Chapter 13 - Data protection Law Flashcards

1
Q

What is the primary purpose of the Data Protection Act 2018?

A

To protect individuals from misuse of their personal information and to set out principles and rights based on the EU’s GDPR.

2
Q

What does GDPR stand for?

A

General Data Protection Regulation (GDPR).

3
Q

What is the role of the data controller?

A

Data controller: Determines the purpose and means of processing personal data.

4
Q

What is the role of the data processor?

A

Data processor: Processes personal data on behalf of the controller.

5
Q

What is the role of the data subject?

A

Data subject: Identifiable individual (not companies) whose personal data is being processed.

6
Q

What types of personal data does the Data Protection Act apply to?

A

Personal data held on computer or manual files by any organization (large or small, profit or non-profit) and includes factual records or opinions about an identifiable living individual.

7
Q

Who is the UK regulator for data protection under the Act?
A) The Data Protection Agency
B) Information Commissioner
C) General Data Protection Authority
D) Personal Data Committee

A

B) Information Commissioner

8
Q

When must the Information Commissioner be informed of a data breach?

A

- Is the UK regulator for data protection.
- Has statutory powers to enforce compliance with the Act.
- Must be informed within 72 hours of a data breach that affects the rights and freedoms of individuals (in high risk cases the individuals must be informed as well).

9
Q

What are the penalties for non-compliance with the Data Protection Act?

A

Criminal conviction if a crime is committed under the Act.

A fine of up to approximately £18 million or 4% of the organization’s global turnover.

10
Q

What does the principle of lawfulness, fairness, and transparency entail?
A) Data must be obtained legally with clear and honest processing.
B) Data must not be shared with external parties.
C) Data must be kept accurate and up to date.
D) Data must not be used for new purposes.

A

A) Data must be obtained legally with clear and honest processing.

11
Q

What is the principle of purpose limitation?

A

Data must be recorded and used only for specified and lawful purposes. If used for new purposes, permission must be obtained again.

12
Q

Define data minimization under the Act.

A

Personal data must be adequate, relevant, and not excessive in relation to the purpose for which it is processed.

13
Q

What does the accuracy principle require?

A

Reasonable steps must be taken to ensure personal data is accurate and up to date. Inaccurate or misleading data must be corrected.

14
Q

What is the principle of storage limitation?

A

Personal data should not be kept longer than necessary for the purpose it was processed. Data no longer needed should be destroyed or anonymized.

15
Q

What does the principle of integrity and confidentiality ensure?

A

Appropriate security measures must be in place to protect data from risks, including technical and organizational measures.

16
Q

What is the right to be informed?

A

Subjects must be informed about the collection and use of their personal data, including its purpose, retention period, and who it is shared with.

17
Q

How does the right to access work?

A

Subjects can access their data verbally or in writing, and it must be provided within one month, usually free of charge.

18
Q

What is the right to rectification?

A

Subjects have the right to have inaccurate or incomplete data corrected within one month of a verbal or written request.

19
Q

Explain the right to erasure.

A

Known as the “right to be forgotten,” subjects can request data to be erased under certain circumstances. A response must be provided within one month.

20
Q

What is the right to data portability?

A

Subjects can obtain their data and reuse it in a different service, such as when switching banks.

21
Q

What does the right to object allow?

A

Subjects can object to the processing of their data, such as to avoid receiving junk mail.

22
Q

When do rights apply in relation to automated decision-making and profiling?

A

Subjects are granted rights where automated decisions or profiling impact them, with strict circumstances regulating such use.

23
Q

Name 4 areas exempt from the provisions of the Act.

A

- Employers may process data in accordance with employment law, e.g. payroll.
- Academic institutions (e.g. universities) if the data processed is for academic purposes.
- Scientific and historical research organisations where the principles would impair their core activities.
- Individual rights are limited where they can be abused to commit crimes, disrupt legal proceedings or otherwise disrupt public authorities and regulators.

24
Q

When are individual rights limited under the Act?
A) To disrupt private businesses.
B) When used to commit crimes or disrupt public authorities.
C) To improve public services.
D) To gain financial advantage.

A

B) When used to commit crimes or disrupt public authorities.

25
Q

INTERACTIVE QUESTION 33: DATA PROTECTION

Kylie is a data subject of Compliance Bank plc. She has asked to see the information held about her by the bank and paid a fee of £10 to do so. From this, she discovered that some data was inaccurate, as it had not been updated to reflect the fact that Kylie has remarried and changed her name. She is also cross that the bank continues to send her marketing emails for loans that she does not want. Kylie decides to visit her local branch of the bank and asks for the marketing emails to stop within two weeks and for the data to be corrected.

YES OR NO
A Does the bank face a fine for holding inaccurate data on Kylie?
B Was the bank correct in charging Kylie £10 to see her data?
C Must the bank respond within two weeks to Kylie’s demand that the marketing emails cease?
D Must the bank correct the data it holds about Kylie?

