CIPP-US Exam Dumps - IAPP Certified Information Privacy Professional Questions and Answers

The correct answer is C. If SMH must make a notification in any other state in which it operates, it must also make a notification to individuals in New York. Under the Health Insurance Portability and Accountability Act (HIPAA), SMH is required to notify the Office of Civil Rights (OCR) and the affected individuals of a data breach involving unsecured protected health information (PHI) within 60 days of discovery1. However, HIPAA does not preempt state laws that provide greater protection to individuals or impose additional obligations on covered entities2. Therefore, SMH must also comply with the state breach notification laws of the states where it operates, including New York.

According to the New York State Information Security Breach and Notification Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York must disclose any breach of the security of the system to such resident in the most expedient time possible and without unreasonable delay, unless the exposure of the private information was inadvertent and unlikely to result in misuse or financial harm3. Private information includes personal information (such as name, number, or other identifier) plus one or more of the following data elements: social security number; driver’s license number or non-driver identification card number; account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; biometric information; or a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account3.

Therefore, if SMH’s data breach involved any of these data elements of New York residents, SMH must notify them of the breach, regardless of whether SMH is compliant with HIPAA, has more than 500 patients in New York, or offers credit monitoring services. SMH must also notify the New York Attorney General, the Department of State, and the Division of State Police within 10 days of notifying the affected individuals3. Additionally, SMH must notify the New York Department of Health if the breach involved electronic health records4.

References: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-on-Managing-and-Notifying-Data-Breaches-under-the-PDPA-15-Mar-2021.pdf?la=en

https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf

Larry has a misconception about the applicability of federal law to private-sector employee rights. He believes that the U.S. Constitution protects American workers from various forms of discrimination, harassment, and invasion of privacy by their employers. However, the U.S. Constitution only applies to government actions, not private actions, unless there is a specific federal statute that extends constitutional protections to the private sector1. For example, the Civil Rights Act of 1964 prohibits discrimination on the basis of race, color, religion, sex, or national origin by private employers2. The Electronic Communications Privacy Act of 1986 regulates the interception and disclosure of electronic communications by private parties3. The CAN-SPAM Act of 2003 sets the rules for commercial email and gives recipients the right to opt out of receiving unwanted messages4. These are examples of federal laws that apply to private-sector employees, but they do not cover all the situations that Larry faces at SunriseLynx. For instance, there is no federal law that protects private-sector employees from political discrimination or from having their personal mail opened by their employers. Larry may have to rely on state laws or common law torts to seek redress for these violations of his rights. References: 1: Private Sector vs. Public Sector Employee Rights2: [Civil Rights Act of 1964 - Wikipedia] 3: [Electronic Communications Privacy Act - Wikipedia] 4: CAN-SPAM Act: A Compliance Guide for Business : IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: Federal Trade Commission and Consumer Privacy, p. 141-142

Illinois became the first state to pass a law specifically regulating the collection of biometric data in 2008, when it enacted the Biometric Information Privacy Act (BIPA). BIPA defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and biometric information as any information based on biometric identifiers used to identify an individual. BIPA requires entities that collect, store, or use biometric identifiers or information to obtain informed consent from individuals, provide written policies on data retention and destruction, limit disclosure and sale of biometric data, and protect biometric data using reasonable security measures. BIPA also provides a private right of action for individuals whose biometric data is collected, stored, or used in violation of the law, and allows them to recover statutory damages of $1,000 or actual damages, whichever is greater, for each negligent violation, and $5,000 or actual damages, whichever is greater, for each intentional or reckless violation, as well as attorneys’ fees and costs, and injunctive relief. References: U.S. Biometrics Laws Part I: An Overview of 2020, Is Biometric Information Protected by Privacy Laws?, Biometric Data Privacy Laws

 The most important step for the HR department to take when implementing this new software is to provide notice to employees that their emails will be scanned by the software and creating automated profiles. This is because the software involves the collection and use of personal information from employees, which may implicate their privacy rights and expectations. By providing notice, the HR department can inform employees about the purpose, scope, and consequences of the software, as well as their choices and rights regarding their data. Notice is also a key element of transparency and accountability, which are essential principles of privacy management. Providing notice can also help the HR department comply with various privacy laws and regulations that may apply to the software, such as the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Fair Credit Reporting Act (FCRA), and state privacy laws. Notice can also help the HR department avoid potential legal risks and liabilities that may arise from the software, such as claims of invasion of privacy, breach of contract, or violation of employee rights. References:

U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 4, Section 4.2.1, pp. 97-98.

