Cipp-A V12.35

IT Certification Guaranteed, The Easy Way!
Exam : CIPP-A
Title : Certified Information Privacy

Professional/Asia (CIPP/A)
Vendor : IAPP
Version : V12.35
1
NO.1 Although the right to privacy is not explicitly granted in the Indian Constitution, privacy
advocates frequently cite Article 21's guarantee of?
A. Personal liberty.
B. Right to property.
C. Equality before the law.
D. Freedom from intrusion.
Answer: A
NO.2 SCENARIO - Please use the following to answer the next QUESTION:
Dracarys Inc. is a large multinational company with headquarters in Seattle, Washington, U.S.A.
Dracarys began as a small company making and selling women's clothing, but rapidly grew through its
early innovative use of online platforms to sell its products. Dracarys is now one of the biggest names
in the industry, and employs staff across the globe, and in Asia has employees located in both
Singapore and Hong Kong.
Due to recent management restructuring they have decided, on the advice of external consultants, to
open an office in India in order to centralize its call center as well as its internal human resource
functions for the Asia region. Dracarys would like to centralize the following human resource
functions in India:
1. The recruitment process;
2. Employee assessment and records management;
3. Employee benefits administration, including health insurance.
Dracarys will have employees on the ground in India managing the systems for the functions listed
above. They have been presented with a variety of vendor options for these systems, and are
currently assessing the suitability of these vendors for their needs.
The CEO of Dracarys is concerned about the behavior of her employees, especially online. After
having proprietary company information being shared with competitors by former employees, she is
eager to put certain measures in place to ensure that the activities of her employees, while on
Dracarys' premises or when using any of Dracarys' computers and networks are not detrimental to
the business.
Dracarys' external consultants are also advising the company on how to increase earnings. Dracary's
management refuses to reduce production costs and compromise the quality of their garments, so
the consultants suggested utilizing customer data to create targeted advertising and thus increase
sales.
Which of the following guidelines does Dracarys NOT need to take into account when implementing
monitoring and surveillance tools?
A. The Indian Information Technology Act of 2000.
B. The Hong Kong guide to monitoring personal data privacy at work.
C. The Hong Kong Code of Practice on Human Resource Management.
D. The Singapore advisory guidelines on the personal data protection act for selected topics
(employment and CCTV).
Answer: A
NO.3 In enforcement cases, what is Singapore's Personal Data Protection Commission (PDPC)
obligated to do?
A. Publish the decisions it makes regarding complaints.
2
B. Provide the complainant with a way to appeal a decision.

C. Publish the name of an organization named in a complaint.
D. Intervene in civil actions to provide assistance to complainants.
Answer: B
NO.4 Which Indian institution is vested with powers under the Credit Information Companies
(Regulation) Act of 2005?
A. The Reserve Bank of India.
B. The National Housing Bank.
C. The Oriental Bank of Commerce.
D. The Securities and Exchange Board of India.
Answer: A
NO.5 Besides the Personal Data Protection Act (PDPA), which of the following is a potential source of
privacy protection for Singapore citizens?
A. Breach of confidence law.
B. The tort of invasion of privacy.
C. Constitutional protections of personal information.
D. International agreements protecting privacy.
Answer: C
NO.6 In India, the obligation to appoint a Grievance Officer applies ONLY to companies that?
A. Deal with sensitive personal data.
B. Conduct cross-border data transfers.
C. Are considered part of the public sector.
D. Lack alternate enforcement mechanisms.
Answer: A
Reference:
https://taxguru.in/corporate-law/compliance-relation-appointment-grievance-officer-provisions-
information-technology-act-2000.html
NO.7 In which of the following cases would a Singaporean be prevented from accessing information
about herself from an organization?
A. The information was collected in the previous 12 months.
B. The information is related to an individual's credit rating.
C. The cost of providing the information proved to be unreasonable.
D. Any personal information about others has been deleted from the document.
Answer: B
NO.8 In 2015, Section 66A of India's IT Act was ruled unconstitutional. What did this section
previously prohibit?
A. Publishing images with sexually explicit content.
B. Tampering with computer source documents.
3
C. Publishing private images of others.

