(PIA): CHAPTER 2 EXAM QUESTIONS AND THEIR COMPLETE SOLUTIONS
What is a Privacy Impact Assessment (PIA)?
A process to identify and minimize data privacy risks
associated with collecting personal information.
Why might an organization collect personal data?
For various business purposes, such as processing payroll
taxes or shipping goods and services.
When should an organization complete a PIA?
Any time it intends to collect a new data element from an
individual.
What types of personal data might require a PIA?
Name, date of birth, age, race, sex, address, biometric
identifiers, or any other personal data element.
What is the first step in completing a PIA?
Clearly specify the data that the organization wishes to
collect from a person.
What should an organization document regarding data
collection?
The reasons for collecting the data.
What aspects of data handling should be described in
a PIA?
How the data will be collected, used, and stored.
What should be documented regarding risks in a PIA?
The risks of collecting, using, and storing the data.
What measures should an organization describe in a
PIA?
The measures that will be taken to reduce the risks
associated with data collection and handling.
Who typically uses the information provided in a PIA?
Organizational leaders to determine if the need for data
collection outweighs the associated risks.
Who might assist in preparing and reviewing a PIA?
Stakeholders such as legal counsel, human resources
professionals, and information security and privacy
professionals.
Is an organization required to share its PIA with other
entities?
No, an organization usually does not need to share its PIA
with other entities.
What are the two general ways of thinking about
privacy concepts?
1. Freedom from government observation and intrusion.
2. Freedom to control one's own personal information.
What types of identification numbers are considered
private information?
Social Security Numbers (SSN), driver's license numbers,
and passport numbers.
What financial information is considered private?
Bank and credit card account numbers, investment and
retirement account information, and the amount of money
in these accounts.
What health information is considered private?
Diagnoses, prescription drug information, and information
regarding mental illness.
What is biometric data and why is it unique?
Biometric data includes fingerprints, DNA analysis, and iris
scans. It is unique to an individual and, unlike a password
or account number, cannot easily be changed once exposed.
What does criminal history data include?
Criminal charges, the outcome of a criminal case, and any
punishment received.
What type of information does family data
encompass?
Information about family members and relationships.
What is the definition of spyware?
Spyware is unwanted software that secretly gathers
information about a person or system and shares it with an
unknown third party.
How does spyware threaten personal data privacy?
It can record personal information such as account
numbers, usernames, passwords, and internet search
queries.
What is adware and how does it function?
Adware is software that displays advertisements to users,
which can include banner ads, pop-ups, and redirects, and
may also function as spyware.
What is a cookie in the context of web browsing?
A cookie is a small string of text that a website stores on a
user's computer.
What are the two kinds of cookies?
1. First-party cookies: set by, and sent back to, the
website the user is actually visiting.
2. Third-party cookies: set by a different domain whose
content (such as an ad or tracking script) is embedded in
the visited site. Because the same third party can read its
cookie from every site that embeds its content, these cookies
let it recognize and track a user across sites.
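The first-party versus third-party distinction is decided by comparing the site the user is on with the domain that owns each cookie. The following is an added example, not code from the original page: it classifies the cookies set during a constructed page load by comparing the registrable domain of the visited page with the domain each cookie is scoped to. It assumes a simplified "last two DNS labels" rule for the registrable domain (a real implementation would consult the Public Suffix List) and uses constructed sample responses; the host names, cookie names and helper functions are illustrative only.

```javascript
// Added example (not from the original page). Classifies Set-Cookie headers
// captured during a page load as first-party or third-party.

// Assumption: registrable domain = last two DNS labels. This is wrong for
// multi-label public suffixes such as "co.uk"; use the Public Suffix List in practice.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Parse "name=value; Attr=val; Flag" into { name, value, attrs } with
// lower-cased attribute keys; a leading dot on Domain= is stripped.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).replace(/^\./, "");
  }
  return { name, value, attrs };
}

// pageUrl: the URL in the address bar; responses: [{ url, setCookie }, ...]
// for each response observed while loading that page.
function classifyCookies(pageUrl, responses) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const results = [];
  for (const { url, setCookie } of responses) {
    const cookie = parseSetCookie(setCookie);
    // A cookie is scoped to its Domain attribute if present, else to the host that set it.
    const cookieHost = cookie.attrs.domain || new URL(url).hostname;
    const cookieDomain = registrableDomain(cookieHost);
    const party = cookieDomain === pageDomain ? "first-party" : "third-party";
    // Modern browsers only send a cookie in cross-site requests when it carries
    // SameSite=None together with Secure, so flag third-party cookies that qualify.
    const crossSiteCapable =
      party === "third-party" &&
      String(cookie.attrs.samesite).toLowerCase() === "none" &&
      cookie.attrs.secure === true;
    results.push({ name: cookie.name, domain: cookieDomain, party, crossSiteCapable });
  }
  return results;
}

// Constructed sample: a page on shop.example that embeds an ad pixel from ads.tracker.example.
const SAMPLE_PAGE = "https://www.shop.example/cart";
const SAMPLE_RESPONSES = [
  { url: "https://www.shop.example/cart",
    setCookie: "session=9f3a; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { url: "https://cdn.shop.example/app.js",
    setCookie: "cdnpref=1; Domain=.shop.example; Path=/" },
  { url: "https://ads.tracker.example/pixel.gif",
    setCookie: "uid=7c2d; Domain=.tracker.example; Secure; SameSite=None" },
];

console.log(classifyCookies(SAMPLE_PAGE, SAMPLE_RESPONSES));
```

Running this reports the `session` and `cdnpref` cookies as first-party (the CDN host shares the registrable domain shop.example with the page) and the `uid` cookie as third-party; that cookie is also marked cross-site capable because it carries `SameSite=None; Secure`, which is exactly the combination an embedded tracker needs to recognise the same user on every site that loads its pixel.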
What is the status of comprehensive data privacy law
in the United States?