IAPP cipp-a practice test

SCENARIO – Please use the following to answer the next QUESTION:
Delilah is seeking employment in the marketing department of Good Mining Private Limited, an
industry leader in drilling mines in Singapore. Delilah, while filling in the standard paper application
form, is asked to provide details about emergency contacts, medical history, blood type and her
insurance policy. These fields need to be filled in no matter which department Delilah applies to. The
form also asks Delilah to expressly consent to the collection, use and disclosure of her personal data.
A week after submitting the form, Delilah is invited by Evan, the Director of Marketing at Good
Mining, to coffee. Just before Delilah leaves, she gives her business card containing her current
business contact information to Evan. Evan then uses the business card to add Delilah's details to
Good Mining's business development database, which is kept on a local server. Good Mining uses the
database to inform people about networking and client events that Good Mining organizes.
Why is Good Mining Private's standard form NOT compliant with Singapore's data protection law?

• A. It is not available in an electronic format.
• B. It does not contain the contact information for the HR manager.
• C. It asks for Delilah's consent to use and disclose her personal data.
• D. It asks for details that are not relevant to the job Delilah is applying for.

Which of the following does Singapore's PDPC NOT have the power to do?

• A. Order an organization to stop collecting personal data.
• B. Order an organization to destroy collected personal data.
• C. Order an organization to award compensation to a complainant.
• D. Order an organization to pay a financial penalty to the government.

SCENARIO – Please use the following to answer the next QUESTION:
Singabank is a boutique bank in Singapore. After being notified during the hiring process, Singabank
employees are subject to constant and thorough monitoring and tracking through CCTV cameras,
computer monitoring software and keyboard loggers. Singabank does this to ensure its employees
are complying with Singabank's data security policy. Bigbank is now considering acquiring
Singabank's retail banking division. As part of its due diligence, Bigbank is seeking for Singabank to
disclose to it all of its surveillance material on its employees, whether or not they are part of the
retail banking division. Jimmy works in Singabank's investment banking division.
What would make Singabank's monitoring of its employees illegal?

• A. If the employees did not explicitly consent to it.
• B. If the bank's data security policy was being overhauled.
• C. If the bank collected employees' sensitive personal information.
• D. If the employees were not provided contact information to ask Question:s about the monitoring.

SCENARIO – Please use the following to answer the next QUESTION:
Singabank is a boutique bank in Singapore. After being notified during the hiring process, Singabank
employees are subject to constant and thorough monitoring and tracking through CCTV cameras,
computer monitoring software and keyboard loggers. Singabank does this to ensure its employees
are complying with Singabank's data security policy. Bigbank is now considering acquiring
Singabank's retail banking division. As part of its due diligence, Bigbank is seeking for Singabank to
disclose to it all of its surveillance material on its employees, whether or not they are part of the
retail banking division. Jimmy works in Singabank's investment banking division.
Assuming the monitoring was legal, can Singabank disclose Jimmy's personal data to Bigbank?

• A. No, because Jimmy is not in the division that Bigbank seeks to acquire.
• B. No, because the data was collected for the express purpose of complying with Singabank's privacy policies.
• C. Yes, if Singabank informs Jimmy of the disclosure of his personal data before it occurs.
• D. Yes, if Jimmy's personal data is necessary for Bigbank to determine whether to proceed with the acquisition.

In which of the following cases would a Singaporean be prevented from accessing information about
herself from an organization?

• A. The information was collected in the previous 12 months.
• B. The information is related to an individual's credit rating.
• C. The cost of providing the information proved to be unreasonable.
• D. Any personal information about others has been deleted from the document.

Which of the following principles of the OECD guidelines and Council of European Convention
principles does Singapore's PDPA incorporate?

• A. Disclosures to third parties included in access requests.
• B. Additional protections for sensitive personal data.
• C. The ability to opt-out from direct marketing.
• D. The right of deletion of data on request.

SCENARIO – Please use the following to answer the next QUESTION:
B-Star Limited is a Singapore based construction company with many foreign construction workers.
B-Star's HR team maintains two databases. One (the "simple database") contains basic details from a
standard in- processing form such as name, local address and mobile number. The other database
(the "sensitive database") contains information collected by the HR Department as part of Annual
Review Interviews. With the workers' cooperation, this database has expanded to include far-
reaching sensitive information such as medical history, religious beliefs, ethnicity and educational
levels of immediate family members. Carl left B- Star's employment yesterday, and has flown back
home, rendering him unreachable. Today B-Star, without Carl's consent, wants to conduct research
using Carl's medical records in the sensitive database.
Can B-Star legally conduct this research using Carl's medical data?

• A. Yes, because Carl gave his consent for his sensitive personal data to be collected during his employment.
• B. No, an organization is not allowed to use sensitive personal data without an individual's consent unless absolutely necessary.
• C. No, because the research is taking place after Carl has left B-Star's employment.
• D. Yes, if the research is deemed to be in the public interest.

A Singapore employer can do all of the following without obtaining an employee's consent EXCEPT?

• A. Share an employee's personal data with a company that provides financial planning.
• B. Disclose personal health data to a public agency during a health crisis.
• C. Use computer monitoring software on an employee's computers.
• D. Use closed-circuit television surveillance in the workplace.

Which control is NOT included in the requirements established by the Monetary Authority of
Singapore (MAS) for financial institutions in order to deter money-laundering and financial aid to
terrorism (AML/CFT)?

• A. Identifying and knowing customers.
• B. Sharing personal information with the PDPC.
• C. Conducting regular reviews of customer accounts.
• D. Monitoring and reporting suspicious financial transactions.

All of the following are guidelines the PDPC gives about anonymised data EXCEPT?

• A. Anonymised data is not personal data.
• B. Any data that has been anonymised bears the same risks for re-identification.
• C. Data that has been anonymised satisfies the "cease to retain" requirement of Section 25.
• D. Organizations should consider the risk of re-identification if it intends to publish or disclose anonymised data.