Which of the following provincial health acts is NOT considered substantially similar to the Personal Information Protection and Electronic Documents Act (PIPEDA)?
A. New Brunswick's Personal Health Information Privacy and Access Act (PHIPAA)
B. Ontario's Personal Health Information Protection Act (PHIPA)
C. Nova Scotia's Personal Health Information Act (PHIA)
D. Alberta's Health Information Act (HIA)
According to the Canadian Standards Association (CSA) Model Code, how long should personal information be retained?
A. Personal information should not be retained at all.
B. Personal information should be retained indefinitely as long as consent has been given.
C. Personal information should be retained for at least two years after the last administrative use.
D. Personal information should be retained as long as necessary for the fulfillment of the purpose of the collection.
ABC Corp uses a third-party provider to perform data analytics and sends the following data sets to the third party to run some reports: name, customer ID, age, transaction activity, transaction date, location, outcome, customer type. If ABC Corp wants the third party to send all the data sets to its US-based marketing partner for a new use, what must ABC Corp do?
A. Encrypt data in transit.
B. Anonymize the personal data before sending.
C. Seek additional consent from their customers.
D. Ensure the marketing partner has equal or stronger protections than Canada.
What is the Generally Accepted Privacy Principles (GAPP) framework?
A. An information management model that is widely recognized across many Canadian industries.
B. A comprehensive guide for industry best practices as delineated by the Canadian federal Privacy Commissioner.
C. A template for Privacy Impact Assessments (PIAs) that are conducted within private sector organizations in Canada.
D. A principles-based privacy approach advocated by Canada's leading accounting industry group and its U.S.-based counterpart.
Federal laws establish which of the following requirements for collecting personal information of minors under the age of 13?
A. Implied consent from a minor's parent or guardian, or affirmative consent from the minor.
B. Affirmative consent from a minor's parent or guardian before collecting the minor's personal information online.
C. Implied consent from a minor's parent or guardian before collecting a minor's personal information online, such as when they permit the minor to use the internet.
D. Affirmative consent of a parent or guardian before collecting personal information of a minor offline (e.g., in person), which also satisfies any requirements for online consent.
What does the Massachusetts Personal Information Security Regulation require as it relates to encryption of personal information?
A. The encryption of all personal information of Massachusetts residents when all equipment is located in Massachusetts.
B. The encryption of all personal information stored in Massachusetts-based companies when all equipment is located in Massachusetts.
C. The encryption of personal information stored in Massachusetts-based companies when stored on portable devices.
D. The encryption of all personal information of Massachusetts residents when stored on portable devices.
SCENARIO
Please use the following to answer the next question:
A US-based startup company is selling a new gaming application. One day, the CEO of the company receives an urgent letter from a prominent EU-based retail partner. Triggered by an unresolved complaint lodged by an EU resident, the letter describes an ongoing investigation by a supervisory authority into the retailer's data handling practices.
The complainant accuses the retailer of improperly disclosing her personal data, without consent, to parties in the United States. Further, the complainant accuses the EU-based retailer of failing to respond to her withdrawal of consent and request for erasure of her personal data. Your organization, the US-based startup company, was never informed of this request for erasure by the EU-based retail partner. The supervisory authority investigating the complaint has threatened the suspension of data flows if the parties involved do not cooperate with the investigation. The letter closes with an urgent request: "Please act immediately by identifying all personal data received from our company."
This is an important partnership. Company executives know that its biggest fans come from Western Europe, and this retailer is primarily responsible for the startup's rapid market penetration.
As the Company's data privacy leader, you are sensitive to the criticality of the relationship with the retailer.
Upon review, you discover that the Company's documented data inventory is obsolete. What is the data privacy leader's next best source of information to aid the investigation?
A. Reports on recent purchase histories
B. Database schemas held by the retailer
C. Lists of all customers, sorted by country
D. Interviews with key marketing personnel
California's SB 1386 was the first law of its type in the United States to do what?
A. Require commercial entities to disclose a security data breach concerning personal information about the state's residents
B. Require notification of non-California residents of a breach that occurred in California
C. Require encryption of sensitive information stored on servers that are Internet connected
D. Require state attorney general enforcement of federal regulations against unfair and deceptive trade practices
What role does the U.S. Constitution play in the area of workplace privacy?
A. It provides enforcement resources to large employers, but not to small businesses
B. It provides legal precedent for physical information security, but not for electronic security
C. It provides contractual protections to members of labor unions, but not to employees at will
D. It provides significant protections to federal and state governments, but not to private-sector employment
What was the original purpose of the Federal Trade Commission Act?
A. To ensure privacy rights of U.S. citizens
B. To protect consumers
C. To enforce antitrust laws
D. To negotiate consent decrees with companies violating personal privacy