Learning Objective 3 - Chapter 4 (3 marks) Flashcards
what is corporate governance?
A system by which an organisation is directed and controlled; the process where company objectives are established, achieved and monitored.
CG is also concerned with the relationships between the board, management, shareholders and other relevant stakeholders within a legal and regulatory framework
what are the two most important parts of good corporate governance?
Transparency and accountability
what is a corporate governance framework?
This comprises the rules and practices through which a board of directors ensures accountability, fairness, and transparency in a company's relationship with its stakeholders.
what are the four levels at which the Corporate Governance framework in the UK operates?
- Through Legislation - The Companies act 2006
- Through Regulation - In particular for companies listed on the London Stock Exchange, through the Listing Rules, which are the responsibility of the FCA
- Through reporting; via the UK corporate governance code, which is the responsibility of the Financial Reporting council.
- For all companies not listed on the LSE, adopting equivalent approaches to corporate governance to those that are listed, as the UK CG code is considered to represent best practice standards of supervision and management by directors and stakeholders
what was the first full UK corporate governance code?
The Cadbury Report, published in 1992.
The initiative to form a committee (under the chairmanship of Sir Adrian Cadbury) in order to publish a code of practice followed several high profile corporate failures
what was the corporate governance code formerly known as?
The combined code
What is the FRC and what is its mission?
The Financial Reporting Council
The FRC's mission is to promote transparency and integrity within business; it sets the UK corporate governance and stewardship codes and UK standards for accounting and actuarial work.
what is the most up to date corporate governance code and when did it come into play?
The 2018 CG code, which came into play 01 Jan 2019, replacing the 2016 code.
what were the 5 main sections of the 2016 code?
- Leadership
- effectiveness
- accountability
- remuneration
- relations with shareholders
what are the 5 main sections of the 2018 code?
- Board leadership and company purpose
- Division of responsibilities
- Composition, succession and evaluation
- Audit, risk and internal control
- Remuneration
what does the ‘Board leadership and company purpose’ section of the 2018 Corporate Governance code entail?
- the principle that a successful company will be led by an effective board, promoting long term sustainable success and generating value for shareholders
- All directors must act with integrity, lead by example and contribute to wider society
- the board should ensure that there is a framework in place which allows for risk to be assessed and managed
what does the ‘Division of responsibilities’ section of the 2018 Corporate Governance code entail?
- The chair will lead the board and is responsible for its overall effectiveness in directing the company.
- The board should include an appropriate combination of executive and non-executive (and, in particular, independent non-executive) directors, such that no one individual or small group of individuals dominates the board's decision-making.
- The board, supported by the company secretary, should ensure that it has the policies, processes, information, time and resources it needs in order to function effectively and efficiently
what does the ‘Composition, succession and evaluation’ section of the 2018 Corporate Governance code entail?
- appointments to the board should be formal, thorough and transparent and an effective succession plan should be maintained for board and senior management.
- The board should have a combination of skills, experience and knowledge.
- Annual evaluation of the board should consider its composition, diversity and how effectively members work together to achieve objectives. Individual evaluation should demonstrate whether each director continues to contribute effectively
what does the ‘Audit, risk and internal control’ section of the 2018 Corporate Governance code entail?
- The board should establish formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit functions.
- the board should establish procedures to manage risk, oversee the internal control framework and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long term strategic objectives.
what does the ‘Remuneration’ section of the 2018 Corporate Governance code entail?
- Remuneration policies and practices should be designed to support strategy and promote long term sustainable success. Executive remuneration should be aligned to the company's purpose and values, and linked to the company's long term strategy.
- A formal and transparent procedure should be developed on executive remuneration. No director should be involved in deciding their own remuneration outcome.
what 4 things should companies do in terms of going concern, risk management and internal control according to the CG code 2018?
- Identify any material uncertainties in their ability to continue trading as a going concern
- assess their principal risks and explain how they are being managed
- state whether they are able to continue in operation and meet their liabilities
- monitor their risk management and internal control systems at least annually.
is compliance with the Corporate Governance Code a legal requirement?
It is not a legal requirement; however, it is part of the Stock Exchange Listing Rules, i.e. companies are required to state in their annual report that they are in compliance with the code, or if not fully compliant, to detail (explain) where they are not compliant and why.
what is the Turnbull guidance?
