Exam4Training

DSCI DCPP-01 DSCI certified Privacy Professional Online Training

Question #1

APEC privacy framework envisages common principles such as Notice, Collection limitation, Use Limitation, Access and Correction, Security/Safeguards, and Accountability.

But it differs from the EU Data Protection Directive in which of the following aspects?

  • A . APEC privacy framework does not deal with the usage of personal information
  • B . APEC privacy framework does not mandate the binding treaties or directives for member countries
  • C . APEC privacy framework does not have a provision for co-operation between privacy enforcement agencies of members
  • D . APEC privacy framework does not deal with e-commerce

Correct Answer: B
Question #2

A multinational company with operations both within and outside the EU carries out international transfers of the personal data of its employees and customers. Some of its larger EU branches have a works council. Most of the transferred data is personal, and some of the data the organization collects is sensitive in nature; the processing of some of this data is outsourced to its branches in Asian countries.

Which of the following is not a mandatory prerequisite before transferring sensitive personal data to its Asian branches?

  • A . Notifying the data subject
  • B . Conducting risk assessment for the processing involved
  • C . Determining adequacy status of the country
  • D . Self-certifying to Safe Harbor practices and reporting to Federal Trade Commission

Correct Answer: D
Question #3

A multinational company with operations both within and outside the EU carries out international transfers of the personal data of its employees and customers. Some of its larger EU branches have a works council. Most of the transferred data is personal, and some of the data the organization collects is sensitive in nature; the processing of some of this data is outsourced to its branches in Asian countries.

For exporting EU branch employees’ data to Asian Countries for processing, which of the following instruments could be used for legal data transfer?

  • A . Customized contracts mandating ISO 27001 certification by the data processor
  • B . Standard Contractual Clauses
  • C . Binding Corporate Rules
  • D . Privacy Shield Framework

Correct Answer: B

Explanation:

The Privacy Shield Framework covered only transfers from the EU to self-certified organizations in the US, so it cannot cover transfers to branches in Asia. Standard Contractual Clauses are the general instrument for such transfers; because the recipients are the company's own branches, Binding Corporate Rules (option C) would also be a valid instrument. An ISO 27001 requirement in a customized contract (option A) is not a recognised transfer mechanism on its own.
Question #4

A multinational company with operations both within and outside the EU carries out international transfers of the personal data of its employees and customers. Some of its larger EU branches have a works council. Most of the transferred data is personal, and some of the data the organization collects is sensitive in nature; the processing of some of this data is outsourced to its branches in Asian countries.

For the outsourced processing of its customers' data, in order to initiate a data transfer to another organization outside the EU, which of the following is most appropriate?

  • A . The vendor (data importer) in the third country, and not the exporter, is responsible for putting in place suitable model contractual clauses, so the exporter does not need to take any action.
  • B . Since the data is processed by the vendor outside the EU, the EU Directive does not apply and there are no legal concerns
  • C . The data exporter needs to initiate model contractual clauses after obtaining approval from the data protection commissioner and have the vendor sign the same as data importer
  • D . The data importer needs to notify the data protection commissioner in the destination country about the transfer, and the exporter needs to similarly notify in the EU country of origin

Correct Answer: C

Explanation:

Under the Data Protection Directive the data exporter in the EU is the party that must put the Commission-approved model clauses in place, with the importer as co-signatory; in several member states the clauses then had to be filed with or approved by the national data protection authority. The Directive does apply to the exporter's transfer (option B is wrong), and a data importer in a third country has no notification duty under EU law (option D is wrong).
Question #5

With reference to APEC privacy framework, when personal information is to be transferred to another person or organization, whether domestically or internationally, “the ______________ should obtain the consent of the individual and exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with APEC information privacy principles”.

  • A . Personal Information Owner
  • B . Personal Information Controller
  • C . Personal Information Processor
  • D . Personal Information Auditor

Correct Answer: B

Explanation:

Reference: https://iapp.org/news/a/gdpr-matchup-the-apec-privacy-framework-and-cross-border-privacy-rules/

Question #6

From the below listed options, identify the new privacy principle that is being advocated in proposed EU General Data Protection Regulation?

  • A . Right to be informed prior to sharing of data
  • B . Right to modify data
  • C . Right to be forgotten
  • D . Right to object data collection and processing

Correct Answer: C
Question #7

Which of the following statements are true about the privacy statement of an organization?

