EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following aspects of personal information lifecycle management should the privacy function in an organization be concerned with i. Policy definition ii. Policy enforcement iii. IT infrastructure setup iv. Physical infrastructure setup Please select the correct option:

Question2: What are the roles an organization can play from privacy perspective?
i. Data Controller - determines the means and purpose of processing of data which is collected from its end customers ii. Data Controller - determines the means and purpose of processing of data which is collected from its employees iii. Data Sub-Processor - processes personal data on behalf of data processor iv. Joint Controller - determines the means and purpose of data processing along with other data controller Please select correct option:

Question3: With respect to 'Data Minimization' privacy principle, please select the correct statements from the following:

Question4: Company A collects and stores information from people X & Y on behalf of company B.
Which of the following statements are true?

Question5: A global Business Process Management (BPM) organization based in India, headquartered in the US is in receipt of a Request for Proposal (RFP) for a potential deal. The privacy function in this company has just got formulated.
Which of the following stage would be most effective for sales team to involve privacy function?

Question6: A government agency collecting biometrics of citizens can deny sharing such information with Law Enforcement Agencies (LEAs) on which of the following basis?

Question7: A Privacy Impact Assessment (PIA) should ideally accomplish which of the following goals?

Question8: Which law does not require notification of personal data breaches?

Question9: By collecting, storing, and processing personal information on living individuals electronically, Star Link Company could qualify as:

Question10: Which of the following mechanisms or steps are likely to be taken by an organization for implementing privacy program?
i Deploying physical and technology safeguards to protect personal information assets ii. Privacy consideration in product and service design iii. Privacy implementation to focus only on projects impacted by privacy breaches iv. Benchmarking against industry peers' privacy implementation v. Installing privacy enhancing tools and technologies for the projects dealing with organization's intellectual property Please select the correct set of statements from the below options:

Question11: Which of the following does not fall under the category of Personal Financial Information (PFI)?

Question12: A company collects personal information about its employees and requests them to provide accurate
information in order to avail benefits such as life insurance and medical insurance. Employees of the company
have raised concerns about use of their personal information. Due to the concerns, the company has decided to
create a privacy policy. What all should the company include in its privacy policy to address the raised
concerns?

Question13: Which one of the following is considered as the first step of evolution in the formation of today's concept of privacy?

Question14: ____________ is used to identify and reduce privacy risks by analyzing that is processed by the entity and the policies in place to protect the data.

Question15: What is not a best practice for maintaining privacy while sharing any personal information on social networking?

Question16: Which type of data qualify as Sensitive Personal Data or Information under Section 43A of IT (Amendment) Act, 2008?

Question17: Which of the following could be considered as triggers for updating privacy policy?

Question18: Which of the following statement about Personally Identifiable Information (PII) is true?

Question19: Which of the following statement about Personally Identifiable Information (PII) is true?

Question20: A US IT company has created a cloud based application for Canadian consumers only, with servers located in Vancouver, Canada. The application allows its users to publish their short stories, essays or e-books. The purpose of the application, i.e. literary work, is clearly stated in the terms and conditions which are mandatorily acknowledged by each user. With respect to this application, the company must ensure compliance with:

Question21: To establish a privacy organization structure in a bank, which one of the following is least practiced by the industry for the positioning of privacy organization?

Question22: A US IT company has created a cloud based application for Canadian consumers only, with servers located in
Vancouver, Canada. The application allows its users to publish their short stories, essays or e-books. The
purpose of the application, i.e. literary work, is clearly stated in the terms and conditions which are
mandatorily acknowledged by each user. With respect to this application, the company must ensure
compliance with:

Question23: Which of the following are key contributors that would enhance the complexity in implementing security measures for protection personal information?

Question24: Provisions in which of the following legislations in India have or could have a direct conflict with an individual's privacy (though exceptions could have already been defined in the law)?

Question25: Which among the following is the Canadian privacy law?

Question26: A government agency collecting biometrics of citizens can deny sharing such information with Law
Enforcement Agencies (LEAs) on which of the following basis?

Question27: Which of the following statements is true with respect to organization's privacy training and awareness
program?

Question28: In the history of human evolution, erection of walls and fences around one's living spaces is interpreted as arrival of which type of privacy consciousness?

Question29: From the below listed options, identify the new privacy principle that is being advocated in proposed EU General Data Protection Regulation?

Question30: Companies based in EU and willing to transfer data outside the EU/EEA, use model contracts as an instrument.
Which of the following statements are true in reference to above statement?

Question31: Company A collects and stores information from people X & Y on behalf of company B.
Which of the following statements are true?