D. Sending offensive messages.
Answer: D
NO.9 Under the General Data Protection Regulation (GDPR), European Union member states may be
allowed to transfer personal data to the United States in some cases.
Which of the following could NOT be used as a legitimate means of doing this?
A. A consent derogation.
B. A certification mechanism.
C. The Safe Harbor Framework.
D. Binding Corporate Rules (BCR).
Answer: C
NO.10 Which of the following does Singapore's PDPC NOT have the power to do?
A. Order an organization to stop collecting personal data.
B. Order an organization to destroy collected personal data.
C. Order an organization to award compensation to a complainant.
D. Order an organization to pay a financial penalty to the government.
Answer: D
functions in India:
the business.
sales.
4
Dracarys and their vendor of choice must draft a contract that establishes agreement regarding all of
the following factors EXCEPT?
A. Breach notification.
B. Data retention periods.
C. Employee recruitment process.
D. Data subject consent provisions.
Answer: D
Delilah is seeking employment in the marketing department of Good Mining Private Limited, an
industry leader in drilling mines in Singapore. Delilah, while filling in the standard paper application
form, is asked to provide details about emergency contacts, medical history, blood type and her
insurance policy. These fields need to be filled in no matter which department Delilah applies to. The
form also asks Delilah to expressly consent to the collection, use and disclosure of her personal data.
A week after submitting the form, Delilah is invited by Evan, the Director of Marketing at Good
Mining, to coffee. Just before Delilah leaves, she gives her business card containing her current
business contact information to Evan. Evan then uses the business card to add Delilah's details to
Good Mining's business development database, which is kept on a local server. Good Mining uses the
database to inform people about networking and client events that Good Mining organizes.
Why is Good Mining Private's standard form NOT compliant with Singapore's data protection law?
A. It is not available in an electronic format.
B. It does not contain the contact information for the HR manager.
C. It asks for Delilah's consent to use and disclose her personal data.
D. It asks for details that are not relevant to the job Delilah is applying for.
Answer: D
Singabank is a boutique bank in Singapore. After being notified during the hiring process, Singabank
employees are subject to constant and thorough monitoring and tracking through CCTV cameras,
computer monitoring software and keyboard loggers. Singabank does this to ensure its employees
are complying with Singabank's data security policy. Bigbank is now considering acquiring Singabank's
retail banking division. As part of its due diligence, Bigbank is seeking for Singabank to disclose to it all
of its surveillance material on its employees, whether or not they are part of the retail banking
division. Jimmy works in Singabank's investment banking division.
What would make Singabank's monitoring of its employees illegal?
A. If the employees did not explicitly consent to it.
B. If the bank's data security policy was being overhauled.
C. If the bank collected employees' sensitive personal information.
D. If the employees were not provided contact information to ask Question:s about the monitoring.
Answer: A
NO.14 Under what circumstances are smart identity cards required of Hong Kong citizens?
A. When opening bank accounts.
B. When using public transit systems.
5
C. When seeking government services.

D. When making substantial purchases.
Answer: C
NO.15 On what group does Singapore's PDPA impose disclosure restrictions that Hong Kong and
India do not?
A. Government officials.
B. Children under 13.
C. The deceased.
D. The clergy.
Answer: A
NO.16 Which method ensures the greatest security when erasing data that is no longer needed,
according to the Hong Kong Office of the Privacy Commissioner?
A. Strip-shredding paper copies of data.
B. Crosscut shredding paper copies of data.
C. Deleting electronic files containing data.
D. Reformatting USB memory devices containing data.
Answer: B
Zoe is the new Compliance Manager for the Star Hotel Group, which has five hotels across Hong Kong
and Chin a. On her first day, she does an inspection of the largest property, StarOne. She starts with
the hotel reception desk. Zoe sees the front desk assistant logging in to a database as he is checking
in a guest. The hotel manager, Bernard, tells her that all guest data, including passport numbers,
credit card numbers, home address, mobile number and other information associated with a guest's
stay is held in a database. Bernard tells her not to worry about the security of the database because it
is operated for Star Hotels by a local service provider called HackProof, who therefore are responsible
for all the guest data.
Zoe notices what looks like a CCTV camera in the corner of the reception area. Bernard says they
record all activity in the lobby. In fact, last Tuesday he had received a data access request from a
lawyer requesting a copy of footage of all lobby activity for the preceding month. The lawyer's
covering letter said that his client has never visited the hotel herself, but is investigating whether her
husband has been doing so without her knowledge.
Zoe and Bernard head up to the hotel spa. The spa is independently owned by a company called
Relax Ltd. Bernard explains that Relax Ltd is a small company and, as they don't have their own
database, they transfer data about the spa guests to StarOne staff so that they can upload the data
into the HackProof system. Relax Ltd staff can then login and review their guest data as needed.
Zoe asks more about the HackProof system. Bernard tells her that the server for the Hong Kong
hotels is in Hong Kong, but there is a server in Shenzhen that has a copy of all the Hong Kong hotel
data and supports the properties in China. The data is in China for back up purposes and also is
accessible by staff in the China hotels so they can better service guests who visit their hotels in both
territories.
Assuming that Section 33 is in force, which of the following would NOT help Zoe to facilitate the
cross-border transfer from Hong Kong to China?
6
A. Consent of the guest in writing to the transfer.

B. Amending StarOne's privacy policy to refer to the transfer.
C. Putting in place Model Clauses between the relevant entities.
D. China being included as a "White List" country for data transfer.
Answer: A
Singabank is a boutique bank in Singapore. After being notified during the hiring process, Singabank
employees are subject to constant and thorough monitoring and tracking through CCTV cameras,
computer monitoring software and keyboard loggers. Singabank does this to ensure its employees
are complying with Singabank's data security policy. Bigbank is now considering acquiring Singabank's
retail banking division. As part of its due diligence, Bigbank is seeking for Singabank to disclose to it all
of its surveillance material on its employees, whether or not they are part of the retail banking
division. Jimmy works in Singabank's investment banking division.
Assuming the monitoring was legal, can Singabank disclose Jimmy's personal data to Bigbank?
A. No, because Jimmy is not in the division that Bigbank seeks to acquire.
B. No, because the data was collected for the express purpose of complying with Singabank's privacy
policies.
C. Yes, if Singabank informs Jimmy of the disclosure of his personal data before it occurs.
D. Yes, if Jimmy's personal data is necessary for Bigbank to determine whether to proceed with the
acquisition.
Answer: C
NO.19 A Singapore employer can do all of the following without obtaining an employee's consent
EXCEPT?
A. Share an employee's personal data with a company that provides financial planning.
B. Disclose personal health data to a public agency during a health crisis.
C. Use computer monitoring software on an employee's computers.
D. Use closed-circuit television surveillance in the workplace.
Answer: A
NO.20 Which Hong Kong body has recommended legislation that provides for the right of civil action
to be taken when private information is publicly disclosed?
A. Hong Kong's Court of Final Appeal.
B. Hong Kong Law Reform Commission.
C. Office of the Privacy Commissioner for Personal Data.
D. Standing Committee of the National People's Congress of the PRC.
Answer: B
NO.21 Section 43A was amended by India's IT Rules 2011 to include?

