Data protection law Flashcards
Explain the term Manual data
Physical data recorded as part of a filing system, e.g. a CV on file or interviewer notes
Explain the term Automated data
Data held electronically
The Data Protection Acts 1988-2003 regulate the processing of personal data of a living person which is in the possession of a Data Controller
Explain the term Sensitive personal data
Data in relation to:
1. Racial or ethnic origin, political opinions, religious or philosophical beliefs
2. Trade union membership
3. Physical/mental health or condition, or sexual life
4. Information in relation to the commission or alleged commission of any offence, related proceedings/disposal of proceedings or sentences.
In general the express permission of the data subject must be obtained before sensitive personal data can be gathered or processed (subject to some exceptions).
Give a definition for data controller
A person who controls the content and use of personal data. Must be a person recognised in law, i.e. a natural person, organisation or body corporate.
Explain the term Data Processor
Any person other than the Data Controller who processes the data on behalf of the Data Controller.
Registration with the Office of the Data Protection Commissioner
Financial institutions, government/public bodies, telecoms and internet providers, and businesses mainly involved in direct marketing, data processing, debt collection or credit referencing
Give a definition for a data subject
A living person who is the subject of personal data.
e.g. Workers (past/present/future), customers, employees, students.
Explain the six lawful bases
A business will need to look at the data it holds on a Data Subject and then refer to the six lawful bases to decide which one it can rely on for processing of the Data Subject’s personal data.
List the six lawful bases
* Consent
* Legal Obligation
* Vital Interest
* Legitimate Interest
* Performance of a Contract
* Public Interest
Explain the term consent
For example, a customer must be given the option to opt in to receiving marketing emails
Explain the term Legal Obligation
For example, under the Safety, Health and Welfare at Work Act 2005 you must retain all accident reports and incident report forms for 10 years.
Other examples: Revenue Commissioners requirements, Working Time Act.
Explain the term Vital interest
For example, it is permissible to hand over someone’s information in a medical emergency
Explain the term Legitimate interest
For example, sending appointment reminders to customers, although no marketing material may be included
Explain the term Performance of a contract
For example, an employer requiring specific information from an employee so that they can enter into a contract of employment
Explain the term Public interest
For example, the Central Statistics Office carrying out a census.
Explain the six principles of GDPR
Lawfulness, fairness and transparency
Tell the Data Subject why you are collecting their data and what you will be doing with it, and explain the lawful basis/bases you are relying upon
Purpose Limitations
Data can only be used for a specific processing purpose that the subject has been made aware of and no other additional purpose, without further consent
Data Minimisation
Only ask the Data Subject for the least amount of information that you need to satisfy one of the 6 lawful bases
Accuracy
Data held must be up to date and accurate
Storage Limitations
Cannot keep Data Subject’s information indefinitely without grounds to do so. The business must have a Data Retention Policy in place
Integrity and Confidentiality
Protect against unlawful processing or accidental loss, destruction or damage.
Describe consent to processing
Data Controller must be able to demonstrate that the Data Subject consented to processing
Must be genuine consent, given freely (Data Subject informed of their right not to consent without detriment). Consent must be active not passive.
Data Subject must be clear as to what they are consenting to. Any request for consent must be clear.
Where consent is sought in conjunction with other matters it must be distinguishable from the other matters
The consent must be in an intelligible and easily accessible format, using clear and plain language
Data Subject has the right to withdraw consent at any time (should be highlighted once every 12 months).
It is not legal to make consent necessary to the completion of a contract where such consent is not necessary for the performance of that contract.
Consent for processing of child’s data must be given by the parents of that child or persons acting in ‘loco parentis’ where the child is under the age of 16
Data Controllers are required to have adequate systems in place to verify individual ages and gather relevant consents
Where a service is provided directly to a child a privacy notice must be drafted in a clear and plain way, so that the child can understand it.
Describe the 8 principles of the GDPR and Data Protection Act
* To obtain and process information fairly
* To keep information only for one or more specified, explicit and lawful purposes
* To use and disclose it only in ways compatible with these purposes
* To keep it safe and secure
* To keep it accurate, complete, and up-to-date
* To ensure that it is adequate, relevant and not excessive
* To retain it for no longer than is necessary for the purpose
* To give a copy to an individual on request
List the rights of a data subject
* To establish the existence of personal data
* To access their personal data
* To have personal data corrected or erased where appropriate
* Articles 16 and 17 of GDPR give individuals a right to rectification or erasure (right to be forgotten)
* To object to disclosure of the data to 3rd parties.
Describe the right to erasure
Applies anywhere in the EU where:
* Information has been retained for an excessive period of time
* Consent to process has been withdrawn
* Data has been unlawfully processed
* There is no compelling reason to justify continued processing by the data controller, or erasure is required to comply with a legal obligation
The right of erasure includes the right to have information removed from internet search results (where the search is carried out against the data subject’s name).
Data controller must comply as soon as practicable and in any event within 1 month.
What are the roles and powers of the Data Protection Commissioner?
* Conduct investigations to ensure compliance
* Issue enforcement notices to Data Controllers and Data Processors
* Authorise persons to enter premises to inspect personal data
Explain the corrective powers of the Data Protection Commissioner
These include the right to:
* Issue a warning to the data controller/processor that intended processing is likely to infringe a relevant provision
* Issue a reprimand to the data controller/processor where they have infringed a relevant provision
* Order the data controller/processor to comply with a data subject’s request to exercise their rights under a relevant provision
* Order a data controller/processor to bring processing into compliance in a specified manner and within a specified time period
* Impose temporary or definite limitations, including a ban on processing
* Impose a restriction on processing by the data controller/processor
* Serve an enforcement notice on the controller/processor to take such steps as the DPC considers necessary for those purposes.
Explain administrative fines
Breach of an Order of the DPC can result in administrative fines of up to €20m or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is the greater.
List the sanctions available to the Data Protection Commissioner
Criminal Sanctions
* Brought by the Office of the Data Protection Commissioner
* Punishable by fines of up to €3,000 per offence on summary conviction, up to €100,000 on indictment
* Offences by electronic communications companies relating to security obligations: €5,000 on summary conviction; €50,000 (natural person, on indictment); €100,000 (body corporate, on indictment)
Explain the term forfeiture
Court can order that the data material or data equipment connected with the offence be forfeited or destroyed. Must give the owner of the data or other interested parties a chance to show just cause for avoiding forfeiture.