IAPP CIPP-US Practice Test - Questions Answers, Page 5

The Consumer Financial Protection Bureau (CFPB) has rulemaking authority for the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA), as well as other consumer financial laws. The Dodd-Frank Act, enacted in 2010, transferred most of the rulemaking responsibilities added to the FCRA by the FACTA and the Credit CARD Act from the Federal Trade Commission (FTC) to the CFPB.However, the FTC retains its enforcement authority for the FCRA and the FACTA, along with other federal and state agencies1.The CFPB also shares rulemaking authority for some provisions of the FACTA with the FTC, such as the identity theft red flags and address discrepancy rules2.The Department of Commerce and the State Attorneys General do not have rulemaking authority for the FCRA or the FACTA.Reference:1: FTC3, Fair Credit Reporting Act;2: CFPB4, Fair Credit Reporting Act;3:FTC;4:CFPB.

The Disposal Rule is a provision of the Fair and Accurate Credit Transactions Act (FACTA) that requires businesses and individuals to take appropriate measures to dispose of sensitive information about consumers, such as credit reports, that are derived from consumer reports. The Disposal Rule is intended to reduce the risk of identity theft and fraud by preventing unauthorized access to or use of the information. According to the Disposal Rule, reasonable steps for disposal include burning, pulverizing, or shredding papers that contain consumer report information so that they cannot be read or reconstructed.

In this scenario, the most appropriate action for a car dealer holding a paper folder of customer credit reports is to follow the Disposal Rule by having the reports shredded. This would ensure that the car dealer complies with the FACTA and protects the privacy and security of the customers' personal data. The other options are not correct, because:

The Red Flags Rule is another provision of the FACTA that requires financial institutions and creditors to implement a written identity theft prevention program that identifies and responds to the warning signs or red flags of identity theft in their operations. The Red Flags Rule does not apply to the disposal of consumer report information, nor does it require mailing the reports to customers, which could expose the information to interception or theft.

The Privacy Rule is a provision of the Gramm-Leach-Bliley Act (GLBA) that requires financial institutions to provide notice to customers about their privacy policies and practices, and to allow customers to opt out of sharing their personal information with certain third parties. The Privacy Rule does not apply to the disposal of consumer report information, nor does it require notifying customers that the reports are being stored, which could alert potential identity thieves to the existence of the information.

The Safeguards Rule is another provision of the GLBA that requires financial institutions to develop, implement, and maintain a comprehensive information security program that protects the security, confidentiality, and integrity of customer information. The Safeguards Rule does not apply to the disposal of consumer report information, nor does it require transferring the reports to a secure electronic file, which could still be vulnerable to hacking or unauthorized access.

FTC website, FACTA Disposal Rule Goes into Effect June 1

Shred Nations website, What Is the FACTA Disposal Rule?

Seam Services website, The FACTA Disposal Rule: What Does It Mean for Your Business?

IAPP CIPP/US Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, pp. 49-50

IAPP website, Red Flags Rule

IAPP website, Fair and Accurate Credit Transactions Act (FACTA)

Access is the privacy concept that grants a consumer the right to view and correct errors on his or her credit report. The Fair Credit Reporting Act (FCRA) gives consumers the right to access their credit reports from the three nationwide credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months for free. Consumers also have the right to dispute any inaccurate or incomplete information in their credit reports and request that the credit reporting agencies investigate and correct the errors. The FCRA also requires the credit reporting agencies to provide consumers with a notice of their rights and a summary of the dispute process.Reference:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.2: Consumer Privacy, p. 38-39

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 13

IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.B: Identify the privacy requirements for consumer data, Subobjective II.B.1: Identify the consumer rights under the Fair Credit Reporting Act, p. 4

The design technique that would most effectively inform users of their data privacy rights and privileges when using the app is to offer information about data collection and uses at key data entry points. This technique is also known as ''just-in-time'' or ''layered'' notice, and it is recommended by the U.S.Federal Trade Commission (FTC) as a best practice for mobile app developers12

The idea behind this technique is to provide users with relevant and timely information about how their data is collected and used by the app, and what choices they have to control their data, at the moment when they are asked to provide or access their data. For example, if the app collects location data from the user's device, it should display a pop-up notice explaining why it needs the location data, how it will use it, and how the user can opt-out or change the settings.This way, the user can make an informed decision about whether to allow or deny the app's access to their data, and understand the consequences of their choice12

