GDPR and data protection Flashcards

1
Q

What is GDPR?

A

General Data Protection Regulation (GDPR) is an EU-wide piece of legislation which replaces the Data Protection Acts 1988-2003. There are a number of new provisions in GDPR that were not previously in the Data Protection Acts 1988-2003; however, 80% of GDPR mirrors the provisions in the previous legislation. GDPR enhances the individual’s data privacy and data rights and builds on the obligations and responsibilities of data controllers. Prior to the commencement of GDPR, EU Member States had the opportunity to legislate for GDPR at a national level. Whilst GDPR is the law and supersedes any national legislation, Ireland’s Data Protection Act 2018 applies elements of GDPR in certain, specific ways in the Irish legal context.

2
Q

On what grounds can data processing be done under GDPR?

A

Consent
contractual necessity
legal obligation
legitimate interests - where those interests aren’t overridden by the interests, rights or freedoms of the person that the data is about (data subject)
vital interests - e.g. for the protection of someone’s life
public task

3
Q

GDPR contains two tiers of fine for breaches. What are these two tiers?

A

For less serious breaches: Up to 10 million euros, or 2% of global annual turnover, whichever is HIGHER

For more serious breaches: Up to 20 million euros, or 4% of annual turnover, whichever is HIGHER

4
Q

Is GDPR an EU or UK law?

A

GDPR is an EU regulation, but it is implemented in the UK through the Data Protection Act 2018 which is a UK law and is basically the UK version of the EU’s GDPR

5
Q

Is GDPR applicable around the world?

A

GDPR is an EU law, but it is applicable to any organisation outside of the EU that has personal data of people who are living in the EU

6
Q

When did GDPR commence?

A

GDPR commenced across EU Member States, including Ireland, on 25 May 2018. Since that date, GDPR is the law in all EU Member States, including Ireland.

7
Q

What is the minimum age for someone to give consent for the processing of their personal data under GDPR?

A

16 years old

This can be changed in national implementations of this EU law. In the UK’s implementation of GDPR, which is the Data Protection Act 2018, the age is 13

8
Q

What are GDPR principles?

A

Schools shall be responsible for, and must be able to demonstrate, compliance with GDPR principles. The principles are:

Fair, transparent and lawful processing: the data subject should know the type of data collected and the reason the school collects that data.

Purpose limitation: schools should only collect data for a specific purpose and keep only for as long as necessary.

Minimisation of processing: schools must only process data that is needed to achieve its processing purpose.

Data accuracy: schools must take every reasonable step to ensure the data they process is accurate and complete.

Storage limitation: schools should hold data in a form that identifies a data subject for as short a time as possible.

Integrity and confidentiality: schools must process data securely to safeguard against unauthorised/unlawful processing, accidental loss, destruction or damage.

9
Q

What rights are granted to people by GDPR?

A

Data protection legislation/GDPR sets out the rights of data subjects including:

The right of access: Accessing one’s own data can be done via a Subject Access Request (SAR). This means that a data subject can request a copy of all his/her data (or that of their own child) free of charge and this must be provided within 30 calendar days.

The right to rectification: This right means that a data subject can ask the data controller to rectify the data the controller holds e.g. if a data subject’s phone number changes.

The right to be forgotten/right to erasure: This means that a data subject can apply to a data controller to erase all the data which the controller holds on that data subject. This is not an absolute right and is qualified in certain circumstances e.g. where data is being held for a statutory purpose or in line with legislation, for example, the rollbook/rolla.

The right to restrict processing: This means that, in certain circumstances, a data subject can apply to a data controller to restrict the processing of his/her data.

The right to data portability: Data portability, in simple terms, means that a data subject can apply to have all of his/her data held with one data controller copied and passed to a new data controller.

The right to object to certain processing: Save for compelling legitimate reasons, this right means that a data subject can object to the processing of his/her data based on his/her particular situation or state of mind.

