Deck 2: Certified Information Privacy Professional/Asia (CIPP/A)

A) Subscribers must have explicitly indicated that they did not object to their data being collected and used for marketing purposes.
B) Subscribers can opt out of the use of their data for marketing purposes after collection by withdrawing consent.
C) Data subjects must be notified on a website if their data is being used for marketing purposes.
D) Data subjects are protected from the secondary use of personal data for marketing purposes.

A) Order an organization to stop collecting personal data.
B) Order an organization to destroy collected personal data.
C) Order an organization to award compensation to a complainant.
D) Order an organization to pay a financial penalty to the government.

A) Enforcement by Accountability Agents.
B) Self-assessment against CBPR questionnaire.
C) Consultation with Privacy Enforcement (PE) Authority.
D) Dispute resolution via the Accountability Agent's compliance program.

A) Anonymised data is not personal data.
B) Any data that has been anonymised bears the same risks for re-identification.
C) Data that has been anonymised satisfies the "cease to retain" requirement of Section 25.
D) Organizations should consider the risk of re-identification if it intends to publish or disclose anonymised data.

A) Trust corporations.
B) Third-party processors.
C) Private sector organizations.
D) Limited liability partnerships.

A) No, because Jimmy is not in the division that Bigbank seeks to acquire.
B) No, because the data was collected for the express purpose of complying with Singabank's privacy policies.
C) Yes, if Singabank informs Jimmy of the disclosure of his personal data before it occurs.
D) Yes, if Jimmy's personal data is necessary for Bigbank to determine whether to proceed with the acquisition.

A) If the employees did not explicitly consent to it.
B) If the bank's data security policy was being overhauled.
C) If the bank collected employees' sensitive personal information.
D) If the employees were not provided contact information to ask questions about the monitoring.

A) Decline to turn over the footage as it is not a valid data access request.
B) Provide a copy of the footage within 40 days as it is a data access request.
C) Provide a copy of the footage to the lawyer under the exemption for legal professional privilege.
D) Decline to turn over the footage as there is no basis for it to be disclosed under the exemption for prevention or detection of crime.

A) Third-party data processors located in foreign countries.
B) Companies researching the viability of business mergers.
C) Service providers hosting customer information in the cloud.
D) Direct marketers acting in the best interest of their company.

A) Paper-based records.
B) Publicly-available information.
C) Foreign intelligence.
D) Unreasonable expense.

A) Asia's APEC Privacy Framework.
B) Macau's Personal Data Protection Act.
C) South Korea's Public Agency Data Protection Act.
D) Europe's Data Protection Directive (Directive 95/46/EC).

A) The information was collected in the previous 12 months.
B) The information is related to an individual's credit rating.
C) The cost of providing the information proved to be unreasonable.
D) Any personal information about others has been deleted from the document.

A) Constitutional protections of personal information.
B) International agreements protecting privacy.
C) The tort of invasion of privacy.
D) Breach of confidence law.

A) Personally identifiable information.
B) Sensitive information.
C) Personal data.
D) Identified data.

A) Zoe must immediately notify all guests, the police and the Privacy Commissioner of the breach.
B) Zoe does not need to do anything as there is no mandatory breach notification requirement in Hong Kong.
C) Zoe must report the breach to the Privacy Commissioner and make an action plan together with the Commissioner.
D) Zoe should consider if there is a real risk of harm to the guests and take appropriate action based on her assessment.

A) Because Delilah "consented" to her business contact information being used by Good Mining by passing it to Evan voluntarily.
B) Because any business contact information can be freely used, collected or disclosed by Good Mining.
C) Because Good Mining does not export the information to a cloud vendor.
D) Because Delilah initiated the relationship with Good Mining.

A) Consent of the guest in writing to the transfer.
B) Amending StarOne's privacy policy to refer to the transfer.
C) Putting in place Model Clauses between the relevant entities.
D) China being included as a "White List" country for data transfer.

A) Direct marketing practices.
B) Law enforcement requests.
C) Biometric authentication.
D) Data breach reports.

A) Inform the staff that Relax Ltd can transfer the data to StarOne given they are in the same premises and guests would reasonably expect that.
B) Inform the staff that Relax Ltd should not transfer the data to StarOne without a privacy notice identifying StarOne as a class of transferee.
C) Inform the staff that Relax Ltd should not transfer the data to StarOne without the guest's opt-in consent to do so.
D) Inform the staff that Relax Ltd can transfer the data as Section 33 is not in force.

A) Digital signatures.
B) Censorship limitations.
C) Electronic transactions.
D) Cybersecurity procedures.

A) The recipients of the collected data.
B) The name of the body collecting the data.
C) The type of safeguards protecting the data.
D) The options the subject has to access his data.

A) Retain the data of members who have been suspended for non-payment, in the event that the data is needed to seek compensation in a court of law.
B) Retain all member data and documents in original form for two years after account termination, to better inform marketing efforts focused on re-activating accounts of former customers.
C) Retain an anonymous data set after account termination indicating dates of membership, age, and other statistical data, to be included in aggregate reports about gym membership trends.
D) Retain copies of files of customers who utilized personal trainer services for six months after account termination, to allow trainers to respond to inquiries from personal physicians about training-related injuries.

A) It expanded the interpretation of right to life under Article 21 of the Constitution.
B) It established that privacy is a fundamental right granted by the Constitution under Article 21.
C) It upheld that the impounding of passports for "public interest" is allowable under Section 10(3)(c) of the Passports Act.
D) It ruled that under Article 32 of the Constitution individuals may file writ petitions when they feel their rights were violated.

