11f The Data Protection Act 2018 Flashcards
What is personal data?
Data relating to an individual who can be identified from the data, with or without other information in the data controller's possession.
What is a data controller?
A person who, alone, jointly or in common with other persons, determines the purposes for and manner in which data is to be processed.
What is a data processor?
A person, other than an employee of the data controller, who processes the data provided by the data controller.
What should you do when finding out there is a breach of the data protection rules?
- Assess the severity.
- Any breach should be reported to the ICO within 72 hours.
- Inform those affected directly and without delay if the breach is likely to pose a high risk to the rights and freedoms of data subjects.
What happens if the Data Protection Act is not complied with?
This is a criminal offence leading to a fine of up to £17 million or 4% of the organisation's global turnover.
What data does the act apply to?
Computer-based and manual files, but not data held for domestic use.
What principles must all data be processed in line with?
- Lawfulness, fairness and transparency - held for a valid reason, processed fairly, and transparent as to why it is being held.
- Purpose limitation - grounds for holding must be specified and explicit. The purpose must be provided up front and, if it changes, consent must be obtained.
- Data minimisation - data adequate to fulfil its purpose, relevant to that purpose and not excessive.
- Accuracy - steps taken to make sure data is correct and not misleading.
- Storage limitation - not held for longer than necessary.
- Integrity and confidentiality - adequate security measures to protect against risks to the data.
What are the rights of the data subjects?
- To be informed: why their data is being collected, how long it is being retained for and who it is shared with.
- Gain access to data held on them; the request can be verbal or in writing and the data should be provided within 1 month.
- Correct/complete data held (in some circumstances can be rejected). Request should be responded to within 1 month.
- Request that data be erased; a response should be given within 1 month.
- Request that their data is held but not processed.
- Obtain the data they gave to the data controller and use it for another service.
- Object to the use of their data.
- When data is used to make automated decisions, the individual can request information about the processing of that data, request human intervention and challenge decisions made by automated means.
What data is exempt from the Data Protection Act?
- Info kept for personal, recreational, family and household use.
- Data relating to national security.
- Info used for prevention of crime.
- Info used for assessments and collection of tax.
- Confidential references.
- Processing of employee data by employers.
- Academic institutions processing for academic purposes.
- Scientific and historic research organisations.