INTO question and answer guide. “Everyone has the right to the protection of personal data” – European Commission. The General Data Protection Regulation (GDPR) came into force from 25 May 2018. The new law, which seeks to make the EU ‘fit for the digital age’, governs how we all must collect and process the personal information we hold. The INTO’s legal team provides you with this timely update as you return to school. General Data Protection Regulation, INTOUCH Supplement – September 2018.

10
Q

GDPR prohibits personal data being transferred to a country outside of the EU except for when

A

- The country’s data laws are adequate as assessed by the European Commission
- Or, there’s a standard contractual clause approved by the European Commission that grants safeguards to that personal data
- Or, Binding Corporate Rules (BCRs) have been organised and approved by the relevant data protection authorities. BCRs are internal rules within multinational companies to aid personal data transfer within the company, including to non-EU countries. These BCRs, even though they’re internal to the particular company, need approval from the relevant data protection authorities
- Explicit consent is given by the data subject
- It’s necessary for a contract to be performed

11
Q

Who does GDPR affect?

A

GDPR affects all data subjects. An individual under GDPR is known as the ‘data subject’; that is, they are the subject of the data collected about them by the organisation. In schools, a data subject is a pupil; a parent/guardian; a teacher; a school secretary; any employee of the school. All data subjects had certain rights protected under the previous data protection legislation. GDPR enhances and builds on these rights.

12
Q

What is data processing?

A

Processing is the legal term used to describe various acts including the collection, recording, organisation, structuring, storage, alteration, use of, retrieval, disclosure or transmission of information/data.

13
Q

Why do we collect data? Are we entitled to collect data?

A

Yes, schools are entitled to collect personal data about pupils through the enrolment process and/or through expressions of interest in relation to enrolment. This is legitimate for the purposes of providing education services to pupils. Additional information may be collected from third parties, including former schools and through school activities and interaction(s) during the course of the pupil’s time at school. Schools also collect personal data about parents and guardians through the enrolment process or expressions of interest for enrolment. Additional personal data may be collected through interactions during the course of the pupil’s time at school. In addition, schools are also places of employment and so personal data is

14
Q

What are processing grounds?

A

A processing ground is the legal reason for which data is collected, processed and retained – in other words, the legal reason why we are allowed to collect, process and retain certain data. Schools collect and process personal data about teachers, other employees, volunteers, pupils, parents/guardians for a variety of legitimate purposes and are entitled to rely on a number of legal grounds to do so. Schools require this data to perform the duties and responsibilities of the school and to comply with legal and statutory obligations. In addition, schools require this personal data to pursue the legitimate interests of the school and any dealings it may have with relevant third parties, for example, the Department of Education and Skills. The legitimate interests upon which schools rely are the effective operation and management of the school, managing the education and welfare needs of pupils; the employment of teachers and other members of staff; the management of volunteers and other approved school-related matters. Schools, generally but not exclusively, process personal data on the basis of the following lawful purposes:

a. Legal obligation
Schools process personal data to comply with legal and statutory obligations, including but not limited to, those under the Education Act 1998 (as Amended), the Education (Welfare) Act 2000, the Employment Equality Acts 1998-2015, the Education for Persons with Special Needs (EPSEN) Act 2004, the Health Act 1947, the Children First Act 2015, the Child Protection Procedures for Primary and Post-Primary Schools 2017, the Teaching Council Acts 2001-2015 and Safety Health and Welfare at Work legislation.

b. Legitimate interests
Schools may also process personal data in order to:

enable pupils to develop to their full potential and meet the educational, social, physical and emotional requirements;

employ members of staff;

enable parents/guardians to be contacted in the case of emergency, or school closures;

inform parents/guardians of their child’s educational progress;

secure and benefit from the support and services of relevant third parties.

Further information about the lawful processing conditions of personal data is contained in Article 6 of GDPR.

15
Q

What is consent?