Set up under the chairmanship of Nigel Turnbull, it set out best practice on internal control for UK listed companies, and assisted them in applying the section of the UK CGC that dealt with internal control.
When was the Turnbull guidance published?
1999 originally; updated versions were then issued by the FCA in 2005 and 2009, with the latest being 2014
What were the key changes to the 2014 issue of the ‘Turnbull guidance’?
The Turnbull guidance was republished and called ‘Guidance on Risk Management, Internal Control, and Related Financial and Business Reporting’ (the ‘Risk Guidance’). It applies to listed companies for accounting periods beginning on or after 01 October 2014.
what are the legal requirements for compliance to the Corporate Governance Code?
UK companies are not legally required to comply with the CGC; however, if the firm is listed on the London Stock Exchange, then compliance (or a reason as to why they are not compliant) is required under the Listing Rules.
what is the stance on CGC for mutual companies?
They have no legal obligation to comply, as with any UK company. However, under The Association of Financial Mutuals (AFM), they have their own version of the code which adapts the requirements to the particular needs of mutual companies.
i.e. this includes guidance around the role of shareholders (adapting this to members) and the appointment of directors that have specific experience of the interests of members. A good example of this is the Met Police Friendly Society, where certain non-exec directors are retired police officers.
what were the main intentions of the 2018 publication of the revised Guidance on Audit Committees by the FCA?
This was intended to stimulate thinking on how boards can carry out their role most effectively and is designed to help boards with their actions and decisions when reporting on the application of the code's principles.
The key areas addressed:
1. Making sure best practice is followed: the audit committee's arrangements need to be proportionate to the task, and will vary according to the size, complexity etc.
2. The audit committee has a particular role, acting independently from the executive, to ensure that the interests of the shareholders are properly protected in relation to financial reporting and internal control, while directors have a duty to act in the interests of the company. If there is any dispute between the board and the audit committee, this is to be resolved at board level
3. The guidance contains recommendations about the conduct of the audit committee's relationship with the board, exec management and internal and external auditors.
4. Management is under an obligation to ensure the audit committee is kept properly informed.
what are the 7 main roles and responsibilities of the audit committee?
- Monitoring the integrity of the company's financial statements
- Reviewing the company's internal financial records
- Monitoring and reviewing the effectiveness of the company's internal audit function
- Making recommendations to the board regarding appointment of the ext auditor and approving remuneration and terms for the engagement of the ext auditor
- Reviewing and monitoring the ext auditor's independence and objectivity in the audit process
- Developing and implementing policy on the engagement of an ext auditor
- Reporting to the board, identifying any matters where it considers that action or improvement is needed
when did the FRC publish the Guidance on Board Effectiveness?
2018
What does the Guidance on Board Effectiveness, as published by the FRC in 2018, relate to?
Primarily, sections A & B of the CGC on leadership and effectiveness of the board
Who developed the Guidance on Board Effectiveness after the FRC published it in 2018, and what were the main topics dealt with?
The Institute of Chartered Secretaries and Administrators (ICSA).
The main topics:
- Board leadership and company purpose
- Division of responsibilities
- Audit, Risk, and internal control
- Remuneration
what is Germany's version of the UK CGC?
The Deutscher Corporate Governance Kodex
What is the Australian version of the UK CGC?
The Corporate Governance Principles and Recommendations
What is the South East Asian CGC version?
South East Asia Corporate Governance Initiative - launched in 2014
What is the USA approach to CGC?
The USA takes a different approach. Companies with a listing on a stock exchange in the USA are required to comply with the requirements of the Sarbanes-Oxley Act 2002 (SOX). Therefore this legislation is relevant for many UK companies that have a US stock exchange share listing.
The results of the SOX legislation continue to receive mixed reviews, although a 2017 study published by the American Accounting Association provides evidence that the requirements SOX set for financial reporting and public audits have, in fact, served as an extremely effective warning process in detecting corporate fraud.
what other countries have adopted a SOX type law?
Japan, Germany, France, Italy, Australia, Israel, India, South Africa and Turkey
in terms of company law, what is the difference for publicly listed companies?
They have to abide not only by standard company law, as all companies do, but also by the ‘Listing Rules’, which effectively have the force of law.
What do the listing rules dictate?
The contents of the prospectus for a company seeking a listing for the first time.
There is an ongoing obligation to disclose sensitive information, and to communicate on new share offers, rights issues, and potential or actual takeover bids for the company.
