DATA PROTECTION Flashcards
Data protection act
Protect individuals from misuse of information about them.
Data protection principles apply to anyone who processes personal data.
Act embodies the principles and rights of the EU’s General Data Protection Regulation.
Data controllers - determine purpose and means of processing personal data
Data processors - responsible for processing personal data on behalf of a controller.
Data subjects - identified or identifiable individuals (not companies) to whom personal data relates.
Scope
Personal data held on computer or in manual files (any company)
Personal data - any information relating to an identifiable living person; includes the recording of facts but also the expression of opinion about an individual.
Information commissioner:
- UK regulator for data protection
- statutory powers to enforce compliance
- must be informed within 72 hours of a data breach that affects the rights and freedoms of individuals (in high-risk cases the individuals must be informed as well)
Non-compliance:
- May result in a criminal conviction if a crime has been committed under the act.
- Fine of up to £18m or 4% of the organisation's global turnover.
Data protection principles
Lawfulness, fairness and transparency:
- Must be valid grounds for holding data.
- Personal data should be processed fairly; there must be clarity, openness and honesty about how data is used from the start.
Purpose limitation:
- Purpose for recording data must be recorded and made clear to the data subject from the start.
- Personal data only used for a purpose that is specified and lawful.
- Using data for a new purpose needs permission.
Data minimisation:
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.
Accuracy:
- Reasonable steps must be taken to ensure personal data is not incorrect or misleading; inaccurate data must be corrected.
Storage limitation:
- Not kept for longer than necessary
- A retention policy that can be justified is needed
- Data no longer required should be destroyed or anonymised
Integrity and confidentiality:
- Data processing must include appropriate security measures relating to the risks that may arise.
- Appropriate technical and organisational measures should be in place to protect data.
Rights of data subjects
Right to be informed:
- Collection and use
- Purpose, retention period and who it shall be shared with
Access:
- Right to access information held about them
- Request may be made verbally or in writing
- Must be provided within 1 MONTH (usually free)
Rectification:
- Inaccurate data to be rectified
- Request may be verbal or written; must be completed within 1 month
Right to erasure:
- Right to be forgotten
- Information to be erased
- Applies in certain circumstances
- Response must be given within 1 month
Right to data portability:
- Right to obtain data they have given to the data controller, to reuse in another service
Right to object:
- Right to object to processing of data, e.g. to avoid junk mail
Rights in relation to automated decision making and profiling:
- Granted rights where data held about them is used to make automated decisions, or where evaluation of data about them is automated (profiling); there are strict circumstances in which these processes can be used.
Exemptions from the act
- Employers may process data in accordance with employment law, e.g. payroll
- Academic institutions, e.g. universities, if processed for academic purposes.
- Scientific and historical research organisations where the principles would impair their core activities.
- Individual rights are limited where they could be abused to commit crimes, disrupt legal proceedings or disrupt public authorities and regulators