Data Management Level 2

Question 1

What is Personal Data?

Answer 1

Information that can be used to identify someone

Question 2

What is GDPR?

Answer 2

General Data Protection Regulation, or UK GDPR (Data Protection Act 2018)

• To give more control over your information.
• sets new standards for protecting personal data in the UK. It revolves around placing stricter limitations on the amount and type of data that organisations

Question 3

What is a data subject?

Answer 3

Person the data relates to.

Question 4

What is a data controller?

Answer 4

A person or business that decides how personal data is collected and determines what information is needed and why.

Question 5

What is a data processor?

Answer 5

A business or sole trader that handles data and personal information on the instructions of another party.

Question 6

What is the Information Commissioner’s Office?

Answer 6

• responsible for legislation relating to data protection.
• They enforce information rules and rights as well as data protection laws.

Question 7

What are the senior management team (SMT), directors, and councillors responsible for in FG?

Answer 7

They authorise the publication of policies, procedures and annual training for all staff on compliance issues

Question 8

What is your line manager responsible for?

Answer 8

Overseeing how personal data is handled within the department.

Question 9

Who has a responsibility within your firm for protecting data?

Answer 9

Everyone has a collective responsibility.

Question 10

What is data minimisation?

Answer 10

Data should be adequate, relevant and limited to what is necessary, in relation to the purposes for which it is processed.

Question 11

How long should data be stored?

Answer 11

6 - 15 years

Question 12

What is a privacy notice?

Answer 12

explains their information rights.

Question 13

What is erasure?

Answer 13

“the right to be forgotten”, the right to the erasure of records means that, in certain circumstances, and if the request is reasonable, people can approach organisations and ask the organisation to remove the information they have on them.

Question 14

What is portability?

Answer 14

• means transferring data from one provider to another.

Question 15

What is Object to Processing ?

Answer 15

• for direct marketing purposes
• by automated means which have a significant impact.
• on the grounds that a data subject’s rights outweigh the legitimate interest of an organisation that continues to process their data.

Question 16

What does it mean to Restrict processing?

Answer 16

You have the right to restrict an organisation’s data processing procedure when it comes to your own personal data.

Question 17

What is a “Subject Access Request”?

Answer 17

SAR
- A request to see any records that relate to them.
Process - discuss with party what information they require before formal response.

1 CALENDAR MONTH TO RESPOND TO A FORMAL SAR.

Question 18

What is a freedom of information request?

Answer 18

• requests directed towards an organisation and their workings rather than relating to the subject themselves.
• includes information about the organisation’s policies, procedures, strategies and operations.

The Freedom of Information Act 2000

Question 19

How do you respond to a FOI?

Answer 19

• check whether the requested information is covered under the Publications Scheme
• If not, refer to line manager or DPO.
• If you’re asked to help compile information to respond to a FOI request, remember that no personal data should be included.

Question 20

What is information security?

Answer 20

The protection from a loss of confidentiality, integrity and availability.

Question 21

What are the GDPR Rights?

Answer 21

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to Data portability
• Right to Object
• Rights in relation to automated decision making and profiling

Question 22

Process for a data breach?

Answer 22

• Inform Data protection officer (Clare Phillipson)
• Report to the Information Commissioners Office within 72 hours
• High risk - inform individuals without undue delay
• Ensure robust detection, investigation and internal reporting procedures in place.
• Keep record of any personal data breaches.

Question 23

What is FGs Data Protection Policy?

Answer 23

• In place to ensure we process all personal data in accordance with data protection laws.
• Protect individual rights with regards to personal data.
• Data protection training and procedures.
• Continuous programme of monitoring, review and improvement to procedures and data handling.
• Have a Data Protection Officer.

Question 24

What are the penalties?

Answer 24

Maximum fine of £17.5 million or 4% of annual global turnover.

Question 25

Principles of the Bribery Act 2010?

Answer 25

PCRCDM

• Proportionality
• Commitment (Top Level)
• Risk Assessment
• Communication
• Due Diligence
• Monitor and Review.

Question 26

What are the types of breaches?

Answer 26

• Disclosure
• Destruction
• Alteration

Question 27

Who is accountable for data breaches?

Answer 27

If not suitable training and security in place then CEO/directors.

If other situation, then Data Protection Officer.

If sole trader, then the individual.

Individuals in a firm can be fined if they destroy evidence of the data breach or seek to access data without permission to do so.

Question 28

What are the principles of GDPR?

Answer 28

Lawfulness, Fairness and Transparency
Purpose limitation
Data minimisation
Accuracy
Storage Limitation
Integrity and Confidentiality
Accountability