Chapter 13 - Data protection Law

Question 1

What is the primary purpose of the Data Protection Act 2018?

Answer 1

To protect individuals from misuse of their personal information and to set out principles and rights based on the EU’s GDPR.

Question 2

GDPR stands for

Answer 2

General Data Protection Regulation (GDPR).

Question 3

What is the role data controller?

Answer 3

Data controller: Determines the purpose and means of processing personal data.

Question 4

What is the role data processor?

Answer 4

Data processor: Processes personal data on behalf of the controller.

Question 5

What is the role data subject?

Answer 5

Data subject: Identifiable individual (not companies) whose personal data is being processed.

Question 6

What types of personal data does the Data Protection Act apply to?

Answer 6

Personal data held on computer or manual files by any organization (large or small, profit or non-profit) and includes factual records or opinions about an identifiable living individual.

Question 7

Who is the UK regulator for data protection under the Act?
A) The Data Protection Agency
B) Information Commissioner
C) General Data Protection Authority
D) Personal Data Committee

Answer 7

B) Information Commissioner

Question 8

When must be the Information Commissioner be informed of a data breach?

Answer 8

 Is the UK regulator for data protection.
 Has statutory powers to enforce compliance with the Act.
 Must be informed with 72 hours of a data breach that affects the rights and freedoms of individuals (in high risk cases the individuals must be informed as well).

Question 9

What are the penalties for non-compliance with the Data Protection Act?

Answer 9

Criminal conviction if a crime is committed under the Act.

A fine of up to approximately £18 million or 4% of the organization’s global turnover.

Question 10

What does the principle of lawfulness, fairness, and transparency entail?
A) Data must be obtained legally with clear and honest processing.
B) Data must not be shared with external parties.
C) Data must be kept accurate and up to date.
D) Data must not be used for new purposes.

Answer 10

A) Data must be obtained legally with clear and honest processing.

Question 11

What is the principle of purpose limitation?

Answer 11

Data must be recorded and used only for specified and lawful purposes. If used for new purposes, permission must be obtained again.

Question 12

Define data minimization under the Act.

Answer 12

Personal data must be adequate, relevant, and not excessive in relation to the purpose for which it is processed.

Question 13

What does the accuracy principle require?

Answer 13

Reasonable steps must be taken to ensure personal data is accurate and up to date. Inaccurate or misleading data must be corrected.

Question 14

What is the principle of storage limitation?

Answer 14

Personal data should not be kept longer than necessary for the purpose it was processed. Data no longer needed should be destroyed or anonymized.

Question 15

What does the principle of integrity and confidentiality ensure?

Answer 15

Appropriate security measures must be in place to protect data from risks, including technical and organizational measures.

Question 16

What is the right to be informed?

Answer 16

Subjects must be informed about the collection and use of their personal data, including its purpose, retention period, and who it is shared with.

Question 17

How does the right to access work?

Answer 17

Subjects can access their data verbally or in writing, and it must be provided within one month, usually free of charge.

Question 18

What is the right to rectification?

Answer 18

Subjects have the right to have inaccurate or incomplete data corrected within one month of a verbal or written request.

Question 19

Explain the right to erasure.

Answer 19

Known as the “right to be forgotten,” subjects can request data to be erased under certain circumstances. A response must be provided within one month.

Question 20

What is the right to data portability?

Answer 20

Subjects can obtain their data and reuse it in a different service, such as when switching banks.

Question 21

What does the right to object allow?

Answer 21

Subjects can object to the processing of their data, such as to avoid receiving junk mail.

Question 22

When do rights apply in relation to automated decision-making and profiling?

Answer 22

Subjects are granted rights where automated decisions or profiling impact them, with strict circumstances regulating such use.

Question 23

Name 4 areas exempt from the provisions of the Act.

Answer 23

 Employers may process data in accordance with employment law, eg payroll
 Academic institutions (e.g. universities) if the data processed is for academic purposes
 Scientific and historical research organisations where the principles would impair their core activities
 Individual rights are limited where they can be abused to commit crimes, disrupt legal proceedings or otherwise disrupt public authorities and regulators.

Question 24

When are individual rights limited under the Act?
A) To disrupt private businesses.
B) When used to commit crimes or disrupt public authorities.
C) To improve public services.
D) To gain financial advantage.

Answer 24

B) When used to commit crimes or disrupt public authorities.

Question 25

INTERACTIVE QUESTION 33: DATA PROTECTION Kylie is a data subject of Compliance Bank plc. She has asked to see the information held about her by the bank and paid a fee of £10 to do so. From this, she discovered that some data was inaccurate, as it had not been updated to reflect the fact that Kylie has remarried and changed her name. She is also cross that the bank continues to send her marketing emails for loans that she does not want. Kylie decides to visit her local branch of the bank and asks for the marketing emails to stop within two weeks and for the data to be corrected. YES OR NO A Does the bank face a fine for holding inaccurate data on Kylie? B Was the bank correct in charging Kylie £10 to see her data? C Must the bank respond within two weeks to Kylie’s demand that the marketing emails cease? D Must the bank correct the data it holds about Kylie?