A) It was restricted to residents of India.
B) It was necessary for proving citizenship.
C) It was required in order to obtain government services.
D) It was used to gather information to discriminate against minorities.

A) The data subject's personal data is collected from public registers or third parties.
B) The products or services are being offered by the organization's parent company.
C) The data subject has already given consent for other services offered by the company.
D) The products or services are being offered for the exclusive use of an individual's organization.

A) Prescription details.
B) Location data.
C) Nationality.
D) Religion.

A) High courts.
B) State legislatures.
C) Law enforcement agencies.
D) National Security Guard.

A) The patient cannot purchase medications from Bharat Medicals.
B) The hospital has the right to refuse withdrawal of consent since it has a partnership with Bharat Medicals.
C) The hospital will obtain the necessary medications from Bharat Medicals and provide them directly to patient.
D) The patient can buy medications from Bharat Medicals by uploading prescription to the Bharat Medicals website.

A) Charitable groups.
B) Sole proprietorships.
C) Government agencies.
D) Religious organizations.

A) The Indian Information Technology Act of 2000.
B) The Hong Kong guide to monitoring personal data privacy at work.
C) The Hong Kong Code of Practice on Human Resource Management.
D) The Singapore advisory guidelines on the personal data protection act for selected topics (employment and CCTV).

A) It should be available and produced on request.
B) It should be published on the website of the body corporate.
C) It should be emailed or faxed to data providers by the body corporate.
D) It should be shown to the data provider at the time of data collection.

A) That the vendor submits for approval from Dracarys a privacy notice explaining how personal data will be protected under the Indian Information Technology Act.
B) That the vendor files requests for transfer of personal data out of India through the offices of the privacy commissioners of Hong Kong and Singapore.
C) That the vendor is bound by legally enforceable obligations to provide the personal data a standard of protection that is at least comparable to the protection under the Singapore PDPA.
D) That the vendor adheres to the same sector privacy rules followed by Dracarys headquarters based in Seattle regarding the transfer of personal data.

A) From the FFE retention department, offering a special discount for reactivating membership.
B) From health care services provided by Hong Kong's Hospital Authority or Department of Health.
C) From an FFE affiliate that provides a mechanism to opt out of further communications by reply-texting "OO."
D) From an FFE affiliate in the region Stephen was transferred to, offering services similar to those he purchased previously.

A) No penalty, as FFE and the new employer are the responsible parties.
B) Violation of the terms of his employment agreement.
C) A maximum $500,000 HKD fine.
D) Up to five years imprisonment.

A) Assess the business risk of further processing in the absence of any regulations on anonymised data.
B) Refer to India's Information Technology Act and the 2011 rules 3-8 for guidance on handling anonymised data.
C) Obtain the consent of the data subjects because anonymous data must be treated as personal data at all times.
D) Adhere to the Singapore guidelines on anonymization and the Hong Kong Guidance on Personal Data Erasure and Anonymization.

A) Notice.
B) Choice.
C) Right to erasure.
D) Right to data access.

A) FFE's collection of full name from prospective clients.
B) FFE affiliates' receipt of Stephen's contact information.
C) FFE's collection of age and HKID from prospective clients.
D) FFE's collection of Stephen's messenger cell details through Kelvin.

A) They only apply to the private sector.
B) They allow exemptions for military personnel.
C) They apply to controllers and processors alike.
D) They impose obligations on individuals acting in a domestic capacity.

A) Breach notification.
B) Data retention periods.
C) Employee recruitment process.
D) Data subject consent provisions.

A) A Chief Risk Officer.
B) A Grievance Officer.
C) A Data Protection Officer.
D) A Chief Technology Officer.

A) That the rules apply to data subjects located outside of India.
B) That the rules apply to persons or companies collecting sensitive data within India.
C) That the data processor must provide notice to the data subject before data is processed.
D) That sensitive personal data or information includes passwords, financial information, medical records, and biometric information.

A) The Fair Information Practice Principles.
B) The Model Data Protection Code.
C) The Electronic Transactions Act.
D) The 1995 European Directive.

A) Government officials.
B) Children under 13.
C) The deceased.
D) The clergy.

A) Personal liberty.
B) Right to property.
C) Equality before the law.
D) Freedom from intrusion.

A) A definition of what constitutes reasonable security practices.
B) A requirement for the creation of a data protection authority.
C) A list of cases in which privacy policies are not necessary.
D) A clarification regarding the role of non-automated data.

A) Argentina.
B) Mexico.
C) Taiwan.
D) Korea.

A) Liability and indemnity.
B) Exemptions and Definitions.
C) Termination of the contract.
D) Obligations of the Transferee.

A) Publish the decisions it makes regarding complaints.
B) Provide the complainant with a way to appeal a decision.
C) Publish the name of an organization named in a complaint.
D) Intervene in civil actions to provide assistance to complainants.

A) A consent derogation.
B) A certification mechanism.
C) The Safe Harbor Framework.
D) Binding Corporate Rules (BCR).

A) If it has a physical office in Singapore.
B) If it is storing information in Singapore.
C) If it is collecting personal information in Singapore.
D) If it collects information from Singaporeans living abroad.

A) Physical or mental health data.
B) Financial information.
C) Race or ethnic origin.
D) Political opinions.

A) Sensitive data.
B) Children's data.
C) Outsourced data.
D) Extraterritorial data.

A) Hospital administrators.
B) Financial institutions.
C) News organizations.
D) Non-profit groups.