CIPP-US Exam Dumps - IAPP Certified Information Privacy Professional Questions and Answers

The Privacy Protection Act of 1980 (PPA) is a federal law that protects journalists and newsrooms from search and seizure by government officials in connection with criminal investigations or prosecutions. The PPA prohibits the government from searching for or seizing any work product materials or documentary materials possessed by a person who intends to disseminate them to the public through a newspaper, book, broadcast, or other similar form of public communication, unless certain exceptions apply. The PPA was drafted in response to the Supreme Court’s decision in Zurcher v. Stanford Daily, which upheld the constitutionality of a police search of a student newspaper’s office without a subpoena, based on probable cause that the newspaper had evidence of a crime. The PPA was intended to protect the First Amendment rights of the press and the privacy interests of journalists and their sources from unreasonable government intrusion123. References:

• 1: IAPP, Privacy Protection Act of 1980, https://epic.org/the-privacy-protection-act-of-1980/
• 2: DOJ, Privacy Protection Act of 1980, https://www.justice.gov/archives/jm/criminal-resource-manual-661-privacy-protection-act-1980
• 3: Wikipedia, Privacy Protection Act of 1980, https://en.wikipedia.org/wiki/Privacy_Protection_Act_of_1980

According to the Health Insurance Portability and Accountability Act (HIPAA), a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA. A covered entity must report a breach of unsecured protected health information (PHI) to the following parties:

• The Department of Health and Human Services (HHS), which is the federal agency responsible for enforcing HIPAA and issuing regulations and guidance on privacy and security issues. A covered entity must notify HHS of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. A covered entity must also notify HHS of breaches affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breaches occurred.
• The affected individuals, who are the individuals whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. A covered entity must notify the affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must be in writing by first-class mail or, if the individual agrees, by electronic mail. The notification must include a brief description of the breach, the types of information involved, the steps the individual should take to protect themselves, the steps the covered entity is taking to investigate and mitigate the breach, and the contact information of the covered entity.
• The local media, if the breach affects more than 500 residents of a state or jurisdiction. A covered entity must notify prominent media outlets serving the state or jurisdiction without unreasonable delay and in no case later than 60 days after discovery of the breach. The notification must include the same information as the notification to the affected individuals.

A covered entity does not have to report the breach to medical providers, unless they are also affected individuals or business associates of the covered entity. A business associate is a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. A covered entity must have a writtencontract or agreement with its business associates that requires them to protect the privacy and security of PHI and report any breaches to the covered entity.

References:

• IAPP CIPP/US Body of Knowledge, Domain II: Limits on Private-sector Collection and Use of Data, Section C: Sector-specific Requirements for Health Information
• IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 2: Limits on Private-sector Collection and Use of Data, Section 2.3: Sector-specific Requirements for Health Information
• Practice Exam - International Association of Privacy Professionals

The U.S. Department of Commerce (DOC) is a federal agency that promotes economic growth, trade, and innovation, but does not have regulatory authority related to privacy. The DOC administers several voluntary privacy frameworks, such as the Privacy Shield, the APEC Cross-Border Privacy Rules, and the NIST Privacy Framework, but these are not legally binding or enforceable by the DOC12. The DOC also participates in international privacy negotiations and dialogues, but does not have the power to issue rules or regulations on privacy matters3.

The other three options are examples of federal agencies that do have regulatory authority related to privacy. The Consumer Financial Protection Bureau (CFPB) is an independent agency that enforces consumer protection laws, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Dodd-Frank Act, which contain privacy and data security provisions4. The U.S. Department of Transportation (DOT) is a federal agency that regulates transportation safety, security, and infrastructure, and has issued privacy rules for airlines, motor carriers, and railroads. The FederalReserve (FRB) is an independent agency that oversees the nation’s monetary policy, banking system, and financial stability, and has issued privacy rules for financial institutions under its jurisdiction. References: 1: Privacy Shield Program Overview | International Trade Administration 2: NIST Privacy Framework | NIST 3: Privacy and Data Security | U.S. Department of Commerce 4: Consumer Financial Protection Bureau - Wikipedia : [Privacy | US Department of Transportation] : [Privacy - Federal Reserve Board]

Contact tracing apps are designed to help public health authorities track and contain the spread of COVID-19 or any other diagnosed virus by notifying users who have been in close contact with an infected person. However, these apps also raise privacy concerns, as they collect and process sensitive personal data, such as health status and location information. Therefore, contact tracing apps should follow the principles of privacy by design and default, which means that they should incorporate privacy measures into their development and operation, and offer the highest level of privacy protection to users.

Some of the privacy measures that should be considered when designing contact tracing apps are:

• Data retention: Contact tracing apps should only retain the personal data they collect for as long as necessary to achieve their public health purpose, and delete or anonymize the data afterwards. Data retention periods should be clearly communicated to users and based on scientific evidence and legal requirements.
• Use limitations: Contact tracing apps should only use the personal data they collect for the specific and legitimate purpose of contact tracing, and not for any other purposes, such as commercial, law enforcement, or surveillance. Use limitations should be enforced by technical and organizational measures, such as encryption, access controls, and audits.
• User confidentiality: Contact tracing apps should protect the confidentiality of users’ personal data and identity, and not disclose them to third parties without their consent or legal authorization. User confidentiality should be ensured by technical and organizational measures, such as pseudonymization, aggregation, and data minimization.

Opt-out choice, on the other hand, is not a privacy measure that should be considered when designing contact tracing apps, as it would undermine their effectiveness and public health objective. Contact tracing apps rely on voluntary participation and widespread adoption by users to function properly and achieve their purpose. Therefore, offering users the option to opt out of the app or certain features, such as data sharing or notifications, would reduce the app’s coverage and accuracy, and potentially expose users and others to greater health risks. Instead of opt-out choice, contact tracing apps should provide users with clear and transparent information about how the app works, what data it collects and how it uses it, what benefits and risks it entails, and what rights and controls users have over their data. This way, users can make an informed and voluntary decision to use the app or not, based on their own preferences and values.

References:

• [IAPP CIPP/US Study Guide], Chapter 2: Privacy by Design and Default, pp. 35-36.
• [IAPP CIPP/US Body of Knowledge], Section II: Limits on Private-sector Collection and Use of Data, Subsection B: Privacy by Design, pp. 9-10.
• [IAPP Glossary], Terms: Contact Tracing, Privacy by Design, Privacy by Default.