A private sector daycare's portal for parents stores their children's photos, allergy information and date of birth. A parent has asked about the portal's security requirements and in three months still not has received an answer. What is missing from the daycare's procedures?
A. Ensuring transparency.
B. Responding to the parent's request within 30 days.
C. Ensuring strong encryption and security measures.
D. Completing a real risk of significant harm assessment (RROSH).
What is critical to consider when an organization responsible for a large number of records wants to outsource the storage of those records?
A. Determining if the personal information stored on the records will be used for data matching.
B. Putting into place a contractual agreement between the organization and the records storage company.
C. Conducting a Privacy Impact Assessment (PIA) prior to establishing a relationship with the storage company.
D. Establishing that consent gathered from individuals by the organization in order to store their personal information was informed and meaningful.
Information collected must be made anonymous where technologically possible.
A. File an error report describing the nature of the errors.
B. Amend any information that the woman finds to be erroneous.
C. Request that the woman complete a new set of forms with correct information.
D. Provide the woman with the names of any third parties who have had access to her information.
According to the federal court ruling in the Eastman Case, video cameras in the workplace are considered to be collecting personal information?
A. At the moment a recording occurs.
B. When a camera is on, even if it is not yet recording.
C. As soon as the data is saved to a workplace server.
D. When someone within the organization views the recording.
In 2014, Google was alleged to have violated the Family Educational Rights and Privacy Act (FERPA) through its Apps for Education suite of tools. For what specific practice did students sue the company?
A. Scanning emails sent to and received by students
B. Making student education records publicly available
C. Relying on verbal consent for a disclosure of education records
D. Disclosing education records without obtaining required consent
SCENARIO
Please use the following to answer the next QUESTION:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company
for ten years and has always been concerned about protecting customer's privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a
customer's personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the
customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between
their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps
instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity.
However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any
employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a
period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
Based on the scenario, which of the following would have helped Janice to better meet the company's needs?
A. Creating a more comprehensive plan for implementing a new policy
B. Spending more time understanding the company's information goals
C. Explaining the importance of transparency in implementing a new policy
D. Removing the financial burden of the company's employee training program
SCENARIO
Please use the following to answer the next QUESTION:
Cheryl is the sole owner of Fitness Coach, Inc., a medium-sized company that helps individuals realize their physical fitness goals through classes, individual instruction, and access to an extensive indoor gym. She has owned the company for ten years and has always been concerned about protecting customer's privacy while maintaining the highest level of service. She is proud that she has built long-lasting customer relationships.
Although Cheryl and her staff have tried to make privacy protection a priority, the company has no formal privacy policy. So Cheryl hired Janice, a privacy professional, to help her develop one.
After an initial assessment, Janice created a first of a new policy. Cheryl read through the draft and was concerned about the many changes the policy would bring throughout the company. For example, the draft policy stipulates that a customer's personal information can only be held for one year after paying for a service such as a session with personal trainer. It also promises that customer information will not be shared with third parties without the written consent of the customer. The wording of these rules worry Cheryl since stored personal information often helps her company to serve her customers, even if there are long pauses between their visits. In addition, there are some third parties that provide crucial services, such as aerobics instructors who teach classes on a contract basis. Having access to customer files and understanding the fitness levels of their students helps instructors to organize their classes.
Janice understood Cheryl's concerns and was already formulating some ideas for revision. She tried to put Cheryl at ease by pointing out that customer data can still be kept, but that it should be classified according to levels of sensitivity. However, Cheryl was skeptical. It seemed that classifying data and treating each type differently would cause undue difficulties in the company's day-to-day operations. Cheryl wants one simple data storage and access system that any employee can access if needed.
Even though the privacy policy was only a draft, she was beginning to see that changes within her company were going to be necessary. She told Janice that she would be more comfortable with implementing the new policy gradually over a period of several months, one department at a time. She was also interested in a layered approach by creating documents listing applicable parts of the new policy for each department.
What is the best reason for Cheryl to follow Janice's suggestion about classifying customer data?
A. It will help employees stay better organized
B. It will help the company meet a federal mandate
C. It will increase the security of customers' personal information (PI)
D. It will prevent the company from collecting too much personal information (PI)
Which of the following best describes an employer's privacy-related responsibilities to an employee who has left the workplace?
A. An employer has a responsibility to maintain a former employee's access to computer systems and company data needed to support claims against the company such as discrimination.
B. An employer has a responsibility to permanently delete or expunge all sensitive employment records to minimize privacy risks to both the employer and former employee.
C. An employer may consider any privacy-related responsibilities terminated, as the relationship between employer and employee is considered primarily contractual.
D. An employer has a responsibility to maintain the security and privacy of any sensitive employment records retained for a legitimate business purpose.
Which action is prohibited under the Electronic Communications Privacy Act of 1986?
A. Intercepting electronic communications and unauthorized access to stored communications
B. Monitoring all employee telephone calls
C. Accessing stored communications with the consent of the sender or recipient of the message
D. Monitoring employee telephone calls of a personal nature
Most states with data breach notification laws indicate that notice to affected individuals must be sent in the "most expeditious time possible without unreasonable delay." By contrast, which of the following states currently imposes a definite limit for notification to affected individuals?
A. Maine
B. Florida
C.
D. New York
E. California