CIPP/US Study Guide PDF
Publisher: IAPP
Year: 2017
Summary
This study guide provides preparation materials for the Certified Information Privacy Professional/United States (CIPP/US) certification exam, offered by the IAPP. It includes an explanation of the certification program structure, key knowledge areas, recommended preparation steps, an exam blueprint, example questions, and general exam information.
Full Transcript
Certified Information Privacy Professional/United States (CIPP/US) Study Guide
Effective September 2017
CIPP/US Study Guide 1

WELCOME

Congratulations on taking the first step toward achieving an IAPP privacy certification. This study guide contains the basic information you need to get started:
• An explanation of the IAPP certification program structure
• Key areas of knowledge for the CIPP/US program
• Recommended steps to help you prepare for your exam
• A detailed body of knowledge for the CIPP/US program
• An exam blueprint
• Example questions
• General exam information

The IAPP Certification Program Structure

The IAPP currently offers three certification programs: the Certified Information Privacy Professional (CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy Technologist (CIPT).

The CIPP is the "what" of privacy. Earning this designation demonstrates your mastery of a principles-based framework in information privacy in a legal or practical specialization. Within the CIPP, there are five concentrations:
• Asian privacy (CIPP/A)
• Canadian privacy (CIPP/C)
• European privacy (CIPP/E)
• U.S. government privacy (CIPP/G)
• U.S. private-sector privacy (CIPP/US)

The CIPM is the "how" of operations. Earning this designation shows you understand how to manage privacy in an organization through process and technology.

The CIPT is the "how" of technology. Earning this designation shows you know how to manage and build privacy requirements and controls into technology.

There are no concentrations within the CIPM or CIPT; they cross all jurisdictions and industries.

Requirements for IAPP Certification
1. You must pay an annual maintenance fee of $125 USD, OR
2. You can become a member of the IAPP, with access to numerous benefits like discounts, networking opportunities, members-only resources and more, for just $250 USD, which includes your annual maintenance fee. More information about IAPP membership, including levels, benefits and rates, is available on the IAPP website at iapp.org/join.

CIPP/US Key Areas of Knowledge

The Certified Information Privacy Professional/United States (CIPP/US) program launched in October 2004 as the first professional certification ever to be offered in information privacy. The CIPP/US credential demonstrates a strong foundation in U.S. privacy laws and regulations and an understanding of the legal requirements for the responsible transfer of sensitive personal data to and from the U.S., the EU and other jurisdictions. Subject matter areas covered include:
• The U.S. legal system: definitions, sources of law and the sectoral model for privacy enforcement
• U.S. federal laws for protection of personal data: FCRA and FACTA, HIPAA, GLBA, COPPA and DPPA
• U.S. federal regulation of marketing practices: TSR, DNC, CAN-SPAM, TCPA and JFPA
• U.S. state data breach notification and select state laws
• Regulation of privacy in the U.S. workplace: FCRA, EPPA, ADA and ECPA, plus best practices for privacy and background screening, employee testing, workplace monitoring, employee investigation and termination of employment

Preparation

Privacy certification is an important effort that requires advance preparation. Deciding how you will prepare for your exam is a personal choice that should include an assessment of your professional background, scope of privacy knowledge and preferred method of learning. In general, the IAPP recommends that you plan for a minimum of 30 hours of study time in advance of your exam date; however, you might need more or fewer hours depending on your personal choices and professional experience.

The IAPP recommends you prepare in the following manner:
1. Review the Body of Knowledge. The body of knowledge for the CIPP/US program is a comprehensive outline of the subject matter areas covered by the CIPP/US exam. Review it carefully to help determine which areas merit additional focus in your preparation (see the Common Body of Knowledge Outline below).
2. Review the Exam Blueprint. The CIPP/US exam blueprint (below) specifies the number of items from each area of the body of knowledge that will appear on the exam. Studying the blueprint can help you further target your primary study needs.
3. Study the CIPP/US Textbook. U.S. Private-sector Privacy is the authoritative reference for the CIPP/US program. The IAPP strongly recommends you take the time to carefully read and study the textbook. The print version of the official CIPP/US textbook, as well as Foundations of Information Privacy and Data Protection, is included free with the purchase of the CIPP/US online and live training classes. An electronic version of the textbook is also available for purchase.
4. Get Certification Training. The IAPP offers both in-person certification prep classes and online training to help you prepare for your exams. You can find a list of scheduled classes and/or purchase downloadable online training in the IAPP store.
5. Take the CIPP/US Sample Questions. Sample questions are a great way to gain familiarity with the format and content of the actual designation exams. They are available for purchase in a downloadable PDF file containing the questions, an answer key and an explanation of each correct answer. Sample questions are included free with the purchase of CIPP/US online and live training classes.
6. Review other IAPP Preparation Resources. Additional resources are available on the IAPP website, including a searchable glossary of terms.

