SCENARIO
Kyle is a new security compliance manager who will be responsible for coordinating and executing
controls to ensure compliance with the company's information security policy and industry
standards. Kyle is also new to the company, where collaboration is a core value. On his first day of
new-hire orientation, Kyle's schedule included participating in meetings and observing work in the IT
and compliance departments.
Kyle spent the morning in the IT department, where the CIO welcomed him and explained that her
department was responsible for IT governance. The CIO and Kyle engaged in a conversation about
the importance of identifying meaningful IT governance metrics. Following their conversation, the
CIO introduced Kyle to Ted and Barney. Ted is implementing a plan to encrypt data at the
transportation level of the organization's wireless network. Kyle would need to get up to speed on
the project and suggest ways to monitor effectiveness once the implementation was complete.
Barney explained that his short-term goals are to establish rules governing where data can be placed
and to minimize the use of offline data storage.
Kyle spent the afternoon with Jill, a compliance specialist, and learned that she was exploring an
initiative for a compliance program to follow self-regulatory privacy principles. Thanks to a recent
internship, Kyle had some experience in this area and knew where Jill could find some support. Jill
also shared results of the company’s privacy risk assessment, noting that the secondary use of
personal information was considered a high risk.
By the end of the day, Kyle was very excited about his new job and his new company. In fact, he
learned about an open position for someone with strong qualifications and experience with access
privileges, project standards board approval processes, and application-level obligations, and
couldn’t wait to recommend his friend Ben who would be perfect for the job.
Which data practice is Barney most likely focused on improving?
C
Explanation:
Barney’s focus on establishing rules governing where data can be placed and minimizing the use of
offline data storage indicates a concern with data retention practices. Proper data retention policies
ensure that data is stored appropriately and retained for the necessary duration to meet regulatory
and business requirements, reducing risks associated with excessive or improperly stored data.
Reference:
IAPP CIPT Study Guide: Data Lifecycle Management.
IAPP Certified Information Privacy Technologist (CIPT) Handbook: Section on Data Retention and
Storage.
What is the main function of a breach response center?
B
Explanation:
The main function of a breach response center is to address privacy incidents by managing the
response to data breaches and other security incidents. This includes identifying, containing, and
mitigating the impact of breaches, as well as coordinating communication with affected parties and
regulatory bodies.
Reference:
IAPP CIPT Study Guide: Incident Response and Breach Management.
IAPP Certified Information Privacy Technologist (CIPT) Handbook: Section on Incident Management
and Breach Response.
Which is NOT a suitable action to apply to data when the retention period ends?
D
Explanation:
When the retention period for data ends, suitable actions typically include deletion, de-
identification, or aggregation to ensure that the data is no longer in a form that can be used to
identify individuals or is completely removed from systems. Retagging is not a suitable action as it
implies merely re-labeling or reclassifying the data rather than properly handling it according to data
retention policies. Retagging does not mitigate privacy risks and may result in non-compliance with
data protection regulations (IAPP, Certified Information Privacy Technologist (CIPT) materials).
What is the distinguishing feature of asymmetric encryption?
C
Explanation:
The distinguishing feature of asymmetric encryption is that it uses distinct keys for encryption and
decryption. Specifically, it involves a public key for encryption and a private key for decryption. This
dual-key mechanism ensures that even if the encryption key (public key) is widely distributed, the
decryption key (private key) remains secure and confidential. This is in contrast to symmetric
encryption, which uses the same key for both encryption and decryption (IAPP, Certified Information
Privacy Technologist (CIPT) materials).
What is the most important requirement to fulfill when transferring data out of an organization?
C
Explanation:
The most important requirement when transferring data out of an organization is ensuring that the
commitments made to the data owner are followed. This includes adhering to any privacy policies,
consent agreements, and legal obligations regarding how the data should be handled, protected, and
used by the receiving party. Fulfilling these commitments helps maintain trust and compliance with
data protection laws (IAPP, Certified Information Privacy Technologist (CIPT) materials).
Which activity would best support the principle of data quality?
D
Explanation:
Ensuring that information remains accurate is the activity that best supports the principle of data
quality. Data quality principles emphasize the importance of keeping personal information correct,
complete, and up-to-date to prevent harm and ensure reliability. Maintaining accuracy involves
regular updates, validation, and correction processes to avoid using outdated or incorrect data (IAPP,
Certified Information Privacy Technologist (CIPT) materials).
Which Organization for Economic Co-operation and Development (OECD) privacy protection principle
encourages an organization to obtain an individual s consent before transferring personal
information?
A
Explanation:
The OECD privacy protection principle that encourages an organization to obtain an individual's
consent before transferring personal information is individual participation. This principle asserts
that individuals should have the right to know about the collection and use of their personal data,
and to consent to its transfer. It emphasizes transparency and individual control over personal
information (IAPP, Certified Information Privacy Technologist (CIPT) materials).
Granting data subjects the right to have data corrected, amended, or deleted describes?
D
Explanation:
The concept described in the question pertains to Individual Participation, which is a principle found
in various data protection frameworks, such as the OECD Privacy Guidelines and the GDPR. Individual
Participation refers to the rights provided to data subjects to participate in the process of managing
their personal data. This includes rights such as accessing their data, correcting inaccuracies, and
requesting the deletion of their data. These rights empower individuals to have a say in how their
data is used and ensure that it remains accurate and up-to-date.
Reference:
OECD Privacy Guidelines, Principle 8: Individual Participation
GDPR, Articles 16 (Right to rectification) and 17 (Right to erasure)
What is a mistake organizations make when establishing privacy settings during the development of
applications?
A
Explanation:
A common mistake organizations make when establishing privacy settings is Providing a user with
too many choices. This phenomenon, often referred to as "choice overload", can lead to user
confusion, decision fatigue, and potentially poor privacy decisions. When users are presented with
too many options, they may become overwhelmed and either make suboptimal choices or disengage
from the decision-making process altogether.
Reference:
"Too Much Choice: A Problem That Can Paralyze" - The New York Times
"The Paradox of Choice: Why More Is Less" by Barry Schwartz
Which of the following suggests the greatest degree of transparency?
D
Explanation:
The option that suggests the greatest degree of transparency is After reading the privacy notice, a
data subject confidently infers how her information will be used. Transparency in data protection
means that data subjects should have clear, concise, and understandable information about how
their data is collected, used, and shared. The ability of the data subject to confidently infer the use of
their information after reading the privacy notice indicates that the notice is clear and transparent,
effectively communicating the data processing practices.
Reference:
GDPR, Article 12: Transparent information, communication, and modalities for the exercise of the
rights of the data subject
"Privacy on the Ground: Driving Corporate Behavior" by Kenneth A. Bamberger and Deirdre K.
Mulligan