A

The processing of some pupils’ personal data requires consent. For example, the school needs to be sure that parents have consented to allowing photographs of their child to be taken by the school, which may be displayed on the school’s website or on social media platforms or in the print media. Consent can be withdrawn at any time by contacting the school.

Please note: consent regarding data under GDPR is different to consent received from parents for the purposes of allowing their child attend, for example, a school trip/tour. That type of consent must still be sought in the usual way by the school, in line with advice from the school patron and/or insurer(s).

16
Q

What is a data controller?

A

A data controller determines what data the organisation/school needs to collect, why that data is needed, how it will be collected, how it will be stored and for how long. The data controller in schools is the board of management. Data controllers are required to store data which they process confidentially and securely. If a security or data breach arises, a data controller, by law, must report the breach to the Data Commissioner within 72 hours. This is not optional, but a legal requirement. In schools, it is advisable to create a culture of awareness and support about GDPR and data privacy. It is vital that all colleagues feel that they can immediately report to the principal/management if they are concerned that they may have inadvertently caused a data breach at the earliest opportunity. The concern can then be reported to the Data Commissioner. GDPR compliance at school involves looking at – or auditing – the data that is collected in the school. In other words, what data is collected by the school, how and why it is collected, retained, updated, stored, and/or accessed in respect of pupils, employees and third parties. It is vital to foster a conversation about data privacy awareness among staff. Whilst there is an onus on the board of management as data controller, there is an onus on all individuals who handle the data of others to be prudent in that regard. Having a discussion about the types of data processed in the school and the importance of reporting any breach in a prompt manner in a supportive culture is advised. This may involve a discussion amongst staff around the need to make some changes in how the school processes (collects, retains, stores and interacts with) the data collected.

17
Q

What is a data processor?

A

A data processor processes data on behalf of the data controller, for example, a service provider to the data controller, i.e. the board of management. A good example of a data processor for schools would be a third-party service provider of IT services.

It is important to ensure that within the agreement or contract a school has in place between the data controller (board of management) and a third-party service provider that the following is clarified:

a. The personal data are processed only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation.

b. The confidentiality and security of the data being processed is ensured by the third-party service provider.

c. The third-party service provider gives an undertaking to the data controller that they respect and are compliant with the data subjects’ rights.

d. The third-party service provider can engage subcontractors with the data controller’s approval.

e. Where necessary/appropriate, that the third-party service provider will delete or return the data to the data controller at the end of the provision of services arrangement unless European Union or Member State law requires the continued storage of that data.

f. The processor makes available to the controller all information necessary to demonstrate compliance with the obligations under European Union or Member State law.

Regarding the engagement of third-party data processors/service providers by a board of management, members are advised to continue to consult with their relevant school patron for advice.

18
Q

What is data retention?

A

Data retention means holding on to data relating to a data subject. A school should only retain personal data for as long as it is necessary to fulfil the purposes the information was collected for, including any legal, accounting or reporting requirements. Some data is required, by the State, to be retained indefinitely, because of legal requirements, e.g. rollbook data. The retention period(s) of other types of data collected by the school is a matter for each individual board of management to decide. Members are advised to continue to consult with their relevant school patron and school insurers for advice in this regard.

19
Q

Does my school need a Data Protection Policy?

A

Yes, all organisations that process data require a data protection policy. If your school already has a data protection policy, that’s great. However, you should check to make sure that the legislation referred to in the policy is GDPR and the Data Protection Act 2018, and not the previous legislation. If GDPR and the Data Protection Act 2018 are not reflected in your school Data Protection Policy, the policy will need to be reviewed. It is anticipated that most schools will need to update their Data Protection Policy and, in this regard, please refer to the INTO website where further advice and resources are available.

