Which of the following statements are true about the privacy statement of an organization?
A. Content of the online privacy statement of an organization will depend upon the applicable laws, and may need to address requirements across geographical boundaries and legal jurisdictions
B. As per privacy laws, it is generally mandatory to mention the phone contact details of the owner of the organization in the online privacy statement, where customers can reach out in case of a grievance or incident
C. An online privacy statement is an instrument to demonstrate to stakeholders how the organization gathers, uses, discloses, and manages personal data
D. India's Information Technology (Amendment) Act, 2008 does not require that a privacy policy be published on the website
Which of the following privacy principles deals with informed consent of the data subject before sharing the personal information (of the data subject) with third parties for processing?
A. Collection limitation
B. Purpose limitation
C. Disclosure of information
D. Accountability
Which of the following privacy regulations advocates de-identification of personal information?
A. EU Data Protection Directive
B. Canada's PIPEDA
C. Australia's ANPP
D. IT Act of India
Which of the following wasn't prescribed as a privacy principle under the OECD Privacy Guidelines, 1980?
A. Openness
B. Data minimization
C. Security Safeguard
D. Purpose Specification
On September 30, 1970, the very first data protection law, the ______________ Data Protection Act, was passed.
A. Hesse
B. Copenhagen
C. Paris
D. Munich
ABC company is a large US-based IT company that provides a range of services to its clients. The company had developed a cloud-based application providing end-to-end services for the medical industry. The application had three modules for:
- Patients
- Hospitals and Doctors
- Insurance and Pharmaceutical companies
Each of the modules was designed to be integrated with others depending on user's choice. For example, a patient could choose to share his/her medical history with his/her doctor (for medical advice) as well as insurance companies (for claims).
The application requires that all registered users read and acknowledge the privacy policy. Additionally, users are required to identify the purpose for which they are providing any personal data in any of the modules. For example, a patient providing his/her medical history and current symptoms can select ‘Medical Advice’ as the purpose for the data being provided.
A few months ago, the company launched new services in the application, namely Business Analytics, Group Consultations, Insurance Policy Purchase, and Medical Trials Management. The new services used all existing data collected over the years from users. The company's clients/users are based in only three geographical locations: the United States, the European Union and India. Additionally, to facilitate better performance of its application, the company established one datacenter each in the US, Germany and India for its operations. Each of the datacenters provides the following:
- US Datacenter: storage of data for US-based users only
- Germany Datacenter: storage of data for EU-based users only
- India Datacenter: storage of data for India-based users and alternate site for the US and Germany Datacenters (used as part of global load balancing)
- Services of a cloud service provider are leveraged in the US as a Disaster Recovery (DR) site for the Indian Datacenter
Recently, the company's Application Support Desk has started receiving user complaints related to unsolicited communications.
These complaints have warranted a review of company's privacy policies as well as practices.
Which laws will be directly or indirectly applicable to the data stored with the US cloud service provider?
i. HIPAA
ii. German Data Protection Act
iii. IT (Amendment) Act, 2008 Sec 43A
iv. None of the above, as data protection laws are not applicable to Cloud Service Providers
A. iv
B. i and ii
C. i, ii and iii
D. ii and iii
Which one of the following is considered the first step in the evolution of today's concept of privacy?
A. Fundamental civil liberty
B. Universal declaration of human rights
C. Right to be left alone
D. OECD Privacy Principles
What does PHI stand for, as per HIPAA/HITECH?
A. Personal healthcare information
B. Public health information
C. Protected health information
D. Personal health information
Which of the following is not a characteristic of sensitive personal data?
A. Personal data is a subset of Sensitive Personal Data
B. Its classification varies from country to country
C. It's an exhaustive list
D. It carries a higher risk of processing
In which of the following stages of the personal information life cycle should the security aspects be considered?
1. Collection
2. Maintenance
3. Distribution
4. Disposition
A. 1, 2 and 3
B. 2, 3 and 4
C. 2 and 3
D. 1, 2, 3 and 4