11. Data protection. Flashcards
T/F: data protection legislation applies only to data collected or recorded in electronic form.
FALSE
The most recent primary legislation regarding data protection in the UK is the …
Data Protection Act (2018)
The Data Protection Act (2018) implements and supplements the EU’s ….
General Data Protection Regulation (GDPR)
GDPR: General Data Protection R*
regulation
“…” means any information relating to an identified or identifiable living individual.
personal data
“Personal data” means any information relating to an [I or I LI]*
identified or identifiable living individual
“processing” information can involve: C*, R, S, A, D, C, D
collection
“processing” information can involve: C, R*, S, A, D, C, D
recording
“processing” information can involve: C, R, S*, A, D, C, D
storage
“processing” information can involve: C, R, S, A*, D, C, D
adaptation
“processing” information can involve: C, R, S, A, D*, C, D
disclosure
“processing” information can involve: C, R, S, A, D, C*, D
combination
“processing” information can involve: C, R, S, A, D, C, D*
destruction
Data protection (does / does not) require safeguards where automated decision making occurs on the basis of information provided by/collected on data subjects.
does
DC* determine the purpose and means of processing personal data.
data controllers
DP* are responsible for processing personal data on behalf of a controller.
data processors
DS* are identified or identifiable individuals (not companies) to whom personal data relates.
data subjects
A limited company (can / cannot) be a ‘data subject’.
cannot
Data protection legislation applies to … organisations.
all
Opinions, as distinguished from facts, (do / do not) fall within the scope of data protection legislation.
do
The person responsible for data regulation in the UK is the …
Information Commissioner
Data protection law in the UK uses a (prescriptive / risk-based) approach.
risk-based
Information which an individual has published about themselves, for example a professional profile, (is / is not) nevertheless covered by data protection legislation.
is
A personal data breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the Information Commissioner within … of the organisation becoming aware of it.
72 hours
Individuals whose data is subject to a breach need only be informed directly if the breach is likely to result in a … to their rights and freedoms.
high risk
Data protection principles: LFAT* (G, C, OAH), PL (S, E, L), DM (A, R, NE), A (C), SL (RP), I (CAS)
lawfulness, fairness and transparency
Data protection principles: LFAT (G*, C, OAH), PL (S, E, L), DM (A, R, NE), A (C), SL (RP), I (CAS)
grounds for holding the data
Data protection principles: LFAT (G, C*, OAH), PL (S, E, L), DM (A, R, NE), A (C), SL (RP), I (CAS)
clarity in how the data is used
Data protection principles: LFAT (G, C, OAH*), PL (S, E, L), DM (A, R, NE), A (C), SL (RP), I (CAS)
openness and honesty in how the data is used from the start
Data protection principles: LFAT (G, C, OAH), PL* (S, E, L, CfNP), DM (A, R, NE), A (C), SL (RP), I (CAS)
purpose limitation
Data protection principles: LFAT (G, C, OAH), PL (S, E, L)*, DM (A, R, NE), A (C), SL (RP), I (CAS)
the purpose for recording the data must be specified, explicit and legitimate
Data protection principles: LFAT (G, C, OAH), PL (S, E, L), DM* (A, R, NE), A (C), SL (RP), I (CAS)
data minimisation
Data protection principles: LFAT (G, C, OAH), PL (S, E, L), DM (A*, R, NE), A (C), SL (RP), I (CAS)
adequate - sufficient to properly fulfil the stated purpose
Data protection principles: LFAT (G, C, OAH), PL (S, E, L), DM (A, R*, NE), A (C), SL (RP), I (CAS)
relevant - linked rationally to the purpose
Data protection principles: LFAT (G, C, OAH), PL (S, E, L), DM (A, R, NE*), A (C), SL (RP), I (CAS)
not excessive - limited to what is necessary to fulfil the purpose
Data protection principles: LFAT (G, C, OAH), PL (S, E, L), DM (A, R, NE), A* (C), SL (RP), I (CAS)
accuracy - reasonable steps must be taken to ensure the data is not incorrect or misleading
Data protection principles: LFAT (G, C, OAH), PL (S, E, L), DM (A, R, NE), A (C*), SL (RP), I (CAS)
correction of data which is found to be inaccurate or misleading
Data protection principles: LFAT (G, C, OAH), PL (S, E, L), DM (A, R, NE), A (C), SL* (RP), I (CAS)
storage limitation - data should not be kept for longer than is necessary for the purpose for which it was collected
Data protection principles: LFAT (G, C, OAH), PL (S, E, L), DM (A, R, NE), A (C), SL (RP*), I (CAS)
retention policy - data which is no longer needed should be destroyed or anonymised
Data protection principles: LFAT (G, C, OAH), PL (S, E, L), DM (A, R, NE), A (C), SL (RP), I* (CAS)
integrity - appropriate technical and organisational measures must be taken to protect the data against the risks that might arise, including unauthorised or unlawful processing and accidental loss, destruction or damage
Data protection principles: LFAT (G, C, OAH), PL (S, E, L), DM (A, R, NE), A (C), SL (RP), I (CAS*)
confidentiality and security
Data protection principles: LFAT (G, C, OAH), PL (S, E, L, CfNP*), DM (A, R, NE), A (C), SL (RP), I (CAS)
consent for a new purpose - data must not be further processed for a purpose incompatible with the one it was collected for unless fresh consent is obtained (or the law otherwise permits it)
A business must have a valid ‘…’ in order to process personal data.