Some key elements of your school’s Data Protection Policy should include:

The purpose of the policy.
The data controller’s commitment to data protection principles/rights under GDPR and the Data Protection Act, 2018.
The name of the data controller (i.e. the BOM).
The lawful basis of the processing of data.
Details of when consent is required and that it can be withdrawn.
The categories/types of pupil data collected, processed, retained, shared by the school.
The categories/types of BOM data processed, retained, shared by the school.
Data security measures taken.
CCTV, including purpose and use of CCTV data in the school.
Rights of data subjects and how to access them.
Contact details for the Data Protection Commission.
All other policies which may interlink: e.g. Child Protection Policy; Anti-Bullying Policy; Code of Behaviour/Discipline; CCTV Policy; ICT Policy; Acceptable Use Policy; SPHE Policy etc.

20
Q

What is a subject access request?

A

A Subject Access Request (or SAR) is exactly the same as a Data Access Request, in that a data subject can apply to a data controller to be given a copy of any information on record relating to the data subject, which is kept on computer or in a structured manual filing system operated by the data controller. In schools, teachers can make a SAR to the data controller, the board of management as their employer, in relation to their own data only. Parents/guardians can make a SAR to the data controller, the board of management, on behalf of their own child. Under GDPR, a SAR can be made by writing to the data controller/board of management requesting a copy of the personal data held in relation to the data subject. A SAR must be complied with within 30 calendar days, whether it arises during a school closure or not. Failure to comply within this timeframe may be reported to the Data Commissioner. Crucially, GDPR provides that a copy of the data is provided to the data subject free of charge.

21
Q

Does my school use CCTV?

A

If your school uses CCTV, data subjects should be informed through visible and clearly legible notices inside and outside the school. While it is a good idea to have a CCTV policy, at the very least, use of CCTV in the school must be noted within the school Data Protection Policy. In addition, please note that it is advisable to specify the basis – or purpose – for the use of CCTV. Is it for security purposes only? Is it for health and safety purposes also? Whatever the purpose, it must be specified in your policy. Please note that if CCTV is used for health and safety purposes – i.e. for investigations into bullying etc. – data subjects would be entitled to seek a copy of a recording should they wish to. Should any SAR be made in relation to CCTV, please note that, before release, the recording must be redacted/pixelated so that the only visible person is the relevant data subject. Pixelation is a process which may incur fees, so it is a good idea to have a discussion about this with the board of management. In addition, it is a good idea to note the duration period of a CCTV recording in the school policy – i.e. whether it lasts for 25/28/30 days etc., before restarting.

22
Q

What is a data breach?

A

A data breach is where, accidentally, inadvertently or unlawfully, personal data are destroyed, lost, disclosed or accessed, transmitted, stored or otherwise processed. Schools, as data controllers, are required to store data which they process confidentially and securely. If a data breach does happen or you have concerns that it may have happened, you must report your concern to your principal/the board of management immediately. The relevant data subject must also be informed. The reason for the immediate requirement of reporting is that the data controller, by law, must report the breach to the Data Commissioner within 72 hours. This timeframe is not optional, but a legal requirement.

23
Q

Data and privacy

A

Privacy and anonymity are not explicitly addressed in UK Intellectual Property law, but they may be relevant in certain situations.

For example, in the context of copyright infringement claims, the identity of the alleged infringer may be relevant in determining liability and damages. If a copyright owner believes that their work has been infringed, they may seek to obtain the identity of the alleged infringer through a court order, such as a Norwich Pharmacal order.

In this context, the privacy and anonymity of the alleged infringer may be protected by certain legal principles, such as data protection laws and the right to respect for private and family life under the Human Rights Act. However, these rights may be balanced against the copyright owner’s right to protect their intellectual property.

In addition, individuals who wish to remain anonymous when engaging in certain intellectual property-related activities, such as registering a trademark or filing a patent application, may be able to do so by using a proxy or third-party representative. However, the use of proxies or third parties may not always be permitted or advisable, depending on the specific circumstances.

24
Q

Social Media & Cookies

A

Social media and cookies are not directly related to UK Intellectual Property law, but they may have implications for intellectual property rights and data protection.

