
IAPP CIPP-C Certified Information Privacy Professional/ Canada (CIPP/C) Exam Practice Test

Demo: 22 questions
Total 76 questions

Certified Information Privacy Professional/ Canada (CIPP/C) Questions and Answers

Question 1

A federally regulated company based in Ontario has customers in Ontario, Quebec, New Brunswick, Alberta and British Columbia. Unfortunately, a third-party vendor that provides marketing support to the company experiences a privacy breach which impacts the personal information of all its customers across the provinces where it operates.

The Privacy Officer determines that the breach causes a real risk of significant harm to their customers and is tasked with reporting the breach to the relevant regulators.

With which provincial privacy regulators does the company have to file a report?

Options:

A.

It is unnecessary to file a report with any provinces because the company is federally regulated

B.

All of the provinces where its customers are located

C.

New Brunswick and British Columbia only

D.

Quebec and Alberta only

Question 2

Which of these employees would be subject to the Personal Information Protection and Electronic Documents Act (PIPEDA)?

Options:

A.

The staff of an airline offering flights across Canada.

B.

Underwriters for a New Brunswick insurance company.

C.

Clerks at a Montreal credit union based out of Montreal.

D.

The information technology department of the Saskatchewan Office of Residential Tenancies of Saskatchewan.

Question 3

Which of the following existing frameworks is least effective in addressing emerging AI issues while specific AI legislation is being decided?

Options:

A.

The Canada Consumer Product Safety Act.

B.

The Motor Vehicle Safety Act.

C.

The Copyright Act.

D.

The Criminal Code.

Question 4

What is the Generally Accepted Privacy Principles (GAPP) framework?

Options:

A.

An information management model that is widely recognized across many Canadian industries.

B.

A comprehensive guide for industry best practices as delineated by the Canadian federal Privacy Commissioner.

C.

A template for Privacy Impact Assessments (PIAs) that are conducted within private sector organizations in Canada.

D.

A principles-based privacy approach advocated by Canada’s leading accounting industry group and its U.S.-based counterpart.

Question 5

In which instance is your personal information deemed publicly available?

Options:

A.

You belong to a professional body and your name exists on a registry that meets legal requirements.

B.

You volunteer for an organization and they register you on their contact list in order to book you for future shifts.

C.

You applied to a variety of universities and your application data exists on a register by the admissions departments.

D.

You contributed financial donations to your local church and your name exists on their list for income tax receipt purposes.

Question 6

In 2007, four employees of TELUS Communications Corporation filed a complaint with the Privacy Commissioner of Canada in connection with the collection of what personal information?

Options:

A.

Voiceprint information.

B.

Drivers' licenses.

C.

Urine samples.

D.

Video images.

Question 7

Which statement is TRUE regarding health information privacy laws in Canada?

Options:

A.

Obligations regarding accountability for health information are transferred when control is outsourced to a third party.

B.

Emphasis is given to personal information protection over the maintenance of the publicly funded healthcare system.

C.

There is a significant amount of variation among provinces regarding the definition of consent and how the consent requirement is addressed.

D.

In provinces where there are no health information privacy statutes, a combination of the public health regulations and the private sector privacy legislation apply.

Question 8

Which organization was the primary influence in the development of Canadian privacy with their publication of a set of eight privacy principles?

Options:

A.

The Organization for Economic Co-operation and Development (OECD).

B.

The Canadian Institute of Chartered Accountants

C.

The Center for Democracy and Technology (CRT)

D.

The Canadian Standards Association (CSA).

Question 9

According to the federal court ruling in the Eastman Case, video cameras in the workplace are considered to be collecting personal information?

Options:

A.

At the moment a recording occurs.

B.

When a camera is on, even if it is not yet recording.

C.

As soon as the data is saved to a workplace server.

D.

When someone within the organization views the recording.

Question 10

What is a difference between the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Information Privacy Act (PIPA) of both Alberta and British Columbia?

Options:

A.

PIPEDA applies to personal information about individuals employed by government institutions; PIPA applies to personal information about individuals employed by public-sector organizations within the provinces.

B.

The enforcement powers of the federal Privacy Commissioner of Canada under PIPEDA are greater than those of the provincial privacy commissioners under PIPA.

C.

PIPEDA applies to federal undertakings and to inter-provincial organizations engaged in commercial activities; PIPA applies to private organizations.

D.

The person in charge of oversight of PIPEDA is a privacy commissioner; the person in charge of oversight of PIPA is an ombudsman.

Question 11

In which situation could a request for access to one’s personal information be denied under the Privacy Act?

Options:

A.

