Data Protection Flashcards
1
Q
Who does the UK GDPR apply to?
A
controllers and processors
2
Q
What is a controller?
A
a controller determines the purposes and means of processing personal data.
3
Q
What is a processor?
A
a processor is responsible for processing personal data on behalf of a controller.
4
Q
If you are a processor what does the UK GDPR place on you?
A
specific legal obligations
5
Q
If you are a controller and a processor is involved, are you relived of your obligation?
A
No, the UK GDPR places further obligations on you to ensure your contracts with processors comply with the regulations
6
Q
What jurisdiction does the UK GDPR apply to?
A
processing carried out by organisations operating within the UK and to organisations outside of the UK that offer goods or services to individuals within the UK.
7
Q
What is personal data?
A
information that relates to an identified or identifiable individual.
8
Q
What are some examples of identifiers?
A
- name
- address
- cookie identifier
- IP address
9
Q
What should you consider when deciding whether data relates to a person?
A
- the content of the information
- the purposes for which are processing it
- the likely impact or effect of that processing on the individual
10
Q
If information has identifiers removed or replaced, is it still personal data?
A
yes.
11
Q
is anonymous data covered by the UK GDPR?
A
No.
12
Q
If information is inaccurate, is it still personal data?
A
yes.
13
Q
What type of processing of personal data does the UK GDPR apply to?
A
processing that is wholly or partly by automated means or the processing other than by automated means of personal data which forms part of a filing system.
14
Q
Is information about a deceased person, personal data?
A
No.
15
Q
is information about companies or public authorities personal data?
A
No.
16
Q
If you can indirectly identify an individual from the information you have, does this make it personal data?
A
yes.
17
Q
What does it mean that the information has to relate to a person?
A
the data must concern them in some way.
18
Q
What will your obligations under the UK GDPR vary depending on?
A
whether you are a controller, joint controller or processor.
19
Q
Who has the power to take action against controllers and processors under the UK GDPR?
A
the ICO.
20
Q
Who can individuals bring claims against?
A
both controllers and processors.
21
Q
What can individuals bring claims for?
A
for compensation and damages.
22
Q
What must you have to collect personal data?
A
you must identify valued grounds (also known as having a lawful basis) for collecting and using personal data.
23
Q
How must you process personal data?
A
in a way that is fair and that is not unduly detrimental, unexpected or misleading to the individuals concerned.
24
Q
What must you do from the start?
A
you must be clear, open and honest with people about how you will use their personal data.
25
When do you need to be clear about what your purpose for processing is?
from the start
26
What are your document obligations in relation to purposes?
you need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals.
27
When can you use the personal data for a new purpose?
if it is compatible with your original purpose, you get consent or have a clear obligation or function set out in the law.
28
What are the three things that you must ensure the personal data you are processing is?
1. adequate
2. relevant
3. limited to what is necessary
29
what does adequate mean in this context?
sufficient to properly fulfil your stated purpose
30
what does relevant. mean in this context?
has a rational link to that purpose
31
what does limited to what is necessary mean in this context?
you do not hold more than you need for that purpose
32
What is the data minimisation principle?
personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
33
What are the three principles about data standards?
1. data minimisation
2. accuracy
3. storage limitation
34
What is the storage limitation principle?
personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
35
Can the personal data be stored for longer periods?
yes, insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes.
36
Why is storage limitation important?
it reduces the risk that the personal data becomes irrelevant, excessive, inaccurate or out of date.
37
Are retention policies required?
Yes, to comply with documentation requirements, you need to establish and document standard retention periods for different categories of information you hold whenever possible.
38
What is a retention policy?
it lists the types of record or information you hold, what you use it for and how long you intend to keep it.
39
How should retention periods be set?
the UK GDPR does not dictate how long you should keep personal data. It is up to you to justify it based on your purposes for processing.
40
When should retention periods be reviewed?
you should review whether you still need the personal data at a the end of any standard retention period.
41
If you no longer need the personal data what should you do?
you should erase or anonymise it unless there is a clear justification for keeping it longer.
42
When can you keep personal data indefinitely?
if you are holding it for:
1. archiving purposes in the public interest;
2. scientific or historical research purposes; or
3. statistical purposes.
43
What is the accuracy principle?
personal data shall be accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
44
What is the definition of inaccurate?
Data Protection Act 2018 - incorrect or misleading as to any matter of fact.
45
What must you do to ensure your records of someone's personal data are not inaccurate or misleading?
1. accurately record the information provided
2. accurately record the source of the information
3. take reasonable steps in the circumstances to ensure the accuracy of the information; and
4. carefully consider any challenges to the accuracy of the information.
46
What should you do if an individual challenges the accuracy of their personal data?
consider whether the information is accurate, if it is not, then delete it or correct it.
47
What is the integrity and confidentiality principle?
you must ensure that you have appropriate security measures in place to protect the personal data you hold.
