This multiple choice assessment focuses on the new General Data Protection Regulation (GDPR).

The purpose of the assessment is to enable you to assess the extent and depth of your knowledge of the Data Protection Law in preparation for the CIPT.

Format: Multiple Choice

Time: 90 minutes

The result will be provided immediately, with details on all questions.

1) Under the EU’s General Data Protection Regulation (GDPR), which of the following types of information would NOT require notification to a supervisory authority in the event of a personal data breach?

2) The acronym PGP stands for:

3) Which of the following circumstances would best be addressed by utilizing radio frequency identification (RFID) technology?

4) A marketing lead has collected a large data set of personal information and stored it in a shared folder. The marketing lead controls who has access to the shared folder. The type of access control being used is:

5) What was the first privacy framework to be developed?

6) Use the following to answer the question

SCENARIO

Cycle & Loop is a company that offers paper shredding services for households and offices. The company receives requests from consumers via its website and telephone to book shredding services. Based on the type and size of service, Cycle & Loop then sub-contracts to other service providers that are registered on its database, currently managed in-house by Cycle & Loop IT Support. Because of Cycle & Loop's business model, resources are contracted as needed instead of permanently employed.

Below is some of the personal information Cycle & Loop requires as part of its business operations:
  • Customers: Name, address (location), contact information, billing information
  • Sub Contractors: Name, contact information, banking details, address

Cycle & Loop has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore, the Cycle & Loop permanent employee base is not included as part of this scenario.

With an increase in construction work and housing developments, Cycle & Loop has had an influx of requests for paper shredding services. The demand has overwhelmed Cycle & Loop's traditional supply and demand system, which has caused some overlapping bookings.

In a business strategy session held by senior management recently, Cycle & Loop invited vendors to present potential solutions to their current operational issues. These vendors included application developers and Cycle & Loop's solution providers, presenting their proposed solutions and platforms.

The Managing Director opted to initiate the process to integrate shredding operations with a cloud solution (OpsCentral) that will provide the following on one single online platform:
  • A web interface that Cycle & Loop accesses for the purposes of resource and customer management. This would entail uploading resource and customer information.
  • A customer-facing web interface that enables customers to register, manage and submit shredding service requests online.
  • A resource-facing web interface that enables contractors to apply for and manage their assigned jobs.
  • An online payment facility for customers to pay for services.

Considering that OpsCentral will host/process personal information on behalf of Cycle & Loop remotely, what is an appropriate next step for Cycle & Loop senior management to assess OpsCentral's appropriateness?

7) Use the following to answer the question

SCENARIO

Cycle & Loop is a company that offers paper shredding services for households and offices. The company receives requests from consumers via its website and telephone to book shredding services. Based on the type and size of service, Cycle & Loop then sub-contracts to other service providers that are registered on its database, currently managed in-house by Cycle & Loop IT Support. Because of Cycle & Loop's business model, resources are contracted as needed instead of permanently employed.

Below is some of the personal information Cycle & Loop requires as part of its business operations:

  • Customers: Name, address (location), contact information, billing information
  • Sub Contractors: Name, contact information, banking details, address

Cycle & Loop has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore, the Cycle & Loop permanent employee base is not included as part of this scenario.

With an increase in construction work and housing developments, Cycle & Loop has had an influx of requests for paper shredding services. The demand has overwhelmed Cycle & Loop's traditional supply and demand system, which has caused some overlapping bookings.

In a business strategy session held by senior management recently, Cycle & Loop invited vendors to present potential solutions to their current operational issues. These vendors included application developers and Cloud-Q's solution providers, presenting their proposed solutions and platforms.

The Managing Director opted to initiate the process to integrate shredding operations with a cloud solution (OpsCentral) that will provide the following on one single online platform:
  • A web interface that Cycle & Loop accesses for the purposes of resource and customer management. This would entail uploading resource and customer information.
  • A customer-facing web interface that enables customers to register, manage and submit shredding service requests online.
  • A resource-facing web interface that enables contractors to apply for and manage their assigned jobs.
  • An online payment facility for customers to pay for services.

Which question would you most likely ask to gain more insight about OpsCentral and provide practical privacy recommendations?

8) Which is the most accurate type of biometrics?

9) After committing to a Privacy by Design program, which activity should take place first?

10) Granting data subjects the right to have data corrected, amended, or deleted describes?

11) What is the term for information provided to a social network by a member?

12) What is the most important requirement to fulfil when transferring data out of an organization?

13) Which of the following is NOT a workplace surveillance best practice?

14) To comply with the Sarbanes-Oxley Act (SOX), public companies in the United States are required to annually report on the effectiveness of the auditing controls of their financial reporting systems. These controls must be implemented to prevent unauthorized use, disclosure, modification, and damage or loss of financial data.

Why do these controls ensure both the privacy and security of data?

15) All of the following can be indications of a ransomware attack EXCEPT?

16) Use the following to answer the question

SCENARIO

Julian is a new security compliance manager who will be responsible for coordinating and executing controls to ensure compliance with the company's information security policy and industry standards.

Julian is also new to the company, where collaboration is a core value. On his first day of new-hire orientation, Julian's schedule included participating in meetings and observing work in the IT and compliance departments. Julian spent the morning in the IT department, where the CSO welcomed him and explained that her department was responsible for IT governance. The CSO and Julian engaged in a conversation about the importance of identifying meaningful IT governance metrics. Following their conversation, the CSO introduced Julian to Ria and Barney. Ria is implementing a plan to encrypt data at the transport level of the organization's wireless network. Julian would need to get up to speed on the project and suggest ways to monitor effectiveness once the implementation was complete. Barney explained that his short-term goals are to establish rules governing where data can be placed and to minimize the use of offline data storage.

