Questions for the CIPP-C were updated on: Nov 21, 2025
Page 1 out of 6. Viewing questions 1-15 out of 76
Question 1
What is required through the "circle of care" concept under Canadian health information privacy law?
A. Health information custodians or trustees be specified only by applicable law or regulation.
B. An individual's consent may be implied unless the individual has refused consent or if the purpose of the disclosure is not to provide health care.
C. Notification to the individual be made in the event of a data breach of personal health information (PHI) by an organization that is based in Canada.
D. Consent must be expressed or implied when a custodian discloses personal health information (PHI) to another custodian for the purpose of providing health care.
Answer:
D
Question 2
Which province requires its government bodies to store and access personal information exclusively in Canada unless additional consent is obtained, or if outside storage is judged necessary?
A. Nova Scotia.
B. Québec.
C. Ontario.
D. Alberta.
Answer:
B
Question 3
Which action will help a business prove compliance under Canada’s Anti-Spam Legislation (CASL)?
A. Demonstrating the dissolution of a personal relationship before communication was sent.
B. Keeping records of express and implied consent of commercial electronic messages.
C. Posting a list of CASL guidelines on a company's website for customers to read.
D. Providing an opt-out mechanism.
Answer:
B
Question 4
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), an organization must maintain a record of every breach of security safeguards involving personal information for a minimum of?
A. 3 months.
B. 12 months.
C. 24 months.
D. 36 months.
Answer:
C
Question 5
A private organization called Vision 3072 must verify the information they are collecting is up to date in order to avoid misinformed actions or decisions. Which privacy principle is intended to make sure this verification is happening?
A. Integrity.
B. Accuracy.
C. Accountability.
D. Limiting purposes.
Answer:
B
Question 6
The movement toward comprehensive privacy and data protection laws can be attributed to a combination of three major factors: the need to remedy past injustices, the need to promote a digital economy and the need to ensure consistency with?
A. Self-regulatory laws.
B. Pan-European laws.
C. Pan-Asian laws.
D. Global laws.
Answer:
D
Question 7
A boutique hotel in Montreal seeks to attract travelers from Europe but wants to avoid becoming subject to the GDPR’s requirements. Which of the following activities is most likely to result in a finding that the hotel is subject to the GDPR?
A. Placing advertisements on travel websites accessible in Europe.
B. Collecting contact information for foreign business leaders from public directories.
C. Sending discount offers to guests who previously registered using a foreign address.
D. Translating the hotel's registration page into German based on the visitor's IP address.
Answer:
D
Question 8
What is the Generally Accepted Privacy Principles (GAPP) framework?
A. An information management model that is widely recognized across many Canadian industries.
B. A comprehensive guide for industry best practices as delineated by the Canadian federal Privacy Commissioner.
C. A template for Privacy Impact Assessments (PIAs) that are conducted within private sector organizations in Canada.
D. A principles-based privacy approach advocated by Canada’s leading accounting industry group and its U.S.-based counterpart.
Answer:
D
Question 9
Which of the following existing frameworks is least effective in addressing emerging AI issues while specific AI legislation is being decided?
A. The Canada Consumer Product Safety Act.
B. The Motor Vehicle Safety Act.
C. The Copyright Act.
D. The Criminal Code.
Answer:
B
Question 10
All items below could be considered sensitive personal information, EXCEPT?
A. Credit score.
B. Date of birth.
C. Medical history.
D. Educational transcripts.
Answer:
B
Question 11
Which of the following incidents will require reporting to OPC?
A. A sales report with aggregated information that was sent to the wrong person internally.
B. A file with client ID, sales amount and sales date that was sent to the wrong processors who cannot identify the clients.
C. An organization’s point-of-sale system that was subject to an attempted hack that was blocked by the organization’s firewall.
D. As part of a freedom of information request, a nursing home that released an e-mail with everybody’s e-mail address in the "to" section unredacted.
Answer:
A
Question 12
According to the federal court ruling in the Eastman Case, video cameras in the workplace are considered to be collecting personal information?
A. At the moment a recording occurs.
B. When a camera is on, even if it is not yet recording.
C. As soon as the data is saved to a workplace server.
D. When someone within the organization views the recording.
Answer:
A
Question 13
An Alberta resident has signed up for a health wellness "app" developed by a British Columbia based software provider that stores the data in British Columbia. The application has various non-healthcare related uses. The individual inputs their name and email address in the application to subscribe to health and wellness tips. The collection and use of the individual’s name and email address by the British Columbia based scheduling app would fall under what legislation?
A. Alberta’s Health Information Act (HIA).
B. Alberta’s Personal Information Protection Act (PIPA).
C. Alberta’s Freedom of Information and Protection of Privacy Act (FOIP).
D. The Personal Information Protection and Electronic Documents Act (PIPEDA).
Answer:
D
Question 14
A small commercial business in Canada was preparing a mailing to its customers when the letters and the envelopes were mismatched, causing 500 of 1000 letters to be sent to the wrong recipients. The letters contained the name and mailing address of the clients as well as account numbers and account balances. The business has discovered this error as clients called to report receiving the wrong letter and expressing concern that their information has been breached. Which of the following is the most appropriate next step to take?
A. All 1000 clients must be sent new letters.
B. The 500 clients who were impacted must be immediately notified.
C. The Office of the Privacy Commissioner (OPC) must be immediately notified.
D. A risk assessment must be completed to determine the real risk of significant harm (RROSH) to the clients.
Answer:
D
Question 15
Oversight authorities allow the following types of consent EXCEPT?
A. Implied consent at the time of collection.
B. Verbal consent given to the person collecting the information.
C. Written consent included with the information that is collected.
D. General consent covering all activities associated with the personal information.