Data Protection

Question 1

Who does the UK GDPR apply to?

Answer 1

controllers and processors

Question 2

What is a controller?

Answer 2

a controller determines the purposes and means of processing personal data.

Question 3

What is a processor?

Answer 3

a processor is responsible for processing personal data on behalf of a controller.

Question 4

If you are a processor what does the UK GDPR place on you?

Answer 4

specific legal obligations

Question 5

If you are a controller and a processor is involved, are you relived of your obligation?

Answer 5

No, the UK GDPR places further obligations on you to ensure your contracts with processors comply with the regulations

Question 6

What jurisdiction does the UK GDPR apply to?

Answer 6

processing carried out by organisations operating within the UK and to organisations outside of the UK that offer goods or services to individuals within the UK.

Question 7

What is personal data?

Answer 7

information that relates to an identified or identifiable individual.

Question 8

What are some examples of identifiers?

Answer 8

• name
• address
• cookie identifier
• IP address

Question 9

What should you consider when deciding whether data relates to a person?

Answer 9

• the content of the information
• the purposes for which are processing it
• the likely impact or effect of that processing on the individual

Question 10

If information has identifiers removed or replaced, is it still personal data?

Answer 10

yes.

Question 11

is anonymous data covered by the UK GDPR?

Answer 11

No.

Question 12

If information is inaccurate, is it still personal data?

Answer 12

yes.

Question 13

What type of processing of personal data does the UK GDPR apply to?

Answer 13

processing that is wholly or partly by automated means or the processing other than by automated means of personal data which forms part of a filing system.

Question 14

Is information about a deceased person, personal data?

Answer 14

No.

Question 15

is information about companies or public authorities personal data?

Answer 15

No.

Question 16

If you can indirectly identify an individual from the information you have, does this make it personal data?

Answer 16

yes.

Question 17

What does it mean that the information has to relate to a person?

Answer 17

the data must concern them in some way.

Question 18

What will your obligations under the UK GDPR vary depending on?

Answer 18

whether you are a controller, joint controller or processor.

Question 19

Who has the power to take action against controllers and processors under the UK GDPR?

Answer 19

the ICO.

Question 20

Who can individuals bring claims against?

Answer 20

both controllers and processors.

Question 21

What can individuals bring claims for?

Answer 21

for compensation and damages.

Question 22

What must you have to collect personal data?

Answer 22

you must identify valued grounds (also known as having a lawful basis) for collecting and using personal data.

Question 23

How must you process personal data?

Answer 23

in a way that is fair and that is not unduly detrimental, unexpected or misleading to the individuals concerned.

Question 24

What must you do from the start?

Answer 24

you must be clear, open and honest with people about how you will use their personal data.

Question 25

When do you need to be clear about what your purpose for processing is?

Answer 25

from the start

Question 26

What are your document obligations in relation to purposes?

Answer 26

you need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals.

Question 27

When can you use the personal data for a new purpose?

Answer 27

if it is compatible with your original purpose, you get consent or have a clear obligation or function set out in the law.

Question 28

What are the three things that you must ensure the personal data you are processing is?

Answer 28

1. adequate
2. relevant
3. limited to what is necessary

Question 29

what does adequate mean in this context?

Answer 29

sufficient to properly fulfil your stated purpose

Question 30

what does relevant. mean in this context?

Answer 30

has a rational link to that purpose

Question 31

what does limited to what is necessary mean in this context?

Answer 31

you do not hold more than you need for that purpose

Question 32

What is the data minimisation principle?

Answer 32

personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Question 33

What are the three principles about data standards?

Answer 33

1. data minimisation
2. accuracy
3. storage limitation

Question 34

What is the storage limitation principle?

Answer 34

personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

Question 35

Can the personal data be stored for longer periods?

Answer 35

yes, insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes.

Question 36

Why is storage limitation important?

Answer 36

it reduces the risk that the personal data becomes irrelevant, excessive, inaccurate or out of date.

Question 37

Are retention policies required?

Answer 37

Yes, to comply with documentation requirements, you need to establish and document standard retention periods for different categories of information you hold whenever possible.

Question 38

What is a retention policy?

Answer 38

it lists the types of record or information you hold, what you use it for and how long you intend to keep it.

Question 39

How should retention periods be set?

Answer 39

the UK GDPR does not dictate how long you should keep personal data. It is up to you to justify it based on your purposes for processing.

Question 40

When should retention periods be reviewed?

Answer 40

you should review whether you still need the personal data at a the end of any standard retention period.

Question 41

If you no longer need the personal data what should you do?

Answer 41

you should erase or anonymise it unless there is a clear justification for keeping it longer.

Question 42

When can you keep personal data indefinitely?

Answer 42

if you are holding it for:
1. archiving purposes in the public interest;
2. scientific or historical research purposes; or
3. statistical purposes.

Question 43

What is the accuracy principle?

Answer 43

personal data shall be accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.

Question 44

What is the definition of inaccurate?

Answer 44

Data Protection Act 2018 - incorrect or misleading as to any matter of fact.

Question 45

What must you do to ensure your records of someone’s personal data are not inaccurate or misleading?

Answer 45

1. accurately record the information provided
2. accurately record the source of the information
3. take reasonable steps in the circumstances to ensure the accuracy of the information; and
4. carefully consider any challenges to the accuracy of the information.

Question 46

What should you do if an individual challenges the accuracy of their personal data?

Answer 46

consider whether the information is accurate, if it is not, then delete it or correct it.

Question 47

What is the integrity and confidentiality principle?

Answer 47

you must ensure that you have appropriate security measures in place to protect the personal data you hold.

Question 48

What is the accountability principle?

