Chapter 13 - Data protection Law Flashcards
What is the primary purpose of the Data Protection Act 2018?
To protect individuals from misuse of their personal information and to set out principles and rights based on the EU’s GDPR.
GDPR stands for
General Data Protection Regulation (GDPR).
What is the role of the data controller?
Data controller: Determines the purpose and means of processing personal data.
What is the role of the data processor?
Data processor: Processes personal data on behalf of the controller.
What is the role of the data subject?
Data subject: Identifiable individual (not companies) whose personal data is being processed.
What types of personal data does the Data Protection Act apply to?
Personal data held on computer or manual files by any organization (large or small, profit or non-profit) and includes factual records or opinions about an identifiable living individual.
Who is the UK regulator for data protection under the Act?
A) The Data Protection Agency
B) Information Commissioner
C) General Data Protection Authority
D) Personal Data Committee
B) Information Commissioner
When must the Information Commissioner be informed of a data breach?
Is the UK regulator for data protection.
Has statutory powers to enforce compliance with the Act.
Must be informed within 72 hours of a data breach that affects the rights and freedoms of individuals (in high-risk cases the individuals must be informed as well).
What are the penalties for non-compliance with the Data Protection Act?
Criminal conviction if a crime is committed under the Act.
A fine of up to approximately £18 million or 4% of the organization’s global turnover.
What does the principle of lawfulness, fairness, and transparency entail?
A) Data must be obtained legally with clear and honest processing.
B) Data must not be shared with external parties.
C) Data must be kept accurate and up to date.
D) Data must not be used for new purposes.
A) Data must be obtained legally with clear and honest processing.
What is the principle of purpose limitation?
Data must be recorded and used only for specified and lawful purposes. If used for new purposes, permission must be obtained again.
Define data minimization under the Act.
Personal data must be adequate, relevant, and not excessive in relation to the purpose for which it is processed.
What does the accuracy principle require?
Reasonable steps must be taken to ensure personal data is accurate and up to date. Inaccurate or misleading data must be corrected.
What is the principle of storage limitation?
Personal data should not be kept longer than necessary for the purpose it was processed. Data no longer needed should be destroyed or anonymized.
What does the principle of integrity and confidentiality ensure?
Appropriate security measures must be in place to protect data from risks, including technical and organizational measures.