13: Data Protection Law Flashcards
About the Data Protection Act 2018?
Concerned with personal data held on computer-based information systems or manual files
Act does not apply to domestic use
Applies to individuals
Not only covers facts about the data subject but also any expression of opinion about them, or intentions of the data controller to them
Also concerned with the processing of data - the use, collection and destruction of it
Overseen by the Office of Information Commission.
- any breach must be reported within 72 hours
Key terms within data protection?
Data subject - individual
Personal data - data relating to an individual who can be identified from the data with or without other info in the data controller’s possession
Controller - determines the purpose and means of processing personal data
Processor - responsible for processing personal data on behalf of controller
What can non-compliance with DPA2018 lead to?
A criminal conviction when a criminal offence under the Act has been committed
A fine of up to £17.5 million, or 4% of the organisation’s global turnover
What are the EU’s GDPR principles?
Lawfulness, fairness and transparency
- must be valid grounds for holding data
- data must be processed fairly
- openness about how data is used
Purpose limitation
- purpose for holding data must be specified from the start
- must be a legitimate purpose
Data minimisation
- data must be adequate, relevant and not excessive
Accuracy
- data shall be accurate and up to date
Storage limitation
- data shall not be kept for longer than is necessary
- there should be a retention policy which can be justified
Integrity and Confidentiality
- must take appropriate security measures as regards risks
What are the rights of data subjects under the Act?
To be informed
- about collection and use of data
Access
- can obtain copies of information within one month of their request
Rectification
- have a right to have incorrect data corrected
- incomplete data made complete
To erasure/to be forgotten
To restrict processing
- means data can be held but not processed
To data portability
- right to obtain data and reuse it in a different service
To object
- right to object to the processing of their data.
- an absolute right in terms of direct marketing, but in other cases it can be refused
Automated decision making and profiling
- can only be used in strict circumstances
- subject has a right to information and can request human intervention or challenge the decision
What types of data are exempt from the Act?
Processing of employee data by employers
Academic institutions processing data for academic purposes
Scientific and historic research organisations
Principles and rights do not apply!