  • A . Content of the online privacy statement of an organization will depend upon the applicable laws, and may need to address requirements across geographical boundaries and legal jurisdictions
  • B . As per privacy laws generally it is mandatory to mention the phone contact details of the owner of organization in the online privacy statement where customers can reach out in case of a grievance or incident
  • C . Online privacy statement is an instrument to demonstrate to stakeholders how the organization gathers, uses, discloses, and manages personal data
  • D . India’s Information Technology (Amendment) Act, 2008 does not require that privacy policy be published on the website

Correct Answer: A

Explanation:

Reference: https://en.wikipedia.org/wiki/Privacy_policy

Question #8

With respect to ‘Data Minimization’ privacy principle, please select the correct statements from the following:

  • A . Right to object by the data subject for minimizing the collection of personal information
  • B . Data controllers should limit the amount of data collected to what is directly relevant and necessary to accomplish a specified purpose
  • C . Data controllers should retain the data only for as long as is necessary to fulfil the purpose for which it was collected
  • D . Process of analyzing and minimizing the collected data into useful information

Correct Answer: B

Explanation:

Data minimization requires data controllers to limit collection to what is directly relevant and necessary for a specified purpose. Option C describes the separate retention (storage limitation) principle, and options A and D do not describe a privacy principle at all.
Question #9

Which of the following privacy principles deals with informed consent of the data subject before sharing the data subject's personal information with third parties for processing?

  • A . Collection limitation
  • B . Purpose limitation
  • C . Disclosure of information
  • D . Accountability

Correct Answer: C
Question #10

For negligence in implementing and maintaining the reasonable security practices and procedures for protecting Sensitive Personal Data or Information (SPDI) as mentioned in Section 43A and associated rules under IT (Amendment) Act, 2008, a corporate entity may be liable to pay compensation of up to___________

  • A . Rs. 50,000,000
  • B . Rs. 500,000,000
  • C . Rs. 5,000,000
  • D . Upper limit not defined

Correct Answer: D

Explanation:

Reference: https://shodhganga.inflibnet.ac.in/bitstream/10603/164562/3/chapter%20ii.pdf

Question #11

‘Challenging Compliance’ as a privacy principle is covered in which of the following data protection/privacy act?

  • A . Federal Data Protection Act, Germany
  • B . UK Data Protection Act
  • C . PIPEDA
  • D . Singapore Data Protection Act

Correct Answer: C
Question #12

Which of the following is not required by an organization in US, resorting to EU-US Safe Harbor provisions, to transfer personal information from EU member nation to US?

  • A . Adherence to the seven safe harbor principles
  • B . Disclose their privacy policy publicly
  • C . Sign standard contractual clauses with data exporters in EU
  • D . Notify FTC of the self-certification

Correct Answer: C

Explanation:

Safe Harbor self-certification required adherence to the seven Safe Harbor principles, a published privacy policy stating that adherence, and notification of the self-certification to the US Department of Commerce, with the FTC as the enforcement body. Standard contractual clauses were a separate, alternative transfer mechanism and were not required alongside Safe Harbor.
Question #13

Please select the incorrect statement in context of “Online Privacy”:

  • A . A person’s act of ‘Selective disclosure” (of themselves) in an online environment
  • B . A person’s concern over usage of information that were collected during an online activity
  • C . A person’s control over collection of information during an online activity
  • D . A person’s concern on the software licensing agreement they sign with any organization

Correct Answer: D

Explanation:

Selective disclosure, control over the collection of information, and concern over how collected information is later used are all elements of online privacy. A software licensing agreement is a contractual matter, not an element of online privacy.
Question #14

Complete the sentence: The Gramm-Leach-Bliley Act (GLBA) of US regulates the privacy practices adopted by financial institutions, requiring them to provide adequate security of the customer records. It lays various obligations on the financial institutions but allows such financial institutions to share the non-public information of customers (after properly notifying their consumers in a manner mentioned in the Act) with

  • A . Its affiliates only after obtaining explicit consent from the consumers
  • B . Its affiliates without need for obtaining explicit consent from the consumers for sharing their data
  • C . Its affiliates after disclosure in initial and annual GLBA privacy notices
  • D . Its affiliates after obtaining explicit permission of Federal Trade Commission

Correct Answer: B

Explanation:

The GLBA opt-out right applies only to sharing non-public personal information with non-affiliated third parties. Sharing with affiliates requires disclosure in the privacy notice but no consumer consent and no FTC permission.
Question #15

Companies based in EU and willing to transfer data outside the EU/EEA, use model contracts as an instrument.

Which of the following statements are true in reference to above statement?

  • A . It is a requirement mentioned in EU Data Protection Directive
  • B . It is a requirement mentioned in the OECD Privacy Framework
  • C . It is a requirement mentioned in the EU E-Commerce Directive
  • D . None of the above

Correct Answer: D
Question #16

After the rules were notified under Section 43A of the IT (Amendment) Act, 2008, the government issued a clarification exempting service providers that get access to or process Sensitive Personal Data or Information (SPDI) under a contractual agreement with a legal entity located within or outside India.