48
What is the accountability principle?
it requires you to take responsibility for what you do with personal data and how you comply with with the other principles.
49
What are the lawful bases for processing?
1. consent
2. contract
3. legal obligation
4. vital interests
5. public task
6. legitimate interest.
50
When is processing necessary?
most of the lawful bases depend on the processing being necessary. This means it must be more than just useful and more than just standard practice.
51
Why is a lawful basis for processing important?
the principle requires that you process all personal data lawfully, fairly and in a transparent manner.
52
How should you document your lawful basis?
You need to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies.
53
When is the lawful basis for contracts likely to apply?
You have a lawful basis for processing if:
1. you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract
2. you have a contract with the individual and you need to process their personal data so that they can comply with specific counter-obligations under the contract
3. you haven't yet got a contract with the individual but they have asked you to do something as a first step and you need to process their personal data to do what they ask.
54
When is processing necessary for a contract?
it does not mean that it is the only way to process the contract but it must be more than just useful and more than just part of your standard terms.
55
What must consent be?
unambiguous and involve a clear affirmative action.
56
Can a pre-ticked opt-in box constitute consent?
no.
57
What if you change your mind about consenting?
you have a right to withdraw your consent.
58
What is valid consent?
consent must be freely given and should be obvious requiring a positive action to opt in.
59
How should we obtain, record and manage consent?
make your consent request include:
1. name of your organisation
2. the name of any third party controllers who will rely on the consent
3. why you want the data
4. what you will do with it; and
5. that individuals can withdraw consent at any time.
60
What is the basis for legal obligation?
processing is necessary for compliance with a legal obligation to which the controller is subject.
61
When is processing necessary for compliance with your legal obligation?
it must be a reasonable and proportionate way of achieving compliance with your legal obligation.
62
If you are processing on the basis on legal obligation, what rights does the individual have?
the individual has no right to erasure, right to portability or right to object.
63
What is criminal offence data?
the UK GDPR gives extra protection to "personal data relating to criminal convictions and offences or related security measures"
64
What type of data does criminal offence data include?
data about:
1. criminal activity
2. allegations
3. investigations
4. proceedings
5. unproven allegations; and
6. information relating to the absence of convictions.
65
What are the rules for criminal offence data?
you must always ensure that you processing is generally lawful, fair and transparent and complies with all the other principles and requirements of the UK GDPR.
66
To ensure the processing of criminal offence is lawful what do you need?
an article 6 basis for the processing and you can only process the data if the processing is under the control of official authority or authorised by domestic law.
67
What is special category data
personal data that needs more protection because it is sensitive
68
What must you do to lawfully process special category data?
you must identify a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9.
69
for special category data does the lawful basis need to e linked to the separate condition for processing?
no.
70
How many conditions for processing special category data are contained in Article 9 of the UK GDPR?
10.
71
Can you begin processing special category data without determining your condition?
no.
72
What does the UK GDPR define special category data as?
data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
-biometric data.
73
Out of the 10 conditions for processing special category data how many do you need to meet additional conditions?
5.
74
what are the conditions under Article 9 for processing special category data?
1. explicit consent
2. employment, social security and social protection
3. vital interests
4. not-for-profit bodies
5. made public by the data subject
6. legal claims or judicial acts
7. reasons of substantial public interests
8. health or social care
9. public health
10. archiving, research and statistics.
75
What is the lawful basis of legitimate interest?
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interest are override by the interests or fundamental rights and freedoms of the data subject.
76
What is the three part test of legitimate interest?
1. purpose test - are you pursuing a legitimate interest
2. necessity test - is the processing necessary for that purpose
3. balancing test - do the individuals interests override the legitimate interest.
77
When can legitimate interests be relied upon?
it is the most flexible lawful basis but if you choose to rely on it you take extra responsibility for ensuring people's rights and interests are fully considered and protected.
78
When can you rely on public task as a lawful basis to process personal data?
1. in the exercise of official authority; or
2. to perform a specific task in the public interest that is set out in law.
79
Who is the public task lawful basis most relevant to?
public authorities but it can apply to any organisation that exercises official authority own carries out tasks in the public interest.
80
What must you be able to specify if using the public task legitimate interest?
the relevant task, function or power and identify its statutory or common law basis.
81
What is the vital interests lawful basis?
you are likely out use this if you need to process the personal data to protect someone's life.
82
Does the processing need to be necessary for vital interests?
yes, if you can reasonably protect the person's vital interests in a less intrusive way then this basis will not apply.
83
Can you rely on vital interests for health data or other special category data if the individual is capable of giving consent?
No you can't.
84
What is certification?
a way for an organisation to demonstrate compliance with the UK GDPR
85
who approves the certification scheme criteria?
the ICO.
86
What is a data protection fee?
under the 2018 regulations, organisations that determine the purpose for which personal data is processed must pay a data protection fee unless they are exempt.
