Which of the following is the MOST important privacy consideration when developing a contact tracing application?
Correct Answer: A
Explanation The proportionality of the data collected for the intended purpose is the most important privacy consideration when developing a contact tracing application. This means that the application should only collect the minimum amount of personal data necessary to achieve the specific and legitimate purpose of preventing and controlling the spread of COVID-191. The application should also ensure that the data collected are relevant, adequate, and not excessive in relation to the purpose2. The application should avoid collecting or processing any data that are not essential for the purpose, such as location data, biometric data, or health data unrelated to COVID-193. The application should also respect the data minimization principle, which requires that the data are kept for no longer than necessary for the purpose4. References: * European Data Protection Board Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak * Article 5(1) of the General Data Protection Regulation (GDPR) * Article 29 Data Protection Working Party Opinion 04/2017 on the Proposed Regulation for the ePrivacy Regulation * Article 5(1)(e) of the GDPR
Question 102
Which of the following is the GREATEST obstacle to conducting a privacy impact assessment (PIA)?
Correct Answer: D
Explanation The value proposition of a PIA is not understood by management is the greatest obstacle to conducting a PIA, as it may result in lack of support, funding, resources or commitment for the PIA process and outcomes. Management may not appreciate or recognize the benefits of a PIA, such as enhancing privacy protection, reducing privacy risks and costs, increasing customer trust and satisfaction, and complying with privacy laws and regulations. Management may also perceive a PIA as a burden, a delay or a hindrance to the system or project development and delivery. The other options are not as significant as the value proposition of a PIA is not understood by management as obstacles to conducting a PIA. Conducting a PIA requires significant funding and resources is an obstacle to conducting a PIA, but it may be overcome by demonstrating the return on investment or the cost-benefit analysis of a PIA. PIAs need to be performed many times in a year is an obstacle to conducting a PIA, but it may be mitigated by adopting a scalable or modular approach to PIAs that can be tailored to different types or levels of systems or projects. The organization lacks knowledge of PIA methodology is an obstacle to conducting a PIA, but it may be resolved by acquiring or developing the necessary skills, tools or guidance for performing PIAs1, p. 67-68 References: 1: CDPSE Review Manual (Digital Version)
Question 103
Which of the following is the PRIMARY consideration to ensure control of remote access is aligned to the privacy policy?
Correct Answer: A
Question 104
Which of the following is the PRIMARY reason that organizations need to map the data flows of personal data?
Correct Answer: A
Explanation Data flow mapping is a technique to document how personal data flows within and outside an organization, including the sources, destinations, formats, purposes and legal bases of the data processing activities. Data flow mapping helps organizations to assess privacy risks, such as data breaches, unauthorized access, misuse or loss of data, and to implement appropriate controls to mitigate those risks. Data flow mapping may also help organizations to evaluate the effectiveness of data controls, determine data integration gaps and comply with regulations, but those are not the primary reasons for data flow mapping1, p. 69-70 References: 1: CDPSE Review Manual (Digital Version)
Question 105
A privacy risk assessment identified that a third-party collects personal data on the organization's behalf. This finding could subject the organization to a regulatory fine for not disclosing this relationship. What should the organization do NEXT?
Correct Answer: D
Explanation The organization should disclose the relationship to those affected in jurisdictions where such disclosures are required, as this is the most appropriate and compliant action to take after identifying a privacy risk related to third-party data collection. Disclosing the relationship to the data subjects is a way of providing transparency and accountability, as well as respecting their rights and choices regarding their personal data. It also helps the organization avoid regulatory fines or sanctions for not complying with the applicable privacy laws or regulations that mandate such disclosures. The other options are not as effective or sufficient as disclosing the relationship, as they do not address the root cause of the risk, do not mitigate the potential harm to the data subjects, or do not align with the privacy principles and best practices. References: CDPSE Review Manual, 2021, p. 36
