
IAPP CIPP/A Exam - Topic 5 Question 77 Discussion

Actual exam question for IAPP's CIPP/A exam
Question #: 77
Topic #: 5

SCENARIO -- Please use the following to answer the next QUESTION:

Zoe is the new Compliance Manager for the Star Hotel Group, which has five hotels across Hong Kong and China. On her first day, she does an inspection of the largest property, StarOne. She starts with the hotel reception desk. Zoe sees the front desk assistant logging in to a database as he is checking in a guest. The hotel manager, Bernard, tells her that all guest data, including passport numbers, credit card numbers, home address, mobile number and other information associated with a guest's stay is held in a database. Bernard tells her not to worry about the security of the database because it is operated for Star Hotels by a local service provider called HackProof, who therefore are responsible for all the guest data.

Zoe notices what looks like a CCTV camera in the corner of the reception area. Bernard says they record all activity in the lobby. In fact, last Tuesday he had received a data access request from a lawyer requesting a copy of footage of all lobby activity for the preceding month. The lawyer's covering letter said that his client has never visited the hotel herself, but is investigating whether her husband has been doing so without her knowledge.

Zoe and Bernard head up to the hotel spa. The spa is independently owned by a company called Relax Ltd. Bernard explains that Relax Ltd is a small company and, as they don't have their own database, they transfer data about the spa guests to StarOne staff so that they can upload the data into the HackProof system. Relax Ltd staff can then log in and review their guest data as needed.

Zoe asks more about the HackProof system. Bernard tells her that the server for the Hong Kong hotels is in Hong Kong, but there is a server in Shenzhen that has a copy of all the Hong Kong hotel data and supports the properties in China. The data is in China for backup purposes and is also accessible by staff in the China hotels so they can better service guests who visit their hotels in both territories.

How should Bernard respond to the lawyer's request for the CCTV footage?

Suggested Answer: D

Floyd
3 months ago
I agree with the decline. No solid reason to hand it over!
upvoted 0 times
...
Lashawn
4 months ago
Definitely not a valid request. They should decline it.
upvoted 0 times
...
Cherry
4 months ago
Wait, can they really just share that footage? Seems risky.
upvoted 0 times
...
Dyan
4 months ago
I think they should provide the footage. It's a valid request.
upvoted 0 times
...
Hillary
4 months ago
Sounds like a clear violation of privacy laws.
upvoted 0 times
...
Amina
5 months ago
I lean towards option D since it seems like there's no crime being investigated directly related to the footage. But I could be wrong about that.
upvoted 0 times
...
France
5 months ago
I feel like the lawyer's request could be valid under certain circumstances, but I'm not confident about the legal professional privilege exemption.
upvoted 0 times
...
Domitila
5 months ago
I think option A makes sense because the request seems questionable. We practiced similar scenarios where the legitimacy of the request was key.
upvoted 0 times
...
Jenifer
5 months ago
I remember discussing data access requests in class, but I'm not sure if this one is valid since the client hasn't visited the hotel.
upvoted 0 times
...
Torie
5 months ago
This is a good test of our understanding of data protection laws. I'm confident I can analyze the scenario and select the best response based on the information provided.
upvoted 0 times
...
Erick
5 months ago
Okay, I think I've got this. The footage is likely considered personal data, so the hotel should provide it within 40 days unless there's a valid exemption. I'm leaning towards option B, but I'll double-check the details.
upvoted 0 times
...
Thaddeus
5 months ago
Hmm, this is a tricky one. I'm not sure if the CCTV footage counts as personal data that needs to be disclosed. I'll have to think carefully about the different exemptions that might apply.
upvoted 0 times
...
Rolland
5 months ago
This question seems straightforward, but I want to make sure I understand all the details before answering. The key seems to be whether the lawyer's request is a valid data access request.
upvoted 0 times
...
Glenna
10 months ago
Ah, the classic 'spouse investigating spouse' scenario. I bet the lawyer's client already knows exactly what's going on and is just trying to gather evidence. Bernard should probably just hand over the footage and let the drama unfold.
upvoted 0 times
...
Lamonica
10 months ago
Hold up, did you say the hotel's data is stored in Shenzhen? That's gotta be a security nightmare! Bernard might want to rethink that whole HackProof arrangement.
upvoted 0 times
Nenita
9 months ago
It's definitely a concern, they should prioritize data security.
upvoted 0 times
...
Judy
9 months ago
I think Bernard should definitely reconsider the data storage arrangement.
upvoted 0 times
...
Ira
9 months ago
I agree, storing sensitive data in China seems risky.
upvoted 0 times
...
...
Micaela
11 months ago
I'm not sure Bernard can decline the request based on the prevention or detection of crime exemption. The lawyer's letter doesn't indicate any suspected criminal activity, so that doesn't seem to apply here.
upvoted 0 times
Cyril
9 months ago
In that case, Bernard could decline to turn over the footage as it is not a valid data access request.
upvoted 0 times
...
Callie
10 months ago
But what if the lawyer's request doesn't meet the criteria for a valid data access request?
upvoted 0 times
...
Frederica
10 months ago
Bernard should provide a copy of the footage within 40 days as it is a data access request.
upvoted 0 times
...
...
Casey
11 months ago
Hmm, this is a tricky one. Bernard should probably provide the footage within 40 days since it's a data access request, even if the lawyer's reasons seem a bit sketchy.
upvoted 0 times
...
Xochitl
11 months ago
But what if there are privacy concerns with sharing the footage? Shouldn't Bernard consider that before providing it?
upvoted 0 times
...
Cyndy
11 months ago
I agree with Justine. It's important to comply with data access requests to ensure transparency and accountability.
upvoted 0 times
...
Fatima
11 months ago
I think Bernard should decline the request as it doesn't seem to be a valid data access request. The lawyer's letter doesn't provide enough information to justify disclosing the CCTV footage.
upvoted 0 times
Edwin
10 months ago
Bernard should definitely decline to turn over the footage.
upvoted 0 times
...
Trinidad
10 months ago
I agree, the lawyer's request seems suspicious.
upvoted 0 times
...
...
Justine
11 months ago
I think Bernard should provide a copy of the footage within 40 days as it is a data access request.
upvoted 0 times
...