The personal information was collected by the Royal Canadian Mounted Police while performing policing services for a province or municipality.

B.

The personal information was obtained in confidence from a foreign state or agency which has consented to the disclosure of the information.

C.

The release of the personal information could reasonably be expected to cause injury to a protected species of wildlife.

D.

The personal information is more than 20 years old and relates to the detection or suppression of money laundering.

Question 12

What can be concluded from the Blood Tribe case regarding the Privacy Commissioner's access to information?

Options:

A.

The commissioner cannot receive information unless it is gathered under oath.

B.

The commissioner cannot ask an organization to prove that a document is privileged.

C.

The commissioner can compel the production of all documents that are relevant to the investigation.

D.

The commissioner can officially request proof that desired information is subject to solicitor-client privilege.

Question 13

According to the Alberta Personal Information Protection Act, which of the following data breach reporting notifications to the commissioner is NOT automatically triggered when real risk of significant harm (RROSH) has been determined?

Options:

A.

Providing a description of the steps the organization will take to notify the affected individual(s).

B.

Providing a description of the steps the organization has taken to reduce or mitigate that harm.

C.

Providing an estimate of the number of individuals affected by the breach.

D.

Providing a description of the personal information involved in the breach.

Question 14

According to the Privacy Act, which of the following disclosures of personal information by a government institution would require the data subject’s consent?

Options:

A.

When disclosing to a law enforcement body.

B.

When disclosing to comply with a search warrant.

C.

When disclosing to a registered charitable organization.

D.

When disclosing to a member of parliament to assist in resolving a problem.

Question 15

ABC Corp uses a third-party provider to perform data analytics and sends the following data sets to the third party to run some reports: name, customer ID, age, transaction activity, transaction date, location, outcome, customer type.

If ABC Corp wants the third party to send all the data sets to their US-based marketing partner for a new use, they must?

Options:

A.

Encrypt data in transit.

B.

Anonymize the personal data before sending.

C.

Seek additional consent from their customers.

D.

Ensure the marketing partner has equal or stronger protections than Canada.

Question 16

Of the key principles in the Personal Information Protection and Electronic Documents Act (PIPEDA), which principle in particular contributes to the increase in privacy policies in recent years?

Options:

A.

Limiting Use, Disclosure, and Retention.

B.

Individual Access.

C.

Openness.

D.

Accuracy

Question 17

According to the Canadian Standards Association (CSA) Model Code, how long should personal information be retained?

Options:

A.

Personal information should not be retained at all.

B.

Personal information should be retained indefinitely as long as consent has been given.

C.

Personal information should be retained for at least two years after the last administrative use.

D.

Personal information should be retained as long as necessary for the fulfillment of the purpose of the collection.

Question 18

The process of de-identification where new data elements are substituted for identifying information is?

Options:

A.

Shuffling.

B.

Encryption.

C.

Anonymization.

D.

Pseudonymization.

Question 19

A boutique hotel in Montreal seeks to attract travelers from Europe but wants to avoid becoming subject to the GDPR’s requirements. Which of the following activities is most likely to result in a finding that the hotel is subject to the GDPR?

Options:

A.

Placing advertisements on travel websites accessible in Europe.

B.

Collecting contact information for foreign business leaders from public directories.

C.

Sending discount offers to guests who previously registered using a foreign address.

D.

Translating the hotel's registration page into German based on the visitor's IP address.

Question 20

A new client is opening a Registered Retirement Savings Plan. Their investment advisor asks for their social insurance number (SIN). The advisor must tell the client that because they are opening a tax reporting product, their SIN is mandatory for tax reporting purposes and?

Options:

A.

Optional for identity verification purposes.

B.

Mandatory for identity verification purposes.

C.

Optional for secondary marketing purposes.

D.

Mandatory for secondary marketing purposes.

Question 21

What is critical to consider when an organization responsible for a large number of records wants to outsource the storage of those records?

Options:

A.

Determining if the personal information stored on the records will be used for data matching

B.

Putting into place a contractual agreement between the organization and the records storage company.

C.

Conducting a Privacy Impact Assessment (PIA) prior to establishing a relationship with the storage company.

D.

Establishing that consent gathered from individuals by the organization in order to store their personal information was informed and meaningful.

Question 22

What must a federal government department do before it implements an electronic service (e-service)?

Options:

A.

Conduct a preliminary PIA before acquiring the service

B.

Complete a PIA in accordance with Treasury Board guidelines.

C.

Publish a privacy statement in newspapers and on the government website.

D.

Determine if the Office of the Privacy Commissioner must be notified of the launch of this new e-service
