[Full-Version] 2023 New CIPP-C Actual Exam Dumps, IAPP Practice Test [Q37-Q62]

Study HIGH Quality CIPP-C Free Study Guides and Exams Tutorials


What are the prerequisites for IAPP CIPP-C Exam

To be eligible for IAPP CIPP-C certification, the candidate must have a background in information protection and privacy, with at least two years of practical experience in the subject. Experience in proposal development, project management, or program management is highly regarded. A working understanding of privacy legislation and regulatory frameworks is a must, and proof of knowledge of security infrastructure is also needed. Candidates should be aware of the latest security best practices and should be familiar with changes to the security features of computer systems. Being able to resolve technical issues cannot be avoided if an individual is to take the IAPP CIPP-C exam. IAPP CIPP-C exam dumps are a reliable solution to pass the CIPP-C exam.

Preferably, the candidate should have a bachelor's degree in the area of information protection and privacy, computer science, or information technology, or at least 5 years of practical experience in the subject. Equipment, software, and other related tools and techniques are to be learned and applied in the practice of information privacy. As stated plainly, a candidate for IAPP CIPP-C certification must be tested on his/her knowledge of information protection and privacy laws, regulations, standards, and guidelines. Sector-specific certification from IAPP may be required for those seeking employment as the chief privacy officer. Exam candidates should forget about unknown anxiety. Question and answer (Q&A) tests are to be taken as well as a practical application training session.


What is the purpose of the IAPP CIPP-C Certification Exam?

The purpose of the IAPP CIPP-C exam is to assess the application and implementation of privacy and information management practices and techniques. The IAPP CIPP-C exam is used as a tool to measure the ability of individuals in handling the day-to-day tasks associated with personal data protection. Border security, market access, and integrity of national infrastructure must be achieved through the effective management of personal information. Installed data protection measures are needed to protect the confidentiality, integrity, and availability of personal information.

Additional protection of the national and global environment is needed to reduce threats posed by data thefts and terrorism. Located at the nexus between public and private sectors, the global economy requires the effective protection of information. Internet technologies have created an environment where data controls are essential. IAPP CIPP-C exam dumps for the IAPP CIPP-C certification exam help candidates to improve their practice. CIPP-C study materials will cover all topics of the exam. A standard blueprint must be in place to effectively respond to cyber threats. The goal of this exam is to assess the level of knowledge possessed by each candidate.


The Need for IAPP CIPP-C Exam

A Certified Information Privacy Professional is necessary for all organizations that handle personal information. The IAPP CIPP-C certification exam has become a must-have necessity in today's global environment. The necessity of this certification is derived from the ever-increasing responsibilities that organizations have to comply with data protection laws and the need to meet the expectations of clients, users, and regulators. Scenario-based IAPP CIPP-C exam dumps questions are prepared by the IAPP CIPP-C certification team based on their extensive research into best practices. Candidates must understand how to manage compliance with privacy laws, regulations, codes of conduct, policies, procedures, and best practices, including the importance of compliance staff training. This area supersedes the Privacy Management section of the old CIPP exam.

Enacted laws require organizations to have a current understanding of data protection laws. Sufficient knowledge of privacy and data protection laws is also important for organizations that handle personal data on a global basis. Securing success in the CIPP-C exam will require that candidates have a thorough understanding of the privacy and data protection laws that are applicable to their organizations. Candidates must be able to select, collect, protect, retain, use and dispose of data appropriately with regard to meeting legal requirements and managing risks. Contained in this area is the protection of sensitive data, such as personal information and financial data.

 

NEW QUESTION 37
Acme Student Loan Company has developed an artificial intelligence algorithm that determines whether an individual is likely to pay their bill or default. A person who is determined by the algorithm to be more likely to default will receive frequent payment reminder calls, while those who are less likely to default will not receive payment reminders.
Which of the following most accurately reflects the privacy concerns with Acme Student Loan Company using artificial intelligence in this manner?

  • A. If the algorithm uses information about protected classes to make automated decisions, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
  • B. If the algorithm's methodology is disclosed to consumers, then it is acceptable for Acme to have a disparate impact on protected classes.
  • C. If the algorithm uses risk factors that impact the automatic decision engine, Acme must ensure that the algorithm does not have a disparate impact on protected classes in the output.
  • D. If the algorithm makes automated decisions based on risk factors and public information, Acme need not determine if the algorithm has a disparate impact on protected classes.

