DSCI dcpp-01 practice test

DSCI Certified Privacy Professional Exam


Question 1

By collecting, storing, and processing personal information on living individuals electronically, Star
Link Company could qualify as:

  • A. Data Subject
  • B. Data Processor
  • C. Data Controller
Answer:

B

Explanation:
Data Controller: An organization that determines the means and purpose of data processing is called a Data Controller. It may or may not be the organization that directly collects PI from a data subject, but it is accountable for PI usage, security, etc. All organizations are Data Controllers by default for their employees' PI.

Data Processor: An organization that processes PI based on the instructions of a Data Controller. In some instances, it may also be the organization that collects PI directly from individuals on behalf of the Data Controller. A BPM organization processing personal information on behalf of clients would be a Data Processor. Similarly, a sales agent for a bank would also come under this category.


Question 2

A health insurance firm based in the US uses BPM services provided by an Indian company. It was
found that one of the employees of the Indian company exported customer data of the insurance
company to another US-based insurance company. On which of the following grounds were the
company and its executives in India also subjected to legal action?

  • A. These actions were not avoided by using data loss prevention tools.
  • B. No reasonable security practices were implemented to protect data.
  • C. Employees of the company were allowed to view sensitive personal information.
  • D. Background checks were not conducted on the individuals.
Answer:

B

Explanation:
The Health Insurance Portability and Accountability Act (HIPAA) defines two types of controls: required
and addressable. Required controls are mandatory for covered entities. For addressable controls,
entities need to assess whether each implementation specification is a reasonable and appropriate
safeguard in their environment, when analyzed with reference to its likely contribution to protecting
the entity's electronic protected health information.


Question 3

Which of the following is classified as the most important reason for enacting
data protection/privacy laws around the world?

  • A. Take legal action against the organizations and fine them for failing to protect privacy
  • B. Protect the rights of individuals
  • C. Ensure constitutional protection
  • D. Maintain social harmony
Answer:

A


Question 4

Historically, which of these events led to the formation of our current concept of privacy?

  • A. Civil rights are fundamental liberties
  • B. Declaration of human rights
  • C. The right to be left alone
  • D. A binding corporate rule
Answer:

C

Explanation:
The following is an overview of the global evolution of privacy:

  • 1890 - Right to be left alone
  • 1940 - Fundamental civil liberty
  • 1948 - Universal Declaration of Human Rights
  • 1967 - Modern definition, claim of the individual
  • 1980 - OECD Privacy Principles


Question 5

The development of the OECD's privacy principles for promoting free international trade and
international data flows came from which of the following?

  • A. Fair information Privacy Practices of US, 1974
  • B. EU Data Protection Directive
  • C. Safe Harbor Framework
  • D. WTO's Free Trade Agreement
Answer:

A

Explanation:
The earliest formal articulation of privacy principles was the formulation of the Code of Fair
Information Practices (also known as the Code of Fair Information Principles, or FIPs) in the US in 1974.
These are also sometimes referred to as the Fair Information Privacy Principles, or FIPPs. Initially,
five principles were laid down, which evolved to eight by 1977. These were developed by a US
government advisory committee under the Department of Health, Education and Welfare (HEW) and
subsequently augmented by the Privacy Protection Study Commission (PPSC). The FIPs were developed and
evolved in response to the growing use of automated data systems containing information about
individuals, maintained by both public and private sector organizations.

In parallel, there was action in Europe as well. In the 1970s, European nations began to enact privacy
laws, beginning with Sweden, Germany and then France. By 1980, the Council of Europe had adopted the
Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. The
Convention was the first legally binding international treaty on data protection.

The Organization for Economic Cooperation and Development (OECD) proposed similar privacy guidelines
around the same time as the Council of Europe's original 1980 effort. A group of government experts
developed the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The
OECD adopted the recommendation, which became applicable on 23 September 1980. Informally, these are
known as the OECD Guidelines. The OECD principles formed the basis of many national data protection
laws and model codes among the OECD countries. The OECD Guidelines were subsequently endorsed by
the US Federal Trade Commission (FTC). They have gone on to become one of the most widely adopted
guidelines in the privacy domain.


Question 6

Which of the following does not fall under the category of Sensitive Personal Data or Information as
defined in the Information Technology (Reasonable Security Practices and Procedures and Sensitive
Data or Information) Rules, 2011?

  • A. Religious Beliefs
  • B. Medical records and history
  • C. Sexual orientation
  • D. Password
Answer:

A


Question 7

According to EU authorities, which country has yet to receive adequacy status?

  • A. Argentina
  • B. Canada
  • C. Brazil
  • D. New Zealand
Answer:

C


Question 8

Which of the following privacy legislations is synonymous with "Data Handlers"?

  • A. Federal Data Protection Act, Germany (BDSG)
  • B. South Korea's Personal Information Protection Act
  • C. Digital Privacy Act, 2015
  • D. Child Online Protection Act, 1998
Answer:

B


Question 9

Specifically, what section of the IT (Amendment) Act, 2008 lays down the provisions for punishment
for the offense of wrongful disclosure of personal information with the intention of causing loss or
gain to another?

  • A. Section 72A
  • B. Section 65
  • C. Section 72
  • D. Section 43A
Answer:

D

Explanation:
There are two sections under the IT (Amendment) Act, 2008 that outline liabilities. These are quoted
below:

Sec 43A - Where a body corporate possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in implementing
and maintaining reasonable security practices and procedures and thereby causes wrongful loss or
wrongful gain to any person, such body corporate shall be liable to pay damages by way of
compensation to the person so affected. Compensation for failure to implement reasonable security
practices can be up to Rs. 5 Crores (the Adjudicating Officer has the power to award this). A data
subject can further approach a civil court if the compensation desired is more than Rs. 5 Crores.

Sec 72A - Save as otherwise provided in this Act or any other law for the time being in force, any
person including an intermediary who, while providing services under the terms of a lawful contract,
has secured access to any material containing personal information about another person, with the
intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses,
without the consent of the person concerned, or in breach of a lawful contract, such material to any
other person, shall be punished with imprisonment for a term which may extend to three years, or
with a fine which may extend to five lakh rupees, or with both.


Question 10

The Qatar Concerning Privacy and Protection of Personal Data Act, 2016 addresses different types of
personal data, including:

  • A. Only manual processing of personal data
  • B. Only electronic processing of personal data
  • C. The electronic or manual processing of personal information
  • D. None of the above
Answer:

B

Explanation:
Page No 18 of PBok Addendum: The law is applicable only to personal data that is electronically
processed, or obtained, collected and extracted for electronic processing, or processed using a
combination of traditional and electronic processing. The law is not applicable to any personal data
(1) processed by individuals privately and in a family context, or (2) gathered for official surveys
and statistics. The law is applicable to all residents of Qatar; it does not differentiate between
Qataris and non-Qataris.