Social media platforms, such as Facebook, Twitter, and Instagram, allow users to share content, including copyrighted material. In some cases, users may infringe on the copyright owner’s exclusive rights by sharing or distributing their work without permission. In these cases, the copyright owner may be able to take legal action to stop the infringement and obtain damages.

Cookies, on the other hand, are small files that are stored on a user’s device when they visit a website. They can be used to track user behavior and preferences, including their interests, location, and online activity. The use of cookies is regulated by data protection laws, such as the General Data Protection Regulation (GDPR), which requires websites to obtain user consent before using cookies.

In the context of intellectual property, cookies may be used to collect data on users’ online behavior and preferences, which can be used to target advertisements and promotional content. This may have implications for trademark and branding, as well as for copyright and related rights.

25
Q

The Freedom of Information Act

A

The Freedom of Information Act 2000 (FOIA) is a UK law that provides public access to information held by public authorities, such as government departments, local authorities, and NHS bodies. The Act aims to promote transparency and accountability by giving individuals the right to request information held by public authorities and to receive a response within a set timeframe.

Under the FOIA, any person can make a request for information, regardless of their nationality, location, or reason for making the request. The request must be made in writing and include the requester’s name and address, a description of the information requested, and any other relevant details. The public authority then has 20 working days to respond to the request.

The FOIA may be relevant to UK Intellectual Property in certain situations, such as when requesting information on the registration and status of a trademark or patent application. However, the FOIA does not generally apply to information held by private companies or individuals, including intellectual property owners, unless they are contracted to provide services on behalf of a public authority.

In addition, the FOIA includes exemptions that may allow public authorities to withhold certain types of information, such as information that is protected by intellectual property rights or that would breach someone’s privacy. However, these exemptions are subject to a public interest test, which means that the public authority must consider whether the public interest in releasing the information outweighs the interest in withholding it.

26
Q

Data Privacy in Software Development:
At a glance

A

The UK GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights. This is ‘data protection by design and by default’.

In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.

This concept is not new. Previously known as ‘privacy by design’, it has always been part of data protection law. The key change with the UK GDPR is that it is now a legal requirement.

Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the UK GDPR’s fundamental principles and requirements, and forms part of the focus on accountability.

27
Q

What are the underlying concepts of data protection by design and by default?

A

+ The underlying concepts are essentially expressed in the seven ‘foundational principles’ of privacy by design, as developed by the Information and Privacy Commissioner of Ontario.

  1. ‘Proactive not reactive; preventative not remedial’
  2. ‘Privacy as the default setting’
  3. ‘Privacy embedded into design’
  4. ‘Full functionality – positive-sum, not zero sum’
  5. ‘End-to-end security – full lifecycle protection’
  6. ‘Visibility and transparency – keep it open’
  7. ‘Respect for user privacy – keep it user-centric’
28
Q

How do we do this in practice?

(underlying concepts of data protection by design and by default)

A

Consider Data Protection as part of the design and implementation of systems.

Make data protection an essential functional component of your processing systems and services.

Only process the personal data that you need in relation to your purposes.

Personal data should be automatically protected in your IT system.

Provide the identity and contact information of those responsible for data protection.

Adopt a ‘plain language’ policy for any public documents

Allow individuals to decide what to do with their personal information

Offer strong privacy defaults, user-friendly options and controls

29
Q

How does data protection by design and by default link to Data Protection Impact Assessments (DPIAs)?

A

+ A DPIA is a tool that you can use to identify and reduce the data protection risks of your processing activities.
+ DPIAs are an integral part of data protection by design and by default.
+ They can help determine the type of technical and organisational measures you need in order to ensure your processing complies with the data protection principles.
+ A DPIA is only required in certain circumstances – for example, where the processing is likely to result in a risk to rights and freedoms.

30
Q

What is the role of privacy-enhancing technologies (PETs)?

A

The European Union Agency for Cybersecurity (ENISA) refers to PETs as: ‘software and hardware solutions, such as systems encompassing technical processes, methods or knowledge to achieve specific privacy or data protection functionality or to protect against risks of privacy of an individual or a group of natural persons.’

