accessible and usable by authorized individuals when needed. These three principles form the foundation of information security, providing a comprehensive approach to protect sensitive information from unauthorized access, manipulation, and unavailability.

Explanation
The given answer, "Collection Limitation," is the correct answer because it accurately describes the fair information practices principle mentioned in the question. This principle states that there should be limits to the collection of personal data, and any such data should be obtained through lawful and fair means, with the knowledge or consent of the data subject. "Collection Limitation" summarizes this principle effectively.

Explanation
If an individual has choice about the use or disclosure of his or her information, consent is the individual's way of giving permission for the use or disclosure. Consent may be affirmative; i.e., opt-in; or implied; i.e., the individual didn’t opt out.

(1) Affirmative/Explicit Consent: A requirement that an individual "signifies" his or her agreement with a data controller by some active communication between the parties.

(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Associated term(s): Choice

Explanation
(1) Affirmative/Explicit Consent: A requirement that an individual "signifies" his or her agreement with a data controller by some active communication between the parties.

(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Explanation
(1) Affirmative/Explicit Consent: A requirement that an individual "signifies" his or her agreement with a data controller by some active communication between the parties.

(2) Implicit Consent: Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Explanation
Acronym(s): CRAs

Associated term(s): Credit Reporting Agency

Explanation
The given answer "Current baseline" refers to the existing state or condition of the data privacy requirements, environment, and the protections, policies, and procedures that are currently in place. It suggests that the answer is related to the current status or starting point of these factors, indicating that the question is asking for an assessment or evaluation of the present situation rather than any future or hypothetical scenario.

Explanation
Cyber liability insurance may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs.

Explanation
Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector —provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

Associated term(s): Breach, Privacy Breach (Canadian)

Explanation
Where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.

Associated term(s): Data Processor

Explanation
A data inventory, also known as a record of authority, is a tool used to identify and track personal data as it moves across different systems. It helps to organize and categorize the data, as well as identify any inconsistencies or disparities in the data versions. By creating a data inventory, organizations can have a clear understanding of how data is shared and organized, and its location, which is crucial for effective data management and compliance with data protection regulations.

Explanation
Also known as Information Life Cycle Management (ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. DLM provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements: Enterprise objectives; minimalism; simplicity of procedure and effective training; adequacy of infrastructure; information security; authenticity and accuracy of one’s own records; retrievability; distribution controls; auditability; consistency of policies; and enforcement.

Acronym(s): DLM; ILM

Associated term(s): Information Life Cycle Management

Explanation
Link to text of law: Directive 95/46/EC

Link to text of law: Regulation EC (No) 45/2001

Explanation
DPAs provide advice on data protection issues and field complaints from individuals alleging violations of the General Data
Protection Regulation. Each EU member state has its own DPA. Under GDPR, DPAs have extensive enforcement powers, including the ability to impose fines that total 4% of a company’s global annual revenue.

Acronym(s): DPA

Explanation
The process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide. It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimize the risk of those impacts.

Acronym(s): DPIA

Associated term(s): Privacy Impact Assessments (PIAs)

Explanation
The quality of data is judged by four criteria: Does it meet the business needs?; Is it accurate?; Is it complete?, and is it recent? Data is of an appropriate quality if these criteria are satisfied for a particular application.

Explanation
Associated term(s): Local Governance

Explanation
When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio.

Explanation
A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the United States, which would allow consumers to opt out of web-usage tracking.

Acronym(s): DNT

Explanation
The collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968. ECPA, as amended, protects wire, oral and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The act applies to e-mail, telephone conversations and data stored electronically.

The USA PATRIOT Act and subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases.

Link to text of law: Electronic Communications Privacy Act of 1986

Acronym(s): ECPA

Associated law(s): Stored Communications Act, Stored Wire Electronic Communications Act, USA Patriot Act

Explanation
The EU Data Protection Directive (95/46/EC) was replaced by the General Data Protection Regulation in 2018. The Directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use.

Associated term(s): Data Protection Directive

Explanation
The given answer, Gap Analysis, is correct because it accurately describes the process of evaluating the capability of current privacy management systems and infrastructure to meet the identified business and technical requirements. Gap analysis involves reviewing various aspects such as current systems, tools, hardware, expertise, and physical infrastructure to identify any gaps or deficiencies that need to be addressed in order to align with the requirements. This analysis helps in identifying areas where improvements or changes are needed to bridge the gap between the current state and desired state of privacy management.

Explanation
The correct answer is Generally Accepted Privacy Principles. The explanation is that GAPP is a framework developed by the AICPA and CICA to provide guidance on privacy practices. It consists of ten principles that cover various aspects of privacy, including management, notice, choice and consent, collection, use and retention, access, disclosure to third parties, security for privacy, quality, monitoring, and enforcement. These principles are widely recognized and accepted as best practices for protecting individuals' privacy rights.

Explanation
Link to text of law: Gramm-Leach-Bliley Act

Acronym(s): GLBA

Explanation
Link to text of law: The Health Insurance Portability and Accountability Act

Acronym(s): HIPAA

Related terms: HITECH, The Privacy Rule, The Security Rule

Explanation
This privacy governance model is known as Hybrid Governance. It involves a combination of centralized and local governance, where a main individual is assigned responsibility for privacy-related affairs in a large organization. The local entities then follow and support the policies and directives set by the central governing body.

Explanation
Associated term(s): FIPs

Explanation
The given correct answer, "Information Life Cycle," refers to the concept that data goes through different stages as it moves through an organization. This includes collection, processing, use, disclosure, retention, and destruction. The information life cycle recognizes that data has varying value and requires different approaches at each stage.