Question32: The primary concern from privacy governance perspective for a leading bank is that the personnel working in non-production environment are not always security cleared to operate with the customers' Personal Identifiable Information (PII) used in the production environment. This practice represents a security vulnerability where data can be copied by unauthorized personnel and security measures associated with standard production level controls can be easily bypassed.
What technology solutions can be implemented by the organization to overcome this situation:

Question33: Which of the following are needed for projects like DNA profiling, UIDAI, and statistical collection of individuals ?

Question34: From the following list, identify the technology aspects that are specially designed for upholding the privacy:
i. Data minimization
ii. Intrusion prevention system
iii. Data scrambling
iv. Data loss prevention
v. Data portability
vi. Data obfuscation
vii. Data encryption
viii. Data mirroring
Please select the correct set of aspects from below options:

Question35: A non-public document issued by a data controller that directs data processors to adhere to certain privacy
principles while processing personal information may be referred to as:

Question36: If XYZ & Co. collects, stores and processes personal information of living persons, electronically in a
structured filing system, then XYZ could be a:

Question37: What does PHI stand for, as per HIPAA/ HITECH?

Question38: Which of the following privacy legislations is synonymous with "Data Handlers"?

Question39: Which of the following is not a driver for increased privacy-related concerns and subsequent regulatory
responses from various governments around the world?

Question40: Privacy enhancing tools aim to allow users to take one or more of the following actions related to their personal data that is sent to, and used by online service providers, merchants or other users:
i. Increase control over their personal data
ii. Choose whether to use services anonymously or not
iii. Obtain informed consent about sharing their personal data
iv. Opt-out of behavioral advertising or any other use of data
Please select correct option from below:

Question41: Which of the following is not required by an organization in US, resorting to EU-US Safe Harbor
provisions, to transfer personal information from EU member nation to US?

Question42: Which of the following activities form part of an organization's Visibility over Personal Information (VPI)
initiative, according to DSCI Privacy Framework (DPF)?

Question43: APPI, the Act for the Protection of Personal Information, applies to:

Question44: Which of the following could be considered as the most beneficial aspect of implementing Privacy Enhancing Technologies or Tools (PETs)?

Question45: Which of the following factor is least likely to be considered while implementing or augmenting data security solution for privacy protection:

Question46: Under which of the following conditions can a company in India may transfer sensitive personal information (SPI) to any other company or a person in India, or located in any other country?

Question47: Choose from the options below to group privacy principles into user centric (requiring people's involvement) and organization centric (restricted to processes within the organization) categories:

Question48: When you're based in the EU and willing to share data outside the EU/EEA, then you can use model contracts. In reference to the above statement, which of the following is true?

Question49: Complete the sentence:
The Gramm-Leach-Bliley Act (GLBA) of US regulates the privacy practices adopted by financial institutions, requiring them to provide adequate security of the customer records. It lays various obligations on the financial institutions but allows such financial institutions to share the non-public information of customers (after properly notifying their consumers in a manner mentioned in the Act) with

Question50: Which of the following doesn't contribute, or contributes the least, to the growing data privacy
challenges in today's digital age?

Question51: You are part of a team that has been created by Indian government to create India's privacy law based on
recommendations in Justice AP Shah's Report. Which of the following provisions should be addressed in the
law?

Question52: Which of the following statement about Personally Identifiable Information (PII) is true?

Question53: After the rules were notified under section 43A of the IT (Amendment) Act, 2008, a clarification was issued by the government which exempted the service providers, which get access to/processes Sensitive Personal Data or information (SPDI) under contractual agreement with a legal entity located within or outside Indi a. Which privacy principle provisions notified under Sec 43A were exempted for the service providers?

Question54: Select the element(s) of APEC cross border privacy rules system from the following list:
i. self-assessment
ii. compliance review
iii. recognition/acceptance by APEC members
iv. dispute resolution and enforcement
Please select correct option:

Question55: Which of the following factor is least likely to be considered while implementing or augmenting data security solution for privacy protection:

Question56: According to the EU-US Safe Harbour Framework, which of the following is not required when transferring personal information from EU member nations to the US?

Question57: Privacy enhancing tools aim to allow users to take one or more of the following actions related to their personal data that is sent to, and used by online service providers, merchants or other users:
i. Increase control over their personal data
ii. Choose whether to use services anonymously or not
iii. Obtain informed consent about sharing their personal data
iv. Opt-out of behavioral advertising or any other use of data
Please select correct option from below:

Question58: What are the roles an organization can play from privacy perspective?
i. Data Controller - determines the means and purpose of processing of data which is collected from its end
customers
ii. Data Controller - determines the means and purpose of processing of data which is collected from its
employees
iii. Data Sub-Processor - processes personal data on behalf of data processor
iv. Joint Controller - determines the means and purpose of data processing along with other data controller
Please select correct option:

Question59: Which of the following does not fall under the category of Sensitive Personal Data or Information as defined in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Data or Information) Rules, 2011?