Which privacy principle provisions notified under Sec 43A were exempted for the service providers?

  • A . Consent
  • B . Privacy policy (which is published)
  • C . Access and Correction
  • D . Disclosure of information

Correct Answer: A and D

Explanation:

The clarification (press note of 24 August 2011) states that a body corporate providing services relating to collection, storage, dealing or handling of SPDI under a contractual obligation with a legal entity inside or outside India is not subject to Rules 5 and 6 of the SPDI Rules, i.e. the consent/collection provisions and the disclosure provisions. The obligation to publish a privacy policy (Rule 4) and the reasonable security practices requirement (Rule 8) continue to apply to such service providers.
Question #17

Select the element(s) of APEC cross border privacy rules system from the following list:

i. self-assessment

ii. compliance review

iii. recognition/acceptance by APEC members

iv. dispute resolution and enforcement

Please select correct option:

  • A . i, ii and iii
  • B . ii, iii, and iv
  • C . i, iii and iv
  • D . i, ii, iii and iv

Correct Answer: D

Explanation:

APEC describes the Cross Border Privacy Rules system as consisting of four elements: self-assessment, compliance review, recognition/acceptance, and dispute resolution and enforcement.
Question #18

A ministry under government of India plans to collect citizens’ information related to their education, medical condition, economic status, caste and religion.

As per the privacy requirements mentioned under Sec 43A of IT (Amendment) Act, 2008, the citizens’ ‘Consent’ would be mandatory for which of the following elements before their collection?

  • A . Educational records
  • B . Medical condition
  • C . Caste and religion
  • D . Sec 43A may not be applicable

Correct Answer: D

Explanation:

Section 43A and the SPDI Rules apply to a "body corporate", defined as a company, firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. A government ministry is not a body corporate, so Section 43A does not apply to its collection of citizens' data (even though medical condition, caste and religion would be SPDI if collected by a body corporate).
Question #19

Which of the following legislations/guidelines does not cover the concept of trans-border data flow?

  • A . OECD
  • B . IT (Amendment) Act, 2008
  • C . PIPEDA
  • D . None of the above

Correct Answer: B
Question #20

XYZ is a successful startup that has acquired a respectable size and scale of operations in the last 3 years, handling business process services for small and medium scale enterprises, largely in the US and Europe. They are at the stage of closing a deal with a new banking client and are working out the details of the privacy-related obligations in the contract.

Ensuring effective enforcement of which of the privacy principles listed below remains the client's accountability, even after outsourcing its loan approval process to XYZ?

I. Notice

II. Choice and Consent

III. Collection Limitation

IV. Use Limitation

V. Access and Correction

VI. Security

VII. Disclosure to third Party

Please select the correct set of principles from below listed options:

  • A . None of the above, since they are outsourcing the work to XYZ who will carry the liability going forward
  • B . All except V and VI
  • C . All except III
  • D . All of the above listed privacy principles

Correct Answer: C

Question #21

Which of the following categories of information are generally protected under privacy laws?

  • A . Personally Identifiable Information (PII)
  • B . Sensitive Personal Information (SPI)
  • C . Trademark, copyright and patent information
  • D . Organizations’ confidential business information

Correct Answer: A
Question #22

Effective 2013, HIPAA Omnibus rule applies to which of the following?

  • A . Covered Entities only
  • B . Business Associates only
  • C . Covered Entities & Business Associates
  • D . Federal Health Bodies only

Correct Answer: C

Explanation:

The final Omnibus Rule became effective on March 26, 2013. It extended direct liability under the HIPAA Privacy and Security Rules to Business Associates (and their subcontractors) in addition to Covered Entities.

Reference: http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php

Question #23

A US IT company has created a cloud based application for Canadian consumers only, with servers located in Vancouver, Canada. The application allows its users to publish their short stories, essays or e-books. The purpose of the application, i.e. literary work, is clearly stated in the terms and conditions which are mandatorily acknowledged by each user.

With respect to this application, the company must ensure compliance with:

  • A . PIPEDA
  • B . US Consumer Privacy Bill of Rights
  • C . EU Data Protection Directive
  • D . None of the above

Correct Answer: D

Explanation:

PIPEDA section 4(2)(c) excludes personal information that an organization collects, uses or discloses solely for journalistic, artistic or literary purposes, and the application's stated and only purpose is literary work. The US and EU instruments listed do not apply to a service offered only to Canadian consumers on Canadian servers.
Question #24

XYZ & Co., an Indian hospital specializing in cancer treatment, has organized a free health check-up camp for women in a specific district after seeking due permission from the competent authorities. During the camp the hospital staff will enter the medical records of these women into a computer connected to the hospital network.