A

A Yes, a breach makes the bank liable for a fine
B No, data subjects should not usually be charged
C No, the bank has a month to respond
D Yes, Kylie has a right for inaccurate data to be rectified

26
Q

3 Homemade Cakes Ltd holds data about its employees. The company secretary, Stav, seeks your advice as to whether there are any penalties in the event of non-compliance with the Data Protection Act 2018, as he is concerned that certain aspects of it may have been overlooked. He has been told that, if there is a breach of the Act, there may be:
(1) a fine of up to £20 million or 5% of the company’s global turnover
(2) a criminal conviction
(3) a court order directing the forfeiture, destruction or erasing of databases
Requirement
Advise Stav on the issue of liability.
A There is potential liability for all of (1), (2) and (3).
B There is potential liability to (2) only.
C There is potential liability to (2) and (3) only.
D There is potential liability to none of the above.

A

3 Correct answer(s):
B There is potential liability to (2) only.
The company could be fined up to £17 million or 4% of its global turnover. Destruction of databases is not a potential penalty under the Act.

27
Q

4 With regard to the EU’s General Data Protection Regulation’s (GDPR) rights and principles, as enacted by the Data Protection Act 2018, are the following statements true or false?
The data controller is obliged to take all necessary steps to ensure that data held about an individual is accurate.
A True
B False
The data controller must keep the data subject informed (and supply copies) of all personal data held or processed in respect of that data subject.
C True
D False

A

4 Correct answer(s): B False
The data controller is only required to take reasonable steps to ensure accuracy.
Correct answer(s):
D False
There is no such obligation on the data controller. The data subject must request the information in accordance with their right of access.

28
Q

5 With regard to the rights given to data subjects by the Data Protection Act 2018, answer the following.
Requirements
Is the data subject always entitled to compensation in the event that the data controller is found to have inaccurate data?
A Yes
B No
Does the data subject have the right to request that accurate data held about them be destroyed?
C Yes
D No

A

5 Correct answer(s): B No
A claimant may be able to claim compensation if they can show that they have suffered damage as a result of a contravention of the Act. It is not a right granted in the Act itself.
Correct answer(s): C Yes
This is one of the rights given by the Act to protect data subjects and is also known as the right ‘to be forgotten’.

29
Q

7 The Data Protection Act 2018 provides certain rights for data subjects.
Requirements
Are the following true or false in relation to the rights of data subjects set out in the Act?
A data subject has a right to access data held about them unless the data are held in encoded form when access requires a court order.
A True
B False
A data subject whose rights have been infringed, in that inaccurate data about them have been held, can take action to rectify the inaccurate data.
C True
D False

A

7 Correct answer(s): B False
All data pertaining to a data subject are accessible by the data subject whatever the form in which they are held.
Correct answer(s):
C True
The data subject has the right to have inaccurate data rectified.

30
Q

9 All except one of the following constitute personal data under the Data Protection Act 2018.
Requirement
Which is the exception?
A The fact that a person is persistently late for work.
B The fact that a person’s corporate employer is on the verge of insolvency.
C An opinion that someone is good at their work.
D The intention to promote an employee within six months.

A

9 Correct answer(s):
B The fact that a person’s corporate employer is on the verge of insolvency.
The Act applies only to personal data, i.e. data about individuals.

31
Q

10 Which of the following statements concerning the Information Commissioner is correct?
A The Information Commissioner has the right to seize hardware containing inaccurate data.
B The Information Commissioner must be informed about every data breach within 72 hours of the breach.
C The Information Commissioner only regulates data protection in the UK.
D The Information Commissioner has the power to issue unlimited fines to organisations for data breaches.

A

10 Correct answer(s):
C The Information Commissioner only regulates data protection in the UK.
The Information Commissioner only regulates data protection in the UK. They do not have the right to seize hardware and only have to be notified of data breaches that affect the rights and freedoms of individuals. They may issue fines, but these are capped at £17.5 million or 4% of global turnover.

32
Q

11 The Data Protection Act 2018 enacts the data protection principles of the EU’s General Data Protection Regulation (GDPR). All of the following except one are such principles.
Requirement
Which is the exception?
A Personal data shall be adequate, relevant and not excessive.
B Personal data shall be accurate and kept up to date where necessary.
C Personal data shall not be kept for longer than is agreed between the data controller and the data subject.
D Personal data shall not be kept unless the purpose of holding the data is recorded and made known to the data subject.

A

11 Correct answer(s):
C Personal data shall not be kept for longer than is agreed between the data controller and the data subject.
There is no applicable concept of agreement between the parties. The data shall not be held for longer than is necessary for the purpose for which they are processed.

33
Q

13 Are the following statements true or false in relation to the Data Protection Act 2018? Non-compliance with the Act can constitute a criminal offence.
A True
B False
The Act only protects facts held about an individual.
C True
D False

A

13 Correct answer(s): A True
Non-compliance with the Data Protection Act 2018 can constitute a criminal conviction where a criminal offence has been committed under it (for example for the re-identification of data with an individual after it had been anonymised).
Correct answer(s):
D False
The Data Protection Act 2018 protects opinions held about an individual as well as facts.