Julian spent the afternoon with Anna, a compliance specialist, and learned that she was exploring an initiative for a compliance program to follow self-regulatory privacy principles. Thanks to a recent internship, Julian had some experience in this area and knew where Anna could find some support. Anna also shared results of the company's privacy risk assessment, noting that the secondary use of personal information was considered a high risk.

By the end of the day Julian was very excited about his new job and his new company. In fact, he learned about an open position for someone with strong qualifications and experience with access privileges, project standards board approval processes, and application-level obligations, and couldn't wait to recommend his friend Joe who would be perfect for the job.

Ria's implementation is most likely a response to what incident?

17) Which is NOT a suitable action to apply to data when the retention period ends?

18) A user who owns a resource wants to give other individuals access to the resource. What control would apply?

19) Which of the following became a foundation for privacy principles and practices of countries and organizations across the globe?

20) Which is NOT a suitable method for assuring the quality of data collected by a third-party company?

21) What is the main benefit of using a private cloud?

22) How does k-anonymity help to protect privacy in micro data sets?

23) What is the distinguishing feature of asymmetric encryption?

24) Why is first-party web tracking very difficult to prevent?

25) Which Organization for Economic Co-operation and Development (OECD) privacy protection principle encourages an organization to obtain an individual's consent before transferring personal information?

26. Which of the following would be considered a type of privacy interference?

27. Which of the following scenarios best describes a situation where there could be surveillance without the reasonable knowledge of the individual?

28. Which of the following best describes the goal of privacy engineering?

29. A data broker collects information on medications that are prescribed to individuals and sells this information to pharmaceutical companies to allow them to target their advertising budgets. The information they collect does not contain direct identifiers regarding the individuals to whom the medications are prescribed, but does contain several indirect identifiers that in combination could allow reidentification. What must the data broker do prior to selling this data to pharmaceutical companies?

30. The leadership team for a retailer wants to improve customer satisfaction and increase customer retention. They propose introducing software that would enable them to learn more about their customers’ attitudes and behaviors to act upon. Their IT team is leading efforts to select a closed-source loyalty management system for this purpose by creating a list of software requirements and undertaking a tender process. These requirements include ensuring robustness of software against attack and vendor support for patching and customizations. Which of the following is TRUE?

31. ABC Company sells t-shirts from multiple manufacturers on its website. Several t-shirts sold are made by ABC. The company’s website allows consumers to review products and provide comments on their experiences. However, when a new user attempts to view negative product reviews on ABC’s brand of t-shirts, the company limits access to them. Using Daniel Solove’s Taxonomy of Privacy model, which privacy problem is this an example of?

32. A company wants to build a brand image that differentiates itself from the competition by focusing on enhancing customer trust to grow its business. In the company’s online environment, they want to empower data subjects to play an active role in the management of their own data, via a consent mechanism. Which of the following privacy by design foundational principles best supports this initiative?

33. Software that collects and reports runtime failures to a bug tracker may sometimes include the user’s personal data as part of the bug report. What should be a design consideration for such automated bug trackers?

SCENARIO VI

Please use the following scenario to answer the next TWO questions.

You have just been hired by Hybrid-Co as their technical lead for workplace resources (WPR) and human resources IT systems. In Spring 2020, all workers were sent home due to the COVID-19 pandemic and only remote work was permitted. As the pandemic moved into an endemic phase, hybrid work quickly became the norm (i.e., some workers are in the office and others are remote). You were tasked with designing the company’s hybrid work model and leading the company-wide initiative for employees to return to the office safely.

The first task the CEO asked your team to complete was to assess how much office space was needed to provide sufficient workspace for employees who want to work in an office environment. Relying on your own experience and the team’s expertise, you design a system that combines information from security logs from badge readers, Wi-Fi access point logs, and video footage from CCTV security cameras to collect information about people who enter and exit the building and connect their devices to the company’s Wi-Fi. This data is de-identified and aggregated to protect individual privacy.

While the pandemic was moving toward an endemic phase, periodic COVID-19 surges still occurred. Hybrid-Co had to take steps to make the office environment as safe as possible. In that regard, the chief medical officer asked you to help devise a method to track COVID-19 positive cases in the office. With so many remote workers in the new hybrid work environment, managing by walking around is not as effective as it used to be, and managers have rising concerns about employee productivity. For your third task, you were asked to assess what tools, logs, information and metadata were available to measure productivity and employee engagement within the hybrid work model.

34. Do the company’s data collection processes regarding building access align with the OECD Fair Information Practices and Ann Cavoukian’s Privacy by Design framework?

35. Which of the following did you neglect to do in your haste to comply with your CEO’s request?

36. Which of the following is an example of first-party collection?

37. Industrial Industries, Inc. collects customer personal data to assist with product returns. Three years after the sale, customers can no longer return the product, but Industrial Industries wants to continue using some of this information to analyze the percentage of returns during that period of time. Of the following options, which is the best practice to mitigate risks associated with maintaining this data for return analyses?

38. During a recent software inventory review, Jim noted that the Web Server software currently deployed is Apache Version 2.4.39 whereas the latest version is 2.4.50. Which of the following is a control that will reduce Apache Web Server vulnerabilities by impeding malicious state-sponsored hackers from exploiting the gap in the software versions?

39. Which of the following IT roles serves as a repository of privacy knowledge and tailors this knowledge as needed to help the different stakeholders fulfill their roles?

40. Which of the following is a tool that shows the relationship between the requirements of a privacy law and the implemented software design elements?