Answer 48

it requires you to take responsibility for what you do with personal data and how you comply with with the other principles.

Question 49

What are the lawful bases for processing?

Answer 49

1. consent
2. contract
3. legal obligation
4. vital interests
5. public task
6. legitimate interest.

Question 50

When is processing necessary?

Answer 50

most of the lawful bases depend on the processing being necessary. This means it must be more than just useful and more than just standard practice.

Question 51

Why is a lawful basis for processing important?

Answer 51

the principle requires that you process all personal data lawfully, fairly and in a transparent manner.

Question 52

How should you document your lawful basis?

Answer 52

You need to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies.

Question 53

When is the lawful basis for contracts likely to apply?

Answer 53

You have a lawful basis for processing if:
1. you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract
2. you have a contract with the individual and you need to process their personal data so that they can comply with specific counter-obligations under the contract
3. you haven’t yet got a contract with the individual but they have asked you to do something as a first step and you need to process their personal data to do what they ask.

Question 54

When is processing necessary for a contract?

Answer 54

it does not mean that it is the only way to process the contract but it must be more than just useful and more than just part of your standard terms.

Question 55

What must consent be?

Answer 55

unambiguous and involve a clear affirmative action.

Question 56

Can a pre-ticked opt-in box constitute consent?

Answer 56

no.

Question 57

What if you change your mind about consenting?

Answer 57

you have a right to withdraw your consent.

Question 58

What is valid consent?

Answer 58

consent must be freely given and should be obvious requiring a positive action to opt in.

Question 59

How should we obtain, record and manage consent?

Answer 59

make your consent request include:
1. name of your organisation
2. the name of any third party controllers who will rely on the consent
3. why you want the data
4. what you will do with it; and
5. that individuals can withdraw consent at any time.

Question 60

What is the basis for legal obligation?

Answer 60

processing is necessary for compliance with a legal obligation to which the controller is subject.

Question 61

When is processing necessary for compliance with your legal obligation?

Answer 61

it must be a reasonable and proportionate way of achieving compliance with your legal obligation.

Question 62

If you are processing on the basis on legal obligation, what rights does the individual have?

Answer 62

the individual has no right to erasure, right to portability or right to object.

Question 63

What is criminal offence data?

Answer 63

the UK GDPR gives extra protection to “personal data relating to criminal convictions and offences or related security measures”

Question 64

What type of data does criminal offence data include?

Answer 64

data about:
1. criminal activity
2. allegations
3. investigations
4. proceedings
5. unproven allegations; and
6. information relating to the absence of convictions.

Question 65

What are the rules for criminal offence data?

Answer 65

you must always ensure that you processing is generally lawful, fair and transparent and complies with all the other principles and requirements of the UK GDPR.

Question 66

To ensure the processing of criminal offence is lawful what do you need?

Answer 66

an article 6 basis for the processing and you can only process the data if the processing is under the control of official authority or authorised by domestic law.

Question 67

What is special category data

Answer 67

personal data that needs more protection because it is sensitive

Question 68

What must you do to lawfully process special category data?

Answer 68

you must identify a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9.

Question 69

for special category data does the lawful basis need to e linked to the separate condition for processing?

Answer 69

no.

Question 70

How many conditions for processing special category data are contained in Article 9 of the UK GDPR?

Answer 70

10.

Question 71

Can you begin processing special category data without determining your condition?

Answer 71

no.

Question 72

What does the UK GDPR define special category data as?

Answer 72

data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
-biometric data.

Question 73

Out of the 10 conditions for processing special category data how many do you need to meet additional conditions?

Answer 73

5.

Question 74

what are the conditions under Article 9 for processing special category data?

Answer 74

1. explicit consent
2. employment, social security and social protection
3. vital interests
4. not-for-profit bodies
5. made public by the data subject
6. legal claims or judicial acts
7. reasons of substantial public interests
8. health or social care
9. public health
10. archiving, research and statistics.

Question 75

What is the lawful basis of legitimate interest?

Answer 75

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interest are override by the interests or fundamental rights and freedoms of the data subject.

Question 76

What is the three part test of legitimate interest?

Answer 76

1. purpose test - are you pursuing a legitimate interest
2. necessity test - is the processing necessary for that purpose
3. balancing test - do the individuals interests override the legitimate interest.

Question 77

When can legitimate interests be relied upon?

Answer 77

it is the most flexible lawful basis but if you choose to rely on it you take extra responsibility for ensuring people’s rights and interests are fully considered and protected.

Question 78

When can you rely on public task as a lawful basis to process personal data?

Answer 78

1. in the exercise of official authority; or
2. to perform a specific task in the public interest that is set out in law.

Question 79

Who is the public task lawful basis most relevant to?

Answer 79

public authorities but it can apply to any organisation that exercises official authority own carries out tasks in the public interest.

Question 80

What must you be able to specify if using the public task legitimate interest?

Answer 80

the relevant task, function or power and identify its statutory or common law basis.

Question 81

What is the vital interests lawful basis?

Answer 81

you are likely out use this if you need to process the personal data to protect someone’s life.

Question 82

Does the processing need to be necessary for vital interests?

Answer 82

yes, if you can reasonably protect the person’s vital interests in a less intrusive way then this basis will not apply.

Question 83

Can you rely on vital interests for health data or other special category data if the individual is capable of giving consent?

Answer 83

No you can’t.

Question 84

What is certification?

Answer 84

a way for an organisation to demonstrate compliance with the UK GDPR

Question 85

who approves the certification scheme criteria?

Answer 85

the ICO.

Question 86

What is a data protection fee?

Answer 86

under the 2018 regulations, organisations that determine the purpose for which personal data is processed must pay a data protection fee unless they are exempt.