IAPP CIPP-US Practice Test - Questions Answers, Page 11

The most important step for the HR department to take when implementing this new software is to provide notice to employees that their emails will be scanned by the software and creating automated profiles. This is because the software involves the collection and use of personal information from employees, which may implicate their privacy rights and expectations. By providing notice, the HR department can inform employees about the purpose, scope, and consequences of the software, as well as their choices and rights regarding their data. Notice is also a key element of transparency and accountability, which are essential principles of privacy management. Providing notice can also help the HR department comply with various privacy laws and regulations that may apply to the software, such as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Fair Credit Reporting Act (FCRA), and state privacy laws. Notice can also help the HR department avoid potential legal risks and liabilities that may arise from the software, such as claims of invasion of privacy, breach of contract, or violation of employee rights.Reference:

U S. Private-Sector Privacy, Third Editionby Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 4, Section 4.2.1, pp. 97-98.

U S. Private-Sector Privacy, Third Editionby Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 5, Section 5.2.1, pp. 125-126.

U S. Private-Sector Privacy, Third Editionby Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 6, Section 6.2.1, pp. 153-154. IAPP CIPP/US Certified Information Privacy Professional Study Guideby Mike Chapple and Joe Shelley, Chapter 4, Section 4.1, pp. 113-114.

The HIPAA Privacy Rule requires covered entities to obtain an individual's written authorization for any use or disclosure of protected health information (PHI) that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. However, there are some exceptions to the authorization requirement for certain public interest-related activities, such as disclosing health information for public health activities, reporting child abuse, or treating a medical emergency. These exceptions are intended to balance the privacy interests of individuals with the public interest in protecting health and safety, promoting quality health care, and ensuring compliance with the law. Disclosing health information needed to pay a third party billing administrator is not one of the exceptions to the authorization requirement, as it is considered a payment activity that falls under the general rule of requiring authorization. Therefore, it is the correct answer to the question.Reference:Summary of the HIPAA Privacy Rule,HIPAA Exceptions,Exceptions to HIPAA Privacy Rule,Waiver of Authorization, IAPP CIPP/US Study Guide, Chapter 5.

The Privacy Act allows agencies to exempt certain records from some of its provisions, including the right to disclosure, if the records fall within one of the categories specified in subsections (j) or (k) of the Act. One of these categories is records maintained by an agency or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, probation, pardon, or parole authorities, and which consists of (A) information compiled for the purpose of identifying individual criminal offenders and alleged offenders and consisting only of identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole and probation status; (B) information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual; or reports identifiable to an individual compiled at any stage of the process of enforcement of the criminal laws from arrest or indictment through release from supervision. 5 U.S.C. 552a (j) (2). Therefore, material reporting investigative efforts pertaining to the enforcement of criminal law falls within this category and can be exempted from the right to disclosure under the Privacy Act.Reference:

Overview of the Privacy Act: 2020 Edition, Ten Exemptions, subsection (j) (2).

Privacy Act Exemptions, subsection (j) (2).

IAPP CIPP/US Study Guide, page 66.

Employers have a duty to protect the personal information of their current and former employees, as well as applicants, from unauthorized access, use, or disclosure. This duty may arise from federal or state laws, such as the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA), or from contractual obligations, such as non-disclosure agreements or privacy policies. Employers may retain sensitive employment records, such as performance evaluations, disciplinary actions, medical records, or background checks, for a legitimate business purpose, such as complying with legal requirements, defending against lawsuits, or conducting audits. However, employers must ensure that these records are stored securely, accessed only by authorized personnel, and disposed of properly when no longer needed.Reference:IAPP CIPP/US Study Guide, Chapter 4, Section 4.1.1,IAPP CIPP/US Body of Knowledge, Domain IV, Objective B

The Family and Medical Leave Act (FMLA) is a federal law that provides eligible employees with up to 12 weeks of unpaid, job-protected leave per year for certain family and medical reasons, such as the birth or adoption of a child, the serious health condition of the employee or a family member, or a qualifying exigency arising from the employee's spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces. The FMLA also provides eligible employees with up to 26 weeks of unpaid, job-protected leave per year to care for a covered service member with a serious injury or illness if the employee is the spouse, child, parent, or next of kin of the service member. The FMLA applies to all public agencies, including state, local, and federal employers, and local education agencies (schools), and to private sector employers who employ 50 or more employees for at least 20 workweeks in the current or preceding calendar year.

The FMLA often requires employers to collect medical information from employees who request FMLA leave or from their health care providers to certify the need for leave, the duration of leave, and the employee's ability to return to work. The FMLA regulations specify the type and amount of information that employers may request and require for different types of FMLA leave, such as:

Basic medical facts, such as the diagnosis, symptoms, hospitalization, doctor visits, whether medication has been prescribed, and any referrals for evaluation or treatment, for the employee's own serious health condition or that of a family member.

Information on the medical necessity of intermittent leave or reduced schedule leave and the expected frequency and duration of such leave, for the employee's own serious health condition or that of a family member, or for planned medical treatment.

A statement of the facts regarding the qualifying exigency, such as the type of military duty, the dates of the covered active duty, and the contact information of the military member, for leave due to a qualifying exigency arising from the employee's spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces.

Information on the medical condition, treatment, and recovery of the covered service member, such as the date of injury or onset of illness, the current medical status, the prognosis, and the estimated time of treatment, for leave to care for a covered service member with a serious injury or illness.

The FMLA also imposes certain obligations on employers to protect the privacy and security of the medical information they collect from employees or their health care providers. For example, employers must:

Maintain records and documents relating to medical certifications, recertifications, or medical histories of employees or employees' family members as confidential medical records in separate files/records from the usual personnel files, and if the Americans with Disabilities Act (ADA) applies, such records must be maintained in conformance with ADA confidentiality requirements.

