7.) Data Protection Flashcards

1
Q

What’s the main aim of data protection legislation

A

To protect individuals from unauthorised use of personal information held on computer and paper records

2
Q

What’s the history of data protection legislation in Jersey and the U.K?

A

Data protection legislation stems from the fundamental human right to privacy

In 1950, the Council of Europe adopted the European Convention on Human Rights, a ‘convention for the protection of human rights and fundamental freedoms’, which each member state was expected to ratify and implement into its own legislative framework

The convention decreed that every citizen has a right to a private life

Back in the 1970’s, the increasing use of computers prompted concerns about the risks they posed to a citizen’s fundamental right to privacy

In 1981, the Council of Europe established basic standards to ensure the free flow of info amongst its members, without infringing on individuals’ personal privacy

The UK’s first data protection act was introduced in 1984, and Jersey’s in 1987

Jersey’s 1987 law required both private and public organisations with access to computer held personal data to register with a data protection registrar, who also enforced the law

However, the standards established by the Council of Europe in 1981 (to ensure the free flow of info amongst member states, without infringing personal privacy) didn’t explicitly recognise an individual’s right to privacy.

As such, in 1995 the European Commission implemented its directive, aimed explicitly at protecting the right of privacy

In 1998, the UK replaced its 1984 act with the current data protection act 1998, and in 2005 Jersey implemented the data protection (Jersey) law 2005, or the DPJL

The DPJL has been recognised by the European Commission as having ‘ADEQUATE STATUS’, and as a third country outside the EEA, Jersey can now state unequivocally that its data protection regime is compliant with the highest European standards

The DPJL specifies conditions for the processing of data, tightens restrictions on the use of particularly sensitive info and broadens the scope of data to include some paper records

Most significant, in common with all data protection law across Europe and internationally, was the inclusion of basic rules or principles of data handling designed to encourage best data handling practice. These are enforceable principles, and form the bedrock of the DPJL

Its main aim is to protect individuals’ rights to privacy, and to ensure they have access to info held about them, and can correct it.

It also protects against excessive collection and unreasonable retention of personal data

3
Q

Describe the data protection (Jersey) law 2005, or DPJL

A

The DPJL has been recognised by the European Commission as having ‘ADEQUATE STATUS’, and as a third country outside the EEA, Jersey can now state unequivocally that its data protection regime is compliant with the highest European standards

The DPJL specifies conditions for the processing of data, tightens restrictions on the use of particularly sensitive info and broadens the scope of data to include some paper records

Most significant, in common with all data protection law across Europe and internationally, was the inclusion of basic rules or principles of data handling designed to encourage best data handling practice. These are enforceable principles, and form the bedrock of the DPJL

Main aim - protect individuals’ rights to privacy, and to ensure they have access to info held about them, and can correct it.

It also protects against excessive collection and unreasonable retention of personal data

4
Q

Define data/personal data/sensitive data, as set out in the DPJL

A

Data - Manually or electronically recorded info

Personal data - Info about a living individual person who can be identified from that information, or a combination of data which, when brought together, identifies a living person. Info about a company or dead person isn’t covered by the DPJL

To benefit from the provisions of the DPJL, personal info should be biographic, and focus exclusively on the individual.

Sensitive personal data -

REMEMBER THE COMMUNIST STORY

X Racial/ethnic origin

X Political views

X Religious views

X Membership of a trade union

X Health, either physical or mental

X Sex life

X Offences committed, or alleged to have been committed

X Criminal convictions or sentences

Info held about an individual falling into any of the above categories requires a much higher level of security and care in its use

5
Q

Define processing, as set out in the DPJL

A

The carrying out of any operation on any personal info, including obtaining, holding, using or disclosing the info. Essentially, anything you do with personal info is likely to fall within the term ‘processing’

6
Q

Define data subject, as set out in the DPJL

A

The person to whom the info relates. This could be a client or member of staff

7
Q

Define data controller and data processor, as set out in the DPJL

A

Data controller - The person who, either alone or in common with other persons, determines the manner in which personal info is to be used. Usually the company itself, though can be a sole trader/individual

Data processor - A person (other than an employee of the data controller) who processes personal info on behalf of a data controller

This arrangement will normally occur when a particular function of the business is outsourced to another company, such as HR or customer service administration. In either case, a comprehensive contract should be in place between the two companies, setting out the expectations of the data controller in relation to how the info should be used

8
Q

Why should organisations appoint a data protection officer, despite it not being a legal requirement of the DPJL

A

While not a legal requirement of the DPJL, organisations should appoint a data protection officer to ensure compliance with the legislation

This may be a person within an existing compliance team, or a specific person with a suitable data protection qualification, or experience

Their duties will include training and educating employees on their responsibilities and obligations under the DPJL, so the individual taking on the role must be experienced

9
Q

Describe the eight data protection principles of the DPJL

A

X Info must be obtained and processed fairly and lawfully

X Info can only be held for the specified purpose for which it has been gathered, and shouldn’t be further processed in any manner incompatible with that purpose

X Info must be adequate, relevant and not excessive for the purpose

X Info must be accurate and up to date

X Info mustn’t be kept for longer than necessary for that purpose

X Personal data shall be processed in accordance with the rights of data subjects under the law

X Adequate technical and organisational measures should be taken against unauthorised and unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data

X Personal data shall not be transferred to a country or territory outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

