CIPP-US Exam Dumps - IAPP Certified Information Privacy Professional Questions and Answers

The Family and Medical Leave Act (FMLA) is a federal law that provides eligible employees with up to 12 weeks of unpaid, job-protected leave per year for certain family and medical reasons, such as the birth or adoption of a child,the serious health condition of the employee or a family member, or a qualifying exigency arising from the employee’s spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces. The FMLA also provides eligible employees with up to 26 weeks of unpaid, job-protected leave per year to care for a covered service member with a serious injury or illness if the employee is the spouse, child, parent, or next of kin of the service member. The FMLA applies to all public agencies, including state, local, and federal employers, and local education agencies (schools), and to private sector employers who employ 50 or more employees for at least 20 workweeks in the current or preceding calendar year.

The FMLA often requires employers to collect medical information from employees who request FMLA leave or from their health care providers to certify the need for leave, the duration of leave, and the employee’s ability to return to work. The FMLA regulations specify the type and amount of information that employers may request and require for different types of FMLA leave, such as:

Basic medical facts, such as the diagnosis, symptoms, hospitalization, doctor visits, whether medication has been prescribed, and any referrals for evaluation or treatment, for the employee’s own serious health condition or that of a family member.

Information on the medical necessity of intermittent leave or reduced schedule leave and the expected frequency and duration of such leave, for the employee’s own serious health condition or that of a family member, or for planned medical treatment.

A statement of the facts regarding the qualifying exigency, such as the type of military duty, the dates of the covered active duty, and the contact information of the military member, for leave due to a qualifying exigency arising from the employee’s spouse, child, or parent being on covered active duty or call to covered active duty status in the Armed Forces.

Information on the medical condition, treatment, and recovery of the covered service member, such as the date of injury or onset of illness, the current medical status, the prognosis, and the estimated time of treatment, for leave to care for a covered service member with a serious injury or illness.

The FMLA also imposes certain obligations on employers to protect the privacy and security of the medical information they collect from employees or their health care providers. For example, employers must:

Maintain records and documents relating to medical certifications, recertifications, or medical histories of employees or employees’ family members as confidential medical records in separate files/records from the usual personnel files, and if the Americans with Disabilities Act (ADA) applies, such records must be maintained in conformance with ADA confidentiality requirements.

Ensure that any electronic systems used to maintain such records meet the confidentiality requirements of the FMLA and the ADA, and that only authorized persons have access to such records.

Limit the disclosure of such records to supervisors and managers who need to know about an employee’s FMLA leave, first aid and safety personnel when an employee’s medical condition might require emergency treatment, and government officials investigating compliance with the FMLA.

Comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule when requesting medical information from an employee’s health care provider, such as obtaining a valid authorization from the employee or using a HIPAA-compliant certification form.

Refrain from requesting more information than allowed by the FMLA regulations, such as asking for an employee’s complete medical records or information unrelated to the FMLA leave request.

Respect the employee’s right to revoke a medical authorization or challenge a medical certification, and follow the procedures for resolving disputes over the validity or sufficiency of such documents.

References:

The Family and Medical Leave Act (FMLA)

FMLA Employee Guide

FMLA Employer Guide

FMLA Regulations

FMLA Forms

The Federal Trade Commission (FTC) issued its 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”1, which outlined a framework for privacy protection based on three main principles: privacy by design, simplified consumer choice, and greater transparency. The report also identified five priority areas for the FTC’s privacy enforcement and policy efforts, which were:

Data brokers

Large platform providers

Mobile

Promoting enforceable self-regulatory codes

International data transfers

Do Not Track was not one of the five priority areas, but rather a specific mechanism for implementing the principle of simplified consumer choice. The report endorsed the development of a Do Not Track system that would allow consumers to opt out of online behavioral advertising across websites and platforms1. The report also noted the progress made by various stakeholders, such as the World Wide Web Consortium (W3C), the Digital Advertising Alliance (DAA), and browser companies, in advancing the Do Not Track initiative1. References: 1: Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), available at 1.

Under the California Consumer Privacy Act (CCPA), a business that collects personal information of California residents must notify them of a data breach if their personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. However, the CCPA excludes encrypted or redacted personal information from the definition of personal information, unless the encryption key or security credential is also compromised. Therefore, Privacy Is Hiring Inc. would need to notify the affected individuals only if the encryption keys were also taken along with the credit card information, as this would render the encryption ineffective and expose the personal information to unauthorized access. The other options are not relevant to the CCPA notification requirement, although they may be relevant to other laws or best practices. References: CCPA (Section 1798.150), IAPP CIPP/US Study Guide (p. 63-64)