Answer: D

 

NEW QUESTION 38
Which of the following best describes an employer's privacy-related responsibilities to an employee who has left the workplace?

  • A. An employer has a responsibility to maintain the security and privacy of any sensitive employment records retained for a legitimate business purpose.
  • B. An employer may consider any privacy-related responsibilities terminated, as the relationship between employer and employee is considered primarily contractual.
  • C. An employer has a responsibility to permanently delete or expunge all sensitive employment records to minimize privacy risks to both the employer and former employee.
  • D. An employer has a responsibility to maintain a former employee's access to computer systems and company data needed to support claims against the company such as discrimination.

Answer: C

 

NEW QUESTION 39
Which federal act does NOT contain provisions for preempting stricter state laws?

  • A. The Telemarketing Consumer Protection and Fraud Prevention Act
  • B. The CAN-SPAM Act
  • C. The Fair and Accurate Credit Transactions Act (FACTA)
  • D. The Children's Online Privacy Protection Act (COPPA)

Answer: A

 

NEW QUESTION 40
SCENARIO
Please use the following to answer the next question:
Louis, a long-time customer of Bedrock Insurance, was involved in a minor car accident a few months ago.
Although no one was hurt, Louis has been plagued by texts and calls from a company called Accidentable offering to help him recover compensation for personal injury. Louis has heard about insurance companies selling customers' data to third parties, and he's convinced that Accidentable must have gotten his information from Bedrock Insurance.
Louis has also been receiving an increased amount of marketing information from Bedrock, trying to sell him their full range of their insurance policies.
Perturbed by this, Louis has started looking at price comparison sites on the internet and has been shocked to find that other insurers offer much cheaper rates than Bedrock, even though he has been a loyal customer for many years. When his Bedrock policy comes up for renewal, he decides to switch to Zantrum Insurance.
In order to activate his new insurance policy, Louis needs to supply Zantrum with information about his No Claims bonus, his vehicle and his driving history. After researching his rights under the GDPR, he writes to ask Bedrock to transfer his information directly to Zantrum. He also takes this opportunity to ask Bedrock to stop using his personal data for marketing purposes.
Bedrock supplies Louis with PDF and XML (Extensible Markup Language) versions of his No Claims Certificate, but tells Louis it cannot transfer his data directly to Zantrum as this is not technically feasible.
Bedrock also explains that Louis's contract included a provision whereby Louis agreed that his data could be used for marketing purposes; according to Bedrock, it is too late for Louis to change his mind about this. It angers Louis when he recalls the wording of the contract, which was filled with legal jargon and very confusing.
In the meantime, Louis is still receiving unwanted calls from Accidentable Insurance. He writes to Accidentable to ask for the name of the organization that supplied his details to them. He warns Accidentable that he plans to complain to the data protection authority, because he thinks their company has been using his data unlawfully. His letter states that he does not want his data being used by them in any way.
Accidentable's response letter confirms Louis's suspicions. Accidentable is Bedrock Insurance's wholly owned subsidiary, and they received information about Louis's accident from Bedrock shortly after Louis submitted his accident claim. Accidentable assures Louis that there has been no breach of the GDPR, as Louis's contract included a provision in which he agreed to share his information with Bedrock's affiliates for business purposes.
Louis is disgusted by the way in which he has been treated by Bedrock, and writes to them insisting that all his information be erased from their computer system.
After Louis has exercised his right to restrict the use of his data, under what conditions would Accidentable have grounds for refusing to comply?

  • A. If the accuracy of the data is not an aspect that Louis is disputing.
  • B. If Accidentable is entitled to use of the data as an affiliate of Bedrock.
  • C. If Accidentable also uses the data to conduct public health research.
  • D. If the data becomes necessary to defend Accidentable's legal rights.

Answer: B

 

NEW QUESTION 41
What type of material is exempt from an individual's right to disclosure under the Privacy Act?

  • A. Material reporting investigative efforts pertaining to the enforcement of criminal law.
  • B. Material reporting investigative efforts to prevent unlawful persecution of an individual.
  • C. Material required by statute to be maintained and used solely for research purposes.
  • D. Material used to determine potential collaboration with foreign governments in negotiation of trade deals.