The idea of shaping technology according to privacy principles has been discussed for many years, addressing among other the principles of data minimisation, anonymisation and pseudonymisation. This led to the term Privacy Enhancing Technologies (PETs), which covers the broader range of technologies that are designed for supporting privacy and data protection.

31
Q

International Transfers of Data within Systems

A

Data protection by design also applies in the context of international transfers in cases where you intend to transfer personal data overseas to a third country that does not have an adequacy decision.

You need to ensure that, whatever mechanism you use, appropriate safeguards are in place for these transfers. As detailed in Recital 108, these safeguards need to include compliance with data protection by design and by default.

32
Q

What is a data controller and data processor?

A

+ The Data Controller - determines the purposes for which and the means by which personal data is processed.

+ The Data Processor - processes personal data only on behalf of the controller.

33
Q

What is Personal Data?

A

+ “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

This means personal data has to be information that relates to an individual. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.

34
Q

What are the two ways UK GDPR covers the processing of personal data?

A

personal data processed wholly or partly by automated means (that is, information in electronic form); and

personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).

35
Q

What are the categories of personal data?

A

Some of the personal data you process can be more sensitive in nature and therefore requires a higher level of protection. The UK GDPR refers to the processing of these data as ‘special categories of personal data’. This means personal data about an individual’s:

race;
ethnic origin;
political opinions;
religious or philosophical beliefs;
trade union membership;
genetic data;
biometric data (where this is used for identification purposes);
health data;
sex life;
or sexual orientation

Personal data can include information relating to criminal convictions and offences. This also requires a higher level of protection.

36
Q

Is pseudonymised data still personal data?

A

Pseudonymisation is a technique that replaces or removes information in a data set that identifies an individual.

The UK GDPR defines pseudonymisation as:

  • “…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
37
Q

What about anonymised data?

A

The UK GDPR does not apply to personal data that has been anonymised. Recital 26 explains that:

“…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not, therefore, concern the processing of such anonymous information, including for statistical or research purposes.”

This means that personal data that has been anonymised is not subject to the UK GDPR. Anonymisation can therefore be a method of limiting your risk and a benefit to data subjects too. Anonymising data wherever possible is therefore encouraged.

38
Q

Data Protection Act 2018

A

The UK Data Protection Act 2018 (DPA 2018) is the primary piece of legislation governing data protection in the United Kingdom.

The DPA 2018 replaced the previous Data Protection Act 1998 and implemented the General Data Protection Regulation (GDPR) into UK law.

The DPA 2018 applies to the processing of personal data by organizations operating in the UK, regardless of whether they are based in the UK or overseas.

The Act sets out rules and principles for the collection, use, storage, and sharing of personal data.

Under the DPA 2018, individuals have the right to access their personal data held by an organization, to have their data corrected if it is inaccurate, and to request that their data be deleted.

Organizations are also required to obtain individuals’ consent before processing their personal data and to ensure that the data is processed securely and in accordance with the law.

The DPA 2018 also sets out specific provisions for the processing of special categories of personal data, such as health data, and places additional obligations on organizations to ensure that such data is processed in a lawful and appropriate manner.

In addition, the DPA 2018 establishes the Information Commissioner’s Office (ICO) as the UK’s independent regulator for data protection.

The ICO is responsible for enforcing the DPA 2018 and ensuring that organizations comply with the rules and principles set out in the Act.

39
Q

Formative 7

InnovateTech has been developing a new app that uses machine learning algorithms to provide personalized recommendations to its users. To improve the accuracy of its recommendations, InnovateTech has been trying to obtain user data from AnalyticsFirst, which has a vast database of consumer behavior patterns. However, AnalyticsFirst has refused to share its data, citing concerns about user privacy and data protection. AnalyticsFirst argues that sharing such data could put them in breach of the UK Data Protection Act 2018, which requires companies to take appropriate measures to protect personal data.

