An organization based in California, USA is implementing a new online helpdesk solution for recording customer call information. The organization considers the capture of personal data on the online helpdesk solution to be in the interest of the company in best servicing customer calls.
Before implementation, a privacy technologist should conduct which of the following?
A. A Data Protection Impact Assessment (DPIA) and consultation with the appropriate regulator to ensure legal compliance.
B. A privacy risk and impact assessment to evaluate potential risks from the proposed processing operations.
C. A Legitimate Interest Assessment (LIA) to ensure that the processing is proportionate and does not override the privacy, rights and freedoms of the customers.
D. A security assessment of the help desk solution and provider to assess if the technology was developed with a security by design approach.
An organization is concerned that its aging IT infrastructure will lead to Increased security and privacy risks. Which of the following would help mitigate these risks?
A. Vulnerability management.
B. Data Loss Prevention.
C. Code audits.
D. Network Centricity.
To comply with the Sarbanes-Oxley Act (SOX), public companies in the United States are required to annually report on the effectiveness of the auditing controls of their financial reporting systems. These controls must be implemented to prevent unauthorized use, disclosure, modification, and damage or loss of financial data.
Why do these controls ensure both the privacy and security of data?
A. Modification of data is an aspect of privacy; unauthorized use, disclosure, and damage or loss of data are aspects of security.
B. Unauthorized use of data is an aspect of privacy; disclosure, modification, and damage or loss of data are aspects of security.
C. Disclosure of data is an aspect of privacy; unauthorized use, modification, and damage or loss of data are aspects of security.
D. Damage or loss of data are aspects of privacy; disclosure, unauthorized use, and modification of data are aspects of privacy.
SCENARIO
Clean-Q is a company that offers house-hold and office cleaning services. The company receives requests from consumers via their website and telephone, to book cleaning services. Based on the type and size of service, Clean-Q then contracts individuals that are registered on its resource database - currently managed in-house by Clean-Q IT Support. Because of Clean-Q's business model, resources are contracted as needed instead of permanently employed. The table below indicates some of the personal information Clean-Q requires as part of its business operations:

Clean-Q has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore,
the Clean-Q permanent employee base is not included as part of this scenario.
With an increase in construction work and housing developments, Clean-Q has had an influx of requests for cleaning services. The demand has overwhelmed Clean-Q's traditional supply and demand system that has caused some
overlapping bookings.
Ina business strategy session held by senior management recently, Clear-Q invited vendors to present potential solutions to their current operational issues. These vendors included Application developers and Cloud-Q's solution providers,
presenting their proposed solutions and platforms.
The Managing Director opted to initiate the process to integrate Clean-Q's operations with a cloud solution (LeadOps) that will provide the following solution one single online platform: A web interface that Clean-Q accesses for the purposes
of resource and customer management. This would entail uploading resource and customer information.
A customer facing web interface that enables customers to register, manage and submit cleaning service requests online.
A resource facing web interface that enables resources to apply and manage their assigned jobs.
An online payment facility for customers to pay for services.
What is a key consideration for assessing external service providers like LeadOps, which will conduct personal information processing operations on Clean-Q's behalf?
A. Understanding LeadOps' costing model.
B. Establishing a relationship with the Managing Director of LeadOps.
C. Recognizing the value of LeadOps' website holding a verified security certificate.
D. Obtaining knowledge of LeadOps' information handling practices and information security environment.
Implementation of privacy controls for compliance with the requirements of the Children's Online Privacy Protection Act (COPPA) is necessary for all the following situations EXCEPT?
A. A virtual jigsaw puzzle game marketed for ages 5-9 displays pieces of the puzzle on a handheld screen. Once the child completes a certain level, it flashes a message about new themes released that day.
B. An interactive toy copies a child's behavior through gestures and kid-friendly sounds. It runs on battery power and automatically connects to a base station at home to charge itself.
C. A math tutoring service commissioned an advertisement on a bulletin board inside a charter school. The service makes it simple to reach out to tutors through a QR-code shaped like a cartoon character.
D. A note-taking application converts hard copies of kids' class notes into audio books in seconds. It does so by using the processing power of idle server farms.
A company configures their information system to have the following capabilities:
1.
Allow for selective disclosure of attributes to certain parties, but not to others.
2.
Permit the sharing of attribute references instead of attribute values - such as "I am over 21" instead of birthday date.
3.
Allow for information to be altered or deleted as needed. These capabilities help to achieve which privacy engineering objective?
A. Predictability.
B. Manageability.
C. Disassociability.
D. Integrity.
What is true of providers of wireless technology?
A. They have the legal right in most countries to control and use any data on their systems.
B. They can see all unencrypted data that crosses the system.
C. They are typically exempt from data security regulations.
D. They routinely backup data that crosses their system.
An individual drives to the grocery store for dinner. When she arrives at the store, she receives several unsolicited notifications on her phone about discounts on items at the grocery store she is about to shop at. Which type of privacy problem does the represent?
A. Intrusion.
B. Surveillance.
C. Decisional Interference.
D. Exposure.
An organization is evaluating a number of Machine Learning (ML) solutions to help automate a customer-facing part of its business From a privacy perspective, the organization should first?
A. Define their goals for fairness
B. Document the distribution of bias scores
C. Document the False Positive Rates (FPR).
D. Define how data subjects may object to the processing
SCENARIO
Carol was a U.S.-based glassmaker who sold her work at art festivals. She kept things simple by only accepting cash and personal checks.
As business grew, Carol couldn't keep up with demand, and traveling to festivals became burdensome. Carol opened a small boutique and hired Sam to run it while she worked in the studio. Sam was a natural salesperson, and business
doubled. Carol told Sam, "I don't know what you are doing, but keep doing it!"
But months later, the gift shop was in chaos. Carol realized that Sam needed help so she hired Jane, who had business expertise and could handle the back-office tasks. Sam would continue to focus on sales. Carol gave Jane a few weeks to
get acquainted with the artisan craft business, and then scheduled a meeting for the three of them to discuss Jane's first impressions.
At the meeting, Carol could not wait to hear Jane's thoughts, but she was unprepared for what Jane had to say. "Carol, I know that he doesn't realize it, but some of Sam's efforts to increase sales have put you in a vulnerable position. You are
not protecting customers' personal information like you should."
Sam said, "I am protecting our information. I keep it in the safe with our bank deposit. It's only a list of customers' names, addresses and phone numbers that I get from their checks before I deposit them. I contact them when you finish a piece
that I think they would like. That's the only information I have! The only other thing I do is post photos and information about your work on the photo sharing site that I use with family and friends. I provide my email address and people send me
their information if they want to see more of your work. Posting online really helps sales, Carol. In fact, the only complaint I hear is about having to come into the shop to make a purchase."
Carol replied, "Jane, that doesn't sound so bad. Could you just fix things and help us to post even more online?"
`I can," said Jane. "But it's not quite that simple. I need to set up a new program to make sure that we follow the best practices in data management. And I am concerned for our customers. They should be able to manage how we use their
personal information. We also should develop a social media strategy."
Sam and Jane worked hard during the following year. One of the decisions they made was to contract with an outside vendor to manage online sales. At the end of the year, Carol shared some exciting news. "Sam and Jane, you have done
such a great job that one of the biggest names in the glass business wants to buy us out! And Jane, they want to talk to you about merging all of our customer and vendor information with theirs beforehand."
When initially collecting personal information from customers, what should Jane be guided by?
A. Onward transfer rules.
B. Digital rights management.
C. Data minimization principles.
D. Vendor management principles