Answer 25

A Yes, a breach makes the bank liable for a fine B No, data subjects should not usually be charged C No, bank has a month to respond D Yes, Kylie has a right for inaccurate data to be rectified

Question 26

3 Homemade Cakes Ltd holds data about its employees. The company secretary, Stav, seeks your advice as to whether there are any penalties in the event of non-compliance with the Data Protection Act 2018, as he is concerned that certain aspects of it may have been overlooked. He has been told that, if there is breach of the Act, there may be: (1) a fine of up to £20 million or 5% of the company’s global turnover (2) a criminal conviction (3) a court order directing the forfeiture, destruction or erasing of databases Requirement Advise Stav on the issue of liability. A There is potential liability for all of (1), (2) and (3). B There is potential liability to (2) only. C There is potential liability to (2) and (3) only. D There is potential liability to none of the above.

Answer 26

3 Correct answer(s): B There is potential liability to (2) only. The company could be fined up to £17 million or 4% of its global turnover. Destruction of databases is not a potential penalty under the Act.

Question 27

4 With regard to the EU’s General Data Protection Regulation’s (GDPR) rights and principles, as enacted by the Data Protection Act 2018, are the following statements true or false? The data controller is obliged to take all necessary steps to ensure that data held about an individual is accurate. A True B False The data controller must keep the data subject informed (and supply copies) of all personal data held or processed in respect of that data subject. C True D False

Answer 27

4 Correct answer(s): B False The data controller is only required to take reasonable steps to ensure accuracy. Correct answer(s): D False There is no such obligation on the data controller. The data subject must request the information in accordance with their right of access.

Question 28

5 With regard to the rights given to data subjects by the Data Protection Act 2018, answer the following. Requirements Is the data subject always entitled to compensation in the event that the data controller is found to have inaccurate data? A Yes B No Does the data subject have the right to request that accurate data held about them be destroyed? C Yes D No

Answer 28

5 Correct answer(s): B No A claimant may be able to claim compensation if they can show that they have suffered damage as a result of a contravention of the Act. It is not a right granted in the Act itself. Correct answer(s): C Yes This is one of the rights given by the Act to protect data subjects and is also known as the right ‘to be forgotten’.

Question 29

7 The Data Protection Act 2018 provides certain rights for data subjects. Requirements Are the following true or false in relation to the rights of data subjects set out in the Act? A data subject has a right to access data held about them unless the data are held in encoded form when access requires a court order. A True B False A data subject whose rights have been infringed, in that inaccurate data about them have been held, can take action to rectify the inaccurate data. C True D False

Answer 29

7 Correct answer(s): B False All data pertaining to a data subject are accessible by the data subject whatever the form in which they are held. Correct answer(s): C True The data subject has the right to have inaccurate data rectified.

Question 30

9 All except one of the following constitute personal data under the Data Protection Act 2018. Requirement Which is the exception? A The fact that a person is persistently late for work. B The fact that a person’s corporate employer is on the verge of insolvency. C An opinion that someone is good at their work. D The intention to promote an employee within six months.

Answer 30

9 Correct answer(s): B The fact that a person’s corporate employer is on the verge of insolvency. The Act applies only to personal data, ie, data about individuals.

Question 31

10 Which of the following statements concerning the Information Commissioner is correct? A The Information Commissioner has the right to seize hardware containing inaccurate data. B The Information Commissioner must be informed about every data breach within 72 hours of the breach. C The Information Commissioner only regulates data protection in the UK. D The Information Commissioner has the power to issue unlimited fines to organisations for data breaches.

Answer 31

10 Correct answer(s): C The Information Commissioner only regulates data protection in the UK. The Information Commissioner only regulates data protection in the UK. They do not have the right to seize hardware and only have to be notified of data breaches that affect the rights and freedoms of individuals. They may issue fines, but these are capped at £17.5 million or 4% of global turnover.

Question 32

11 The Data Protection Act 2018 enacts the data protection principles of the EU’s General Data Protection Regulation (GDPR). All of the following except one are such principles. Requirement Which is the exception? A Personal data shall be adequate, relevant and not excessive. B Personal data shall be accurate and kept up to date where necessary. C Personal data shall not be kept for longer than is agreed between the data controller and the data subject. D Personal data shall not be kept unless the purpose of holding the data is recorded and made known to the data subject.

Answer 32

11 Correct answer(s): C Personal data shall not be kept for longer than is agreed between the data controller and the data subject. There is no applicable concept of agreement between the parties. The data shall not be held for longer than is necessary for the purpose for which they are processed.

Question 33

13 Are the following statements true or false in relation to the Data Protection Act 2018? Non-compliance with the Act can constitute a criminal offence. A True B False The Act only protects facts held about an individual. C True D False

Answer 33

13 Correct answer(s): A True Non-compliance with the Data Protection Act 2018 can constitute a criminal conviction where a criminal offence has been committed under it (for example for the re-identification of data with an individual after it had been anonymised). Correct answer(s): D False The Data Protection Act 2018 protects opinions held about an individual as well as facts.