1. Global Manufacturing Co's Human Resources department recently purchased a new software tool. This tool helps evaluate future candidates for executive roles by scanning emails to see what those candidates say and what is said about them.
This provides the HR department with an automated "360 review" that lets them know how the candidate thinks and operates, what their peers and direct reports say about them, and how well they interact with each other.
What is the most important step for the Human Resources Department to take when implementing this new software?
a) Making sure that the software does not unintentionally discriminate against protected groups.
b) Providing notice to employees that their emails will be scanned by the software and creating automated profiles.
c) Ensuring that the software contains a privacy notice explaining that employees have no right to privacy as long as they are running this software on organization systems to scan email systems.
d) Confirming that employees have read and signed the employee handbook where they have been advised that they have no right to privacy as long as they are using the organization's systems, regardless of the protected group or laws enforced by EEOC.
2. According to FERPA, when can a school disclose records without a student's consent?
a) If the disclosure would not reveal a student's student identification number
b) If the disclosure is to provide transcripts to a school where a student intends to enroll
c) If the disclosure is to practitioners who are involved in a student's health care
d) If the disclosure is not to be conducted through email to the third party
3. Which is the best way to view an organization's privacy framework?
a) As a living structure that aligns to changes in the organization
b) As an aspirational goal that improves the organization
c) As an industry benchmark that can apply to many organizations
d) As a fixed structure that directs changes in the organization
4. In which situation would a policy of "no consumer choice" or "no option" be expected?
a) When a customer's street address is shared with a shipping company
b) When a patient's health record is made available to a pharmaceutical company
c) When a job applicant's credit report is provided to an employer
d) When a customer's financial information is requested by the government
5. Which area of privacy is a lead supervisory authority's (LSA) MAIN concern?
a) Special categories of data
b) Data subject rights
c) Cross-border processing
d) Data access disputes
6. An online company's privacy practices vary due to the fact that it offers a wide variety of services. How could it best address the concern that explaining them all would make the policies incomprehensible?
b) Provide only general information about its processing activities and offer a toll-free number for more information.
c) Use a layered privacy notice on its website and in its email communications.
d) Identify uses of data in a privacy notice mailed to the data subject.
7. Many businesses print their employees' photographs on building passes, so that employees can be identified by security staff. This is notwithstanding the fact that facial images potentially qualify as biometric data under the GDPR.
Why would such practice be permitted?
a) Because photographs qualify as biometric data only when they undergo a "specific technical processing".
b) Because use of biometric data to confirm the unique identification of data subjects benefits from an exemption.
c) Because employees are deemed to have given their explicit consent when they agree to be photographed by their employer.
d) Because photographic ID is a physical security measure which is "necessary for reasons of substantial public interest".
8. WP29's "Guidelines on Personal data breach notification under Regulation 2016/679" provides examples of ways to communicate data breaches transparently.
Which of the following was listed as a method that would NOT be effective for communicating a breach to data subjects?
a) A direct electronic message
b) A prominent advertisement in print media
c) A notice on a corporate blog
d) A postal notification
9. An unforeseen power outage results in company Z's lack of access to customer data for six hours. According to Article 32 of the GDPR, this is considered a breach.
Based on WP29's February 2018 guidance, company Z should do which of the following?
a) Document the loss of availability to demonstrate accountability
b) Notify the supervisory authority about the loss of availability
c) Notify affected individuals that their data was unavailable for a period of time
d) Conduct a thorough audit of all security systems
10. Which was NOT one of the five priority areas listed by the Federal Trade Commission in its 2012 report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers"?
a) International data transfers
b) Do Not Track
c) Promoting enforceable self-regulatory codes
d) Large platform providers