Chapter 13 - Data protection Law Flashcards

1
Q

What is the primary purpose of the Data Protection Act 2018?

A

To protect individuals from misuse of their personal information and to set out principles and rights based on the EU’s GDPR.

2
Q

What does GDPR stand for?

A

General Data Protection Regulation (GDPR).

3
Q

What is the role of the data controller?

A

Data controller: Determines the purpose and means of processing personal data.

4
Q

What is the role of the data processor?

A

Data processor: Processes personal data on behalf of the controller.

5
Q

What is the role of the data subject?

A

Data subject: Identifiable individual (not companies) whose personal data is being processed.

6
Q

What types of personal data does the Data Protection Act apply to?

A

Personal data held on computer or manual files by any organization (large or small, profit or non-profit) and includes factual records or opinions about an identifiable living individual.

7
Q

Who is the UK regulator for data protection under the Act?
A) The Data Protection Agency
B) Information Commissioner
C) General Data Protection Authority
D) Personal Data Committee

A

B) Information Commissioner

8
Q

When must the Information Commissioner be informed of a data breach?

A

Is the UK regulator for data protection.
Has statutory powers to enforce compliance with the Act.
Must be informed within 72 hours of a data breach that affects the rights and freedoms of individuals (in high-risk cases the individuals must be informed as well).

9
Q

What are the penalties for non-compliance with the Data Protection Act?

A

Criminal conviction if a crime is committed under the Act.

A fine of up to approximately £18 million or 4% of the organization’s global turnover.

10
Q

What does the principle of lawfulness, fairness, and transparency entail?
A) Data must be obtained legally with clear and honest processing.
B) Data must not be shared with external parties.
C) Data must be kept accurate and up to date.
D) Data must not be used for new purposes.

A

A) Data must be obtained legally with clear and honest processing.

11
Q

What is the principle of purpose limitation?

A

Data must be recorded and used only for specified and lawful purposes. If used for new purposes, permission must be obtained again.

12
Q

Define data minimization under the Act.

A

Personal data must be adequate, relevant, and not excessive in relation to the purpose for which it is processed.

13
Q

What does the accuracy principle require?

A

Reasonable steps must be taken to ensure personal data is accurate and up to date. Inaccurate or misleading data must be corrected.

14
Q

What is the principle of storage limitation?

A

Personal data should not be kept longer than necessary for the purpose it was processed. Data no longer needed should be destroyed or anonymized.

15
Q

What does the principle of integrity and confidentiality ensure?

A

Appropriate security measures must be in place to protect data from risks, including technical and organizational measures.

16
Q

What is the right to be informed?

A

Subjects must be informed about the collection and use of their personal data, including its purpose, retention period, and who it is shared with.

17
Q

How does the right to access work?

A

Subjects can access their data verbally or in writing, and it must be provided within one month, usually free of charge.

18
Q

What is the right to rectification?

A

Subjects have the right to have inaccurate or incomplete data corrected within one month of a verbal or written request.

19
Q

Explain the right to erasure.

A

Known as the “right to be forgotten,” subjects can request data to be erased under certain circumstances. A response must be provided within one month.

20
Q

What is the right to data portability?

A

Subjects can obtain their data and reuse it in a different service, such as when switching banks.

21
Q

What does the right to object allow?

A

Subjects can object to the processing of their data, such as to avoid receiving junk mail.

22
Q

When do rights apply in relation to automated decision-making and profiling?

A

Subjects are granted rights where automated decisions or profiling impact them, with strict circumstances regulating such use.

23
Q

Name 4 areas exempt from the provisions of the Act.

A

Employers may process data in accordance with employment law, e.g. payroll.
Academic institutions (e.g. universities) if the data processed is for academic purposes.
Scientific and historical research organisations where the principles would impair their core activities.
Individual rights are limited where they can be abused to commit crimes, disrupt legal proceedings or otherwise disrupt public authorities and regulators.

24
Q

When are individual rights limited under the Act?
A) To disrupt private businesses.
B) When used to commit crimes or disrupt public authorities.
C) To improve public services.
D) To gain financial advantage.

A

B) When used to commit crimes or disrupt public authorities.

25
Q

INTERACTIVE QUESTION 33: DATA PROTECTION

Kylie is a data subject of Compliance Bank plc. She has asked to see the information held about her by the bank and paid a fee of £10 to do so. From this, she discovered that some data was inaccurate, as it had not been updated to reflect the fact that Kylie has remarried and changed her name. She is also cross that the bank continues to send her marketing emails for loans that she does not want. Kylie decides to visit her local branch of the bank and asks for the marketing emails to stop within two weeks and for the data to be corrected.

YES OR NO
A Does the bank face a fine for holding inaccurate data on Kylie?
B Was the bank correct in charging Kylie £10 to see her data?
C Must the bank respond within two weeks to Kylie’s demand that the marketing emails cease?
D Must the bank correct the data it holds about Kylie?

A

A Yes, a breach makes the bank liable for a fine.
B No, data subjects should not usually be charged.
C No, the bank has a month to respond.
D Yes, Kylie has a right for inaccurate data to be rectified.