ASSESSMENT PAPER: PRIVACY PROGRAM MANAGEMENT COMPREHENSIVE QUESTIONS AND ANSWERS (VERIFIED A+)
◉ Personal vs. Non-personal Information Answer: Personal
information is any information that relates to or describes an
individual. Non-personal information is any data that could not
reasonably relate to an identified or identifiable individual.
◉ Sensitive Data (According to the EU Data Protection Directive)
Answer: Referred to as "Special Categories of Data", this is
information that reveals racial origin, political opinions, religious or
philosophical beliefs, trade union membership, or data concerning
health or sex life. Note that health data is classified as sensitive in
most countries.
◉ Source of Information (3 types and what they are) Answer:
1. Public records are information collected and maintained by
government and available to the public.
2. Publicly available data is data in any form that is accessible to the
interested public.
3. Non-public information is data that has not been made available
to the public.
◉ Data Controller Answer: Person or entity that determines the
purpose and means of the processing of personal data.
◉ Data Processor Answer: The person or entity that processes
personal data on behalf of the controller.
◉ Data Subject Answer: The person about whom the personal data
relates or describes.
◉ Privacy Policy Answer: An internal statement that describes an
organization's information handling practices and procedures.
Directed at employees and agents of the organization.
◉ Privacy Notice Answer: An external statement that is directed to
an organization's potential and actual customers or users. Describes
how the organization will process personal information and
typically describes options a data subject has with respect to the
organization's processing of personal information.
◉ Administrative Safeguards (and examples) Answer: Management-related
policies and procedures for protecting personal information.
An incident management plan and a privacy policy are examples.
◉ Physical Safeguards Answer: Mechanisms that physically protect
or prevent access to a resource. Examples include cable locks for
laptops and security guards to prevent unauthorized access.
◉ Technical Safeguards Answer: Information technology measures
that protect personal information. Examples include password
authentication schemes, encryption, and smart cards.
◉ Privacy Impact Assessment (PIA) (What is it and when should it
occur) Answer: A systematic process for identifying the potential
privacy-related risks of a proposed system. When conducting one, an
organization analyzes how information is collected, stored,
protected, shared, and managed to ensure that the organization has
consciously incorporated privacy protection measures throughout
the lifecycle of the data. It should be carried out whenever a new
data processing system or project is proposed or when there are
revisions to existing data practices.
◉ Privacy Audit or Assessment (What is it, when does it happen and
who performs it) Answer: A systematic examination of an
organization's compliance with its privacy policy and procedures,
applicable laws, and other agreements and contracts concerning
personal information. Audits should be conducted on a regular basis
or at the request of a regulatory authority. They are typically conducted
by an internal task force, but if that task force developed the
program it may make sense to have a third party perform the audit.
◉ Data Lifecycle (4 stages) Answer: 1. Collection 2. Use 3. Disclosure
4. Retention or destruction
◉ FIPs (Fair Information Principles) (Description and 5 core
principles) Answer: Guidelines that represent widely accepted
doctrines concerning the fair processing of information. They are the
foundation of many international privacy initiatives, such as the OECD
Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data. The core principles of privacy are:
1. Notice and awareness (consumers should be given notice of the
practices before information is collected)
2. Choice and consent (consumers should have options)
3. Access and participation (consumers should have the ability to
view and contest information collected about them)
4. Integrity and security (organizations should ensure data collected
is accurate and secure)
5. Enforcement and redress (enforcement measures should be
implemented to ensure organizations follow the FIPs)
◉ Opt-in consent Answer: Occurs when a data subject affirmatively
and explicitly indicates the desire to have his data processed by an
organization. Usually reserved for more intrusive processing.