CIPP-A Online Practice Questions and Answers

In the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, what exception is allowed to the Access and Correction principle?

A. Paper-based records.

B. Publicly-available information.

C. Foreign intelligence.

D. Unreasonable expense.

What term is defined by the European Commission to mean any data that relates to an identified or identifiable individual?

A. Personally identifiable information.

B. Sensitive information.

C. Personal data.

D. Identified data.

SCENARIO

SCENARIO

Which of the following entities do NOT fall under India's Right to Information Act of 2005?

A. High courts.

B. State legislatures.

C. Law enforcement agencies.

D. National Security Guard.

SCENARIO

SCENARIO

In 2013-14, the Indian Supreme Court ruled in Puttaswamy and Anr. vs Union of India that requiring a Unique Identification Number was unconstitutional if what?

A. It was restricted to residents of India.

B. It was necessary for proving citizenship.

C. It was required in order to obtain government services.

D. It was used to gather information to discriminate against minorities.

Under the General Data Protection Regulation (GDPR), European Union member states may be allowed to transfer personal data to the United States in some cases.

Which of the following could NOT be used as a legitimate means of doing this?

A. A consent derogation.

B. A certification mechanism.

C. Privacy Shield.

D. Ad-hoc contractual clauses.

What was the basis for the "TrustSg" mark, which was designed to build confidence in e-commerce transactions before the PDPA was enacted?

A. The Fair Information Practice Principles.

B. The Model Data Protection Code.

C. The Electronic Transactions Act.

D. The 1995 European Directive.

Protection of which kind of personal information is NOT explicitly mentioned in the privacy laws of Hong Kong, Singapore, and India?

A. Sensitive data.

B. Children's data.

C. Outsourced data.

D. Extraterritorial data.

Who is NOT potentially liable when an employee in a Singapore corporation or partnership breaches the PDPA?

A. A corporate officer responsible of setting up data processing.

B. The employee following the management processes.

C. The employee's direct manager overseeing data handling.

D. A partner of the partnership handling data related matters.

In Singapore, a potential employer can collect all of the following data on an individual in the pre-employment phase EXCEPT?

A. Postings from social media websites.

B. Information from a background check.

C. Information about the individual's children.

D. The individual's university attendance records.

Based on the model contract released by the Privacy Commissioner for Personal Data (PDPC), Hong Kong, all of the following sections are recommended to be put into a contract to address Ordinance 33 (Data transfer/export) of Hong Kong's Personal Data Privacy Ordinance (PDPO) EXCEPT?

A. Liability and indemnity.

B. Exemptions and Definitions.

C. Termination of the contract.

D. Obligations of the Transferee.

E. None of the above.

In what way are Singapore residents protected following a data breach in ways that India and Hong Kong residents are not?

A. The affected individuals must be informed when significant harm is likely to occur.

B. The relevant authority must be informed of such data breach following its discovery.

C. The company must have in place a data breach response plan including third-parties.

D. The breach must be reported to the relevant authority within 72 hours of the discovery.