IAPP CIPT Practice Test - Questions Answers, Page 11
Question list
List of questions
Related questions
Which of the following is NOT relevant to a user exercising their data portability rights?
Notice and consent for the downloading of data.
Detection of phishing attacks against the portability interface.
Re-authentication of an account, including two-factor authentication as appropriate.
Validation of users with unauthenticated identifiers (e.g. IP address, physical address).
In order to prevent others from identifying an individual within a data set, privacy engineers use a cryptographically-secure hashing algorithm. Use of hashes in this way illustrates the privacy tactic known as what?
Isolation.
Obfuscation.
Perturbation.
Stripping.
An organization based in California, USA is implementing a new online helpdesk solution for recording customer call information. The organization considers the capture of personal data on the online helpdesk solution to be in the interest of the company in best servicing customer calls.
Before implementation, a privacy technologist should conduct which of the following?
A Data Protection Impact Assessment (DPIA) and consultation with the appropriate regulator to ensure legal compliance.
A privacy risk and impact assessment to evaluate potential risks from the proposed processing operations.
A Legitimate Interest Assessment (LIA) to ensure that the processing is proportionate and does not override the privacy, rights and freedoms of the customers.
A security assessment of the help desk solution and provider to assess if the technology was developed with a security by design approach.
Which technique is most likely to facilitate the deletion of every instance of data associated with a deleted user account from every data store held by an organization?
Auditing the code which deletes user accounts.
Building a standardized and documented retention program for user data deletion.
Monitoring each data store for presence of data associated with the deleted user account.
Training engineering teams on the importance of deleting user accounts their associated data from all data stores when requested.
Which of the following CANNOT be effectively determined during a code audit?
Whether access control logic is recommended in all cases.
Whether data is being incorrectly shared with a third-party.
Whether consent is durably recorded in the case of a server crash.
Whether the differential privacy implementation correctly anonymizes data.
An EU marketing company is planning to make use of personal data captured to make automated decisions based on profiling. In some cases, processing and automated decisions may have a legal effect on individuals, such as credit worthiness.
When evaluating the implementation of systems making automated decisions, in which situation would the company have to accommodate an individual's right NOT to be subject to such processing to ensure compliance under the General
Data Protection Regulation (GDPR)?
When an individual's legal status or rights are not affected by the decision.
When there is no human intervention or influence in the decision-making process.
When the individual has given explicit consent to such processing and suitable safeguards exist.
When the decision is necessary for entering into a contract and the individual can contest the decision.
SCENARIO
Please use the following to answer next question:
EnsureClaim is developing a mobile app platform for managing data used for assessing car accident insurance claims. Individuals use the app to take pictures at the crash site, eliminating the need for a built-in vehicle camera. EnsureClaim uses a third-party hosting provider to store data collected by the app. EnsureClaim customer service employees also receive and review app data before sharing with insurance claim adjusters.
The app collects the following information:
First and last name
Date of birth (DOB)
Mailing address
Email address
Car VIN number
Car model
License plate
Insurance card number
Photo
Vehicle diagnostics
Geolocation
The app is designed to collect and transmit geolocation data. How can data collection best be limited to the necessary minimum?
Allow user to opt-out geolocation data collection at any time.
Allow access and sharing of geolocation data only after an accident occurs.
Present a clear and explicit explanation about need for the geolocation data.
SCENARIO
Please use the following to answer next question:
EnsureClaim is developing a mobile app platform for managing data used for assessing car accident insurance claims. Individuals use the app to take pictures at the crash site, eliminating the need for a built-in vehicle camera. EnsureClaim uses a third-party hosting provider to store data collected by the app. EnsureClaim customer service employees also receive and review app data before sharing with insurance claim adjusters.
The app collects the following information:
First and last name
Date of birth (DOB)
Mailing address
Email address
Car VIN number
Car model
License plate
Insurance card number
Photo
Vehicle diagnostics
Geolocation
All of the following technical measures can be implemented by EnsureClaim to protect personal information that is accessible by third-parties EXCEPT?
Encryption.
Access Controls.
De-identification.
Multi-factor authentication.
SCENARIO
Please use the following to answer next question:
EnsureClaim is developing a mobile app platform for managing data used for assessing car accident insurance claims. Individuals use the app to take pictures at the crash site, eliminating the need for a built-in vehicle camera. EnsureClaim uses a third-party hosting provider to store data collected by the app. EnsureClaim customer service employees also receive and review app data before sharing with insurance claim adjusters.
The app collects the following information:
First and last name
Date of birth (DOB)
Mailing address
Email address
Car VIN number
Car model
License plate
Insurance card number
Photo
Vehicle diagnostics
Geolocation
What IT architecture would be most appropriate for this mobile platform?
Peer-to-peer architecture.
Client-server architecture.
Plug-in-based architecture.
Service-oriented architecture.
SCENARIO
Please use the following to answer next question:
EnsureClaim is developing a mobile app platform for managing data used for assessing car accident insurance claims. Individuals use the app to take pictures at the crash site, eliminating the need for a built-in vehicle camera. EnsureClaim uses a third-party hosting provider to store data collected by the app. EnsureClaim customer service employees also receive and review app data before sharing with insurance claim adjusters.
The app collects the following information:
First and last name
Date of birth (DOB)
Mailing address
Email address
Car VIN number
Car model
License plate
Insurance card number
Photo
Vehicle diagnostics
Geolocation
What would be the best way to supervise the third-party systems the EnsureClaim App will share data with?
Review the privacy notices for each third-party that the app will share personal data with to determine adequate privacy and data protection controls are in place.
Conduct a security and privacy review before onboarding new vendors that collect personal data from the app.
Anonymize all personal data collected by the app before sharing any data with third-parties.
Develop policies and procedures that outline how data is shared with third-party apps.
Question