A. A definition of what constitutes reasonable security practices.
B. A requirement for the creation of a data protection authority.
C. A list of cases in which privacy policies are not necessary.
7
D. A clarification regarding the role of non-automated data.

Answer: A
Reference:
https://tahseen.ae/media/3481/india_information-technology-reasonable-security-practices-and-
procedures-and-sensitive-personal-data-or-information-rules-2011.pdf
NO.22 Besides the Personal Data Protection Act (PDPA), which of the following is a potential source
of privacy protection for Singapore citizens?
A. Constitutional protections of personal information.
B. International agreements protecting privacy.
C. The tort of invasion of privacy.
D. Breach of confidence law.
Answer: A
NO.23 Hong Kong's New Guidance on Direct Marketing clarified that direct marketing rules under
the new regime do NOT apply if what condition exists?
A. The data subject's personal data is collected from public registers or third parties.
B. The products or services are being offered by the organization's parent company.
C. The data subject has already given consent for other services offered by the company.
D. The products or services are being offered for the exclusive use of an individual's organization.
Answer: C
NO.24 Which of the following is NOT a way that the Singapore government can monitor its citizens?
A. Through the national identity card system.
B. Through the electronic road pricing system.
C. Through a personal computer registration system.
D. Through an online service that holds an individual's medical records.
Answer: D
NO.25 In June 2011, the Hong Kong Privacy Commissioner determined that data subject consent is
NOT valid if it is what?
A. Provided by the data subject solely in verbal form.
B. Used for a directly related but separate purpose.
C. Bundled with other terms of the agreement.
D. Intended for direct marketing purposes.
Answer: C
NO.26 Cases in which an Indian company is accused of violating provisions of India's IT Act must be
heard by?
A. The High Court.
B. A Grievance Officer.
C. An Adjudicating Officer.
D. The Cyber Appellate Tribunal.
8
Answer: A
Bharat Medicals is an established retail chain selling medical goods, with a presence in a number of
cities throughout Indi a. Their strategic partnership with major hospitals in these cities helped them
capture an impressive market share over the years. However, with lifestyle and demographic shifts in
India, the company saw a huge opportunity in door-to-door delivery of essential medical products.
The need for such a service was confirmed by an independent consumer survey the firm conducted
recently.
The company has launched their e-commerce platform in three metro cities, and plans to expand to
the rest of the country in the future. Consumers need to register on the company website before
they can make purchases. They are required to enter details such as name, age, address, telephone
number, sex, date of birth and nationality - information that is stored on the company's servers.
(Consumers also have the option of keeping their credit card number on file, so that it does not have
to be entered every time they make payment.) If ordered items require a prescription, that
authorization needs to be uploaded as well. The privacy notice explicitly requires that the consumer
confirm that he or she is either the patient or has consent of the patient for uploading the health
information. After creating a unique user ID and password, the consumer's registration will be
confirmed through a text message sent to their listed mobile number.
To remain focused on their core business, Bharat outsourced the packaging, product dispatch and
delivery activities to a third party firm, Maurya Logistics Ltd., with which it has a contractual
agreement. It shares with Maurya Logistics the consumer name, address and other product-related
details at the time of every purchase.
If consumers underwent medical treatment at one of the partner hospitals and consented to having
their data transferred, their order requirement will be sent to their Bharat Medicals account directly,
thereby doing away with the need to manually place an order for the medications.
Bharat Medicals takes regulatory compliance seriously; to ensure data privacy, it displays a privacy
notice at the time of registration, and includes all the information that it collects. At this stage of their
business, the company plans to store consumer information indefinitely, since the percentage of
repeat customers and the frequency of orders per customer is still uncertain.
When collecting personal data, Bharat Medicals does NOT need to inform the consumer of what?
