GDPR and other laws (Lecture 7) Flashcards

1
Q

List some laws relating to Information Security

A

Computer Misuse Act 1990

Obscene Publications Act 1964 (amending the Obscene Publications Act 1959)

Police and Criminal Evidence Act 1984 (PACE)

Privacy and Electronic Communications Regulations 2003 (PECR)

Network and Information Systems Regulations 2018 (NIS)

General Data Protection Regulation (GDPR, EU Regulation 2016/679), applicable from 25 May 2018

Data Protection Act 1998 and Data Protection Act 2018

2
Q

The Computer Misuse Act 1990 relates to what offences?

A

Section 1: unauthorised access to computer material

Section 2: unauthorised access with intent to commit or facilitate further offences

Section 3: unauthorised modification of computer material (since the Police and Justice Act 2006, worded as unauthorised acts with intent to impair, or recklessness as to impairing, the operation of a computer)

Section 3ZA (added by the Serious Crime Act 2015): unauthorised acts causing, or creating a significant risk of, serious damage

Section 3A: making, supplying or obtaining articles (tools) for use in computer misuse offences

3
Q

The Obscene Publications Act 1964 relates to what offences?

A

The Act strengthens the law against the publication for gain of obscene matter, and against the publication of things intended for the production of obscene matter

"Publication" includes distribution, circulation, selling, letting on hire, giving or lending, and offering for sale or for letting on hire

4
Q

What is PACE 1984

A

Police and Criminal Evidence Act 1984

Governs police powers of investigation, including arrest, detention, interrogation, entry to and search of premises, and searches of persons

Code B (one of the PACE Codes of Practice) sets out the powers to enter and search premises and to seize property found there, which is the code most relevant to seizure of computers and storage media as evidence

5
Q

What is Network and Information Systems Regulations 2018?

A

Implement the EU NIS Directive (2016/1148) in the UK. Apply to two groups of organisations: Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs)

NIS covers any incident that has an impact on the availability of a service, where the impact produces a significant disruptive effect; such incidents must be reported to the relevant competent authority without undue delay (for RDSPs, no later than 72 hours after becoming aware of it)

The ICO is the competent authority for RDSPs (OES have sector-specific competent authorities). Competent authorities can enforce NIS and issue fines of up to £17 million

6
Q

What defines a Relevant Digital Service?

A

Provide one or more of the following:

Online search engine
Online marketplace
Cloud computing service

Have their head office in the UK, or have nominated a UK representative

Are not a micro or small enterprise: businesses with fewer than 50 staff and an annual turnover and/or balance sheet below €10 million are exempt

7
Q

What is PECR 2003

A

Privacy and Electronic Communications Regulations 2003

Derived from EU law: implement European Directive 2002/58/EC, also known as the e-Privacy Directive

Complement the GDPR and set out more specific privacy rights relating to electronic communications

Specific rules on marketing calls, emails, texts and faxes; cookies and similar tracking technologies; keeping communications services secure; customer privacy with regard to traffic and location data; and itemised billing

8
Q

What is the Data Protection Act 1998, 2018

A

Designed to protect personal data held on computers or in organised (structured) paper filing systems. The 1998 Act implemented the EU Data Protection Directive 95/46/EC; the 2018 Act replaced it, supplementing the GDPR in the UK and covering processing outside the GDPR's scope, such as processing by law enforcement and the intelligence services

9
Q

What is the GDPR

A

General Data Protection Regulation (EU Regulation 2016/679), applicable from 25 May 2018

Designed to give people more control over how their personal data is used, shared and stored

Requires organisations to be more accountable and transparent about how they use someone's data

Organisations must be able to demonstrate compliance, i.e. show that the GDPR's principles are actually being implemented (the accountability principle)

10
Q

What can the ICO do using powers under DPA 2018

A

Serve information notices requiring organisations to provide specified information within a set time

Serve assessment notices allowing onsite assessments: entering premises, accessing documents and equipment, and interviewing people

Issue enforcement notices requiring an organisation to take, or stop taking, specified steps, and penalty notices (fines)

11
Q

What is a data controller?

A

An organisation that collects information about customers, suppliers, employees etc. and decides why and how it is processed

Defined (in relation to personal data) as a person who determines the purposes for which, and the manner in which, any personal data are or are to be processed

12
Q

What is a data processor?

