Data management Flashcards
What is the key legislation to consider for this competency?
General Data Protection Regulation (GDPR) 2018
Data Protection Act 2018
Freedom of Information Act 2000
Limitation Act 1980
What is GDPR?
General Data Protection Regulation (GDPR) 2018
- A major shakeup in data protection laws. GDPR’s reach is global
- Any company that offers goods or services to anyone in the EU or UK may be required to comply
- More comprehensive than DPA 2018
- Significant fines for breaches. Based on company turnover
What are the GDPR principles?
- Lawfulness, fairness and transparency – leave the individual fully informed
- Accuracy – where necessary kept up to date, erase inaccurate personal data without delay
- Minimisation – collect the minimum data you need
- Storage – retain the data for a necessary limited period and then erase
- Purpose – must inform your clients about the purpose of the data collection
- Accountability – record and prove compliance
- Security – integrity and confidentiality: keep it secure, e.g. a locked filing cabinet or a firewall
What is the timescale for reporting a breach under GDPR?
- You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it
- If you take longer than this, you must give reasons for the delay
What is Personal Data?
Any data that can directly or indirectly identify a person. For example:
- Name, age, address, medical records, financial information, NI number, passport number
- Home address, mobile number, GPS data
- Tracking cookies, IP addresses, social media posts
What is Privacy Sensitive Data?
Sensitive data that has a stronger legal protection, including:
- Race & Ethnic background
- Political opinions
- Religious beliefs
- Trade union membership
- Genetics
- Biometrics (where used for identification)
- Health
- Sex life or orientation
What is the Data Protection Act 2018?
Data Protection Act 2018
- The UK’s implementation of GDPR.
- Framework for data protection law in the UK, including the way in which GDPR is implemented.
- Enforces how people and companies should obtain, store, share, and use personal data.
What are the key data protection principles under DPA 2018?
- Lawfulness, fairness and transparency – leave the individual fully informed
- Accuracy – where necessary kept up to date, erase inaccurate personal data without delay
- Minimisation – collect the minimum data you need
- Storage limitation – retain the data for a necessary limited period and then erase
- Purpose limitation – must inform your clients about the purpose of the data collection
- Accountability – record and prove compliance
- Security – integrity and confidentiality: keep it secure, e.g. a locked filing cabinet or a firewall
What are your rights under DPA 2018?
All data subjects have the right to:
- Be informed about how your data is being used
- Access your personal data
- Request for your data to be changed
- Have data erased
- Question the reasoning behind any automated decisions.
- Stop or restrict the processing of your data
What is the Freedom of Information Act 2000?
Freedom of Information Act 2000
- It provides individuals or organisations with the right to request information held by a public authority.
- Information must also be published through the public authority’s publication scheme
- This must be approved by the Information Commissioner’s Office (ICO), and is a commitment by a public authority to make certain information available, and a guide on how to obtain it
What is the Limitation Act 1980?
How long can you hold client data?
Limitation Act 1980
- It is a statute of limitations which provides timescales within which action may be taken (by issuing a claim form) for breaches of the law.
- Claims for negligence can be brought up to 15 years after the act.
- For example, it provides that breaches of a contract under hand are actionable for six years after the event, whereas breaches of a deed are actionable for twelve years after the event.
- In most cases, after the expiry of the time periods specified in the Act the remedies available for breaches are extinguished and no action may be taken in the courts in respect of those breaches.
What is a Data Protection Officer (DPO)?
- If you carry out certain types of processing activities, you have a duty to appoint a DPO.
- A person nominated within a company to ensure that all data processes are in line with the Data Protection and GDPR rules.
What is the Information Commissioner’s Office (ICO)?
- The regulator for data protection in the UK.
- Data breaches should be reported to them.
- They can take various actions, e.g. inspection of a business, enforcement notices, penalty notices, fines, banning the processing of data etc.
What is a data controller and processor?
Data Controller
- Determines the purpose and means of processing personal data
- Has autonomy over the personal data and can decide what happens with it (within the limits of the law)
- Decides how and for what purpose the data will be collected and used
- Employers are likely to be classed as a controller. Can be an individual e.g. a sole trader
Data Processor
- Processes personal data on behalf of another party (the controller).
- Not an employee, but a separate organisation or person
- Can only process the personal data under the instructions of a controller.
What is structured and unstructured personal data?
- Structured Personal Data sits in applications and systems with structured data fields and ways of processing, like the Arcadis Way applications.
- Unstructured Personal Data sits in personal files, ad hoc excel sheets or e-mail inboxes.