A. The recipients of the collected data.
B. The name of the body collecting the data.
C. The type of safeguards protecting the data.
D. The options the subject has to access his data.
Answer: D
NO.28 How can the privacy principles issued in 1980 by the Organisation for Economic Cooperation
and Development (OECD) be defined?
A. Guidelines governing the protection of privacy and trans-border data flows issued in collaboration
with the Federal Trade Commission.
B. Guidelines governing the protection of privacy and trans-border data flows of personal data in
states that are members.
C. Mandatory rules governing the protection of privacy and trans-border data flows within the
European Union.
9
D. Mandatory rules governing the protection of privacy and trans-border data flows among binding
member states.
Answer: B
NO.29 What does NOT need to be considered when determining the retention schedule for sensitive
personal data?
A. Business needs.
B. Amount of data.
C. Storage capacity.
D. Regulatory requirements.
Answer: C
NO.30 Both Sections 72 and 72A of India's IT Act 2000 involve unauthorized access of personal
information. One main difference between the sections is that 72A does what?
A. Stipulates that disclosure has to have occurred.
B. Specifies imprisonment as a possible penalty.
C. Adds a provision about wrongful loss or gain.
D. Includes the concept of consent.
Answer: B
Fitness For Everyone ("FFE") is a gym on Hong Kong Island that is affiliated with a network of gyms
throughout Southeast Asi a. When prospective members of the gym stop in, call in or submit an
inquiry online, they are invited for a free trial session. At first, the gym asks prospective clients only
for basic information: a full name, contact number, age and their Hong Kong ID number, so that FFE's
senior trainer Kelvin can reach them to arrange their first appointment.
One day, a potential customer named Stephen took a tour of the gym with Kelvin and then decided
to join FFE for six months. Kelvin pulled out a registration form and explained FFE's policies, placing a
circle next to the part that read "FEE and affiliated third parties" may market new products and
services using the contact information provided on the form to Stephen "for the duration of his
membership." Stephen asked if he could opt-out of the marketing communications. Kelvin shrugged
and said that it was a standard part of the contract and that most gyms have it, but that even so
Kelvin's manager wanted the item circled on all forms. Stephen agreed, signed the registration form
at the bottom of the page, and provided his credit card details for a monthly gym fee. He also
exchanged instant messenger/cell details with Kelvin so that they could communicate about personal
training sessions scheduled to start the following week.
After attending the gym consistently for six months, Stephen's employer transferred him to another
part of the Island, so he did not renew his FFE membership.
One year later, Stephen started to receive numerous text messages each day from unknown
numbers, most marketing gym or weight loss products.
Suspecting that FFE shared his information widely, he contacted his old FFE branch and asked
reception if they still had his information on file. They did, but offered to delete it if he wished. He
was told FFE's process to purge his information from all the affiliated systems might take 8 to 12
weeks. FFE also informed him that Kelvin was no longer employed by FFE and had recently started
working for a competitor. FFE believed that Kelvin may have shared the mobile contact details of his
10
clients with the new gym, and apologized for this inconvenience.
Which of the following practices would likely violate Hong Kong's Data Protection Principle 1
regarding data collection?
A. FFE's collection of full name from prospective clients.
B. FFE affiliates' receipt of Stephen's contact information.
C. FFE's collection of age and HKID from prospective clients.
D. FFE's collection of Stephen's messenger cell details through Kelvin.
Answer: D
territories.
How should Bernard respond to the lawyer's request for the CCTV footage?
A. Decline to turn over the footage as it is not a valid data access request.
B. Provide a copy of the footage within 40 days as it is a data access request.
C. Provide a copy of the footage to the lawyer under the exemption for legal professional privilege.
D. Decline to turn over the footage as there is no basis for it to be disclosed under the exemption for
prevention or detection of crime.
Answer: D
NO.33 Which was NOT listed as an individual right in the 1998 Fair Information Practice Principles
(FIPPs)?
A. Notice.
B. Choice.
C. Right to erasure.
11
D. Right to data access.