A

An organisation that processes data for other entities but does not determine the purpose of the processing, what is collected, how it is processed or how long it is retained

Defined (in relation to personal data) as any person, other than an employee of the data controller, who processes the data on behalf of the data controller

13
Q

What are your rights as a data subject? (8)

A

The right to be informed

The right of access

The right to rectification

The right to erasure (be forgotten)

The right to restrict processing

The right to data portability

The right to object

Rights in relation to automated decision making and profiling

14
Q

Explain the Right to Be Informed

A

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR

Must provide individuals with privacy information, including the purposes for processing their personal data, the retention period, and who it will be shared with

Must be provided at the time the data is collected from the individual (or, if obtained from another source, within a reasonable period and at the latest within one month)

Must be regularly reviewed and updated if necessary. Any new use of their data must be brought to individuals' attention before that processing starts

15
Q

Explain Right of Access

A

Subject access (a subject access request, SAR)

Gives individuals the right to access and obtain a copy of their personal data, as well as supplementary information such as the purposes of processing, the recipients and the retention period

Requests can be made verbally or in writing; the controller must respond without undue delay and within one month, and the information should be disclosed securely

16
Q

Explain Right to Rectification

A

Gives individuals the right to have inaccurate personal data rectified, or completed if it is incomplete

Requests can be made verbally or in writing

This right is closely linked to the controller's obligations under the accuracy principle of the GDPR

17
Q

Explain the Right to Erasure (right to be forgotten)

A

The right to have personal data erased. Individuals can make requests verbally or in writing

The right is not absolute and only applies in certain circumstances, for example where the data is no longer necessary for the purpose it was collected for, where consent is withdrawn, where the individual objects and there is no overriding legitimate interest, or where the data has been processed unlawfully

18
Q

Explain the Right to Restrict Processing

A

Individuals have the right to request the restriction or suppression of their personal data

Not an absolute right; it only applies in certain circumstances

When processing is restricted you are permitted to store the personal data but not otherwise process it (unless the individual consents or another listed exception applies)

19
Q

Explain the Right to Data Portability

A

Allows individuals to obtain and reuse their personal data for their own purposes across different services

Allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability; the data must be supplied in a structured, commonly used and machine-readable format

Enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits

Only applies to personal data an individual has provided to a controller, where the processing is based on consent or on a contract and is carried out by automated means

20
Q

Explain the Right to Object

A

In certain circumstances individuals have the right to object to the processing of their personal data

Absolute right to stop data being used for direct marketing

Processing can continue only if there are compelling legitimate grounds that override the individual's interests, rights and freedoms, or if the processing is for the establishment, exercise or defence of legal claims

Must tell individuals about the right to object, explicitly and at the latest at the time of the first communication with them

21
Q

Explain Rights in Relation to Automated Decision Making and Profiling

A

Provides safeguards for individuals against the risk that a potentially damaging decision is taken by solely automated means (without human intervention)

Unless the decision is required or authorised by law

A 'qualifying significant decision' (Data Protection Act 2018) is a decision that produces legal effects concerning an individual, or similarly significantly affects them, and is required or authorised by law

Must ensure that individuals are able to obtain human intervention, express their point of view, obtain an explanation of the decision and challenge it

22
Q

List specific requirements Article 5 of GDPR sets out about how data controllers should collect, process and manage data

A

Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency)

Collected for specified, explicit and legitimate purposes (purpose limitation)

Adequate, relevant and limited to what is necessary for the processing purposes (data minimisation)

Accurate and, where necessary, kept up to date (accuracy)

Kept in a form which permits identification of data subjects for no longer than is necessary for the processing purposes (storage limitation)

Processed in a manner that ensures appropriate security of the personal data (integrity and confidentiality)

Article 5(2) adds that the controller is responsible for, and must be able to demonstrate, compliance with these principles (accountability)

23
Q

What is the 3 part test in GDPR?

A

The three-part test is the legitimate interests assessment (LIA) used to justify processing under the legitimate interests lawful basis (Article 6(1)(f)):

Purpose test: is there a legitimate interest behind the processing?

Necessity test: is the processing necessary for that purpose?

Balancing test: is the legitimate interest overridden by the individual's interests, rights or freedoms?