Home

Home / IAPP / CIPP-US

Question list

List of questions

Question 1

(0)

The Video Privacy Protection Act of 1988 restricted which of the following?

Question 2

(0)

The Cable Communications Policy Act of 1984 requires which activity?

Question 3

(0)

What is the main purpose of requiring marketers to use the Wireless Domain Registry?

Question 4

(0)

SCENARIO Please use the following to answer the next QUESTION: You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A. HealthCo is a HIPAA-covered entity

Question 5

(0)

Which jurisdiction must courts have in order to hear a particular case?

Question 6

(0)

Which authority supervises and enforces laws regarding advertising to children via the Internet?

Question 7

(0)

According to Section 5 of the FTC Act, self-regulation primarily involves a company's right to do what?

Question 8

(0)

Which was NOT one of the five priority areas listed by the Federal Trade Commission in its 2012 report, ''Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Po

Question 9

(0)

The ''Consumer Privacy Bill of Rights'' presented in a 2012 Obama administration report is generally based on?

Question 10

(0)

What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

Open VPLUS File

Convert VPLUS to PDF

Related questions

Which of the following federal agencies does NOT have regulatory authority related to privacy?

Under the Driver's Privacy Protection Act (DPPA), which of the following parties would require consent of an individual in order to obtain his or her Department of Motor Vehicle information?

The use of cookies on a website by a service provider is generally not deemed a 'sale' of personal information by CCPA, as long as which of the following conditions is met?

Which of the following conditions would NOT be sufficient to excuse an entity from providing breach notification under state law?

Which of the following data elements is most likely to be subject to comprehensive state data security and privacy laws?

Which power was NOT granted to the California Privacy Protection Agency by the California Privacy Rights Act (CPRA)?

Which of the following most accurately describes the regulatory status ot pandemic contact-tracing apps in the United States?

The Clarifying Lawful Overseas Use of Data (CLOUD) Act is primarily intended to do which of the following?

Due to cookie deprecation, businesses will be required to simplify their tracking practices by doing what?

A software company wants to use web scraping to collect personal data from professional networking websites in order to train an artificial intelligence program to evaluate Job applications. The company has identified several actions for limiting their potential legal liability regarding affected data subjects and professional networking websites. Which of the following would be the least effective action for helping them do this?

Question 137 - CIPP-US discussion

Report

In the US, II is a best practice (and in some states a requirement) to conduct a data protection assessment in which instance?

A.

When a background check is used as part of the hiring process

B.

When any information is processed by a corporation.

C.

When trade secrets are shared with a third party.

D.

When technology is used to monitor employees.

Suggested answer: D

Explanation:

In the U.S., it is a best practice and, in some states, a requirement to conduct a data protection impact assessment (DPIA) or similar evaluation when technology is used to monitor employees. This practice aligns with privacy principles aimed at ensuring that monitoring practices are proportionate, necessary, and lawful, while minimizing potential harm to employees' privacy.

Why Conduct a DPIA When Monitoring Employees?

Employee Privacy Risks: Monitoring technologies, such as video surveillance, keystroke logging, or location tracking, can significantly impact employees' privacy. Assessments help evaluate these risks and ensure compliance with applicable privacy laws.

State-Specific Requirements: Some states, like California under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), require businesses to implement privacy safeguards, including assessments for high-risk activities involving sensitive data.

Best Practices: Even when not legally required, conducting a DPIA demonstrates accountability and helps mitigate risks associated with employee privacy violations.

Explanation of Options:

A. When a background check is used as part of the hiring process: While background checks involve sensitive data and compliance with laws like the Fair Credit Reporting Act (FCRA), a DPIA is not typically required for this process. Instead, consent and notice are emphasized.

B. When any information is processed by a corporation: This is too broad. DPIAs are generally reserved for high-risk activities involving sensitive data or technologies, not for all data processing activities.

C. When trade secrets are shared with a third party: Sharing trade secrets involves contractual and confidentiality measures, but it does not usually necessitate a data protection assessment unless personal data is also involved.

D. When technology is used to monitor employees: This is correct. Monitoring employees with technology poses significant privacy risks, making it a best practice (and sometimes a requirement) to assess the impacts on privacy and ensure compliance with state and federal laws.

Reference from CIPP/US Materials:

California Privacy Rights Act (CPRA): Introduces risk assessments for certain data processing activities.

IAPP CIPP/US Certification Textbook: Discusses privacy risks associated with employee monitoring and the importance of impact assessments.

Show Answer

asked 22/11/2024

Gaetano Vito Fraccalvieri

37 questions

User

Your answer: A B C D

0 comments

Sorted by

Leave a comment first