The advantage of this technique is that it avoids overwhelming the user with too much information at once, and instead provides concise and contextual information that is easy to understand and act upon.It also increases the user's trust and confidence in the app, as they feel more in control of their data and privacy12

The other design techniques are less effective because they do not provide the user with sufficient or timely information about their data privacy rights and privileges when using the app. Publishing a privacy policy written in clear, concise, and understandable language is a good practice, but it is not enough to inform the user of their data privacy rights and privileges, as many users may not read or understand the policy, or may not be aware of where to find it. Presenting a privacy policy to users during the wellness program registration process is also a good practice, but it may not capture all the data collection and uses that the app may perform, and it may not give the user enough opportunity to review and consent to the policy.Providing a link to the wellness program privacy policy at the bottom of each screen is also a good practice, but it may not be noticeable or accessible to the user, and it may not provide the user with the specific information they need at the point of data entry or access12

Mobile Privacy Disclosures: Building Trust Through Transparency: A Federal Trade Commission Staff Report (February 2013)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6: Privacy Program Management, Section 6.4: Privacy by Design

The FCRA requires that an employer who takes an adverse action against an applicant or employee based on information in a consumer report must provide a notice of the adverse action to the individual.The notice must include the name, address, and phone number of the CRA that supplied the report; a statement that the CRA did not make the decision and cannot explain why the adverse action was taken; a notice of the individual's right to dispute the accuracy or completeness of the information in the report; and a notice of the individual's right to obtain a free copy of the report from the CRA within 60 days12.Reference:

CIPP/US Practice Questions (Sample Questions), Question 141, Answer A, Explanation A.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 4, Section 4.2, p. 101-102.

Fair Credit Reporting Act (FCRA), Section 615, Subsection (a).

According to the Gramm-Leach-Bliley Act (GLBA) and its implementing Regulation P, a financial institution may share consumer information with non-affiliated third parties for marketing purposes only after disclosing its information-sharing practices to customers and after giving them an opportunity to opt out of such sharing. The GLBA defines a customer as a consumer who has a continuing relationship with a financial institution that provides one or more financial products or services to be used primarily for personal, family, or household purposes. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative. A non-affiliated third party is any person except a financial institution's affiliate or a person employed jointly by a financial institution and a company that is not the financial institution's affiliate. An affiliate is any company that controls, is controlled by, or is under common control with another company.

The GLBA requires that a financial institution provide a privacy notice to customers: (i) at the time of establishing the customer relationship; (ii) annually during the continuation of the customer relationship; and (iii) before disclosing any nonpublic personal information (NPI) about the customer to any non-affiliated third party, unless an exception applies. The privacy notice must describe the categories of NPI that the financial institution collects and discloses; the categories of affiliates and non-affiliated third parties to whom the financial institution discloses NPI; the categories of NPI disclosed to service providers and joint marketers; the policies and practices with respect to protecting the confidentiality and security of NPI; and the disclosures of NPI to which the customer has a right to opt out. The financial institution must also provide a reasonable means for the customer to opt out of the disclosure of NPI to non-affiliated third parties, such as a check-off box, a reply form, or a toll-free telephone number. The opt-out notice must be clear and conspicuous, and must state that the customer can opt out at any time. The opt-out notice must also explain how the customer can opt out, and the effect of opting out. The financial institution must honor the customer's opt-out direction as soon as reasonably practicable after receiving it, and must not disclose any NPI to which the opt-out applies, unless an exception applies.

The GLBA provides several exceptions to the opt-out requirement, such as when the disclosure of NPI is necessary to effect, administer, or enforce a transaction requested or authorized by the customer; when the disclosure of NPI is required or permitted by law; when the disclosure of NPI is to a consumer reporting agency in accordance with the Fair Credit Reporting Act; or when the disclosure of NPI is to a person that performs marketing services on behalf of the financial institution or on behalf of the financial institution and another financial institution under a joint marketing agreement. A joint marketing agreement is a formal written contract between a financial institution and any other person under which the parties agree to offer, endorse, or sponsor a financial product or service. The joint marketing agreement must prohibit the other person from using or disclosing the NPI for any purpose other than offering, endorsing, or sponsoring the financial product or service covered by the agreement.