CIPP/US Common Body of Knowledge Outline

I. Introduction to the U.S. Privacy Environment
  A. Structure of U.S. Law
    a. Branches of government
    b. Sources of law
      i. Constitutions
      ii. Legislation
      iii. Regulations and rules
      iv. Case law
      v. Common law
      vi. Contract law
    c. Legal definitions
      i. Jurisdiction
      ii. Person
      iii. Preemption
      iv. Private right of action
    d. Regulatory authorities
      i. Federal Trade Commission (FTC)
      ii. Federal Communications Commission (FCC)
      iii. Department of Commerce (DoC)
      iv. Department of Health and Human Services (HHS)
      v. Banking regulators
        1. Federal Reserve Board
        2. Comptroller of the Currency
      vi. State attorneys general
      vii. Self-regulatory programs and trust marks
    e. Understanding laws
      i. Scope and application
      ii. Analyzing a law
      iii. Determining jurisdiction
      iv. Preemption
  B. Enforcement of U.S. Privacy and Security Laws
    a. Criminal versus civil liability
    b. General theories of legal liability
      i. Contract
      ii. Tort
      iii. Civil enforcement
    c. Negligence
    d. Unfair and deceptive trade practices (UDTP)
    e. Federal enforcement actions
    f. State enforcement (Attorneys General (AGs), etc.)
    g. Cross-border enforcement issues (Global Privacy Enforcement Network (GPEN))
    h. Self-regulatory enforcement (PCI, trust marks)
  C. Information Management from a U.S. Perspective
    a. Data classification
    b. Privacy program development
    c. Incident response programs
    d. Training
    e. Accountability
    f. Data retention and disposal (FACTA)
    g. Vendor management
      i. Vendor incidents
    h. International data transfers
      i. U.S. Safe Harbor
      ii. Binding Corporate Rules (BCRs)
      iii. Standard Contractual Clauses
      iv. Other approved transfer mechanisms
    i. Other key considerations for U.S.-based global multinational companies
      i. GDPR requirements
    j. Resolving multinational compliance conflicts
      i. EU data protection versus e-discovery

II. Limits on Private-sector Collection and Use of Data
  A. Cross-sector FTC Privacy Protection
    a. The Federal Trade Commission Act
    b. FTC privacy enforcement actions
    c. FTC security enforcement actions
    d. The Children's Online Privacy Protection Act of 1998 (COPPA)
  B. Medical
    a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
      i. HIPAA privacy rule
      ii. HIPAA security rule
    b. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
    c. The 21st Century Cures Act of 2016
    d. Confidentiality of Alcohol and Drug Abuse Patient Records
      i. 42 CFR Part 2
  C. Financial
    a. The Fair Credit Reporting Act of 1970 (FCRA)
    b. The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
    c. The Financial Services Modernization Act of 1999 ("Gramm-Leach-Bliley" or GLBA)
      i. GLBA privacy rule
      ii. GLBA security rule
    d. Red Flags Rule
    e. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
    f. Consumer Financial Protection Bureau
  D. Education
    a. Family Educational Rights and Privacy Act of 1974 (FERPA)
  E. Telecommunications and Marketing
    a. Telemarketing Sales Rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA)
      i. The Do-Not-Call registry (DNC)
    b. Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
    c. The Junk Fax Prevention Act of 2005 (JFPA)
    d. The Wireless Domain Registry
    e. Telecommunications Act of 1996 and Customer Proprietary Network Information
    f. Video Privacy Protection Act of 1988 (VPPA)
      i. Video Privacy Protection Act Amendments Act of 2012 (H.R. 6671)
    g. Cable Communications Privacy Act of 1984

