IAPP cipp-c practice test

A company wants to invest in DEI initiatives within their organization and plans to survey employees
by asking for locality, age, salary, gender, ethnicity, religion, sexual orientation, physical/mental
disabilities, department, and job level.
The best solution to protect the personal information collected in the survey is to?

• A. Use a pseudonym to identify employees.
• B. Choose a survey tool located in Canada.
• C. Encrypt the sensitive information collected and stored.
• D. Adjust all survey question so that no identifying information nan he collected

What must an organization do to fulfill the Personal Information Protection and Electronic
Documents Act’s (PIPEDA) transparency requirements when transferring personal information to a
foreign country?

• A. Inform customers if data is to be transferred outside of Canada and solicit additional consent.
• B. Give individuals with an existing business relationship the right to refuse transfer of their information.
• C. Advise customers that their data may be accessed by another jurisdiction's courts or law enforcement.
• D. Provide new customers with a measure-by-measure comparison of relevant foreign laws with Canadian laws.

Which case, brought before the Federal Court, helped determine that the Office of the Privacy
Commissioner of Canada (OPC) had jurisdiction to investigate complaints about United States
companies collecting, using and disclosing the personal information of individuals within Canada?

• A. TJX Winners - Homesense.
• B. Facebook: 2019.
• C. Blood Tribe.
• D. Abika.com.

A private sector daycare’s portal for parents stores their children’s photos, allergy information and
date of birth. A parent has asked about the portal’s security requirements and in three months still
not has received an answer. What is missing from the daycare’s procedures?

• A. Ensuring transparency.
• B. Responding to the parent's request within 30 days.
• C. Ensuring strong encryption and security measures.
• D. Completing a real risk of significant harm assessment (RROSH).

Which act also includes references to the Privacy Act?

• A. The Access to Information Act.
• B. The Children's Online Privacy Protection Act
• C. The Telecommunications Intercept and Access (TIA) Act.
• D. The Personal Information Protection and Electronic Documents Act

Which of the following provincial health acts is NOT considered substantially similar to the Personal
Information Protection and Electronic Documents Act (PIPEDA)?

• A. New Brunswick's Personal Health Information Privacy and Access Act (PHIPAA)
• B. Ontario's Personal Health Information Protection Act (PHIPAA)
• C. Nova Scotia's Personal Health Information Act (PHIPAA)
• D. lAberta's Health Information Act (PHIA)

Which question is NOT part of the Office of the Privacy Commissioner of Canada’s (OPC’s) four-point
test for establishing whether providing access to genetic testing results goes beyond what is
necessary or reasonable?

• A. Are there less privacy-invasive alternatives?
• B. Are the collection and the use proportionate to the benefits gained?
• C. Are the validity and accuracy of individual test results guaranteed to be accurate?
• D. Is the personal information likely to be effective in achieving a legitimate business purpose?

What is required of a private sector organization that is subject to a finding by a Canadian federal or

• A. In Québec, comply with the finding as a binding decision.
• B. Comply with findings of the Privacy Commissioner of Canada only.
• C. In all jurisdictions, adopt and apply the finding within 30 days of the published report.
• D. In Ontario only, apply for judicial review within a provincial court in order to accept or refute the finding.

After an investigation under the Privacy Act, the Privacy Commissioner could do any of the following
EXCEPT?

• A. Proceed to federal court to determine if the institution improperly withheld information from an individual.
• B. Order an institution to take remedial action if it determines that the Act has been breached.
• C. Recommend solutions to institutions to address identified shortcomings.
• D. Compel institutions to give oral or written evidence.

In Ontario, personal information can be withheld from disclosure in a Freedom of Information (FOI)
request. The following information is included in a record that is the subject of a FOI request being
handled by a hospital: employee name, employee title, employee designation, employee
educational history, employee personal cell phone number, and feedback about the employee from a
colleague.
Which of the following statements is accurate regarding what can be released?

• A. Employee name and title can only be released if the employee consents
• B. The employee designation is not to be released as it is considered employment history.
• C. Employee name, title, and designation can be released as it is not classified as personal information.
• D. No employee information can be released as it is information that was collected throughout the course of employment.