Uploaded by siennafaleiro

Useful Study Guide & Exam Questions to Pass the CIPP-A Exam

www.certfun.com
PDF
IAPP CIPP-A Certification Exam Syllabus and Exam Questions
IAPP Exam
Here are all the necessary details to pass the CIPP-A exam on your first attempt.
Get rid of all your worries now and find the details regarding the syllabus, study
guide, practice tests, books, and study materials in one place. Through the
CIPP-A certification preparation, you can learn more about the Information Privacy
Professional/Asia, and getting the IAPP CIPP-A certification becomes easy.
Information Privacy Professional/Asia
How to Earn the IAPP CIPP-A Certification on Your First Attempt?
Earning the IAPP CIPP-A certification is a dream for many candidates, but the
preparation journey feels difficult for many of them. Here we have gathered all the
necessary details, like the syllabus and essential CIPP-A sample questions, to help you earn the
IAPP Certified Information Privacy Professional/Asia certification on the first attempt.
CIPP-A Information Privacy Professional/Asia Summary:
● Exam Name: IAPP Certified Information Privacy Professional/Asia (CIPP-A)
● Exam Code: CIPP-A
● Exam Price: First Time Candidate: $550; Retake: $375
● Duration: 150 mins
● Number of Questions: 90
● Passing Score: 300 / 500
● Books / Training:
○ CIPP/A Body of Knowledge
○ CIPP/A Exam Blueprint
● Schedule Exam: Pearson VUE
● Sample Questions: IAPP CIPP-A Sample Questions
● Recommended Practice: IAPP CIPP-A Certification Practice Exam
Let’s Explore the IAPP CIPP-A Exam Syllabus in Detail:
Topic
Details
Privacy Fundamentals
Modern Privacy Principles
- The Organisation of Economic Cooperation and Development (OECD) ‘Guidelines Governing the Protection of Privacy and Trans-border Data Flows of Personal Data’ (1980)
- The Asia Pacific Economic Cooperation (APEC) privacy principles
- Fair Information Practices (FIPs)
- Universal Declaration of Human Rights (1948)
- Europe and the General Data Protection Regulation (GDPR)
Adequacy and the Rest of the World
- Deemed adequate: New Zealand, Canada, Israel, Argentina, Uruguay
- United States and the EU-U.S. Privacy Shield
- Deemed not adequate: Australia, Mexico, Korea, Taiwan
Elements of personal information
- Personal data (EU) (HK) (SG)
- Personally identifiable information (U.S.)
- Sensitive personal data information (IND)
- Pseudonymisation, de-identification and anonymisation
Singapore Privacy Laws and Practices
Legislative history and origins
- Singapore government and legal system

Political structure
- Social attitudes toward privacy and data protection
- Surveillance and identification
- Constitutional protections
- Common law protections
- Sector-specific protections
Personal Data Protection Act 2012 (PDPA)
- Application and scope

PDPA predecessor: National Internet Advisory Committee (NIAC) 2002 Report, Report on a Model Data Protection Code for the Private Sector.

Extraterritorial reach

PDPA definitions
- Personal data
- ‘Business contact information’
- ‘Data intermediary’
- Publicly available
- Survivorship

Do Not Call Registry
- ‘Specified message’

PDPA in an employment setting

Exemptions
- Public-sector
- Response to emergency
- National interest
- Investigations in legal proceedings
- Evaluative purposes
- Journalism and media
- Key concepts and practices

Data protection officer

Staff training

Consent and exceptions to consent

Use

Disclosure

Safeguarding/Security

Accountability and openness

Access and correction

Retention and deletion

Transfer out (e.g. APEC, CBPR and PRP)

Data breach notification obligation
- Monetary Authority of Singapore
Enforcement

Regulations and guidances

‘Notices on Prevention of Money Laundering and
Countering the Financing of Terrorism’

Individual’s access and rights

Protection of customer data

Outsourcing
- Personal Data Protection Commission (PDPC)
- Decision in appealed commissioner rulings, complaints

Complaint-based vs. audit-based
- Commissioner guidance and published positions
- Managing consent opt-out mechanisms: their use and
limitations, consent to new purposes and documentation
- Penalties and sanctions
- Policy development and implementation