U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 5, Section 5.2.1, pp. 125-126.

U.S. Private-Sector Privacy, Third Edition by Peter P. Swire, DeBrae Kennedy-Mayo, Chapter 6, Section 6.2.1, pp. 153-154.

IAPP CIPP/US Certified Information Privacy Professional Study Guide by Mike Chapple and Joe Shelley, Chapter 4, Section 4.1, pp. 113-114.

 According to the Privacy Shield Framework, an organization that transfers personal data to a third party acting as an agent must ensure that the agent does all of the following1:

Uses the transferred data only for limited and specified purposes;

Provides the same level of privacy protection as is required by the Privacy Shield Principles;

Takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;

Requires the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;

Upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing; and

Provides a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

Therefore, the only option that is not required by the Privacy Shield Framework is D. Enters a contract with the organization that states the third party will process data according to the consent agreement. While the organization must obtain the individual’s consent for certain types of data transfers, such as those involving sensitive data or onward transfers to controllers, the organization does not have to include the consent agreement in the contract with the agent. The contract must, however, ensure that the agent will process the data in accordance with the individual’s choices and expectations, as well as the Privacy Shield Principles2.

References: 1: Privacy Shield Framework3, Section 3 (b); 2: Privacy Shield Framework3, Section 2 (b) and ©; 3: Privacy Shield Framework.

The APEC Privacy Framework is a set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that aim to promote electronic commerce and protect information privacy in the region. The Framework is consistent with the core values of the OECD Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data, and reaffirms the value of privacy to individuals and to the information society. The Framework consists of nine principles: Preventing Harm, Notice, Collection Limitation, Use of Personal Information, Choice, Integrity of Personal Information, Security Safeguards, Access and Correction, and Accountability. Privacy by Design is not one of the principles in the APEC Privacy Framework, although it is a concept that is endorsed by the OECD Guidelines and other privacyframeworks. References: APEC Privacy Framework (2015), APEC Privacy Principles, IAPP CIPP/US Study Guide, Chapter 4.

 Declan might directly violate the HIPAA Privacy Rule by using John’s name and personal health information (PHI) in his paper without his written authorization. The Privacy Rule protects the confidentiality of PHI that is created, received, maintained, or transmitted by a covered entity or its business associate. PHI includes any information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual1. Declan, as a nursing assistant, is part of the covered entity’s workforce and must comply with the Privacy Rule. He cannot disclose John’s PHI to anyone, including his classmates or instructors, without John’s authorization or a valid exception under the Privacy Rule. Even if he does not use John’s full name, hemay still reveal enough information to make John identifiable, such as his diagnosis, his father’s condition, or his location. This would be an impermissible use and disclosure of PHI, and a potential HIPAA violation. Declan should either obtain John’s written authorization to use his PHI in his paper, or de-identify the information according to the Privacy Rule’s standards2. References:

Summary of the HIPAA Privacy Rule

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

 Matt’s decision to report the marketer’s activities is based on his suspicion that the marketer violated the Children’s Online Privacy Protection Act (COPPA), which is a federal law that regulates the online collection, use, and disclosure of personal information from children under 13 years of age1. According to COPPA, operators of websites or online services that are directed to children or knowingly collect personal information from children must:

Provide notice to parents about their information practices and obtain verifiable parental consent before collecting, using, or disclosing personal information from children12.

Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents)12.

Provide parents access to their child’s personal information to review and/or have the information deleted and give parents the opportunity to prevent further use or online collection of a child’s personal information12.

Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security12.

Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use12.

Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children12.

In Matt’s case, he did not receive any notice from the marketer about the survey or the contest, nor did he give his consent for the collection or disclosure of his son’s personal information. He also did not have any access or control over his son’s information or the ability to prevent further use or collection. Moreover, he noticed that his son’s information seemed to have been shared with other marketers, as evidenced by the commercial emails in his son’s inbox. These actions indicate that the marketer did not comply with COPPA’s requirements and may have exposed his son’s information to unauthorized or inappropriate parties. Therefore, Matt decided to report the marketer’s activities to the proper authorities, such as the Federal Trade Commission (FTC), which enforces COPPA and can impose civil penalties for violations13. References: 1: Children’s Online Privacy Protection Act | Federal Trade Commission, 1. 2: 16 CFR Part 312 – Children’s Online Privacy Protection Rule, 3. 3: Children’s Online Privacy Protection Act - Wikipedia, 2.