Ensure that any electronic systems used to maintain such records meet the confidentiality requirements of the FMLA and the ADA, and that only authorized persons have access to such records.

Limit the disclosure of such records to supervisors and managers who need to know about an employee's FMLA leave, first aid and safety personnel when an employee's medical condition might require emergency treatment, and government officials investigating compliance with the FMLA.

Comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule when requesting medical information from an employee's health care provider, such as obtaining a valid authorization from the employee or using a HIPAA-compliant certification form.

Refrain from requesting more information than allowed by the FMLA regulations, such as asking for an employee's complete medical records or information unrelated to the FMLA leave request.

Respect the employee's right to revoke a medical authorization or challenge a medical certification, and follow the procedures for resolving disputes over the validity or sufficiency of such documents.

The Family and Medical Leave Act (FMLA)

FMLA Employee Guide

FMLA Employer Guide

FMLA Regulations

FMLA Forms

The CCPA provides consumers with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of personal information and are caused by a business's failure to institute reasonable and appropriate security. The CCPA defines personal information for this purpose as an individual's name in combination with any of the following: social security number, driver's license number, account number, credit or debit card number, medical information, or health insurance information. The CCPA allows consumers to seek damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. The CCPA also requires consumers to provide the business with 30 days' written notice and an opportunity to cure the violation before initiating an action. Additionally, the CCPA requires consumers to notify the Attorney General within 30 days of filing the action and obtain the Attorney General's approval or nonobjection before proceeding with the action. Therefore, John can sue the corporation for the data breach to recover monetary damages suffered as a result of the data breach, and in some circumstances seek statutory damages irrespective of whether he suffered any financial harm, as long as he meets the requirements of the CCPA.Reference:

CCPA Provides Private Right of Action for Data Security Breaches

CCPA Private Right of Action -- Data Breach Security Requirement

CCPA Fines & Penalties for Data Protection Violations | MatrixPoint

The correct answer is C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York.Under the Health Insurance Portability and Accountability Act (HIPAA), SMH is required to notify the Office of Civil Rights (OCR) and the affected individuals of a data breach involving unsecured protected health information (PHI) within 60 days of discovery1.However, HIPAA does not preempt state laws that provide greater protection to individuals or impose additional obligations on covered entities2. Therefore, SMH must also comply with the state breach notification laws of the states where it operates, including New York.

According to the New York State Information Security Breach and Notification Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York must disclose any breach of the security of the system to such resident in the most expedient time possible and without unreasonable delay, unless the exposure of the private information was inadvertent and unlikely to result in misuse or financial harm3.Private information includes personal information (such as name, number, or other identifier) plus one or more of the following data elements: social security number; driver's license number or non-driver identification card number; account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; biometric information; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account3.

Therefore, if SMH's data breach involved any of these data elements of New York residents, SMH must notify them of the breach, regardless of whether SMH is compliant with HIPAA, has more than 500 patients in New York, or offers credit monitoring services.SMH must also notify the New York Attorney General, the Department of State, and the Division of State Police within 10 days of notifying the affected individuals3.Additionally, SMH must notify the New York Department of Health if the breach involved electronic health records4.

https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf

The correct answer is C because the California Consumer Privacy Act (CCPA) is a state privacy law that grants California residents the right to request the deletion of their personal information that a business has collected from them. The CCPA applies to any business that collects personal information from California residents, regardless of where the business is located, as long as the business meets certain thresholds of revenue, data volume, or data sharing. Therefore, the social media platform that Sarah uses is subject to the CCPA and must honor Sarah's deletion request, unless an exception applies. The CCPA also requires businesses to provide notice and choice to consumers about their data collection and use practices, and to respond to consumer requests within 45 days.

The other answers are incorrect because:

A is incorrect because the General Data Protection Regulation (GDPR) is a European Union privacy law that applies to the processing of personal data of individuals who are in the EU, regardless of where the data controller or processor is located. However, the GDPR does not apply to the processing of personal data of individuals who are outside the EU, unless the processing relates to the offering of goods or services to such individuals or the monitoring of their behavior within the EU. Therefore, the GDPR does not apply to Sarah's personal data, since she is not in the EU and the social media platform is not targeting or tracking her in the EU.

B is incorrect because Section 5 of the FTC Act is a federal law that prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC has used its Section 5 authority to enforce privacy and data security standards against businesses that violate their own privacy policies, misrepresent their data practices, or fail to protect consumer data from unauthorized access or disclosure. However, the FTC has not held that refusing to delete an individual's personal information upon request constitutes an unfair practice per se, unless the refusal is inconsistent with the business's privacy policy or representations, or causes substantial injury to consumers that is not reasonably avoidable or outweighed by countervailing benefits.

D is incorrect because the New York SHIELD Act is a state law that imposes data breach notification and data security requirements on any person or business that owns or licenses computerized data that includes the private information of a New York resident. The SHIELD Act does not grant New York residents the right to request the deletion of their personal information, nor does it apply to businesses that do not collect or hold the private information of New York residents. Therefore, the SHIELD Act does not apply to Sarah's personal data, since she is not a New York resident and the social media platform may not have her private information as defined by the SHIELD Act.Reference:

U S. Private-Sector Privacy, Third Editionby Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 7, Section 7.2.1, pp. 183-186. IAPP CIPP/US Certified Information Privacy Professional Study Guideby Mike Chapple and Joe Shelley, Chapter 7, Section 7.2, pp. 217-219.