CPA Exam Lab
All patterns
Confidentiality and privacy

The Privacy Guard

Privacy is about personal data specifically: de-identify by the right method, apply the right regime, and start the breach clock on time.

How the exam words it

The playbook

  1. 1Split the concepts: confidentiality protects any sensitive business data, while privacy governs personal data about individuals and their rights over it.
  2. 2Rank de-identification: masking hides displayed values, pseudonymization replaces identifiers with reversible tokens, and anonymization irreversibly strips identity (the strongest).
  3. 3Match the regime to the data: HIPAA covers protected health information held by covered entities, and GDPR covers the personal data of individuals in the EU.
  4. 4Apply data minimization (collect only what is needed) and meet the notification clock: GDPR requires notifying the supervisory authority within 72 hours of awareness.

The trap

Treating privacy and confidentiality as the same, or calling pseudonymization irreversible. Privacy is specific to personal data, and only anonymization removes identity for good.

How the exam varies it

The same pattern, re-skinned along these axes:

Privacy versus confidentialityDe-identification method: masking, pseudonymization, or anonymizationRegulatory scope (HIPAA versus GDPR) and the breach-notification clock

Drill this pattern

8 questions of The Privacy Guard from across the AUD topics. Clear it by getting 5 right with a streak of 3.

Shows up in 2 ISC topics