Data Protection Flashcards
Which year was Data Protection Act first passed?
A) 1997
B) 1992
C) 1998
D) 1899
C) 1998
1997 - Copyright and Rights in Database Regulations
1992 - Copyright (Computer Programs) Rights Act
1899 - N/A
Why do we have Data Protection Act 2018 and GDPR 2018 if they’re both about data protection?
DPA 2018 implements the parts of the GDPR that are left to be implemented by member state law.
It also provides a GDPR style framework for data processing regarding intelligence agencies.
When did GDPR come into effect?
A) 26th May 2018
B) 15th April 2018
C) 25th May 2018
D) 22nd April 2018
C) 25th May 2018
The other dates are made up.
List the 7 GDPR principles.
1) Lawfulness, Fairness and Transparency
2) Accountability
3) Integrity and Confidentiality
4) Accuracy
5) Data minimization
6) Storage Limitation
7) Purpose Limitation
Which of the following is not an absolute right of a data subject under the GDPR?
A) Right to Erasure
B) Right to Object
C) Right to be Informed
D) Right to portability
A) Right to Erasure
Other non-absolute rights:
- right to limit processing
- right to rectification
- right to be informed (privacy information does not always have to be shared if the information is already known or the effort to get the information is disproportionately large)
Absolute rights:
- right to access
- right to portability??
- rights in relation to automated decision making and profiling??
- right to object
How many days do organisations get to report any breaches under the DPA/GDPR?
1) 72
2) 3
3) 20
4) 14
2) 3 days
1) 72 refers to 72 hours (or 3 days)
3) 20 refers to the 20 days that public organisations get to respond to an FOI request via their publication scheme
4) 14 - random
What is the maximum that organisations have to pay to the Information Commissioner's Office? Challenge: Can you explain why the fee exists?
A) £40
B) £50
C) £60
D) £2,900
D) £2,900
Under the DPA 1998, organisations had to register or 'notify' that they were collecting data (i.e. that they were controllers).
Under the DPA 2018, this rule to register no longer applies. Instead, you have to pay a fee based on the size of the organisation (sizes are grouped into 3 tiers).
Organisations already registered under the DPA 1998 only have to pay the fee when that registration expires.
Tier 1 - £40
Tier 2 - £60
Tier 3 - £2,900
Is it mandatory for all organisations to have a DPO?
DPO = data protection officer -> linked to the GDPR principle of Accountability
Only public organisations have to have a DPO.
What classifies as personal data? (Select all that apply)
1) Something that can identify an individual
2) Something that can identify an individual when considered in conjunction with other information
3) Any opinions
4) Inaccurate information that’s still about an identifiable individual
1, 2, 4
Inaccurate information still counts as long as it’s about an identifiable individual
List all the conditions/ people that the GDPR does NOT apply to.
- Anything covered by the Law Enforcement Directive
- Anything to do with national security
- Any information gathered for personal/household use
Exemptions from transparency obligations and individual rights exist to safeguard:
1) national security, defence, public security;
2) prevention, investigation, detection or prosecution of criminal offences;
3) other important public interests, in particular economic or financial interests, including budgetary and taxation matters, public health and security;
4) protection of judicial independence and proceedings;
5) breaches of ethics in regulated professions;
6) monitoring, inspection or regulatory functions regarding security, defence, other important public interests or crime/ethics prevention;
7) the protection of the individual, or the rights and freedoms of others;
8) the enforcement of civil law matters.
CONDITION - the essence of the individual's rights and freedoms should still be respected, and there must be a reasonable and democratic reason for the exemption.