The GLBA prohibits financial institutions from disclosing a consumer’s account number or similar form of access number or access code to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. This restriction is intended to prevent unauthorized access to a person’s bank account by third parties who may use the account number to initiate fraudulent transactions or identity theft. The GLBA also requires financial institutions to implement safeguards to protect the security, confidentiality, and integrity of customer information, and to notify customers and regulators in the event of a security breach involving such information. References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Financial Privacy, p. 49-50

IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.C: Identify the privacy requirements for financial institutions, Subobjective II.C.2: Identify the restrictions on disclosure of account numbers, p. 14

IAPP CIPP/US Exam Blueprint, Domain II: Limits on Private-sector Collection and Use of Data, Objective II.C: Identify the privacy requirements for financialinstitutions, Subobjective II.C.2: Identify the restrictions on disclosure of account numbers, p. 5

The Civil Rights Act, Pregnancy Discrimination Act, Americans with Disabilities Act, Age Discrimination Act, and Equal Pay Act are all federal laws that prohibit employment discrimination based on certain protected characteristics, such as race, sex, disability, age, and pay1234 These laws also afford certain classes of employees’ privacy protection by limiting inquiries concerning their personal information that may reveal their protected status or be used for discriminatory purposes. For example:

The Civil Rights Act of 1964 prohibits employers from making pre-employment inquiries that express a preference, limitation, or specification based on race, color, religion, sex, or national origin, unless they are bona fide occupational qualifications.

The Pregnancy Discrimination Act of 1978, which amended the Civil Rights Act of 1964, prohibits employers from making pre-employment inquiries about whether an applicant is pregnant or intends to become pregnant, unless they are related to the ability to perform the job.

The Americans with Disabilities Act of 1990 prohibits employers from making pre-employment inquiries about whether an applicant has a disability or the nature or severity of a disability, unless they are related to the ability to perform the essential functions of the job with or without reasonable accommodation.

The Age Discrimination in Employment Act of 1967 prohibits employers from making pre-employment inquiries about an applicant’s age, unless they are related to a bona fide occupational qualification or a lawful affirmative action plan.

The Equal Pay Act of 1963 prohibits employers from making pre-employment inquiries about an applicant’s salary history, unless they are made for a lawful purpose other than determining the applicant’s pay.

Option A is incorrect because these laws do not require employers not to discriminate against certain classes when employees use personal information. Rather, they require employers not to discriminate against certain classes in any aspect of employment, such as hiring, firing, pay, promotion, training, benefits, etc1234 The use of personal information by employees is not directly addressed by these laws, although it may be subject to other privacy laws or policies.

Option B is incorrect because these laws do not require that employers provide reasonable accommodations to certain classes of employees. Rather, only the Americans with Disabilities Act and the Pregnancy Discrimination Act require employers to provide reasonable accommodations to qualified individuals with disabilities and workers with limitations related to pregnancy, childbirth, or related medical conditions, respectively, unless doing so would cause an undue hardship to the employer. The other laws do not have a similar requirement, although they may prohibit employers from denying equal opportunities to certain classes of employees.

Option C is correct because these laws afford certain classes of employees’ privacy protection by limiting inquiries concerning their personal informationthat may reveal their protected status or be used for discriminatory purposes, as explained above.

Option D is incorrect because these laws do not permit employers to use or disclose personal information specifically about employees who are members of certain classes. Rather, these laws generally prohibit employers from using or disclosing personal information that is protected by these laws for any unlawful or discriminatory purpose, unless an exception applies. For example, employers may use or disclose such information for legitimate business reasons, such as complying with reporting requirements, administering benefits, or conducting investigations.

References: 1: Facts About Equal Pay and Compensation Discrimination 2: Pregnancy Discrimination and Pregnancy-Related Disability Discrimination | U.S. Equal Employment Opportunity Commission 3: Regulations, Guidance and Policy | Equal Opportunity Guidance | OEEOWE 4: Age Discrimination | U.S. Equal Employment Opportunity Commission : Pre-Employment Inquiries and Medical Questions & Examinations | U.S. Equal Employment Opportunity Commission : Employee Medical Information | U.S. Equal Employment Opportunity Commission : Employee Privacy Rights | U.S. Department of Labor : Title VII of the Civil Rights Act of 1964 | U.S. Equal Employment Opportunity Commission : Fact Sheet: Pregnancy Discrimination | U.S. Equal Employment Opportunity Commission : The Americans with Disabilities Act: A Primer for Small Business : Age Discrimination in Employment Act of 1967 | U.S. Equal Employment Opportunity Commission : Equal Pay Act of 1963 | U.S. Equal Employment Opportunity Commission