Answer: D

 

NEW QUESTION 42
SCENARIO
Please use the following to answer the next question:
Otto is preparing a report to his Board of Directors at Filtration Station, where he is responsible for the privacy program. Filtration Station is a U.S. company that sells filters and tubing products to pharmaceutical companies for research use. The company is based in Seattle, Washington, with offices throughout the U.S. and Asia. It sells to business customers across both the U.S. and the Asia-Pacific region. Filtration Station participates in the Cross-Border Privacy Rules system of the APEC Privacy Framework.
Unfortunately, Filtration Station suffered a data breach in the previous quarter. An unknown third party was able to gain access to Filtration Station's network and was able to steal data relating to employees in the company's Human Resources database, which is hosted by a third-party cloud provider based in the U.S. The HR data is encrypted. Filtration Station also uses the third-party cloud provider to host its business marketing contact database. The marketing database was not affected by the data breach. It appears that the data breach was caused when a system administrator at the cloud provider stored the encryption keys with the data itself.
The Board has asked Otto to provide information about the data breach and how updates on new developments in privacy laws and regulations apply to Filtration Station. They are particularly concerned about staying up to date on the various U.S. state laws and regulations that have been in the news, especially the California Consumer Privacy Act (CCPA) and breach notification requirements.
The Board has asked Otto whether the company will need to comply with the new California Consumer Privacy Law (CCPA). What should Otto tell the Board?

  • A. That the company is governed by CCPA, but does not need to take any additional steps because it follows CBPR.
  • B. That CCPA will apply to the company only after the California Attorney General determines that it will enforce the statute.
  • C. That CCPA only applies to companies based in California, which exempts the company from compliance.
  • D. That business contact information could be considered personal information governed by CCPA.

Answer: B

 

NEW QUESTION 43
Which of the following is NOT recognized as being a common characteristic of cloud-computing services?

  • A. The supplier assumes the vendor's business risk associated with data processed by the supplier.
  • B. The supplier allows customer data to be transferred around the infrastructure according to capacity.
  • C. The service's infrastructure is shared among the supplier's customers and can be located in a number of countries.
  • D. The supplier determines the location, security measures, and service standards applicable to the processing.

Answer: A

 

NEW QUESTION 44
SCENARIO
Please use the following to answer the next question:
Liem, an online retailer known for its environmentally friendly shoes, has recently expanded its presence in Europe. Anxious to achieve market dominance, Liem teamed up with another eco friendly company, EcoMick, which sells accessories like belts and bags. Together the companies drew up a series of marketing campaigns designed to highlight the environmental and economic benefits of their products. After months of planning, Liem and EcoMick entered into a data sharing agreement to use the same marketing database, MarketIQ, to send the campaigns to their respective contacts.
Liem and EcoMick also entered into a data processing agreement with MarketIQ, the terms of which included processing personal data only upon Liem and EcoMick's instructions, and making available to them all information necessary to demonstrate compliance with GDPR obligations.
Liem and EcoMick then procured the services of a company called JaphSoft, a marketing optimization firm that uses machine learning to help companies run successful campaigns. Clients provide JaphSoft with the personal data of individuals they would like to be targeted in each campaign. To ensure protection of its clients' data, JaphSoft implements the technical and organizational measures it deems appropriate. JaphSoft works to continually improve its machine learning models by analyzing the data it receives from its clients to determine the most successful components of a campaign. JaphSoft then uses such models in providing services to its client base. Since the models improve only over a period of time as more information is collected, JaphSoft does not have a deletion process for the data it receives from clients. However, to ensure compliance with data privacy rules, JaphSoft pseudonymizes the personal data by removing identifying information from the contact information. JaphSoft's engineers, however, maintain all contact information in the same database as the identifying information.
Under its agreement with Liem and EcoMick, JaphSoft received access to MarketIQ, which included contact information as well as prior purchase history for such contacts, to create campaigns that would result in the most views of the two companies' websites. A prior Liem customer, Ms. Iman, received a marketing campaign from JaphSoft regarding Liem's as well as EcoMick's latest products. While Ms. Iman recalls checking a box to receive information in the future regarding Liem's products, she has never shopped EcoMick, nor provided her personal data to that company.
Which of the following BEST describes the relationship between Liem, EcoMick and JaphSoft?

