Which privacy principle provisions notified under Sec 43A were exempted for the service providers?

After the rules were notified under section 43A of the IT (Amendment) Act, 2008, the government issued a clarification that exempted service providers that get access to or process Sensitive Personal Data or Information (SPDI) under a contractual agreement with a legal entity located within or outside India.

Which privacy principle provisions notified under Sec 43A were exempted for the service providers?
A . Consent
B . Privacy policy (which is published)
C . Access and Correction
D . Disclosure of information

Answer: B

With respect to ‘Data Minimization’ privacy principle, please select the correct statements from the following:
A . Right to object by the data subject for minimizing the collection of personal information
B . Data controllers should limit the amount of data collected to what is directly relevant and necessary to accomplish a specified purpose
C . Data controllers should retain the data only for as long as is necessary to fulfil the purpose for which it was collected
D . Process of analyzing and minimizing the collected data into useful information

Answer: A

Which of the following are not mandatory prerequisites before transferring sensitive personal data to its Asian branches?

A multinational company with operations in several places within and outside the EU carries out international transfers of data on both its employees and its customers. In some of its EU branches, which are relatively larger in size, the organization has a works council. Most of the data transferred is personal, and some of the data that the organization collects is sensitive in nature; the processing of some of this data is also outsourced to its branches in Asian countries.

Which of the following are not mandatory prerequisites before transferring sensitive personal data to its Asian branches?
A . Notifying the data subject
B . Conducting risk assessment for the processing involved
C . Determining adequacy status of the country
D . Self-certifying to Safe Harbor practices and reporting to Federal Trade Commission

Answer: D

Which of the following laws does not have a mandatory personal data breach notification requirement?
A . General Data Protection Regulation, 2016
B . Information Technology (Amendment) Act, 2008
C . Japanese Act on the Protection of Personal Information
D . UK Data Protection Act, 2018

Answer: B

Explanation:

Reference: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1680152

Does the said hospital need to notify its privacy policy to the women attending the camp and seek their consent regarding the collection and processing of such information?

XYZ & Co., an Indian hospital specializing in cancer treatment, has organized a free health checkup camp for women in a specific district, after seeking due permission from the competent authorities. During the camp, the hospital staff will be feeding the medical records of these women into a computer connected to the hospital network system.

Does the said hospital need to notify its privacy policy to the women attending the camp and seek their consent regarding the collection and processing of such information?
A . No, since it is a free checkup camp for their welfare
B . Yes, in any language as per the wishes of the said hospital
C . No, since the law does not require the same in this case
D . Yes, in the language such women would understand

Answer: B

With reference to APEC privacy framework, when personal information is to be transferred to another person or organization, whether domestically or internationally, “the ______________ should obtain the consent of the individual and exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with APEC information privacy principles”.
A . Personal Information Owner
B . Personal Information Controller
C . Personal Information Processor
D . Personal Information Auditor

Answer: B

Explanation:

Reference: https://iapp.org/news/a/gdpr-matchup-the-apec-privacy-framework-and-cross-border-privacy-rules/

As per GDPR, the adequacy decision is taken by the European Commission based on its findings and assessment of privacy laws of the third country, territory, sector, etc. The ____________ is required to provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organization, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organization.
A . European Data Protection Board
B . Article 29 Working Party
C . Lead Supervisory Authority
D . Convention 108 Council

Answer: A

Explanation:

Reference: https://books.google.com.pk/books?id=rKXaDwAAQBAJ&pg=PA141&lpg=PA141&dq=GDPR+is+required+to+provide+the+Commission+with+an+opinion+for+the+assessment+of+the+adequacy+of+the+level+of+protection+in+a+third+country+or+international+organization,+including+for+the+assessment+whether+a+third+country,+a+territory+or+one+or+more+specified+sectors+within+that+third+country,+or+an+international+organization&source=bl&ots=iTGUl_dS9C&sig=ACfU3U1_Q4wLavcnbA58JvJ8ek3PZ6YVqg&hl=en&sa=X&ved=2ahUKEwjk4NTnyp_pAhXCRBUIHXqIDj4Q6AEwDHoECBQQAQ#v=onepage&q=GDPR%20is%20required%20to%20provide%20the%20Commission%20with%20an%20opinion%20for%20the%20assessment%20of%20the%20adequacy%20of%20the%20level%20of%20protection%20in%20a%20third%20country%20or%20international%20organization%2C%20including%20for%20the%20assessment%20whether%20a%20third%20country%2C%20a%20territory%20or%20one%20or%20more%20specified%20sectors%20within%20that%20third%20country%2C%20or%20an%20international%20organization&f=false