Answer: B
NO.34 Which of the following topics was NOT addressed in India's Information Technology Act 2000
(IT Act)?
A. Digital signatures.
B. Censorship limitations.
C. Electronic transactions.
D. Cybersecurity procedures.
Answer: D
NO.35 Hong Kong's definition of a data user in the original PDPO applies to all of the following
EXCEPT?
A. Trust corporations.
B. Third-party processors.
C. Private sector organizations.
D. Limited liability partnerships.
Answer: B
NO.36 Increases in which of the following were a major reason for the enactment of Hong Kong's
Amendment Ordinance in 2012?
A. Law enforcement requests.
B. Biometric authentication.
C. Direct marketing practices.
D. Data breach reports.
Answer: C
NO.37 Under India's IT Rules 2011, data subjects have the right to correct inaccuracies in personal
information collected about them only if?
A. They are also the providers of the information.
B. They confirm their consent to maintain the information.
C. They are able to prove the legitimacy of the corrections.
D. They request the corrections within a specified amount of time.
Answer: A
Delilah is seeking employment in the marketing department of Good Mining Private Limited, an
industry leader in drilling mines in Singapore. Delilah, while filling in the standard paper application
form, is asked to provide details about emergency contacts, medical history, blood type and her
insurance policy. These fields need to be filled in no matter which department Delilah applies to. The
form also asks Delilah to expressly consent to the collection, use and disclosure of her personal data.
A week after submitting the form, Delilah is invited by Evan, the Director of Marketing at Good
Mining, to coffee. Just before Delilah leaves, she gives her business card containing her current
business contact information to Evan. Evan then uses the business card to add Delilah's details to
12
Good Mining's business development database, which is kept on a local server. Good Mining uses the
database to inform people about networking and client events that Good Mining organizes.
Why is it legal for Evan to add the information on Delilah's business card to the business
development database?
A. Because Delilah "consented" to her business contact information being used by Good Mining by
passing it to Evan voluntarily.
B. Because any business contact information can be freely used, collected or disclosed by Good
Mining.
C. Because Good Mining does not export the information to a cloud vendor.
D. Because Delilah initiated the relationship with Good Mining.
Answer: B
NO.39 In the area of human rights, what separates Singapore from many other Asian countries?
A. It is not a member of the Association of Southeast Asian Nations (ASEAN).
B. It has not signed the International Covenant on Civil and Political Rights.
C. It has not adopted the ASEAN Human Rights Declaration.
D. It is not a member of the United Nations.
Answer: B
recently.
13
Which of the following is NOT true for Maurya Logistics?
A. It must have a privacy policy on its website describing its data processing practices.
B. It must obtain consent from Bharat Medicals consumers before processing their data.
C. It must process Bharat Medicals' consumer data only according to agreed contractual terms.
D. It must protect any unauthorized access any of Bharat Medicals consumer data that it obtained.
Answer: B
NO.41 In Singapore, a potential employer can collect all of the following data on an individual in the
pre-employment phase EXCEPT?
A. Postings from social media websites.
B. Information from a background check.
C. Information about the individual's children.
D. The individual's university attendance records.
Answer: B
NO.42 What emerged as the main reason for creating a comprehensive data protection law when
Singapore ministers met between 2005 and 2011?
A. To control increasing technological threats.
B. To raise Singapore's human rights standing.
C. To limit the scope of governmental surveillance.
D. To enhance Singapore's economic competitiveness.
Answer: D
NO.43 In 2013-14, the Indian Supreme Court ruled in Puttaswamy v Union of India that requiring a
Unique Identification Number was unconstitutional if what?
A. It was restricted to residents of India.
B. It was necessary for proving citizenship.
C. It was required in order to obtain government services.
D. It was used to gather information to discriminate against minorities.
Answer: A
NO.44 Which provision of Hong Kong's Personal Data (Privacy) Ordinance (PDPO) strengthens the
purpose limitation principle (DPP3)?
A. Notice; because the data subject must be provided with the purpose of the collection.
B. Public domain; because the data subjects must agree to the purpose before their information is
made publicly available.
C. Prescribed consent; because the data subject must give express consent to their personal
information being used for additional purposes.
D. Finality; because the purpose for collection of personal information from the subject must be
directly related to a function of the collector.
Answer: A
14
NO.45 Which concept is NOT an element of Cross Border Privacy Rules (CBPR)?
A. Enforcement by Accountability Agents.
B. Self-assessment against CBPR Question:naire.
C. Consultation with Privacy Enforcement (PE) Authority.
D. Dispute resolution via the Accountability Agent's compliance program.
Answer: B
NO.46 In what case would a foreign company NOT be liable for breaches of Singapore's PDPA?
A. If it has a physical office in Singapore.
B. If it is storing information in Singapore.
C. If it is collecting personal information in Singapore.
D. If it collects information from Singaporeans living abroad.
Answer: D
NO.47 In Hong Kong's revised Breach Guidance Note of 2015, what course of action did the
Commissioner recommend that companies take immediately after experiencing a breach?
A. Proceed under the assumption that the breach is a threat to personal safety.
B. Enlist the aid of law enforcement to determine the cause of the breach.
C. Quickly issue a notification to the data subjects affected by the breach.
D. Immediately gather essential information in relation to the breach.
Answer: B
Reference:
https://www.pcpd.org.hk/english/resources_centre/publications/files/
DataBreachHandling2015_e.pdf
https://www.pcpd.org.hk/english/resources_centre/publications/files/
DataBreachHandling2015_e.pdf
NO.48 Protection of which kind of personal information is NOT explicitly mentioned in the privacy
laws of Hong Kong, Singapore, and India?
A. Sensitive data.
B. Children's data.
C. Outsourced data.
D. Extraterritorial data.
Answer: B
NO.49 What was the basis for the "TrustSg" mark, which was designed to build confidence in e-
commerce transactions before the PDPA was enacted?
A. The Fair Information Practice Principles.
B. The Model Data Protection Code.
C. The Electronic Transactions Act.
D. The 1995 European Directive.
Answer: B
Reference:
15
https://static1.squarespace.com/static/5746cdb3f699bb4f603243c8/
t/575f5443a3360c785eab4cc2/1465865429526/china.pdf (21)
NO.50 What personal information is considered sensitive in almost all countries with privacy laws?
A. Marital status.
B. Health information.
C. Employment history.
D. Criminal convictions.
Answer: B
territories.
Members of Relax Ltd's staff are concerned about the data sharing with StarOne. How should Zoe
respond to their concerns?
A. Inform the staff that Relax Ltd can transfer the data to StarOne given they are in the same
premises and guests would reasonably expect that.
B. Inform the staff that Relax Ltd should not transfer the data to StarOne without a privacy notice
identifying StarOne as a class of transferee.
C. Inform the staff that Relax Ltd should not transfer the data to StarOne without the guest's opt-in
consent to do so.
D. Inform the staff that Relax Ltd can transfer the data as Section 33 is not in force.
Answer: C
NO.52 Which of the following principles of the OECD guidelines and Council of European Convention
16
principles does Singapore's PDPA incorporate?