10
Q

Describe the data protection procedures that the DPJL advises organisations to put into place

A

Procedures should be put in place regarding the:

O Handling
O Use
O Manner

…in which data is accessed and maintained, as well as data security, access to info and the retention and weeding of personal info

11
Q

Why might a financial institution require personal data from a customer

A

The customer must be made aware from the first contact that the financial institution will require significant amounts of data in order to:

X Conform to KYC (know your client) regulations

X Provide a suitable and appropriate level of service

X Validate information, possibly from third parties, such as medical records for a life assurance policy

The customer will need to be advised when their phone conversations are being recorded, and for what purposes, in order to ensure compliance with the first data protection principle (info must be obtained and processed fairly and lawfully). The customer will need to be reassured about the confidentiality of the info being maintained

12
Q

Describe the enhanced rights of customers under the DPJL/data protection (Jersey) law 2005

A

X Right of access to personal data held about them

X Right to request an organisation stop processing personal data about them which causes harm or distress

X Right to request an organisation stop processing personal data for direct marketing purposes

X Right to request an organisation to ensure that no decisions are taken which significantly affect an individual and are solely based on the processing by automatic means

X Right to compensation for any breach of the law which causes damage or distress

X Right to apply to the court to have inaccurate data rectified, blocked, erased or destroyed

Further details on these rights can be found within part 2 of the DPJL

13
Q

What are the implications of the DPJL/data protection (Jersey) law 2005 for financial organisations

A

Organisations must take steps to ensure that they don’t breach the legislation:

X The company must provide the customer with specific info on collecting their personal data, including:

O Identity of the data controller (usually the organisation)

O The purposes for which their personal data will be used

O Any other relevant info, such as any disclosures likely to be made to third parties

X The company must obtain consent to divulge info to other associated companies for the purpose of cross-selling or marketing their products (usually, the client ticks an opt-in or opt-out box for this)

X If the personal data is maintained elsewhere, or via a data holding centre, the customer should be advised of this in the terms and conditions of service

X Any company holding personal info must be registered to hold such data with the relevant data protection authority in that jurisdiction

X The purposes for which they hold the data must be specified

X The data must be accurate and up to date. This would be done either annually, or on an ongoing basis, usually in conjunction with trigger events, such as changes to a customer’s account profile

X The data must be secure, and alternative arrangements must be in place, by way of disaster recovery plans, should anything happen that results in loss of data, whether in a paper or electronic format:

O Data subject access requests should be verified to ensure identification

O Data which the company is obliged to provide must be supplied within 40 days of the request. Note that this is the maximum term, and data should be provided as soon as it’s available

O Employees should be made aware of their obligations and understand what to do should a request for information, known as a subject access request, be received

14
Q

Describe the specified info that companies are under a legal obligation to provide to the customer upon collection of their personal data, one of the implications of the DPJL/data protection (Jersey) law 2005 for financial organisations

A

Note: DO NOT CONFUSE with the customer’s rights or the 8 data protection principles

X The identity of the data controller (usually the name of the organisation)

X The purposes for which their personal data will be used

X Any other relevant info, such as any disclosures likely to be made to third parties

15
Q

Describe the data arrangements that financial organisations must put in place to secure customer data, and protect it in the event of a disaster, one of the implications of the DPJL/data protection (Jersey) law 2005 for financial organisations

A

Data must be secure, and alternative arrangements/disaster recovery plans must be put in place to protect against anything happening that results in loss of data, whether in a paper or electronic format:

O Data subject access requests should be verified to ensure identification

O Data which the company is obliged to provide must be supplied within 40 days of the request. Note that this is the maximum term, and data should be provided as soon as it’s available

O Employees should be made aware of their obligations and understand what to do should a request for information, known as a subject access request, be received

16
Q

What are the penalties applicable to financial organisations that don’t comply with the principles of the DPJL/data protection (Jersey) law 2005

A

This may result in enforcement action being taken against the organisation. Failing to comply with an enforcement notice, or the committing of an offence under the DPJL may result in criminal proceedings being taken against the organisation

The maximum fine that can be imposed by the courts is £5,000 for most offences. However, the offence of knowingly or recklessly providing the data protection commissioner with false or misleading information carries a maximum sentence of 5 years in prison, in addition to a fine

Criminal proceedings under the DPJL can only be instigated with the authority of the attorney general. However, individuals have been known to take civil action against organisations under the DPJL in recent years

17
Q

When was Jersey’s most recent data protection law brought into force?

A

2005

I.e. The data protection (Jersey) law 2005, or the DPJL

18
Q

Describe sensitive personal data, as set out by the DPJL

A

Remember the COMMUNIST story

The DPJL creates a separate category for more sensitive personal info, as below:

Vladimir’s RACIAL/ETHNIC ORIGIN was Russian Slav. His POLITICAL VIEWS were communist. Naturally, this meant his RELIGIOUS VIEWS were atheist, and he was a MEMBER OF A TRADE UNION. He had no issues with HEALTH, EITHER PHYSICAL OR MENTAL, and had an excellent SEX LIFE. His criminal record was clean, with no OFFENCES COMMITTED, OR ALLEGED TO HAVE BEEN COMMITTED. As such, he had no CRIMINAL CONVICTIONS OR SENTENCES

Note that info held about an individual falling into any of the above categories requires a much higher level of security and care in its use