Data Protection Flashcards
What replaced the Data Protection Act 1984?
The Data Protection Act 1998, which implemented the EU Data Protection Directive of 1995 (95/46/EC) in UK law
What is the Data Protection Act in place for?
- To allow private individuals a degree of control over how their personal data is used by organisations
Who is responsible for enforcing the Act?
The Information Commissioner, an independent UK regulator who is also responsible for the Freedom of Information Act 2000
The Commissioner also has responsibility for promoting good practice in handling personal information
What are the eight data protection principles set out by the Act?
- Must be processed fairly and lawfully: the data controller is required to tell the individual what information will be processed, why, and whether it will be disclosed to others
- Can only be processed for limited purposes
- Must be adequate and relevant for the purpose but not excessive
- Must be accurate and up to date
- Must not be kept for longer than is necessary
- Must be processed in accordance with the individual’s rights
- Must be kept secure
- Must not be transferred outside the European Economic Area unless the country to which it is transferred has comparable data protection rules
What are the seven rights of individuals under the Data Protection Act?
1) Right of subject access (the data controller may charge a fee of up to £10)
2) Right to prevent processing likely to cause damage or distress
3) Right to prevent processing for direct marketing
4) Rights in relation to automated decision making
5) Right to compensation
6) Right to rectification, blocking, erasure and destruction
7) Right to ask the Information Commissioner to assess whether the act has been contravened
What can the Information Commissioner do if they believe the Act has been infringed?
- Serve an information notice
- Accept undertakings committing an organisation to a course of action
- Serve an enforcement notice (a 'stop now' order)
- Conduct audits
- Serve assessment notices
- Issue monetary penalty notices of up to £500,000 for serious breaches occurring on or after 6 April 2010
- Prosecute for criminal offences
- Report to parliament any concerns
What is the maximum penalty for failing to notify the Information Commissioner, or for processing without authorisation?
£5,000 on summary conviction in a magistrates' court; an unlimited fine if the case is tried in the Crown Court
What does the EU General Data Protection Regulation (GDPR), agreed in December 2015, change?
- Fines of up to 4% of annual worldwide turnover (or up to 2% of annual worldwide turnover for specified breaches)
- Personal data breaches must be notified to the Information Commissioner within 72 hours