Question60: A company collects personal information about its employees and requests them to provide accurate
information in order to avail benefits such as life insurance and medical insurance. Employees of the
company have raised concerns about use of their personal information. Due to the concerns, the company
has decided to create a privacy policy. What all should the company include in its privacy policy to address
the raised concerns?

Question61: Which of the following laid foundation for the development of OECD privacy principles for the promotion of
free international trade and trans border data flows?

Question62: XYZ is a successful startup that acquired a respectable size & scale of operations in last 3 years, handling business process services for small & medium scale enterprises, largely in US & Europe. They are at the stage of closing a deal with a new banking client and working out the details of privacy related obligations in contract. Ensuring effective enforcement of which of the below listed privacy principles is client's accountability, even after outsourcing its loan approval process to XYZ?
1. Notice
2. Choice and Consent
3. Collection Limitation
4. Use Limitation
5. Access and Correction
6. Security
7. Disclosure to third Party
Please select the correct set of principles from below listed options:

Question63: What is not a compulsory pre-requisite before a company with headquarters in the EU transfers sensitive personal data to its Asian subsidiaries?

Question64: Company A collects and stores information from people X & Y on behalf of company B. Which of the following statements are true?

Question65: From the following list, identify the technology aspects that are specially designed for upholding the privacy:
i. Data minimization
ii. Intrusion prevention system
iii. Data scrambling
iv. Data loss prevention
v. Data portability
vi. Data obfuscation
vii. Data encryption
viii. Data mirroring
Please select the correct set of aspects from below options:

Question66: A multinational company with operations in several parts within EU and outside EU, involves international data transfer of both its employees and customers. In some of its EU branches, which are relatively larger in size, the organization has a works council. Most of the data transferred is personal, and some of the data that the organization collects is sensitive in nature, the processing of some of which is also outsourced to its branches in Asian countries.
For exporting EU branch employees' data to Asian Countries for processing, which of the following instruments could be used for legal data transfer?

Question67: Select the element(s) of APEC cross border privacy rules system from the following list:
i. self-assessment
ii. compliance review
iii. recognition/acceptance by APEC members
iv. dispute resolution and enforcement
Please select correct option:

Question68: According to which of the following data privacy laws does "challenging compliance" fall under?

Question69: Which of the following could be considered as triggers for updating privacy policy?

Question70: A multinational company with operations in several parts within EU and outside EU, involves international data transfer of both its employees and customers. In some of its EU branches, which are relatively larger in size, the organization has a works council. Most of the data transferred is personal, and some of the data that the organization collects is sensitive in nature, the processing of some of which is also outsourced to its branches in Asian countries.
Which of the following are not mandatory pre-requisite before transferring sensitive personal data to its Asian branches?

Question71: Which of the following categories of information are generally protected under privacy laws?

Question72: Which of the following privacy regulation advocates de-identification of personal information?

Question73: A public domain or freely accessible piece of information cannot be construed as sensitive personal data or information under Indian law.

Question74: A US IT company has created a cloud based application for Canadian consumers only, with servers located in Vancouver, Canada. The application allows its users to publish their short stories, essays or e-books. The purpose of the application, i.e. literary work, is clearly stated in the terms and conditions which are mandatorily acknowledged by each user. With respect to this application, the company must ensure compliance with:

Question75: A Privacy Impact Assessment (PIA) should ideally accomplish which of the following goals?

Question76: As per Article 33 of GDPR, in case of a personal data breach, the data controller has to inform the supervisory authority within ___________ of becoming aware of the breach.

Question77: What conditions apply in India for a company to transfer sensitive personal information (SPI) to another Indian company or individual, or to a person residing in any other country?

Question78: Which of the following aspects of personal information lifecycle management should the privacy function in an organization be concerned with i. Policy definition ii. Policy enforcement iii. IT infrastructure setup iv. Physical infrastructure setup Please select the correct option:

Question79: A country should allow its citizens to access specific information owned by the government in order to
bring transparency in the government administration processes. This is the basis for formulation of which
of the following rights in India?