A. Disclosures to third parties included in access requests.
B. Additional protections for sensitive personal data.
C. The ability to opt-out from direct marketing.
D. The right of deletion of data on request.
Answer: C
NO.53 Which of the following entities do NOT fall under India's Right to Information Act of 2005?
A. High courts.
B. State legislatures.
C. Law enforcement agencies.
D. National Security Guard.
Answer: D
Reference:
https://cic.gov.in/sites/default/files/Section%2024%20of%20the%20RTI%20Act%20-%20Ankur%
20Mishra.pdf (9)
NO.54 In India's IT Rules 2011, which is included in the definition of "sensitive personal data"?
A. Tax records.
B. IP addresses.
C. Next of kin.
D. Sexual Orientation.
Answer: D
NO.55 What clarification did India make in a 2011 Press Note regarding their Sensitive Personal Data
Rules?
A. That the rules apply to data subjects located outside of India.
B. That the rules apply to persons or companies collecting sensitive data within India.
C. That the data processor must provide notice to the data subject before data is processed.
D. That sensitive personal data or information includes passwords, financial information, medical
records, and
Answer: D
biometric information.
NO.56 Which of the following is NOT a substantial source of privacy protection for Hong Kong
citizens?
A. The Communications and Surveillance Ordinance.
B. The Universal Declaration of Human Rights.
C. The Bill of Rights Ordinance.
D. The Basic Law.
Answer: A
NO.57 Hong Kong's Personal Data (Privacy) Ordinance (PDPO) was primarily inspired by which of the
17
following?
A. Asia's APEC Privacy Framework.
B. Macau's Personal Data Protection Act.
C. South Korea's Public Agency Data Protection Act.
D. Europe's Data Protection Directive (Directive 95/46/EC).
Answer: D
NO.58 Under the PDPO, what are Hong Kong companies that make use of personal data required to
do?
A. Appoint an official compliance officer.
B. Register with the appropriate data authority.
C. Honor all data subject requests for correcting personal information.
D. Provide contact information of persons handling data access requests.
Answer: C
territories.
HackProof reports to Zoe that a copy of the entire guest database has been exfiltrated by a hacker.
What is Zoe's best course of action?
A. Zoe must immediately notify all guests, the police and the Privacy Commissioner of the breach.
B. Zoe does not need to do anything as there is no mandatory breach notification requirement in
Hong Kong.
C. Zoe must report the breach to the Privacy Commissioner and make an action plan together with
the Commissioner.
18
D. Zoe should consider if there is a real risk of harm to the guests and take appropriate action based
on her assessment.
Answer: D
NO.60 What benefit does making data pseudonymous offer to data controllers?
A. It ensures that it is impossible to re-identify the data.
B. It eliminates the responsibility to report data breaches.
C. It allows for further use of the data for research purposes.
D. It eliminates the need for a policy specifying data subject access rights.
Answer: A
recently.
Which type of information collected by Bharat Medicals is considered sensitive personal information
under the Information Technology Rules?
A. Prescription details.
B. Location data.
C. Nationality.
D. Religion.
19
Answer: A
NO.62 Which control is NOT included in the requirements established by the Monetary Authority of
Singapore (MAS) for financial institutions in order to deter money-laundering and financial aid to
terrorism (AML/CFT)?
A. Identifying and knowing customers.
B. Sharing personal information with the PDPC.
C. Conducting regular reviews of customer accounts.
D. Monitoring and reporting suspicious financial transactions.
Answer: A
Reference:
https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-
Supervisory-Framework/Anti_Money-Laundering_Countering-the-Financing-of-Terrorism/Guidance-
for- Effective-AML-CFT-Transaction-Monitoring-Controls.pdf (page 3)
https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-
Supervisory-Framework/Anti_Money-Laundering_Countering-the-Financing-of-Terrorism/Guidance-
for- Effective-AML-CFT-Transaction-Monitoring-Controls.pdf (page 3)
NO.63 Increases in which of the following were a major reason for the enactment of Hong Kong's
Amendment Ordinance in 2012?
A. Direct marketing practices.
B. Law enforcement requests.
C. Biometric authentication.
D. Data breach reports.
Answer: A
recently.
20
If a patient withdraws consent provided to one of the partner hospitals regarding the transfer of their
data, which of the following would be true?
A. The patient cannot purchase medications from Bharat Medicals.
B. The hospital has the right to refuse withdrawal of consent since it has a partnership with Bharat
Medicals.
C. The hospital will obtain the necessary medications from Bharat Medicals and provide them directly
to patient.
D. The patient can buy medications from Bharat Medicals by uploading prescription to the Bharat
Medicals website.
Answer: D
NO.65 Which personal data element is NOT considered a special category of data under the General
Data Protection Regulation (GDPR)?
A. Physical or mental health data.
B. Financial information.
C. Race or ethnic origin.
D. Political opinions.
Answer: A
NO.66 The "due diligence" exemption in Hong Kong's PDPO was meant to apply to?
A. Third-party data processors located in foreign countries.
B. Companies researching the viability of business mergers.
C. Service providers hosting customer information in the cloud.
D. Direct marketers acting in the best interest of their company.
Answer: A
NO.67 Which of the following is NOT excluded from the scope of Singapore's Do Not Call registry?
A. Messages that promote investment opportunities.
B. Messages that conduct market research.
C. Messages from charitable organizations.
D. Messages from political candidates.
Answer: B
21
Which of the following FFE data retention policies would be permitted under Section 26 of the
Personal Data (Privacy) Ordinance and Hong Kong Data Protection Principle 2 regarding accuracy and
retention?
A. Retain the data of members who have been suspended for non-payment, in the event that the
data is needed to seek compensation in a court of law.