Freedom of information legislation

Data transfers: doctrine of privity of contract for third-parties
Hong Kong Privacy Laws and Practices
Legislative history and origins
- Hong Kong government and legal system
- Social attitudes toward privacy and data protection
- Surveillance and identification
- Constitutional protections
- Common law protections
Personal Data (Privacy) Ordinance (PDPO):
- Application and scope

Meaning under PDPO
- Personal data
- Publicly available data
- Sensitive personal data
- ‘Prescribed consent’
- Rights of data subject

Personal Data (Privacy) (Amendment) Ordinance
2012
- ‘The New Guidance on Direct Marketing’

Major Exemptions
- Staff planning and Employment related (including
Personal References)
- Relevant process (Evaluation)
- Crime, etc.
- Legal proceedings, etc.
- Legal professional Privilege and Self-incrimination
- Health and Emergency
- Statistics and Research
- Journalism and news media
- Key concepts and practices

Six Data Protection Principles (DPPs) and the
Internet Data Guidance
- DPP1: Data Collections
- DPP2: Accuracy and retention
- DPP3: Data Use
- DPP4: Data security
- DPP5: Openness
- DPP6: Data access and correction

Due diligence exemption and exercise

Guidance on Personal Data Erasure and
Anonymisation

Guidance on employment matters

Data Transfer/Export, Ordinance Section 33
- Data processors
- Model contracts
- The Office of the Privacy Commissioner for Personal
Data
- Commissioner rules
- Commissioner guidance and published positions

Enforcement
Octopus Rewards Ltd.
- Decisions in appealed commissioner rulings, complaints
- Personal Data (Privacy) Advisory Committee
- Managing consent opt-out mechanisms: their use and
limitations, consent to new purposes and documentation
- Enforcement notice
- Policy development and implementation

Law reform proposals for third-party benefit
exception
- Privacy incidents: trends in commissioner expectations
India Privacy Law and Practices
Legislative history and origins
- Indian government and legal system

Political structure
- Social attitudes toward privacy and data protection
- Surveillance and identification

Credit Information Companies (Regulation) Act
2005
- Constitutional protections

Article 21

The Right to Information Act 2005

The Protection of Human Rights Act 1993
- Common law protections (e.g. 2017 Supreme Court
judgment on the Right to privacy - Puttaswamy judgment)
- Application and scope

Information Technology Act 2000
- Section 43
- Section 66A and its removal

Information Technology (Amendment) Act 2008
(ITAA)
- Section 43A
- Definitions
1. Personal data
2. Sensitive personal data
3. Body corporate
4. Rights of data subjects

Exemptions
- Religious and social, charitable organisations
- Non-commercial organisations
- Non-automated data
Information Technology Act 2000 (IT Act)
- Section 43A and the 2011 Rules: Rules 3-8

Privacy policies required: Rule 3

Data protection principles: Rule 4
- Consent and purpose limitation
- Lawful purpose and minimal collection
- Notice and purpose limitation
- Retention
- Use
- Subject access and correction
- Option to refuse or withdraw consent
- Security
- Complaint handling

Disclosure limitations and exceptions: Rule 5

Data processing: Rule 6

Data export restriction: Rule 7

Reasonable security: Rule 8

Information Technology (Intermediary Guidelines
and Digital Media Ethics Code) Rules 2021
- The Ministry of Communication and Information
Technology
- The Department of Electronics and Information (DeitY)
- The Telecom Regulatory Authority of India (TRAI) and Do
Not Call Registry

Banning Free Basics and Net Neutrality
- Commissioner rulings, appeals and complaints
- Penalties and sanctions
Enforcement

IT Act Sections 43(b) and (g)

IT Act Sections 72 and 72A
- Commissioner guidance and published positions
- Grievance officers
- Managing consent opt-out mechanisms: their use and
limitations, consent to new purposes and documentation
- Policy development and implementation

Data transfers: doctrine of privity of contract for
third-parties
- Public-sector exemption
Common themes among principle frameworks
Comparing protections and principles
- Sensitive data protections
- Children’s data protections
- Natural persons vs. legal persons
- Data breach notification
- Public Registers
- Surveillance