Question80: If XYZ & Co. collects, stores and processes personal information of living persons, electronically in a structured filing system, then XYZ could be a:

Question81: With reference to APEC privacy framework, when personal information is to be transferred to another person or organization, whether domestically or internationally, "the ______________ should obtain the consent of the individual and exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with APEC information privacy principles".

Question82: Who should be designated as a grievance officer in IT (Amendment) Act, 2008 to redress grievance(s) from information providers?

Question83: A multinational company with operations in several parts within EU and outside EU, involves international data transfer of both its employees and customers. In some of its EU branches, which are relatively larger in size, the organization has a works council. Most of the data transferred is personal, and some of the data that the organization collects is sensitive in nature, the processing of some of which is also outsourced to its branches in Asian countries.
For the outsourced work of its customers' data processing, in order to initiate data transfer to another organizations outside EU, which is the most appropriate among the following?

Question84: Rakesh is leading a project to develop a wellness products website wherein customers can find product information, perform product comparison, and provide reviews. In order to purchase, compare and review the products, customers are required to register on the site. Rakesh and team have come up with a lengthy registration form with all the fields marked as mandatory, though all not required for the primary purpose. As a privacy professional, what is your observation?

Question85: Which of the following statements are true about the privacy statement of an organization?

Question86: For negligence in implementing and maintaining the reasonable security practices and procedures for
protecting Sensitive Personal Data or Information (SPDI) as mentioned in Section 43A and associated
rules under IT (Amendment) Act, 2008, a corporate entity may be liable to pay compensation of up
to___________

Question87: A multinational company with operations in several parts within EU and outside EU, involves international
data transfer of both its employees and customers. In some of its EU branches, which are relatively larger in
size, the organization has a works council. Most of the data transferred is personal, and some of the data that
the organization collects is sensitive in nature, the processing of some of which is also outsourced to its
branches in Asian countries.
For the outsourced work of its customers' data processing, in order to initiate data transfer to another
organizations outside EU, which is the most appropriate among the following?

Question88: A company collects personal information about its employees and requests them to provide accurate information in order to avail benefits such as life insurance and medical insurance. Employees of the company have raised concerns about use of their personal information. Due to the concerns, the company has decided to create a privacy policy. What all should the company include in its privacy policy to address the raised concerns?

Question89: XYZ is a successful startup that acquired a respectable size & scale of operations in last 3 years, handling
business process services for small & medium scale enterprises, largely in US & Europe. They are at the stage
of closing a deal with a new banking client and working out the details of privacy related obligations in
contract. Ensuring effective enforcement of which of the below listed privacy principles is client's
accountability, even after outsourcing its loan approval process to XYZ?
I. Notice
II. Choice and Consent
III. Collection Limitation
IV. Use Limitation
V. Access and Correction
VI. Security
VII. Disclosure to third Party
Please select the correct set of principles from below listed options:

Question90: From the below listed options, identify the new privacy principle that is being advocated in proposed EU General Data Protection Regulation?

Question91: Choose the correct statement:
Projects like DNA profiling, UIDAI, collection of individual's statistics, etc.

Question92: What are the roles an organization can play from privacy perspective?
i. Data Controller - determines the means and purpose of processing of data which is collected from its
end customers
ii. Data Controller - determines the means and purpose of processing of data which is collected from its
employees
iii. Data Sub-Processor - processes personal data on behalf of data processor
iv. Joint Controller - determines the means and purpose of data processing along with other data
controller
Please select correct option:

Question93: Which of the following factor is least likely to be considered while implementing or augmenting data security
solution for privacy protection:

Question94: Among the following options, which would be the most appropriate for the transfer of Personal and Sensitive data from an EU company to another organization outside the EU?

Question95: Which of the following is not required by an organization in US, resorting to EU-US Safe Harbor provisions, to transfer personal information from EU member nation to US?

Question96: As a privacy assessor, what would most likely be the first artifact you would ask for while assessing an organization which claims that it has implemented a privacy program?

Question97: In the history of human evolution, erection of walls and fences around one's living spaces is interpreted as arrival of which type of privacy consciousness?

Question98: A non-public document issued by a data controller that directs data processors to adhere to certain privacy principles while processing personal information may be referred to as:

Question99: How does the APEC privacy framework differ from the EU Data Protection Directive in the following way?

Question100: Which section of the IT (Amendment) Act, 2008 lays down the provision of punishment for offense of wrongful disclosure of personal information with the intent to cause wrongful loss or wrongful gain?

Question101: APEC privacy framework envisages common principles such as Notice, Collection limitation, Use Limitation, Access and Correction, Security/Safeguards, and Accountability. But it differs from the EU Data Protection Directive in which of the below aspect?