  • A. Liem and EcoMick are joint controllers because they carry out joint marketing activities.
  • B. JaphSoft is the sole processor because it processes personal data on behalf of its clients.
  • C. Liem is a controller and EcoMick is a processor because Liem provides specific instructions regarding how the marketing campaigns should be rolled out.
  • D. EcoMick and JaphSoft are controllers and Liem is a processor because EcoMick is sharing its marketing data with Liem for contacts in Europe.

Answer: D

 

NEW QUESTION 45
Please use the following to answer the next question:
WonderKids provides an online booking service for childcare. WonderKids is based in France, but hosts its website through a company in Switzerland. As part of their service, WonderKids will pass all personal data provided to them to the childcare provider booked through their system. The type of personal data collected on the website includes the name of the person booking the childcare, address and contact details, as well as information about the children to be cared for including name, age, gender and health information. The privacy statement on WonderKids' website states the following:
"WonderKids provides the information you disclose to us through this website to your childcare provider for scheduling and health and safety reasons. We may also use your and your child's personal information for our own legitimate business purposes and we employ a third-party website hosting company located in Switzerland to store the data. Any data stored on equipment located in Switzerland meets the European Commission provisions for guaranteeing adequate safeguards for you and your child's personal information.
We will only share you and your child's personal information with businesses that we see as adding real value to you. By providing us with any personal data, you consent to its transfer to affiliated businesses and to send you promotional offers."
"We may retain you and your child's personal information for no more than 28 days, at which point the data will be depersonalized, unless your personal information is being used for a legitimate business purpose beyond 28 days where it may be retained for up to 2 years."
"We are processing you and your child's personal information with your consent. If you choose not to provide certain information to us, you may not be able to use our services. You have the right to: request access to you and your child's personal information; rectify or erase you or your child's personal information; the right to correction or erasure of you and/or your child's personal information; object to any processing of you and your child's personal information. You also have the right to complain to the supervisory authority about our data processing activities."
What direct marketing information can WonderKids send by email without prior consent of the person booking the childcare?

  • A. No marketing information at all.
  • B. Any marketing information at all.
  • C. Marketing information related to other business operations of WonderKids.
  • D. Marketing information for products or services similar to those purchased from WonderKids.

Answer: C

 

NEW QUESTION 46
A company is deciding between Binding Corporate Rules and Standard Contractual Clauses as a global data transfer solution. Which of the following statements would help the company make an effective decision?

  • A. The data exporter does not need to be located in the EU for the Standard Contractual Clauses.
  • B. The company will need the prior authorization of all EU data protection authorities for concluding Standard Contractual Clauses.
  • C. Binding Corporate Rules are especially recommended for small and medium companies.
  • D. Binding Corporate Rules provide a global solution for all the entities of a company that are bound by the intra-group agreement.

Answer: D

 

NEW QUESTION 47
Which jurisdiction must courts have in order to hear a particular case?

  • A. Personal jurisdiction and subject matter jurisdiction
  • B. Subject matter jurisdiction and professional jurisdiction
  • C. Subject matter jurisdiction and regulatory jurisdiction
  • D. Personal jurisdiction and professional jurisdiction

Answer: A


 

NEW QUESTION 48
SCENARIO
Please use the following to answer the next question:
You are the chief privacy officer at HealthCo, a major hospital in a large U.S. city in state A.
HealthCo is a HIPAA-covered entity that provides healthcare services to more than 100,000 patients.
A third-party cloud computing service provider, CloudHealth, stores and manages the electronic protected health information (ePHI) of these individuals on behalf of HealthCo. CloudHealth stores the data in state B.
As part of HealthCo's business associate agreement (BAA) with CloudHealth, HealthCo requires CloudHealth to implement security measures, including industry standard encryption practices, to adequately protect the data. However, HealthCo did not perform due diligence on CloudHealth before entering the contract, and has not conducted audits of CloudHealth's security measures.
A CloudHealth employee has recently become the victim of a phishing attack. When the employee unintentionally clicked on a link from a suspicious email, the PHI of more than 10,000 HealthCo patients was compromised. It has since been published online.
The HealthCo cybersecurity team quickly identifies the perpetrator as a known hacker who has launched similar attacks on other hospitals - ones that exposed the PHI of public figures including celebrities and politicians.
During the course of its investigation, HealthCo discovers that CloudHealth has not encrypted the PHI in accordance with the terms of its contract. In addition, CloudHealth has not provided privacy or security training to its employees.
Law enforcement has requested that HealthCo provide its investigative report of the breach and a copy of the PHI of the individuals affected.
A patient affected by the breach then sues HealthCo, claiming that the company did not adequately protect the individual's ePHI, and that he has suffered substantial harm as a result of the exposed data. The patient's attorney has submitted a discovery request for the ePHI exposed in the breach.
Which of the following would be HealthCo's best response to the attorney's discovery request?