III. Government and Court Access to Private-sector Information
  A. Law Enforcement and Privacy
    a. Access to financial data
      i. Right to Financial Privacy Act of 1978
      ii. The Bank Secrecy Act
    b. Access to communications
      i. Wiretaps
      ii. Electronic Communications Privacy Act (ECPA)
        1. Emails
        2. Stored records
        3. Pen registers
    c. The Communications Assistance for Law Enforcement Act (CALEA)
  B. National Security and Privacy
    a. Foreign Intelligence Surveillance Act of 1978 (FISA)
      i. Wiretaps
      ii. Emails and stored records
      iii. National security letters
    b. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
    c. The USA Freedom Act of 2015
    d. The Cybersecurity Information Sharing Act of 2015 (CISA)
  C. Civil Litigation and Privacy
    a. Compelled disclosure of media information
      i. Privacy Protection Act of 1980
    b. Electronic discovery

IV. Workplace Privacy
  A. Introduction to Workplace Privacy
    a. Workplace privacy concepts
      i. Human resources management
    b. U.S. agencies regulating workplace privacy issues
      i. Federal Trade Commission (FTC)
      ii. Department of Labor
      iii. Equal Employment Opportunity Commission (EEOC)
      iv. National Labor Relations Board (NLRB)
      v. Occupational Safety and Health Administration (OSHA)
      vi. Securities and Exchange Commission (SEC)
    c. U.S. anti-discrimination laws
      i. The Civil Rights Act of 1964
      ii. Americans with Disabilities Act (ADA)
      iii. Genetic Information Nondiscrimination Act (GINA)
  B. Privacy before, during and after employment
    a. Employee background screening
      i. Requirements under FCRA
      ii. Methods
        1. Personality and psychological evaluations
        2. Polygraph testing
        3. Drug and alcohol testing
        4. Social media
    b. Employee monitoring
      i. Technologies
        1. Computer usage (including social media)
        2. Location-based services (LBS)
        3. Mobile computing
        4. Email
        5. Postal mail
        6. Photography
        7. Telephony
        8. Video
      ii. Requirements under the Electronic Communications Privacy Act of 1986 (ECPA)
      iii. Unionized worker issues concerning monitoring in the U.S. workplace
    c. Investigation of employee misconduct
      i. Data handling in misconduct investigations
      ii. Use of third parties in investigations
      iii. Documenting performance problems
      iv. Balancing rights of multiple individuals in a single situation
    d. Termination of the employment relationship
      i. Transition management
      ii. Records retention
      iii. References

V. State Privacy Laws
  A. Federal vs. state authority
  B. Marketing laws
  C. Financial data
    a. Credit history
    b. California SB-1
  D. Data security laws
    a. SSN
    b. Data destruction
    c. Security procedures
  E. Data breach notification laws
    a. Elements of state data breach notification laws
    b. Key differences among states today
    c. Recent developments
      i. Tennessee SB 2005
      ii. Illinois HB 1260
      iii. California AB 2828
      iv. New Mexico HB 15
      v. Other significant state amendments

CIPP/US Exam Format

The CIPP/US is a 2.5-hour exam consisting of 90 multiple-choice items. Some of the multiple-choice items are associated with scenarios. There are no essay questions. Each correct answer is worth one point.

Exam Blueprint

The exam blueprint indicates the minimum and maximum number of items included on the CIPP/US exam from the major areas of the body of knowledge. Questions may be asked from any of the topics listed under each area. You can use this blueprint to guide your studying.

I. Introduction to the U.S. Privacy Environment (min 25, max 35)
  A. Structure of U.S. Law (6–9): branches of government, sources of law, legal definitions, regulatory authorities, understanding laws
  B. Enforcement of U.S. Privacy and Security Laws (6–9): criminal vs. civil liability, general theories of legal liability
  C. Information Management from a U.S. Perspective (11–17): data classification, privacy program development, incident response programs, training, accountability, data retention and disposal (FACTA), vendor management, international data transfers, other key considerations for U.S.-based multinational companies (including GDPR requirements), resolving multinational compliance conflicts

II. Limits on Private-sector Collection and Use of Data (min 22, max 28)
  A. Cross-sector FTC Privacy Protection (5–6): the FTC Act, FTC privacy enforcement actions, FTC security enforcement actions, COPPA
  B. Healthcare (5–6): HIPAA, HITECH, GINA, the 21st Century Cures Act of 2016, Confidentiality of Alcohol and Drug Abuse Patient Records
  C. Financial (8–10): FCRA, FACTA, GLBA, Red Flags Rule, Dodd-Frank, Consumer Financial Protection Bureau
  D. Education (2–3): FERPA
  E. Telecommunications and Marketing (2–3)

III. Government and Court Access to Private-sector Information (min 0, max 3)
  A. Law Enforcement and Privacy (0–1): access to financial data, access to communications, CALEA
  B. National Security and Privacy (0–1): FISA, USA PATRIOT Act, USA Freedom Act, Cybersecurity Information Sharing Act (CISA)
  C. Civil Litigation and Privacy (0–1): compelled disclosure of media information, electronic discovery

IV. Workplace Privacy (min 8, max 12)
  A. Overview of Workplace Privacy (3–5): workplace privacy concepts, U.S. agencies regulating workplace privacy issues, U.S. anti-discrimination laws
  B. Privacy Before, During and After Employment (5–7): employee background screening, employee monitoring, investigation of employee misconduct, termination of employment relationship, working with third parties

V. State Privacy Laws (min 7, max 11)
  A. Federal vs. State Authority (2–3)
  B. Marketing Laws (2–3)
  C. Financial Data (0–1)
  D. Data Security Laws (0–1)
  E. Data Breach Notification Laws (3–3)

Example Questions

1. All of the following are considered acceptable for U.S.-based multinational transportation companies to achieve compliance with the EU Data Protection Directive except
  A. Global consent
  B. Safe Harbor
  C. Binding corporate rules
  D. Model contracts

2. Under the Children's Online Privacy Protection Act, which is an accepted means for an organization to validate parental consent when it intends to disclose a child's information to a third party?
  A. Email a consent form, and the parent can provide consent by responding to the email.
  B. Email a consent form, and the parent can provide consent by signing and mailing back the form.
  C. Email a consent form and request that the parent provide a mailing address or phone number for additional contact.
  D. Email a consent form to the parent allowing 30 days to object to the data disclosure.

3. All of the following are considered acceptable lines of questioning by U.S. employers to applicants in the pre-employment process except
  A. Questions about the applicant's duration of stay on the job or any anticipated absences.
  B. Questions regarding any medical conditions or disabilities that would inhibit the performance of the job function.
  C. Questions on whether an applicant has applied for or received workers' compensation.
  D. Questions about the applicant's height or weight as this relates to a specific job function.

General Exam Information

The IAPP offers testing via computer-based delivery at test centers worldwide. There are approximately 800 Kryterion High-stakes Online Secured Testing (HOST) locations around the world where IAPP certification exams are administered. The IAPP also offers testing at our major annual conferences. Event-based testing is paper-and-pencil format.

You can find detailed information about how to register for exams, as well as exam-day instructions, in the IAPP Certification Information Candidate Handbook on our website at iapp.org/certify.

Questions?

The IAPP recognizes that privacy certification is an important professional development effort requiring commitment and preparation. We thank you for choosing to pursue certification, and we welcome your questions and comments regarding our certification program. Please don't hesitate to contact us at [email protected] or +1 603.427.9200.

Example Questions: Answers

1. All of the following are considered acceptable for U.S.-based multinational transportation companies to achieve compliance with the EU Data Protection Directive except
  A. Global consent
  B. Safe Harbor
  C. Binding corporate rules
  D. Model contracts

2. Under the Children's Online Privacy Protection Act, which is an accepted means for an organization to validate parental consent when it intends to disclose a child's information to a third party?
  A. Email a consent form, and the parent can provide consent by responding to the email.
  B. Email a consent form, and the parent can provide consent by signing and mailing back the form.
  C. Email a consent form and request that the parent provide a mailing address or phone number for additional contact.
  D. Email a consent form to the parent allowing 30 days to object to the data disclosure.

3. All of the following are considered acceptable lines of questioning by U.S. employers to applicants in the pre-employment process except
  A. Questions about the applicant's duration of stay on the job or any anticipated absences.
  B. Questions regarding any medical conditions or disabilities that would inhibit the performance of the job function.
  C. Questions on whether an applicant has applied for or received workers' compensation.
  D. Questions about the applicant's height or weight as this relates to a specific job function.