ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A U.S.-based software vendor is preparing to migrate several customer datasets to a public IaaS provider. During the data-classification workshop, four example datasets are identified:
1. Proprietary source code covered by a non-disclosure agreement (NDA) with the customer.
2. Spreadsheets containing employees' medical diagnosis and treatment information from the company's on-site clinic.
3. Logs that store customers' full names, postal addresses, and Social Security numbers captured during account registration.
4. Web-site clickstream records that have been fully anonymized and cannot be re-identified.
From a cloud-privacy perspective, which dataset is most accurately categorized as contractual private data rather than regulated private data?
Proprietary source code provided by a customer and protected solely by a non-disclosure agreement.
Fully anonymized web clickstream data that cannot be linked back to individual users.
Customer registration logs that record full names, mailing addresses, and Social Security numbers.
Employee medical records containing diagnosis and treatment details from the company clinic.
Contractual private data is protected primarily through agreements between parties; if it is disclosed, the primary recourse is a breach-of-contract claim. Examples include trade secrets, proprietary business plans, and intellectual property that are not specifically governed by privacy statutes. In contrast, regulated private data, such as protected health information (PHI) under HIPAA or personally identifiable information (PII) like Social Security numbers, is subject to statutory or regulatory mandates that impose specific handling, breach-notification, and protection requirements.
Dataset 1 (proprietary source code under NDA) fits the definition of contractual private data: its confidentiality is enforced through contract, and no dedicated privacy law dictates how it must be protected. Datasets 2 and 3 both contain regulated data (PHI and sensitive PII, respectively) subject to U.S. laws such as HIPAA and state breach-notification statutes. Dataset 4, being anonymized, no longer qualifies as personal data, but only because re-identification is not reasonably possible; it therefore falls outside privacy regulations, and it is not 'private data' in the contractual sense described in the scenario. Thus, the dataset best classified as contractual private data is the proprietary source code under NDA.
Legal, Risk and Compliance