Free Access to IAPP.CIPP-US.v2024-06-24.q124 with Valid Practice Test (Page 6)

Question 21

Federal laws establish which of the following requirements for collecting personal information of minors under the age of 13?

A.Implied consent from a minor's parent or guardian, or affirmative consent from the minor.
B.Affirmative consent from a minor's parent or guardian before collecting the minor's personal information online.
C.Implied consent from a minor's parent or guardian before collecting a minor's personal information online, such as when they permit the minor to use the internet.
D.Affirmative consent of a parent or guardian before collecting personal information of a minor offline (e.g., in person), which also satisfies any requirements for online consent.

Question 22

What type of material is exempt from an individual's right to disclosure under the Privacy Act?

A.Material requires by statute to be maintained and used solely for research purposes.
B.Material reporting investigative efforts to prevent unlawful persecution of an individual.
C.Material used to determine potential collaboration with foreign governments in negotiation of trade deals.
D.Material reporting investigative efforts pertaining to the enforcement of criminal law.

Question 23

A company's employee wellness portal offers an app to track exercise activity via users' mobile devices.
Which of the following design techniques would most effectively inform users of their data privacy rights and privileges when using the app?

A.Offer information about data collection and uses at key data entry points.
B.Publish a privacy policy written in clear, concise, and understandable language.
C.Present a privacy policy to users during the wellness program registration process.
D.Provide a link to the wellness program privacy policy at the bottom of each screen.

Correct Answer: A

The design technique that would most effectively inform users of their data privacy rights and privileges when using the app is to offer information about data collection and uses at key data entry points. This technique is also known as "just-in-time" or "layered" notice, and it is recommended by the U.S. Federal Trade Commission (FTC) as a best practice for mobile app developers12 The idea behind this technique is to provide users with relevant and timely information about how their data is collected and used by the app, and what choices they have to control their data, at the moment when they are asked to provide or access their data. For example, if the app collects location data from the user's device, it should display a pop-up notice explaining why it needs the location data, how it will use it, and how the user can opt-out or change the settings. This way, the user can make an informed decision about whether to allow or deny the app's access to their data, and understand the consequences of their choice12 The advantage of this technique is that it avoids overwhelming the user with too much information at once, and instead provides concise and contextual information that is easy to understand and act upon. It also increases the user's trust and confidence in the app, as they feel more in control of their data and privacy12 The other design techniques are less effective because they do not provide the user with sufficient or timely information about their data privacy rights and privileges when using the app. Publishing a privacy policy written in clear, concise, and understandable language is a good practice, but it is not enough to inform the user of their data privacy rights and privileges, as many users may not read or understand the policy, or may not be aware of where to find it. Presenting a privacy policy to users during the wellness program registration process is also a good practice, but it may not capture all the data collection and uses that the app may perform, and it may not give the user enough opportunity to review and consent to the policy. Providing a link to the wellness program privacy policy at the bottom of each screen is also a good practice, but it may not be noticeable or accessible to the user, and it may not provide the user with the specific information they need at the point of data entry or access12 References:
* Mobile Privacy Disclosures: Building Trust Through Transparency: A Federal Trade Commission Staff Report (February 2013)
* IAPP CIPP/US Certified Information Privacy Professional Study Guide, Chapter 6: Privacy Program Management, Section 6.4: Privacy by Design

Question 24

SCENARIO
Please use the following to answer the next QUESTION :
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.
He was also curious about the hospital's use of a billing company. He Questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.
On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the halfway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.
Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan's day ended with many QUESTIONS, he was pleased about his new position.
How can the radiology department address Declan's concern about paper waste and still comply with the Health Insurance Portability and Accountability Act (HIPAA)?

A.State the privacy policy to the patient verbally
B.Post the privacy notice in a prominent location instead
C.Direct patients to the correct area of the hospital website
D.Confirm that patients are given the privacy notice on their first visit

Question 25

Which of the following federal agencies does NOT have regulatory authority related to privacy?

A.U.S. Department of Commerce.
B.Federal Reserve
C.Consumer Financial Protection Bureau.
D.U.S. Department of Transportation.

Question 21

Question 22

Question 23

Question 24

Question 25

Download PDF File