The GLBA also requires that a financial institution provide a privacy notice to consumers who are not customers before disclosing any NPI about the consumer to any non-affiliated third party, unless an exception applies. The financial institution does not need to provide an opt-out notice to consumers who are not customers, unless it has a customer relationship with them. However, if the financial institution establishes a customer relationship with a consumer who was previously not a customer, it must provide a privacy notice and an opt-out notice to the customer as described above.

Guide to the Gramm--Leach--Bliley Act

GLBA or FCRA? Data Sharing Between Affiliates and Non-Affiliates

Existing Privacy Laws Already Regulate Information Sharing

Why Do Banks Share Your Financial Information and Are They Allowed To?

[IAPP CIPP/US Certified Information Privacy Professional Study Guide], Chapter 5, pages 161-165.

The Gramm-Leach-Bliley Act (GLBA) is a federal law that regulates the privacy and security of consumer financial information collected, used, and disclosed by financial institutions, such as banks, credit unions, securities firms, insurance companies, and others12.Under the GLBA, financial institutions must comply with two main rules: the Privacy Rule and the Safeguards Rule12.The Privacy Rule requires financial institutions to provide notice to their customers about their information-sharing practices and to obtain verifiable parental consent before collecting, using, or disclosing personal information from children12.The Privacy Rule also gives customers the right to opt out of having their personal information shared with certain nonaffiliated third parties, unless an exception applies12.The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that protects the confidentiality, security, and integrity of customer information12.

Therefore, banks and other financial institutions are required to offer an opt-out before transferring personal information (PI) to an unaffiliated third party for the latter's own use, unless an exception applies, such as when the disclosure is necessary to complete a transaction requested or authorized by the customer, or when the disclosure is to a service provider or joint marketer that agrees to protect the information and use it only for the purposes for which it was disclosed12.This requirement is intended to give customers more control over how their personal information is used and shared by financial institutions and to protect their privacy rights12.

Declan might directly violate the HIPAA Privacy Rule by using John's name and personal health information (PHI) in his paper without his written authorization. The Privacy Rule protects the confidentiality of PHI that is created, received, maintained, or transmitted by a covered entity or its business associate.PHI includes any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual1. Declan, as a nursing assistant, is part of the covered entity's workforce and must comply with the Privacy Rule. He cannot disclose John's PHI to anyone, including his classmates or instructors, without John's authorization or a valid exception under the Privacy Rule. Even if he does not use John's full name, he may still reveal enough information to make John identifiable, such as his diagnosis, his father's condition, or his location. This would be an impermissible use and disclosure of PHI, and a potential HIPAA violation.Declan should either obtain John's written authorization to use his PHI in his paper, or de-identify the information according to the Privacy Rule's standards2.Reference:

Summary of the HIPAA Privacy Rule

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

HIPAA requires covered entities to provide a notice of privacy practices (NPP) to individuals who receive health care services from the covered entity. The NPP must describe how the covered entity may use and disclose protected health information (PHI), the individual's rights with respect to their PHI, and the covered entity's obligations to protect the privacy of PHI. The NPP must be provided to the individual no later than the date of the first service delivery, either in person or electronically. The covered entity must also make the NPP available on request and post it on its website if it has one. The covered entity must also make a good faith effort to obtain a written acknowledgment from the individual that they received the NPP. If the individual refuses to sign the acknowledgment, the covered entity must document the attempt and the reason for the refusal.

The other options are not sufficient to comply with HIPAA. Stating the privacy policy verbally (option A) does not provide the individual with a written or electronic copy of the NPP that they can keep for future reference. Posting the privacy notice in a prominent location (option B) does not ensure that the individual receives the NPP or has an opportunity to review it before receiving services. Directing patients to the correct area of the hospital website (option C) does not provide the individual with the NPP at the time of service delivery, unless the individual agrees to receive the NPP electronically and has access to the website at that time.Reference:

Notice of Privacy Practices for Protected Health Information

Model Notices of Privacy Practices

Sample Notice: Availability of Notice of Privacy Practices

Notice of Privacy Practices

Notice of Privacy Practices (NPP) Distribution and Acknowledgement