California’s SB 1386, also known as the California Security Breach Information Act, was enacted in 2002 and became effective in 2003. It was the first law of its kind in the United States to require commercial entities that own or license personal information of California residents to notify them in the event of a security breach that compromises their unencrypted data. The law aims to protect the privacy and security of personal information and to enable individuals to take preventive measures against identity theft and fraud. The law applies to any business or person that conducts business in California and that owns or licenses computerized data that includes personal information, as defined by the law. Personal information includes an individual’s first name or first initial and last name in combination with any one or more of the following data elements: Social Security number, driver’s license number or California identification card number, account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or medical information or health insurance information. The law does not apply to encrypted information, publicly available information, or information that is lawfully obtained from federal, state, or local government records. The law requires the disclosure of a breach of the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The disclosure may be made by written notice, electronic notice, or substitute notice, as specified by the law. The law also requires any person or business that maintains computerized data that includes personal information that the person or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law also authorizes a civil action for damages by a customer injured by a violation of the law and provides that the rights and remedies available under the law are cumulative to each other and to any other rights and remedies available under law. References:

California Senate Bill 1386 (2002)

California SB 1386: For the Love of Privacy

What Is the California Security Breach Information Act?

California Raises the Bar on Data Security and Privacy

Data brokers are companies that collect, analyze, and share personal information about consumers for various purposes, such as marketing, risk mitigation, and research. The U.S. Federal Trade Commission (FTC) conducted a study of nine data brokers in 2012 and published a report in 2014, titled “Data Brokers: A Call for Transparency and Accountability”. In the report, the FTC identified three broad categories of products offered by data brokers, based on the primary purposes for which the products are used by their customers. The three categories are: 12

Marketing products: These products help customers target potential customers, tailor marketing offers, measure the effectiveness of marketing campaigns, and improve customer relationships. Marketing products include data elements, segments, scores, lists, and analytics that are derived from consumer data. Data brokers may provide marketing products through direct marketing (such as postal mail, e-mail, or phone), online marketing (such as online display ads, social media, or mobile apps), or marketing analytics (such as measuring consumer behavior, preferences, and trends)12

Risk mitigation products: These products help customers verify and authenticate consumers’ identities, prevent fraud, and comply with legal obligations. Risk mitigation products include identity verification, identity authentication, fraud prevention, and compliance products that are based on consumer data. Data brokers may provide risk mitigation products through various methods, such as matching consumer-providedinformation with data broker records, generating questions or challenges based on consumer data, or providing scores or indicators of fraud risk or compliance status12

Research products: These products help customers understand consumer behavior, preferences, and trends, as well as market conditions, industry developments, and economic factors. Research products include reports, studies, statistics, and insights that are derived from consumer data. Data brokers may provide research products through various formats, such as online portals, dashboards, newsletters, or custom reports12

The FTC report did not include location of individuals as one of the three broad categories of products offered by data brokers. Location of individuals may be a specific type of product or service that some data brokers provide, but it is not a primary purpose for which data brokers use consumer data. Therefore, the correct answer is C. Location of individuals (such as identifying an individual from partial information).

References:

Data Brokers: A Call For Transparency and Accountability: A Report of the Federal Trade Commission (May 2014)

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 5: State Privacy Laws, Section 5.3: Data Broker Laws

The Department of Commerce (DOC) plays a role in privacy policy by promoting the development and adoption of voluntary codes of conduct, standards, and best practices for the private sector, as well as facilitating cross-border data transfers through mechanisms such as the EU-U.S. Privacy Shield and the APEC Cross-Border Privacy Rules. However, the DOC does not have regulatory authority to enforce privacy laws or impose sanctions for privacy violations. The other agencies listed have some degree of regulatory authority over privacy issues within their respective domains. For example, the Office of the Comptroller of the Currency (OCC) supervises national banks and federal savings associations and enforces the GLBA privacy and security rules for these institutions. The Federal Communications Commission (FCC) regulates interstate and international communications and enforces the privacy and security rules for telecommunications carriers, broadband providers, and voice over internet protocol (VoIP) services. The Department of Transportation (DOT) oversees the transportation sector and enforces the privacy and security rules for airlines, travel agents, and other covered entities under the Aviation and Transportation Security Act (ATSA). References:

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 1: Introduction to the U.S. Privacy Environment, Section 1.3: Federal Agencies with a Role in Privacy, p. 18-19

IAPP CIPP/US Body of Knowledge, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role inprivacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 7

IAPP CIPP/US Exam Blueprint, Domain I: Introduction to the U.S. Privacy Environment, Objective I.B: Identify the major federal agencies with a role in privacy, Subobjective I.B.4: Identify the role of the Department of Commerce, p. 3

 The CCPA applies to any business that collects personal information of California residents, regardless of where the business is located1. The CCPA defines personal information broadly as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household2. This could include business contact information, such as name, email address, phone number, or job title, if it is linked to a specific individual3. Therefore, Otto should tell the Board that business contact information could be considered personal information governed by CCPA, and that the company may need to comply with the CCPA requirements, such as providing notice, honoring consumer rights requests, and implementing reasonable security measures4. References:

CIPP/US Practice Questions (Sample Questions), Question 124, Answer C, Explanation C.

IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6, Section 6.2, p. 181-182.

California Consumer Privacy Act (CCPA), Section 1798.140, Subsection (o).

CCPA Compliance Checklist for Businesses, Section 2, Subsection (a).

The Privacy Protection Act of 1980 (PPA) is a federal law that protects journalists and newsrooms from search and seizure by government officials in connection with criminal investigations or prosecutions. The PPA prohibits the government from searching for or seizing any work product materials or documentary materials possessed by a person who intends to disseminate them to the public through a newspaper, book, broadcast, or other similar form of public communication, unless certain exceptions apply. The PPA was drafted in response to the Supreme Court’s decision in Zurcher v. Stanford Daily, which upheld the constitutionality of a police search of a student newspaper’s office without a subpoena, based on probable cause that the newspaper had evidence of a crime. The PPA was intended to protect the First Amendment rights of the press and the privacy interests of journalists and their sources from unreasonable government intrusion123. References:

1: IAPP, Privacy Protection Act of 1980, https://epic.org/the-privacy-protection-act-of-1980/

2: DOJ, Privacy Protection Act of 1980, https://www.justice.gov/archives/jm/criminal-resource-manual-661-privacy-protection-act-1980

3: Wikipedia, Privacy Protection Act of 1980, https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980

Title VII of the Civil Rights Act of 1964 is a federal law that prohibits employment discrimination based on race, color, religion, sex, and national origin1 It also prohibits retaliation against individuals who assert their rights under the law or participate in an EEOC investigation1 Title VII applies to employers with 15 or more employees, as well as to employment agencies, labor organizations, and joint labor-management committees1

Title VII prohibits employers from making pre-employment inquiries that express a preference, limitation, or specification based on any of the protected characteristics, unless they are bona fide occupational qualifications (BFOQs)2 BFOQs are rare and narrowly construed exceptions that allow employers to consider a protected characteristic when it is reasonably necessary to the normal operation of the business2 For example, a religious organization may require its employees to share its faith, or a women’s shelter may hire only female counselors2

Option A is incorrect because questions about age are not prohibited by Title VII, but by the Age Discrimination in Employment Act of 1967 (ADEA), which protects individuals who are 40 years of age or older from employment discrimination based on age3 The ADEA generally prohibits employers from asking applicants about their age or date of birth, unless age is a BFOQ or the inquiry is part of a lawful affirmative action plan3

Option B is incorrect because questions about a disability are not prohibited by Title VII, but by the Americans with Disabilities Act of 1990 (ADA), which protects qualified individuals with disabilities from employment discrimination based on disability4 The ADA generally prohibits employers from asking applicants about whether they have a disability or the nature or severity of a disability, unless the inquiry is related to the ability to perform the essential functions of the job with or without reasonable accommodation4

Option C is incorrect because questions about a national origin are prohibited by Title VII, but not in all circumstances. Title VII prohibits employers from asking applicants about their national origin, ancestry, birthplace, native language, or accent, unless they are BFOQs or the inquiry is related to a legitimate business purpose, such as verifying eligibility to work in the United States or assessing language proficiency for a job that requires communication skills25

Option D is correct because questions about intended pregnancy are prohibited by Title VII, as amended by the Pregnancy Discrimination Act of 1978 (PDA), which protects women from employment discrimination based on pregnancy, childbirth, or related medical conditions. The PDA prohibits employers from asking applicants about whether they are pregnant or intend to become pregnant, unless they are related to the ability to perform the job. Such questions may indicate an intent to discriminate based on sex or pregnancy, or may deter women from applying for certain jobs.

References: 1: Title VII of the Civil Rights Act of 1964 | U.S. Equal Employment Opportunity Commission 2: Questions and Answers about Race and Color Discrimination in Employment | U.S. Equal Employment Opportunity Commission 3: Age Discrimination | U.S. Equal Employment Opportunity Commission 4: Disability Discrimination | U.S. Equal Employment Opportunity Commission 5: National Origin Discrimination | U.S. Equal Employment Opportunity Commission : Pregnancy Discrimination | U.S. Equal Employment Opportunity Commission

The Foreign Intelligence Surveillance Act (FISA) was enacted in 1978 in response to revelations of widespread privacy violations by the federal government under President Nixon. It established procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign power1 The original purpose of FISA was to further define a framework for authorizing wiretaps by the executive branch for national security purposes under Article II of the Constitution, which grants the president the power to conduct foreign affairs and defend the nation23 FISA was intended to balance the need for collecting foreign intelligence information with the protection of privacy and civil liberties of U.S. persons4 References: https://www.intelligence.gov/foreign-intelligence-surveillance-act

https://www.intelligence.gov/foreign-intelligence-surveillance-act/1234-categories-of-fisa