EMT Practice Test

1. Question Content...


Question List

Question1: A country should allow its citizens to access specific information owned by the government in order to
bring transparency in the government administration processes. This is the basis for formulation of which
of the following rights in India?

Question2: As a privacy assessor, what would most likely be the first artifact you would ask for while assessing an
organization which claims that it has implemented a privacy program?

Question3: Which of the following statements is true in respect of the India specific government projects such as
Aadhaar, National Population Register (NPR), etc. that can have privacy implications?

Question4: Which of the following is not required by an organization in US, resorting to EU-US Safe Harbor
provisions, to transfer personal information from EU member nation to US?

Question5: One of the main objectives of 'Do Not Track' technology is to

Question6: Which of the following does not fall under the category of Personal Financial Information (PFI)?

Question7: From the following list, identify the technology aspects that are specially designed for upholding the
privacy:
i. Data minimization
ii. Intrusion prevention system
iii. Data scrambling
iv. Data loss prevention
v. Data portability
vi. Data obfuscation
vii. Data encryption
viii. Data mirroring
Please select the correct set of aspects from below options:

Question8: As part of the environment scanning to identify security risks to personal information, which of the following
environments would be least relevant for the organization?

Question9: A Privacy Impact Assessment (PIA) should ideally accomplish which of the following goals?

Question10: A US IT company has created a cloud based application for Canadian consumers only, with servers
located in Vancouver, Canada. The application allows its users to publish their short stories, essays or e-
books. The purpose of the application, i.e. literary work, is clearly stated in the terms and conditions which
are mandatorily acknowledged by each user. With respect to this application, the company must ensure
compliance with:

Question11: Effective 2013, HIPAA Omnibus rule applies to which of the following?

Question12: What are the roles an organization can play from privacy perspective?
i. Data Controller - determines the means and purpose of processing of data which is collected from its
end customers
ii. Data Controller - determines the means and purpose of processing of data which is collected from its
employees
iii. Data Sub-Processor - processes personal data on behalf of data processor
iv. Joint Controller - determines the means and purpose of data processing along with other data
controller
Please select correct option:

Question13: Which of the following are key contributors that would enhance the complexity in implementing security
measures for protection personal information?

Question14: A privacy lead assessor assessing your company for DSCI's privacy certification gets to know that your
payroll process has been outsourced to a third party service provider. So, he/she is reviewing your
contract with that service provider to ascertain which privacy related clauses are incorporated in the
contract. What could be the possible reasons for reviewing the contract?

Question15: For negligence in implementing and maintaining the reasonable security practices and procedures for
protecting Sensitive Personal Data or Information (SPDI) as mentioned in Section 43A and associated
rules under IT (Amendment) Act, 2008, a corporate entity may be liable to pay compensation of up
to___________

Question16: Which of the following could be considered as triggers for updating privacy policy?

Question17: Please select the incorrect statement in context of "Online Privacy":

Question18: Which type of data qualify as Sensitive Personal Data or Information under Section 43A of IT
(Amendment) Act, 2008?

Question19: Which of the following categories of information are generally protected under privacy laws?

Question20: A government agency collecting biometrics of citizens can deny sharing such information with Law
Enforcement Agencies (LEAs) on which of the following basis?

Question21: A multinational company with operations in several parts within EU and outside EU, involves international
data transfer of both its employees and customers. In some of its EU branches, which are relatively larger
in size, the organization has a works council. Most of the data transferred is personal, and some of the
data that the organization collects is sensitive in nature, the processing of some of which is also
outsourced to its branches in Asian countries.
For the outsourced work of its customers' data processing, in order to initiate data transfer to another
organizations outside EU, which is the most appropriate among the following?

Question22: A ministry under government of India plans to collect citizens' information related to their education,
medical condition, economic status, caste and religion. As per the privacy requirements mentioned under
Sec 43A of IT (Amendment) Act, 2008, the citizens' 'Consent' would be mandatory for which of the
following elements before their collection?

Question23: What does PHI stand for, as per HIPAA/ HITECH?

Question24: Privacy enhancing tools aim to allow users to take one or more of the following actions related to their
personal data that is sent to, and used by online service providers, merchants or other users:
i. Increase control over their personal data
ii. Choose whether to use services anonymously or not
iii. Obtain informed consent about sharing their personal data
iv. Opt-out of behavioral advertising or any other use of data
Please select correct option from below:

Question25: With respect to privacy monitoring and incident management process, which of the below should be a part
of a standard incident handling process?
I. Incident identification and notification
II. Investigation and remediation
III. Root cause analysis
IV. User awareness training on how to report incidents
Please select the correct option:

Question26: A multinational company with operations in several parts within EU and outside EU, involves international
data transfer of both its employees and customers. In some of its EU branches, which are relatively larger
in size, the organization has a works council. Most of the data transferred is personal, and some of the
data that the organization collects is sensitive in nature, the processing of some of which is also
outsourced to its branches in Asian countries.
Which of the following are not mandatory pre-requisite before transferring sensitive personal data to its
Asian branches?

Question27: Companies based in EU and willing to transfer data outside the EU/EEA, use model contracts as an
instrument. Which of the following statements are true in reference to above statement?

Question28: Which of the following statements are true about the privacy statement of an organization?

Question29: Which of the following doesn't contribute, or contributes the least, to the growing data privacy
challenges in today's digital age?

Question30: Which one of the following is considered as the first step of evolution in the formation of today's concept of
privacy?

Question31: Which of the following provides the legal basis for an Adjudicating Officer in every Indian state & union
territory, with the powers of a civil court, to hear complaints and order compensation to the affected
individuals?

Question32: Company A collects and stores information from people X & Y on behalf of company B.
Which of the following statements are true?

Question33: A company collects personal information about its employees and requests them to provide accurate
information in order to avail benefits such as life insurance and medical insurance. Employees of the
company have raised concerns about use of their personal information. Due to the concerns, the company
has decided to create a privacy policy. What all should the company include in its privacy policy to address
the raised concerns?