B. Retain all member data and documents in original form for two years after account termination, to
better inform marketing efforts focused on re-activating accounts of former customers.
C. Retain an anonymous data set after account termination indicating dates of membership, age, and
other statistical data, to be included in aggregate reports about gym membership trends.
D. Retain copies of files of customers who utilized personal trainer services for six months after
account termination, to allow trainers to respond to inquiries from personal physicians about
training-related injuries.
Answer: C
NO.69 All of the following are exempt from Section 43A of India's IT Rules 2011 EXCEPT?
A. Charitable groups.
B. Sole proprietorships.
C. Government agencies.
D. Religious organizations.
Answer: C
22
functions in India:
the business.
sales.
What must Dracarys confirm about the vendor in India in order to centralize elements of its Human
Resource function?
A. That the vendor submits for approval from Dracarys a privacy notice explaining how personal data
will be protected under the Indian Information Technology Act.
B. That the vendor files requests for transfer of personal data out of India through the offices of the
privacy commissioners of Hong Kong and Singapore.
C. That the vendor is bound by legally enforceable obligations to provide the personal data a
standard of protection that is at least comparable to the protection under the Singapore PDPA.
D. That the vendor adheres to the same sector privacy rules followed by Dracarys headquarters
based in Seattle regarding the transfer of personal data.
Answer: A
NO.71 What term is defined by the European Commission to mean any data that relates to an
identified or identifiable individual?
A. Personally identifiable information.
B. Sensitive information.
C. Personal data.
D. Identified data.
Answer: C
23
Which of the following types of text messages are permissible, regardless of Stephen's withdrawal of
consent?
A. From the FFE retention department, offering a special discount for reactivating membership.
B. From health care services provided by Hong Kong's Hospital Authority or Department of Health.
C. From an FFE affiliate that provides a mechanism to opt out of further communications by reply-
texting "OO."
D. From an FFE affiliate in the region Stephen was transferred to, offering services similar to those he
purchased previously.
Answer: C
NO.73 All of the following are guidelines the PDPC gives about anonymised data EXCEPT?
A. Anonymised data is not personal data.
B. Any data that has been anonymised bears the same risks for re-identification.
C. Data that has been anonymised satisfies the "cease to retain" requirement of Section 25.
D. Organizations should consider the risk of re-identification if it intends to publish or disclose
anonymised data.
Answer: C
Reference:
https://www.pdpc.gov.sg/-/media/Files/PDPC/New_DPO_Connect/nov_15/pdf/Anonymisation.pdf
24
NO.74 How are the scope of Singapore's Personal Data Protection Act and the scope of India's IT
Rules similar?
A. They only apply to the private sector.
B. They allow exemptions for military personnel.
C. They apply to controllers and processors alike.
D. They impose obligations on individuals acting in a domestic capacity.
Answer: C
NO.75 How is the transparency of the complaint process treated in both Hong Kong and Singapore?
A. A complainant must alert all individuals potentially affected by the complaint.
B. Investigations into complaints in Hong Kong and Singapore are open to the public.
C. The Hong Kong and Singapore Commissioner may require the complainants to identify themselves
before carrying out any investigation into the complaint.
D. The Hong Kong and Singapore commissioners are obliged to start investigations when receiving a
complaint and inform the respondent of the personal details of the complainant.
Answer: C
NO.76 Who is NOT potentially liable when an employee in a Singapore corporation or partnership
breaches the PDPA?
A. A corporate officer.
B. The employee.
C. The employer.
D. A partner.
Answer: A
NO.77 Which of the following would NOT be exempt from Singapore's PDPA?
A. A government automobile registration website.
B. A private party room at a popular restaurant.
C. A documentary filmed at a rock concert.
D. A video from a store's dosed-circuit TV.
Answer: D
NO.78 How was the Supreme Court's ruling in the Maneka Gandhi v Union of India case significant to
Indian law?
A. It expanded the interpretation of right to life under Article 21 of the Constitution.
B. It established that privacy is a fundamental right granted by the Constitution under Article 21.
C. It upheld that the impounding of passports for "public interest" is allowable under Section 10(3)(c)
of the Passports Act.
D. It ruled that under Article 32 of the Constitution individuals may file writ petitions when they feel
their rights
Answer: D
were violated.
25
NO.79 In which situation would a data intermediary based in Singapore be liable for breaches
against the PDPA?
A. When it fails to provide an individual access to his or her data.
B. When it does not provide anonymous transactions with an individual.
C. When it fails to inform an individual it is processing data from a controller.
D. When it processes data contrary to the provisions established in the contract.
Answer: D
NO.80 Section 43A of India's IT Rules 2011 requires which of the following for a privacy policy?
A. It should be available and produced on request.
B. It should be published on the website of the body corporate.
C. It should be emailed or faxed to data providers by the body corporate.
D. It should be shown to the data provider at the time of data collection.
Answer: A
Reference:
rules-2011-
NO.81 Which European-influenced safeguard was NOT included in Hong Kong or Singapore's
personal data protection acts, but was subsequently adopted as a consideration in regulatory
guidelines?
A. Controls on automated decision making.
B. Additional protection for sensitive personal data.
C. Legitimate interest as a legal basis for processing.
D. Notice requirements when data is collected from third parties.
Answer: D
NO.82 In the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, what exception is