  • A. Respond with a redacted document only relative to the plaintiff
  • B. Turn over all of the compromised patient records to the plaintiff's attorney
  • C. Respond with a request for satisfactory assurances such as a qualified protective order
  • D. Reject the request because the HIPAA privacy rule only permits disclosure for payment, treatment or healthcare operations

Answer: B

 

NEW QUESTION 49
What are the obligations of a processor that engages a sub-processor?

  • A. The processor must obtain the controller's specific written authorization and provide annual reports on the sub-processor's performance.
  • B. The processor must receive a written agreement that the sub-processor will be fully liable to the controller for the performance of its obligations in relation to the personal data concerned.
  • C. The processor must give the controller prior written notice and perform a preliminary audit of the sub-processor.
  • D. The processor must obtain the consent of the controller and ensure the sub-processor complies with data processing obligations that are equivalent to those that apply to the processor.

Answer: B

 

NEW QUESTION 50
What is a legal document approved by a judge that formalizes an agreement between a governmental agency and an adverse party called?

  • A. A judgment rider
  • B. Common law judgment
  • C. A consent decree
  • D. Stare decisis decree

Answer: C

 

NEW QUESTION 51
When would a data subject NOT be able to exercise the right to portability?

  • A. When the data was supplied to the controller by the data subject.
  • B. When the processing is carried out pursuant to a contract with the data subject.
  • C. When the processing is necessary to perform a task in the exercise of authority vested in the controller.
  • D. When the processing is based on consent.

Answer: C

 

NEW QUESTION 52
Which was NOT one of the five priority areas listed by the Federal Trade Commission in its 2012 report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers"?

  • A. Do Not Track
  • B. Promoting enforceable self-regulatory codes
  • C. Large platform providers
  • D. International data transfers

Answer: D

 

NEW QUESTION 53
When does the GDPR provide more latitude for a company to process data beyond its original collection purpose?

  • A. When the data serves legitimate interest of third parties.
  • B. When the data is protected by technological safeguards.
  • C. When the data has been pseudonymized.
  • D. When the data subject has failed to use a provided opt-out mechanism.

Answer: A

 

NEW QUESTION 54
Which act violates the Family Educational Rights and Privacy Act of 1974 (FERPA)?

  • A. University police provide an arrest report to a student's hometown police, who suspect him of a similar crime
  • B. A university posts a public student directory that includes names, hometowns, e-mail addresses, and majors
  • C. A newspaper prints the names, grade levels, and hometowns of students who made the quarterly honor roll
  • D. A K-12 assessment vendor obtains a student's signed essay about her hometown from her school to use as an exemplar for public release

Answer: D

 

NEW QUESTION 55
Article 5(1)(b) of the GDPR states that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." Based on Article 5(1)(b), what is the impact of a member state's interpretation of the word "incompatible"?

  • A. It dictates the level of security a processor must follow when using and storing personal data for two different purposes.
  • B. It sets the standard for the level of detail a controller must record when documenting the purpose for collecting personal data.
  • C. It guides the courts on the severity of the consequences for those who are convicted of the intentional misuse of personal data.
  • D. It indicates the degree of flexibility a controller has in using personal data in ways that may vary from its original intended purpose.

Answer: A

 

NEW QUESTION 56
Which of the following became the first state to pass a law specifically regulating the collection of biometric data?

  • A. Texas.
  • B. Illinois.
  • C. California.
  • D. Washington.

Answer: B

 

NEW QUESTION 57
What consumer protection did the Fair and Accurate Credit Transactions Act (FACTA) require?