InnovateTech argues that they only want to use the data to improve the accuracy of their recommendations and that they will take all necessary measures to protect user privacy. InnovateTech also points out that the Data Protection Act allows for the sharing of data where there is a legitimate interest, provided that the rights of individuals are not compromised. Despite several rounds of negotiations and mediation, the two companies have not been able to reach a mutually agreeable solution. InnovateTech has considered taking legal action to obtain the data but is unsure if this would be legal under the Data Protection Act.

In this case study, the UK Data Protection Act 2018 plays a crucial role in determining the legality of sharing user data between the two companies. The Act requires companies to take appropriate measures to protect personal data, but it also allows for the sharing of data where there is a legitimate interest.

As legal counsel for InnovateTech, how would you describe this case study and advise InnovateTech?

A

The case study is a dispute between InnovateTech, a company developing a personalised recommendation app, and AnalyticsFirst, a company with a database of consumer behaviour patterns. InnovateTech seeks to obtain user data from AnalyticsFirst to enhance the accuracy of their recommendations, while AnalyticsFirst refuses to share the data due to concerns about user privacy and compliance with the UK Data Protection Act 2018.

Legitimate Interest Assessment: InnovateTech should conduct a legitimate interest assessment (LIA) to determine whether their interest in obtaining user data outweighs the privacy rights and interests of the individuals involved. The LIA should consider factors such as the necessity of the data for improving the accuracy of recommendations, the impact on user privacy, and any reasonable alternatives to obtaining the data.

Data Protection Impact Assessment (DPIA): InnovateTech should also conduct a DPIA, which is a more comprehensive assessment of the data processing activities and potential risks to individuals’ privacy and data protection rights. The DPIA will help identify and mitigate any potential risks and demonstrate compliance with the Data Protection Act.

Privacy by Design: InnovateTech should ensure that their app and data processing practices are designed with privacy in mind. Implementing privacy-enhancing measures, such as data minimization, pseudonymization, and encryption, can help protect user privacy and demonstrate compliance with data protection principles.

Data Sharing Agreement: If InnovateTech and AnalyticsFirst decide to proceed with data sharing, they should establish a data sharing agreement that clearly outlines the purposes, limitations, and safeguards for data sharing. The agreement should address issues such as data security, confidentiality, and compliance with applicable data protection laws.

40
Q

Mock question 5

You are a privacy advocate who has been asked to evaluate a digital company’s use of cookies on their website. After conducting an investigation, you discover that the company is unlawfully collecting personal information through cookies without obtaining proper consent from their website visitors. The company claims that they are using this information to improve their website’s user experience and to provide targeted advertising.

Identify the legal and ethical issues surrounding the company’s use of cookies to collect personal information. Evaluate the risks associated with the company’s actions in terms of data privacy and security. Recommend specific measures that the company can take to ensure that their use of cookies is lawful and ethical.

A

The legal and ethical issues surrounding the company’s use of cookies to collect personal information include the violation of data protection laws and the invasion of individuals’ privacy. Under the GDPR, companies must obtain the freely given, specific, informed, and unambiguous consent of individuals before collecting and processing their personal data, including through the use of cookies. In this case, the company has failed to obtain proper consent from its website visitors, which constitutes a breach of the GDPR. Moreover, the company’s use of personal information for targeted advertising may infringe on individuals’ privacy, as it involves the processing of sensitive data and the creation of individual profiles without individuals’ knowledge or consent.

The risks associated with the company’s actions include reputational damage, legal penalties, and loss of customer trust. Data breaches and cyber-attacks are also possible risks, as personal information collected through cookies may be vulnerable to unauthorized access or theft.

To ensure that their use of cookies is lawful and ethical, the company should obtain proper consent from individuals through an opt-in mechanism that clearly explains the purposes and scope of data processing. The company should also implement appropriate technical and organizational measures to ensure the security and confidentiality of personal information, such as encryption, access controls, and regular audits.