allowed to the Access and Correction principle?
A. Paper-based records.
B. Publicly-available information.
C. Foreign intelligence.
D. Unreasonable expense.
Answer: B
Reference:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj5zqzzs_jwAh
XDRBUIHUjACjcQFjAAegQIBhAD&url =https%3A%2F%2Fwww.apec.org%2F-
%2Fmedia%2FAPEC%2FPublications%2F2005%2F12%2FAPEC- Privacy
-Framework%2F05_ecsg_privacyframewk.pdf&usg=AOvVaw0O1-P2AWJ-BA0TYPGcIJgD
=https%3A%2F%2Fwww.apec.org%2F-%2Fmedia%2FAPEC%2FPublications%2F2005%2F12%2FAPEC-
Privacy-Framework%2F05_ecsg_privacyframewk.pdf&usg=AOvVaw0O1-P2AWJ-BA0TYPGcIJgD
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj5zqzzs_jwAh
XDRBUIHUjACjcQFjAAegQIBhAD&url =https%3A%2F%2Fwww.apec.org%2F-
%2Fmedia%2FAPEC%2FPublications%2F2005%2F12%2FAPEC- Privacy
-Framework%2F05_ecsg_privacyframewk.pdf&usg=AOvVaw0O1-P2AWJ-BA0TYPGcIJgD
26
NO.83 In what way are Hong Kong citizens protected from direct marketing in ways that India and
Singapore citizens are not?
A. Subscribers must have explicitly indicated that they did not object to their data being collected
and used for marketing purposes.
B. Subscribers can opt out of the use of their data for marketing purposes after collection by
withdrawing consent.
C. Data subjects must be notified on a website if their data is being used for marketing purposes.
D. Data subjects are protected from the secondary use of personal data for marketing purposes.
Answer: A
NO.84 In addition to adhering to the data export principle of section 43A of India's IT Act 2000, data
exporters in India must also follow principles of?
A. Privity of contract.
B. Disclosure limitation.
C. Mandatory registration.
D. Third party assessment.
Answer: C
NO.85 In Hong Kong, which of the following are exempt from personal data access requests until
after the project to which the data is related has been concluded?
A. Hospital administrators.
B. Financial institutions.
C. News organizations.
D. Non-profit groups.
Answer: C
27
Assuming that Kelvin received a commission for sharing his former client list with the new employer,
and the new employer used Stephen's data to engage in direct marketing to Stephen, which of the
following penalties could Kelvin face under Part VI A of the Ordinance?
A. No penalty, as FFE and the new employer are the responsible parties.
B. Violation of the terms of his employment agreement.
C. A maximum $500,000 HKD fine.
D. Up to five years imprisonment.
Answer: B
B-Star Limited is a Singapore based construction company with many foreign construction workers.
B-Star's HR team maintains two databases. One (the "simple database") contains basic details from a
standard in- processing form such as name, local address and mobile number. The other database
(the "sensitive database") contains information collected by the HR Department as part of Annual
Review Interviews. With the workers' cooperation, this database has expanded to include far-
reaching sensitive information such as medical history, religious beliefs, ethnicity and educational
levels of immediate family members. Carl left B- Star's employment yesterday, and has flown back
home, rendering him unreachable. Today B-Star, without Carl's consent, wants to conduct research
using Carl's medical records in the sensitive database.
Can B-Star legally conduct this research using Carl's medical data?
A. Yes, because Carl gave his consent for his sensitive personal data to be collected during his
employment.
B. No, an organization is not allowed to use sensitive personal data without an individual's consent
unless absolutely necessary.
C. No, because the research is taking place after Carl has left B-Star's employment.
D. Yes, if the research is deemed to be in the public interest.
Answer: B
NO.88 Based on the model contract released by the Privacy Commissioner for Personal Data (PDPC),
Hong Kong, all of the following sections are recommended to be put into a contract to address
Ordinance 33 (Data transfer/export) of Hong Kong's Personal Data Privacy Ordinance (PDPO)
EXCEPT?
A. Liability and indemnity.
B. Exemptions and Definitions.
C. Termination of the contract.
D. Obligations of the Transferee.
28
Answer: A
functions in India:
the business.
sales.
Dracary's existing client data sets have been anonymised but the CEO is concerned about re-
identification and the risks of using the data for further analysis.
What should the CEO do?
A. Assess the business risk of further processing in the absence of any regulations on anonymised
data.
B. Refer to India's Information Technology Act and the 2011 rules 3-8 for guidance on handling
anonymised data.
C. Obtain the consent of the data subjects because anonymous data must be treated as personal
data at all times.
D. Adhere to the Singapore guidelines on anonymization and the Hong Kong Guidance on Personal
Data Erasure and Anonymization.
Answer: A
NO.90 Which jurisdiction was the first to consider IP addresses to be personal information?
A. India.
B. Hong Kong.
C. The United States.
D. The European Union.
29
Answer: D
NO.91 Which of the following countries will continue to enjoy adequacy status under the GDPR,
pending any future European Commission decision to the contrary?
A. Argentina.
B. Mexico.
C. Taiwan.
D. Korea.
Answer: A
NO.92 According to India's IT Rules 2011, a body corporate operating in India is required to appoint
what kind of authority?
A. A Chief Risk Officer.
B. A Grievance Officer.
C. A Data Protection Officer.
D. A Chief Technology Officer.
Answer: B
30

Cipp-A V12.35

Uploaded by

Copyright:

Available Formats

Cipp-A V12.35

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cipp-A V12.35

Uploaded by

Copyright:

Available Formats

IT Certification Guaranteed, The Easy Way!

Title : Certified Information Privacy

B. Provide the complainant with a way to appeal a decision.

C. Publishing private images of others.

C. When seeking government services.

A. Consent of the guest in writing to the transfer.

NO.21 Section 43A was amended by India's IT Rules 2011 to include?

D. A clarification regarding the role of non-automated data.

D. Right to data access.

principles does Singapore's PDPA incorporate?

You might also like