  • A. Consumer notice when third-party data is used to make an adverse decision
  • B. The right to request removal from e-mail lists
  • C. The truncation of account numbers on credit card receipts
  • D. The ability for the consumer to correct inaccurate credit report information

Answer: D

 

NEW QUESTION 58
Which of the following statements is most accurate in regard to data breach notifications under federal and state laws?

  • A. You must notify the Federal Trade Commission (FTC) in addition to affected individuals if over 500 individuals are receiving notice.
  • B. When providing an individual with required notice of a data breach, you must identify what personal information was actually or likely compromised.
  • C. When you are required to provide an individual with notice of a data breach under any state's law, you must provide the individual with an offer for free credit monitoring.
  • D. The only obligations to provide data breach notification are under state law because currently there is no federal law or regulation requiring notice for the breach of personal information.

Answer: B

 

NEW QUESTION 59
SCENARIO
Please use the following to answer the next question:
Declan has just started a job as a nursing assistant in a radiology department at Woodland Hospital. He has also started a program to become a registered nurse.
Before taking this career path, Declan was vaguely familiar with the Health Insurance Portability and Accountability Act (HIPAA). He now knows that he must help ensure the security of his patients' Protected Health Information (PHI). Therefore, he is thinking carefully about privacy issues.
On the morning of his first day, Declan noticed that the newly hired receptionist handed each patient a HIPAA privacy notice. He wondered if it was necessary to give these privacy notices to returning patients, and if the radiology department could reduce paper waste through a system of one-time distribution.
He was also curious about the hospital's use of a billing company. He questioned whether the hospital was doing all it could to protect the privacy of its patients if the billing company had details about patients' care.
On his first day Declan became familiar with all areas of the hospital's large radiology department. As he was organizing equipment left in the hallway, he overheard a conversation between two hospital administrators. He was surprised to hear that a portable hard drive containing non-encrypted patient information was missing. The administrators expressed relief that the hospital would be able to avoid liability. Declan was surprised, and wondered whether the hospital had plans to properly report what had happened.
Despite Declan's concern about this issue, he was amazed by the hospital's effort to integrate Electronic Health Records (EHRs) into the everyday care of patients. He thought about the potential for streamlining care even more if they were accessible to all medical facilities nationwide.
Declan had many positive interactions with patients. At the end of his first day, he spoke to one patient, John, whose father had just been diagnosed with a degenerative muscular disease. John was about to get blood work done, and he feared that the blood work could reveal a genetic predisposition to the disease that could affect his ability to obtain insurance coverage. Declan told John that he did not think that was possible, but the patient was wheeled away before he could explain why. John plans to ask a colleague about this.
In one month, Declan has a paper due for one of his classes on a health topic of his choice. By then, he will have had many interactions with patients he can use as examples. He will be pleased to give credit to John by name for inspiring him to think more carefully about genetic testing.
Although Declan's day ended with many questions, he was pleased about his new position.
Based on the scenario, what is the most likely way Declan's supervisor would answer his question about the hospital's use of a billing company?

  • A. By describing how the billing system is integrated into the hospital's electronic health records (EHR) system
  • B. By pointing out that contracts are in place to help ensure the observance of minimum security standards
  • C. By suggesting that Declan look at the hospital's publicly posted privacy policy
  • D. By assuring Declan that third parties are prevented from seeing Private Health Information (PHI)

Answer: B

 

NEW QUESTION 60
Under Article 58 of the GDPR, which of the following describes a power of supervisory authorities in European Union (EU) member states?

  • A. The discretion to carry out goals of elected officials within the member state.
  • B. The right to access data for investigative purposes.
  • C. The authority to select penalties when a controller is found guilty in a court of law.
  • D. The ability to enact new laws by executive order.

Answer: B

 

NEW QUESTION 61
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation-based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data, not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and workstations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which cryptographic standard would be most appropriate for protecting patient credit card information in the records system?

  • A. Obfuscation
  • B. Asymmetric Encryption
  • C. Symmetric Encryption
  • D. Hashing

Answer: B

 

NEW QUESTION 62
......

Get 100% Real Free Certified Information Privacy Professional CIPP-C Sample Questions: https://actualtests.latestcram.com/CIPP-C-exam-cram-questions.html