Data Management Flashcards
Information Commissioner
Companies holding data are required to register annually with the Information Commissioner, an independent body set up to regulate the handling of data.
Data Protection Act 2018
- relates to personal data
- aims to create a single data protection scheme for anyone doing business in the EU and to empower individuals to take control of how their data is used by third parties
- keeps the principles of the Data Protection Act 1998, but the obligations are more prescriptive and the penalties greater
- gives people stronger rights on how their personal information is stored
Key Requirements of Data Protection Act 2018
- obligation to conduct data protection impact assessments for high-risk holding of data
- new rights of individuals to have access to information on what personal data is held and to have it erased
- a data controller decides how and why personal data is processed and is directly responsible for GDPR compliance
- new principle of data accountability, ensuring that organisations can prove to the Information Commissioner's Office how they comply with the new regulations
- data security breaches need to be reported to the ICO within 72 hours where there is a loss of personal data and a risk of harm to individuals
- fines increased to up to 4% of the company's global turnover or 20 million euros (whichever is greater)
- policed by the ICO
Principles of Data Protection Act 2018
- the Article 5(1) principles relating to storage of personal data state that data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- PURPOSE LIMITATION collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- DATA MINIMISATION adequate, relevant and limited to what is necessary
- ACCURACY accurate and kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- STORAGE LIMITATION kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- SECURITY processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- ACCOUNTABILITY Article 5(2) requires that “the Controller shall be responsible for, and be able to demonstrate, compliance with the principles”
Individual rights under GDPR
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability (to use for their own purposes)
- right to object
- rights in relation to automated decision making and profiling (as undertaken by insurance companies)
Freedom of Information Act 2000
Gives individuals the right of access to information held by public bodies.
- a public body must tell any individual requesting information whether it holds it
- normally the public body is required to supply it within 20 working days in the format requested
- it can charge for the provision of the information
Exceptions from Freedom of Information
- contrary to GDPR requirements
- would prejudice a criminal matter under investigation
- would prejudice a person's or organisation's commercial interests
Security of data
Security of electronic data can be improved using firewalls, encryption and passwords.
- understand how an NDA works
Fair processing notice
A notice given to people when you collect their data (it needs to be easy to understand). It covers:
- what information is collected
- who is collecting it
- why it is being collected
- how it will be used
- who it will be shared with
- what the effect will be on the individual
What is personal data?
Anything that can identify a person, e.g. name, phone number, IP address, photos.
If someone requests their data…
The request must be fulfilled within one month and free of charge.
6 lawful bases for processing data
- contractual obligation
- legal obligation
- vital interests
- public interest
- legitimate interests
- consent