lawful basis
Most lawful bases require that processing is ‘…’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
necessary
Most lawful bases require that processing is ‘necessary’ for a SP*. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
specific purpose
If a business intends to process data, it must determine its … before it begins processing, and should document it.
lawful basis
If a business intends to process data, it must determine its lawful basis before it begins processing, and should …
document it
Lawful bases for data processing: C* (E and for a SP), C, LO, VI (PoL), PT, LI
consent
Lawful bases for data processing: C (E and for a SP)*, C, LO, VI (PoL), PT, LI
explicit and for a specific purpose
Lawful bases for data processing: C (E and for a SP), C*, LO, VI (PoL), PT, LI
contract, including pre-contractual negotiations
Lawful bases for data processing: C (E and for a SP), C, LO*, VI (PoL), PT, LI
legal obligation
Lawful bases for data processing: C (E and for a SP), C, LO, VI* (PoL), PT, LI
vital interests
Lawful bases for data processing: C (E and for a SP), C, LO, VI (PoL*), PT, LI
protection of life
Lawful bases for data processing: C (E and for a SP), C, LO, VI (PoL), PT*, LI
public task
Lawful bases for data processing: C (E and for a SP), C, LO, VI (PoL), PT, LI*
legitimate interest
Rights under the GDPR: TBI*, A, R, E, RP, DP, O, ADM and P
to be informed
Rights under the GDPR: TBI, A*, R, E, RP, DP, O, ADM and P
access
Rights under the GDPR: TBI, A, R*, E, RP, DP, O, ADM and P
rectification
Rights under the GDPR: TBI, A, R, E*, RP, DP, O, ADM and P
erasure
Rights under the GDPR: TBI, A, R, E, RP*, DP, O, ADM and P
restrict processing
Rights under the GDPR: TBI, A, R, E, RP, DP*, O, ADM and P
data portability
Rights under the GDPR: TBI, A, R, E, RP, DP, O*, ADM and P
to object
Rights under the GDPR: TBI, A, R, E, RP, DP, O, ADM and P*
automated decision making and profiling
An individual exercising their right to access and receive a copy of their personal data and other supplementary information is commonly referred to as making a … or ‘SAR’.
subject access request
Exemptions from GDPR must be determined on a … basis.
case by case
Exceptions from GDPR: DP*, LE, IS
domestic purposes
Exceptions from GDPR: DP, LE*, IS
law enforcement
Exceptions from GDPR: DP, LE, IS*
intelligence services
Grounds for exemption from GDPR: C/L/PP*, R/P/J, J/R/A, H/SW/E/CA, F/M/N, R/E, IAOP, NS/D
Crime, law and public protection.
Grounds for exemption from GDPR: C/L/PP, R/P/J*, J/R/A, H/SW/E/CA, F/M/N, R/E, IAOP, NS/D
Regulation, parliament and the judiciary.
Grounds for exemption from GDPR: C/L/PP, R/P/J, J/R/A*, H/SW/E/CA, F/M/N, R/E, IAOP, NS/D
Journalism, research and archiving.
Grounds for exemption from GDPR: C/L/PP, R/P/J, J/R/A, H/SW/E/CA*, F/M/N, R/E, IAOP, NS/D
Health, social work, education and child abuse.
Grounds for exemption from GDPR: C/L/PP, R/P/J, J/R/A, H/SW/E/CA, F/M/N*, R/E, IAOP, NS/D
Finance, management and negotiations.
Grounds for exemption from GDPR: C/L/PP, R/P/J, J/R/A, H/SW/E/CA, F/M/N, R/E*, IAOP, NS/D
References and exams.
Grounds for exemption from GDPR: C/L/PP, R/P/J, J/R/A, H/SW/E/CA, F/M/N, R/E, IAOP*, NS/D
Information about other people.
Grounds for exemption from GDPR: C/L/PP, R/P/J, J/R/A, H/SW/E/CA, F/M/N, R/E, IAOP, NS/D*
National security and defence.