Does the said hospital need to notify its privacy policy to the women attending the camp and seek their consent regarding the collection and processing of such information?

  • A . No, since it is a free checkup camp for their welfare
  • B . Yes, in any language as per the wishes of the said hospital
  • C . No, since the law does not require the same in this case
  • D . Yes, in the language such women would understand

Correct Answer: D

Explanation:

Medical records are SPDI under the SPDI Rules. Rule 4 requires the body corporate to have a privacy policy, and Rule 5 requires consent from the provider of information and that the provider be told the purpose of collection and the intended recipients. The free nature of the camp does not remove these obligations, and consent is only informed if given in a language the women understand.
Question #25

Under which of the following conditions may a company in India transfer sensitive personal information (SPI) to any other company or person in India, or located in any other country?

  • A . Transfer of information is allowed to those who ensure the same level of data protection that is adhered to by the company as provided for under the Indian laws
  • B . The transfer of information is allowed only after taking approval of Chief Information Commissioner of India
  • C . The transfer of information is allowed only after taking approval of ministry of electronics and information technology
  • D . The transfer may be allowed only if it is necessary for the performance of the lawful contract or where the data subject has consented to data transfer

Correct Answer: A
Question #26

Which of the following provides the legal basis for an Adjudicating Officer in every Indian state & union territory, with the powers of a civil court, to hear complaints and order compensation to the affected individuals?

  • A . Indian Civil Code
  • B . Indian Criminal Procedure Code
  • C . Telecom Regulatory Authority of India (TRAI) Act
  • D . Information Technology Act, 2000 & Information Technology (Amendment) Act, 2008

Correct Answer: D

Explanation:

Section 46 of the Information Technology Act, 2000 (as amended in 2008) empowers the adjudicating officer, who has the powers of a civil court, to adjudicate contraventions and award compensation. There is no statute called the "Indian Civil Code".
Question #27

According to the IT (Amendment) Act, 2008, who should designate a grievance officer to redress the grievances of the provider of information?

  • A . Data processor
  • B . Third party agency collecting personal information
  • C . Body corporate, which determines the means and purpose of data processing
  • D . Natural person sharing his/her information

Correct Answer: C

Explanation:

Rule 5(9) of the SPDI Rules requires the body corporate to designate a Grievance Officer and publish the officer's name and contact details on its website; grievances must be redressed within one month of receipt.
Question #28

You are part of a team that has been created by Indian government to create India’s privacy law based on recommendations in Justice AP Shah’s Report.

Which of the following provisions should be addressed in the law?

  • A . Privacy as an explicit fundamental constitutional right
  • B . Offences, penalties and remedies
  • C . National privacy principles
  • D . Setup of a national data controller registry

Correct Answer: C
Question #29

Which of the following privacy regulations advocates de-identification of personal information?

  • A . EU Data Protection Directive
  • B . Canada’s PIPEDA
  • C . Australia’s ANPP
  • D . IT Act of India

Correct Answer: C

Explanation:

National Privacy Principle 4.2 under Australia's Privacy Act 1988 required organisations to take reasonable steps to destroy or permanently de-identify personal information that is no longer needed for any purpose for which it may be used or disclosed.
Question #30

Indian constitution does not expressly provide for the “right to privacy” to its citizens.

However, there were various judicial pronouncements of the apex court which finally established the “right to privacy” as a fundamental right subsumed under Article 21 of the constitution of India. Article 21 inter alia provides and protects the __________________.

  • A . Right to Life and Personal liberty
  • B . Right to Opportunity
  • C . Right to Freedom of Speech and Expression
  • D . Right to Equality before law

Correct Answer: A

Explanation:

Article 21 of the Constitution of India, 1950 provides that "No person shall be deprived of his life or personal liberty except according to procedure established by law." In Justice K.S. Puttaswamy v. Union of India (2017) the Supreme Court held that the right to privacy is a fundamental right protected under Article 21.

Question #31

Which among the following is the Canadian privacy law?

  • A . COPPA
  • B . PIPEDA
  • C . HIPAA
  • D . IT Act of Canada

Correct Answer: B
Question #32

ABC company is a large US based IT Company that provides a range of services to its clients. The company had developed a cloud based application providing end-to-end services for the medical industry.

The application had three modules for:

– Patients

– Hospitals and Doctors

– Insurance and Pharmaceutical companies

Each of the modules was designed to be integrated with others depending on user’s choice. For example, a patient could choose to share his/her medical history with his/her doctor (for medical advice) as well as insurance companies (for claims).