National identity systems
- SingPass
- HKID
- India’s UIDAI

Legislation

Hong Kong: PCPD Code of Practice on Identity
Card Number and Other Personal Identifiers, 1997
- Data processing and export
- Intermediaries
- Extraterritorial operations
- ‘Domestic’ use
- Breadth of exemption

Hong Kong
- Chinese central government organisations
- Media

Rights of the data subject
Singapore
- Public-sector
- Public authorities
- Publicly available information
- ‘Public agency’
- Business contracted by Singapore government


India
- Limited application for ‘sensitive data’
- Limited application to ‘providers’ not data subjects
- Freedom of speech
- Lack of openness
Experience the Actual Exam Structure with CIPP-A Sample Questions:
Before jumping into the actual exam, it is crucial to get familiar with the IAPP Certified
Information Privacy Professional/Asia (CIPP-A) exam structure. For this purpose, we
have designed real exam-like sample questions. Solving these questions is highly
beneficial for getting an idea of the exam structure and question patterns. To better
understand your preparation level, go through the Information Privacy
Professional/Asia CIPP-A practice test questions. Find the sample
questions below.
Answers for CIPP-A Sample Questions
01. Who is NOT potentially liable when an employee in a Singapore corporation or
partnership breaches the PDPA?
a) A corporate officer.
b) The employee.
c) The employer.
d) A partner.
Answer: a
02. All of the following are guidelines the PDPC gives about anonymised data
EXCEPT?
a) Anonymised data is not personal data.
b) Any data that has been anonymised bears the same risks for re-identification.
c) Data that has been anonymised satisfies the “cease to retain” requirement of
Section 25.
d) Organizations should consider the risk of re-identification if they intend to publish or
disclose anonymised data.
Answer: c
03. In India, the obligation to appoint a Grievance Officer applies ONLY to
companies that?
a) Deal with sensitive personal data.
b) Conduct cross-border data transfers.
c) Are considered part of the public sector.
d) Lack alternate enforcement mechanisms.
Answer: a
04. Which of the following would NOT be exempt from Singapore’s PDPA?
a) A government automobile registration website.
b) A private party room at a popular restaurant.
c) A documentary filmed at a rock concert.
d) A video from a store’s closed-circuit TV.
Answer: d
05. Both Sections 72 and 72A of India’s IT Act 2000 involve unauthorized access
of personal information. One main difference between the sections is that 72A
does what?
a) Stipulates that disclosure has to have occurred.
b) Specifies imprisonment as a possible penalty.
c) Adds a provision about wrongful loss or gain.
d) Includes the concept of consent.
Answer: b
06. Which European-influenced safeguard was NOT included in Hong Kong or
Singapore’s personal data protection acts, but was subsequently adopted as a
consideration in regulatory guidelines?
a) Controls on automated decision making.
b) Additional protection for sensitive personal data.
c) Legitimate interest as a legal basis for processing.
d) Notice requirements when data is collected from third parties.
Answer: d
07. Hong Kong’s definition of a data user in the original PDPO applies to all of the
following EXCEPT?
a) Trust corporations.
b) Third-party processors.
c) Private sector organizations.
d) Limited liability partnerships.
Answer: b
08. The products or services are being offered for the exclusive use of an
individual’s organization.
a) Third-party data processors located in foreign countries.
b) Companies researching the viability of business mergers.
c) Companies researching the viability of business mergers.
d) Direct marketers acting in the best interest of their company.
Answer: a
09. How is the transparency of the complaint process treated in both Hong Kong
and Singapore?
a) A complainant must alert all individuals potentially affected by the complaint.
b) Investigations into complaints in Hong Kong and Singapore are open to the public.
c) The Hong Kong and Singapore Commissioner may require the complainants to
identify themselves before carrying out any investigation into the complaint.
d) The Hong Kong and Singapore commissioners are obliged to start investigations
when receiving a complaint and inform the respondent of the personal details of the
complainant.
Answer: c
10. Increases in which of the following were a major reason for the enactment of
Hong Kong’s Amendment Ordinance in 2012?
a) Direct marketing practices.
b) Law enforcement requests.
c) Biometric authentication.
d) Data breach reports.
Answer: a