IAPP CIPP/Canada Sample Questions & Practice Test

Try 12 Certified Information Privacy Professional/Canada (CIPP/C) sample questions on Canadian privacy law, consent, access, safeguards, breaches, transfers, and oversight.

Certified Information Privacy Professional/Canada (CIPP/C) preparation focuses on Canadian private-sector and public-sector privacy concepts, consent, access, safeguards, breach response, cross-border handling, and oversight.

Use these 12 original sample questions for initial self-assessment. They are not official IAPP questions and do not reproduce a live exam.

What this route should test

  • Canadian privacy principles, consent, access, safeguards, retention, and accountability
  • federal/provincial privacy structure and regulator oversight concepts
  • practical distinctions between privacy-program controls and legal obligations

Official-source check

Verify current certification names, exam policies, and requirements with the IAPP certification page.

Sample Exam Questions

Question 1

Topic: accountability

What does privacy accountability require from an organization?

  • A. Assigning responsibility, implementing policies, training staff, and demonstrating compliance controls
  • B. Treating privacy as only a website footer
  • C. Outsourcing all responsibility to customers
  • D. Keeping no records of privacy decisions

Best answer: A

Explanation: Canadian privacy preparation commonly emphasizes accountability, safeguards, transparency, and responsible data handling.


Question 2

Topic: consent

What makes consent stronger in a privacy context?

  • A. It is hidden in unrelated text
  • B. It is assumed for any future purpose
  • C. It cannot be withdrawn
  • D. It is informed, meaningful, tied to a purpose, and obtained before or at collection where required

Best answer: D

Explanation: Meaningful consent depends on clear purpose, timing, and individual understanding.


Question 3

Topic: purpose limitation

Why should purposes be identified before or when personal information is collected?

  • A. Purposes are useful only after a complaint
  • B. Individuals and organizations need clarity about why information is collected and used
  • C. Purpose statements eliminate safeguards
  • D. Purpose does not affect privacy obligations

Best answer: B

Explanation: Purpose identification supports meaningful consent, limiting use, and accountability.


Question 4

Topic: safeguards

What should safeguards be proportionate to?

  • A. The company’s logo color
  • B. The number of office chairs
  • C. Sensitivity, amount of information, format, risk, and context
  • D. Only the size of the marketing budget

Best answer: C

Explanation: Sensitive or high-risk information requires stronger administrative, technical, and physical safeguards.


Question 5

Topic: access requests

When an individual requests access to personal information, the organization should:

  • A. ignore the request by default
  • B. verify identity, search relevant records, apply exceptions, respond within required timelines, and document the response
  • C. delete all information before review
  • D. ask a vendor to decide without instruction

Best answer: B

Explanation: Access handling requires a controlled process, identity verification, exceptions, and evidence.


Question 6

Topic: breach response

What is a key early step after a privacy breach?

  • A. Destroy logs
  • B. Wait until all media coverage ends
  • C. Contain the incident, preserve facts, assess risk of harm, and determine notification or reporting obligations
  • D. Notify no one under any circumstances

Best answer: C

Explanation: Breach response requires containment, risk assessment, documentation, and notification analysis.


Question 7

Topic: cross-border processing

Why should cross-border service providers be reviewed?

  • A. Personal information may be subject to different legal access, safeguards, contractual, and transparency considerations
  • B. Cross-border transfer makes data anonymous
  • C. Vendors eliminate privacy obligations
  • D. Transfers are never relevant in Canada

Best answer: A

Explanation: Canadian privacy candidates should recognize transparency, safeguards, contractual oversight, and jurisdictional issues.


Question 8

Topic: retention

What is the best retention practice?

  • A. Keep all information forever
  • B. Delete records before obligations are satisfied
  • C. Use retention rules only for paper files
  • D. Keep personal information only as long as necessary for identified purposes and legal requirements

Best answer: D

Explanation: Retention should reflect purpose, legal needs, and secure disposal.


Question 9

Topic: employee privacy

Why does employee privacy require separate attention?

  • A. Employee data is never personal information
  • B. Employers can publish all employee files
  • C. HR systems do not need safeguards
  • D. Workplace monitoring, HR records, access, consent, and expectations may differ from customer contexts

Best answer: D

Explanation: Employee privacy has distinct expectations, laws, policies, and operational contexts.


Question 10

Topic: regulator interaction

Which action best supports a defensible regulator response?

  • A. No documentation
  • B. Conflicting stories from different teams
  • C. Clear records, timely cooperation, evidence of controls, and remediation tracking
  • D. Refusal to identify accountable staff

Best answer: C

Explanation: Oversight interactions depend on credible evidence and accountable remediation.


Question 11

Topic: collection limitation

What is the main risk of collecting more personal information than needed?

  • A. Better privacy by default
  • B. Increased exposure, compliance burden, and potential misuse
  • C. Automatic anonymization
  • D. No additional obligations

Best answer: B

Explanation: Collection limitation reduces privacy risk and supports purpose discipline.


Question 12

Topic: openness

What does openness require in a privacy program?

  • A. Making privacy policies and practices understandable and available
  • B. Concealing all privacy contacts
  • C. Refusing to describe processing
  • D. Publishing only technical source code

Best answer: A

Explanation: Openness supports transparency and individual trust in privacy handling.

Revised on Thursday, May 21, 2026