The application requires that all registered users of the application read and acknowledge the privacy policy. Additionally, users are required to identify the purpose for which they are providing any personal data in any of the modules. For example, a patient providing his/her medical history and current symptoms can select ‘Medical Advice’ as the purpose for the data being provided.

A few months ago, the company launched new services in the application, namely Business Analytics, Group Consultations, Insurance Policy purchase, and Medical Trials Management. The new services use all existing data collected over the years from users. The company's clients/users are based in only three geographical locations: the United States, the European Union and India. Additionally, to facilitate better performance of its application, the company established one datacenter each in the US, Germany and India. Each datacenter provides the following:

– US Datacenter: storage of data for US-based users only

– Germany Datacenter: storage of data for EU-based users only

– India Datacenter: storage of data for India-based users, and alternate site for the US and Germany datacenters (used as part of global load balancing)

– Services of a cloud service provider are leveraged in the US as a Disaster Recovery (DR) site for the India datacenter

Recently, the company’s Application Support Desk has started receiving user complaints related to unsolicited communications.

These complaints have warranted a review of company’s privacy policies as well as practices.

The use of all user data for business analytics would be in direct conflict with which of the following privacy principles?

  • A . Access and Correction
  • B . Collection Limitation
  • C . Data Quality
  • D . Use Limitation

Correct Answer: D

Explanation:

Reference: http://oecdprivacy.org/#quality

Question #33

If an entity operates a website designed for kids, or a website that targets a general audience but collects information from individuals known to be under the age of 13, the entity must comply with the requirements of which US law?

  • A . Children's Online Privacy Protection Act (COPPA), 1998
  • B . Gramm-Leach-Bliley Act, 1999
  • C . Personal Information Protection and Electronic Documents Act (PIPEDA)
  • D . Sarbanes-Oxley Act, 2002

Correct Answer: A

Explanation:

Reference: https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance

Question #34

As per the GDPR, the adequacy decision is taken by the European Commission based on its findings and assessment of the privacy laws of the third country, territory, sector, etc. The ____________ is required to provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organization, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organization no longer ensures an adequate level of protection.

  • A . European Data Protection Board
  • B . Article 29 Working Party
  • C . Lead Supervisory Authority
  • D . Convention 108 Council

Correct Answer: A

Explanation:

Reference: GDPR, Article 70(1)(s); https://books.google.com/books?id=rKXaDwAAQBAJ&pg=PA141

Question #35

As per Article 33 of GDPR, in case of a personal data breach, the data controller has to inform the supervisory authority within ___________ of becoming aware of the breach.

  • A . 48 hours
  • B . 14 days
  • C . 72 hours
  • D . 24 hours

Correct Answer: C

Explanation:

Reference: https://gdpr-info.eu/art-33-gdpr/

Question #36

Which of the following wasn’t prescribed as a privacy principle under the OECD Privacy Guidelines, 1980?

  • A . Openness
  • B . Data minimization
  • C . Security Safeguard
  • D . Purpose Specification

Correct Answer: B

Explanation:

Reference: https://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm

Question #37

As per Article 6 of General Data Protection Regulation, 2016, which of the following is not a lawful ground of processing personal data?

  • A . Performance of Contract
  • B . Legal Obligation
  • C . Legitimate Interest
  • D . Consent
  • E . Vital Interest
  • F . All of them are lawful grounds of processing personal data

Correct Answer: F

Explanation:

Article 6(1) GDPR lists six lawful bases for processing: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest or exercise of official authority, and legitimate interests. Every option listed is therefore a lawful ground.

Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

Question #38

“As per Indian laws, any information that is freely available or accessible in public domain cannot be regarded as sensitive personal data or information.”

Please state if this statement is True or False.

  • A . True
  • B . False

Correct Answer: A

Explanation:

Reference: https://www.linklaters.com/en/insights/data-protected/data-protected—india

Question #39

Which of the following laws does not have a mandatory personal data breach notification requirement?

  • A . General Data Protection Regulation, 2016
  • B . Information Technology (Amendment) Act, 2008
  • C . Japanese Act on the Protection of Personal Information
  • D . UK Data Protection Act, 2018

Correct Answer: B

Explanation:

Reference: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1680152

Question #40

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 incorporate which of the following privacy concepts and principles?

i. Collection Limitation

ii. Accountability

iii. Right to be forgotten

iv. Purpose Limitation

v. Access and correction

  • A . i, ii, iii and iv
  • B . i, ii, iv and v
  • C . i, iii, iv and v
  • D . All the above

Correct Answer: B