Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Certified Information Privacy Technologist

Last Update 7 hours ago Total Questions : 256

The Certified Information Privacy Technologist content is now fully updated, with all current exam questions added 7 hours ago. Deciding to include CIPT practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our CIPT exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these CIPT sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any Certified Information Privacy Technologist practice test comfortably within the allotted time.

Question # 31

SCENARIO

WebTracker Limited is a cloud-based online marketing service located in London. Last year, WebTracker migrated its IT infrastructure to the cloud provider AmaZure, which provides SQL Databases and Artificial Intelligence services to WebTracker. The roles and responsibilities between the two companies have been formalized in a standard contract, which includes allocating the role of data controller to WebTracker.

The CEO of WebTracker, Mr. Bond, would like to assess the effectiveness of AmaZure ' s privacy controls, and he recently decided to hire you as an independent auditor. The scope of the engagement is limited only to the marketing services provided by WebTracker, you will not be evaluating any internal data processing activity, such as HR or Payroll.

This ad-hoc audit was triggered due to a future partnership between WebTracker and SmartHome — a partnership that will not require any data sharing. SmartHome is based in the USA, and most recently has dedicated substantial resources to developing smart refrigerators that can suggest the recommended daily calorie intake based on DNA information. This and other personal data is collected by WebTracker.

To get an idea of the scope of work involved, you have decided to start reviewing the company ' s documentation and interviewing key staff to understand potential privacy risks.

The results of this initial work include the following notes:

    There are several typos in the current privacy notice of WebTracker, and you were not able to find the privacy notice for SmartHome.

    You were unable to identify all the sub-processors working for SmartHome. No subcontractor is indicated in the cloud agreement with AmaZure, which is responsible for the support and maintenance of the cloud infrastructure.

    There are data flows representing personal data being collected from the internal employees of WebTracker, including an interface from the HR system.

    Part of the DNA data collected by WebTracker was from employees, as this was a prototype approved by the CEO of WebTracker.

    All the WebTracker and SmartHome customers are based in USA and Canada.

Which of the following issues is most likely to require an investigation by the Chief Privacy Officer (CPO) of WebTracker?

A.

Data flows use encryption for data at rest, as defined by the IT manager.

B.

AmaZure sends newsletter to WebTracker customers, as approved by the Marketing Manager.

C.

Employees’ personal data are being stored in a cloud HR system, as approved by the HR Manager.

D.

File Integrity Monitoring is being deployed in SQL servers, as indicated by the IT Architect Manager.

Question # 32

What is the distinguishing feature of asymmetric encryption?

A.

It has a stronger key for encryption than for decryption.

B.

It employs layered encryption using dissimilar methods.

C.

It uses distinct keys for encryption and decryption.

D.

It is designed to cross operating systems.

Question # 33

Properly configured databases and well-written website codes are the best protection against what online threat?

A.

Pharming.

B.

SQL injection.

C.

Malware execution.

D.

System modification.

Question # 34

Which of the following best describes the basic concept of " Privacy by Design? "

A.

The adoption of privacy enhancing technologies.

B.

The integration of a privacy program with all lines of business.

C.

The implementation of privacy protection through system architecture.

D.

The introduction of business process to identify and assess privacy gaps.

Question # 35

SCENARIO

Please use the following to answer the next question:

Light Blue Health (LBH) is a healthcare technology company developing a new web and mobile application that collects personal health information from electronic patient health records. The application will use machine learning to recommend potential medical treatments and medications based on information collected from anonymized electronic health records. Patient users may also share health data collected from other mobile apps with the LBH app.

The application requires consent from the patient before importing electronic health records into the application and sharing it with their authorized physicians or healthcare provider. The patient can then review and share the recommended treatments with their physicians securely through the app. The patient user may also share location data and upload photos in the app. The patient user may also share location data and upload photos in the app for a healthcare provider to review along with the health record. The patient may also delegate access to the app.

LBH’s privacy team meets with the Application development and Security teams, as well as key business stakeholders on a periodic basis. LBH also implements Privacy by Design (PbD) into the application development process.

The Privacy Team is conducting a Privacy Impact Assessment (PIA) to evaluate privacy risks during development of the application. The team must assess whether the application is collecting descriptive, demographic or any other user related data from the electronic health records that are not needed for the purposes of the application. The team is also reviewing whether the application may collect additional personal data for purposes for which the user did not provide consent.

Regarding the app, which action is an example of a decisional interference violation?

A.

The app asks income level to determine the treatment of care.

B.

The app sells aggregated data to an advertising company without prior consent.

C.

The app has a pop-up ad requesting sign-up for a pharmaceutical company newsletter.

D.

The app asks questions during account set-up to disclose family medical history that is not necessary for the treatment of the individual’s symptoms.

Question # 36

What is the main issue pertaining to data protection with the use of ' deep fakes ' ?

A.

Misinformation.

B.

Non-conformity with the accuracy principle.

C.

Issues with establishing non-repudiation.

D.

Issues with confidentiality of the information.

Question # 37

Truncating the last octet of an IP address because it is NOT needed is an example of which privacy principle?

A.

Use Limitation

B.

Data Minimization

C.

Purpose Limitation

D.

Security Safeguards

Question # 38

Which of the following is an example of an appropriation harm?

A.

A friend takes and uploads your pictures to a social media website.

B.

A hacker gains access to your email account and reads your messages.

C.

A govemment agency uses cameras to monitor your movements in a public area.

D.

An unauthorized individual obtains access to your personal information and uses it for medical fraud.

Question # 39

Between November 30th and December 2nd, 2013, cybercriminals successfully infected the credit card payment systems and bypassed security controls of a United States-based retailer with malware that exfiltrated 40 million credit card numbers. Six months prior, the retailer had malware detection software installed to prevent against such an attack.

Which of the following would best explain why the retailer’s consumer data was still exfiltrated?

A.

The detection software alerted the retailer’s security operations center per protocol, but the information security personnel failed to act upon the alerts.

B.

The U.S Department of Justice informed the retailer of the security breach on Dec. 12th, but the retailer took three days to confirm the breach and eradicate the malware.

C.

The IT systems and security measures utilized by the retailer’s third-party vendors were in compliance with industry standards, but their credentials were stolen by black hat hackers who then entered the retailer’s system.

D.

The retailer’s network that transferred personal data and customer payments was separate from the rest of the corporate network, but the malware code was disguised with the name of software that is supposed to protect this information.

Question # 40

An EU marketing company is planning to make use of personal data captured to make automated decisions based on profiling. In some cases, processing and automated decisions may have a legal effect on individuals, such as credit worthiness.

When evaluating the implementation of systems making automated decisions, in which situation would the company have to accommodate an individual’s right NOT to be subject to such processing to ensure compliance under the General Data Protection Regulation (GDPR)?

A.

When an individual’s legal status or rights are not affected by the decision.

B.

When there is no human intervention or influence in the decision-making process.

C.

When the individual has given explicit consent to such processing and suitable safeguards exist.

D.

When the decision is necessary for entering into a contract and the individual can contest the decision.

Go to page: