DSCI DCPP-01 Exam Questions

Questions for the DCPP-01 were updated on: Nov 21, 2025

Question 1

By collecting, storing, and processing personal information on living individuals electronically, Star
Link Company could qualify as:

  • A. Data Subject
  • B. Data Processor
  • C. Data Controller
Answer:

B

Explanation:
Data Controller: An organization that determines the means and purpose of data processing is called
a Data Controller. It may or may not be the organization that directly collects PI from a data
subject, but it is accountable for PI usage, security, etc. All organizations are Data Controllers
by default for their employees’ PI.

Data Processor: An organization that processes PI based on the instructions of Data Controllers. In
some instances, it may also be the organization that collects PI directly from individuals, on
behalf of the Data Controller. A BPM organization processing personal information on behalf of
clients would be a data processor. Similarly, a sales agent for a bank would also come under this
category.

Question 2

A health insurance firm based in the US uses BPM services provided by an Indian company. It was
found that one of the employees of the Indian company exported customer data of the insurance
company to another US-based insurance company. Under which of the below grounds were the company
and its executives in India also subjected to legal action?

  • A. These actions were not avoided by using data loss prevention tools.
  • B. No reasonable security practices were implemented to protect data.
  • C. Employees of the company were allowed to view sensitive personal information.
  • D. Background checks were not conducted on the individuals.
Answer:

B

Explanation:
The Health Insurance Portability and Accountability Act (HIPAA) defines two types of controls:
required and addressable. Required controls are mandatory for covered entities, but for
‘addressable’ controls, entities need to assess whether each implementation specification is a
reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely
contribution to protecting the entity’s electronic protected health information.

Question 3

Which of the following is classified as the most important reason for enacting data
protection/privacy laws around the world?

  • A. Take legal action against the organizations and fine them for failing to protect privacy
  • B. Protect the rights of individuals
  • C. Ensure constitutional protection
  • D. Maintain social harmony
Answer:

A

Question 4

Historically, which of these events led to the formation of our current concept of privacy?

  • A. Civil rights are fundamental liberties
  • B. Declaration of human rights
  • C. The right to be left alone
  • D. A binding corporate rule
Answer:

C

Explanation:
The following is an overview of the global evolution of privacy:

  • 1890 - Right to be left alone
  • 1940 - Fundamental civil liberty
  • 1948 - Universal Declaration of Human Rights
  • 1967 - Modern definition, claim of individual
  • 1980 - OECD Privacy Principles

Question 5

The development of the OECD's privacy principles for promoting free international trade and
international data flows came from which of the following?

  • A. Fair Information Privacy Practices of US, 1974
  • B. EU Data Protection Directive
  • C. Safe Harbor Framework
  • D. WTO's Free Trade Agreement
Answer:

A

Explanation:
The earliest formal articulation of Privacy Principles was the formulation of the Code of Fair
Information Practices (also known as the Code of Fair Information Principles or FIPs) in the US in
1974. These are sometimes also referred to as Fair Information Privacy Principles or FIPPs.
Initially, five principles were laid down, which evolved to eight by 1977. These were developed by a
US government advisory committee under the Department of Health, Education and Welfare (HEW) and
subsequently augmented by a Privacy Protection Study Commission (PPSC). FIPs were developed and
evolved in response to the growing use of automated data systems containing information about
individuals, maintained by both public and private sector organizations.

In parallel, there was action in Europe as well. In the 1970s, European nations began to enact
privacy laws, beginning with Sweden, Germany and then France. By 1980, the Council of Europe adopted
a Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.
The Convention was the first legally binding international treaty on data protection.

The Organization for Economic Cooperation and Development (OECD) proposed similar privacy guidelines
around the same time as the Council of Europe’s original 1980 effort. A group of government experts
developed the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The OECD adopted the recommendation, which became applicable on 23 September, 1980. Informally,
these are known as the OECD Guidelines. OECD principles formed the basis of many national data
protection legislations and model codes amongst the OECD countries. The OECD guidelines were
subsequently endorsed by the US Federal Trade Commission (FTC). They have gone on to become one of
the most widely adopted guidelines in the privacy domain.

Question 6

Which of the following does not fall under the category of Sensitive Personal Data or Information as
defined in the Information Technology (Reasonable Security Practices and Procedures and Sensitive
Data or Information) Rules, 2011?

  • A. Religious Beliefs
  • B. Medical records and history
  • C. Sexual orientation
  • D. Password
Answer:

A

Question 7

According to EU authorities, which country has yet to receive adequacy status?

  • A. Argentina
  • B. Canada
  • C. Brazil
  • D. New Zealand
Answer:

C

Question 8

Which of the following privacy legislations is synonymous with "Data Handlers"?

  • A. Federal Data Protection Act, Germany (BDSG)
  • B. South Korea's Personal Information Protection Act
  • C. Digital Privacy Act, 2015
  • D. Child online protection Act, 1998
Answer:

B

Question 9

Specifically, what section of the IT (Amendment) Act, 2008 lays down the provisions for punishment
for the offense of wrongful disclosure of personal information with the intention of causing loss or
gain to another?

  • A. Section 72A
  • B. Section 65
  • C. Section 72
  • D. Section 43A
Answer:

D

Explanation:
There are two sections under the IT (Amendment) Act, 2008 that outline liabilities. These are quoted
below:

Sec 43A - “Where a body corporate possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in implementing
and maintaining reasonable security practices and procedures and thereby causes wrongful loss or
wrongful gain to any person, such body corporate shall be liable to pay damages by way of
compensation to the person so affected.”

Compensation for failure to implement reasonable security practices can be up to Rs. 5 Crores (the
Adjudicating Officer has the power to award this). A data subject can further approach a civil court
if the compensation desired is more than Rs. 5 Crore.

Sec 72A - “Save as otherwise provided in this Act or any other law for the time being in force, any
person including an intermediary who, while providing services under the terms of lawful contract,
has secured access to any material containing personal information about another person, with the
intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses,
without the consent of the person concerned, or in breach of a lawful contract, such material to any
other person, shall be punished with imprisonment for a term which may extend to three years, or
with fine which may extend to five lakh rupees, or with both.”

Question 10

The Qatar Concerning Privacy and Protection of Personal Data Act, 2016 addresses different types of
personal data, including:

  • A. Only manual processing of personal data
  • B. Only electronic processing of personal data
  • C. The electronic or manual processing of personal information
  • D. None of the above
Answer:

B

Explanation:
Page No 18 of PBok Addendum: The law is applicable only to personal data that is electronically
processed or obtained, collected and extracted for electronic processing, or when a combination of
traditional and electronic processing is used.

The following are situations where the law is not applicable: any personal data (1) processed by
individuals privately and when done in a family context, and (2) gathered for official surveys and
statistics.

The law is applicable to all residents of Qatar. It does not differentiate between Qataris and
non-Qataris.

Question 11

Regarding national government projects specific to India, such as Aadhaar, the National Population
Register (NPR), etc., which of the following statements is accurate?

  • A. Citizens can choose not to submit their biometric details to the environment and can complete the process without providing their biometrics
  • B. Prior to and during collection of data, data subjects are not properly notified
  • C. In India, biometric data collection is a statutory requirement
  • D. Once their personal information has been shared with the project, data subjects are not limited in how they can exercise control over how it will be used
Answer:

D

Explanation:
The requesting entity is expected to inform the individual, at the time of e-KYC authentication,
what information will be shared with it by UIDAI on authentication and the purpose for which the
information would be used. It is expected that notice is provided in the local language as well, to
ensure that the individual understands clearly what he/she is getting into. Any entity other than
the requesting entity that collects an individual’s Aadhaar number, or even a document containing
the Aadhaar number, is also required to inform the individual of the purpose of collection, whether
it is mandatory and what the alternatives are.

Consent: After providing notice, the requesting entity is required to obtain the consent of the
individual before collecting the identity information. The information may be collected in physical
or, preferably, in electronic form. A record or log of the consent is also required to be maintained
in the format specified by UIDAI. A requesting entity can do e-KYC authentication on behalf of a
third party and share the e-KYC data with the third party for a specific purpose. However, it needs
to take the consent of the individual for this purpose. For any sharing of e-KYC data with a third
party, a separate consent for each such sharing is required. The individual himself/herself may
share their data with other entities. However, those entities cannot further share the data with any
other entity without obtaining the individual’s consent every single time they share it. Similarly,
any entity other than the requesting entity that collects an individual’s Aadhaar number or any
document containing the Aadhaar number is also required to obtain the consent of the individual for
the collection, storage and usage of the individual’s Aadhaar number for the purpose specified. The
individual has the freedom to revoke any of the earlier consent(s) given, and the requesting entity
would be required to delete the e-KYC data along with ceasing its ability to share further.

Usage and Purpose: The requesting entity can use the identity information of an individual only for
the purpose specified to the individual at the time of authentication or e-KYC. Similarly, any
entity other than the requesting entity that collects an individual’s Aadhaar number or any document
containing the Aadhaar number can use the Aadhaar number only for those purposes specified to the
individual at the time of obtaining his consent. Any entity other than the requesting entity that
collects an individual’s Aadhaar number or any document containing the Aadhaar number is not
permitted to share the Aadhaar number with any other person without obtaining the consent of the
individual.

Disclosure: The core biometric information collected under the Act is not allowed to be shared with
anyone for any reason whatsoever. This is applicable to UIDAI as well as all agencies in the
ecosystem. A requesting entity can share the identity data, including the e-KYC data, with third
parties for any lawful purposes, provided specific consent from the individual for the same has been
obtained. However, the third party, in turn, cannot share it further with any other third party
except to complete a transaction, and that too only if the individual has given specific consent.

Question 12

A growing economy has made it more important now than ever before for India to have
comprehensive laws on __________.

  • A. Right to Information
  • B. Dispute resolution
  • C. Privacy
  • D. Right to Internet
Answer:

C

Explanation:
India has established a privacy regime through a patchwork of legislations and regulations, unlike
the European countries that have horizontal privacy laws. The Information Technology Act (IT Act
2000) was amended in 2008 to regulate privacy aspects and to provide assurance to customers that
their privacy is protected through the use of ‘reasonable security practices’. It achieved its
purpose to some extent, but it does not satisfy all the requirements and expectations of a
comprehensive privacy law. To address this, the Indian government is working on a comprehensive
Privacy Protection Bill, which is likely to be based on the Justice AP Shah Report, to which DSCI
and NASSCOM have contributed as members.

Question 13

Which of the following are needed for projects like DNA profiling, UIDAI, and statistical collection
of individuals?

  • A. Established a service which guarantees citizens' privacy only online
  • B. Protect the privacy of individuals
  • C. The need for a comprehensive privacy legislation at national level
  • D. None of the above
Answer:

C

Explanation:
Projects like UIDAI (Unique Identification Authority of India), NATGRID (National Intelligence
Grid), CCTNS (Crime and Criminal Tracking Network and Systems), CMS (Central Monitoring System),
etc. in India are taking off, which may have a direct impact on the privacy of individuals. This
necessitates appropriate focus on resultant legislations and regulatory measures for privacy, to
ensure safeguards and controls are put in place to support these kinds of projects.

Question 14

According to RTI Act, under which conditions can a government department refuse to release
information?

  • A. National security adversely affected by such information
  • B. This information is detrimental to the stability of the ruling party in government
  • C. Detrimental effect on the public image of government agencies
  • D. In the absence of a public interest, such information may adversely impact the privacy of its officials
Answer:

A, D

Question 15

APPI, the Act for the Protection of Personal Information, applies to:

  • A. Government entities using personal information
  • B. Personal Information about an individual that is used by a business
  • C. None of the above
Answer:

B

Explanation:
The APPI is applicable to all businesses handling personal information for business use; however,
national government, local governments and incorporated administrative agencies are excluded
from the scope. The APPI is applicable to businesses in or outside Japan that collect personal
information of Japanese citizens.