The Listing Rules require quoted companies to produce half yearly financial reports as well as annual reports.
what is the process called when a company seeks a listing for the first time?
An Initial Public Offering ‘IPO’
What do all public companies and the London Stock Exchange have in common?
They are both required to abide by the Listing Rules.
what is the main legislation currently covering limited companies in the UK?
The Companies Act 2006
What does the Companies Act 2006 include regulation affecting?
- Company formation
- Statutory reporting
- Company meetings
- Responsibilities of company directors and officers
what does Companies House do?
Keeps a public record of companies registered in the UK
What are the three statutory functions performed by Companies House?
- Incorporate and dissolve limited companies
- Examine and store company information under the Companies Act and related legislation
- Make this available to the public
who is responsible for making sure information about the company & its accounts is sent to Companies House?
The company director has a personal responsibility to do this.
what must a company do before it can enter into any contracts or undertake any business?
Register with Companies House, as without registration it has no legal existence.
if a company wants to issue shares, what must it do?
It must register as a public company and comply with certain additional rules, such as having allotted share capital of at least £50,000
what do the registration documents set out?
1 - the company's name
2 - whether the company is public or private
3 - whether the liability of the members of the company is limited and, if so, whether this is by shares or by guarantee. If the company is to be limited by shares, the document must also include a statement of capital and the initial shareholdings.
4 - the situation of the company's registered office (in the UK)
5 - the statement of the proposed officers
6 - the proposed articles of association
what are the two types of documents that companies are legally required to submit to Companies House as part of statutory requirements?
- Confirmation statement
- Reports and accounts
what is a confirmation statement?
This is essentially an information document, including the company's registered address, the principal business activities, information about the company's directors, company secretary (where applicable), shareholders and the company's share capital.
how often must a confirmation statement be issued to Companies House?
At least once every 12 months. The company has 28 days from the date to which the return is made up to do this. The return is a summary of the company's details to a particular date, being the ‘made up date’
the latest date that it may be made up is the anniversary of the previous return
what does the Companies Act say about the retaining of accounting records?
The Companies Act requires that every company must keep accounting records which are sufficient to show the company's transactions, i.e. to:
- disclose with reasonable accuracy & at any time, the financial position of the company at that time
- enable the directors to ensure that any accounts required to be prepared comply with the requirements of the act
what are the accounts useful for?
Investors and other stakeholders who want to know the condition of the company in which they have invested their capital and to assess the performance of the directors.
Creditors, to obtain reassurance that their debts will be paid or alert them to any possibility that it may not be paid
By law, what must the accounts show in terms of view?
They must show a true and fair view.
what is there to aid companies to give a true and fair view of their economic position?
To aid this process, companies are required to comply with accounting standards when preparing their consolidated accounts;
companies listed on the London Stock Exchange have to follow International Financial Reporting Standards
For most companies, what 3 things will the annual accounts include?
- Income statement (profit and loss account)
- A balance sheet signed by a director
- A directors' report signed by a director or the company secretary.
what is the set of required documents (income statement, balance sheet and directors report) when grouped together, called?
The annual report and financial statements
what is a directors' report and when is it required?
This is a report that should include a fair view of the company's business and a description of the principal risks and uncertainties facing the company.
The CA 2006 requires it to include a business review, unless the company is subject to the small companies regime.
what 5 things must the business review include if it is a quoted company?
- The main trends and factors likely to affect the future development, performance and position of the company’s business
- info about:
  - environmental matters
  - the company's employees
  - social and community issues
- info about persons with whom the company has contractual or other arrangements which are essential to the business.
what is a directors' remuneration report?
This has to be submitted by the directors of a quoted company.
- It must be approved by the board of directors and signed by a director or the secretary of the company.
- It must include a detailed summary of any performance conditions for share options & long term incentive schemes and why these were chosen.
- It must include details of directors' service contracts, salaries, fees, bonuses, share options, long term incentive schemes, pensions, retirement benefits, compensation for past directors & sums paid to third parties for directors' services.
what is the main influence on directors' reports?
The Large & Medium-sized Companies and Groups (Accounts and Reports) (Amendment) Regulations 2013 - issued by the Association of British Insurers (ABI)
what is a chairman’s statement?
This is usually included in the annual report & is normally a broad statement about the company's activities attributed to the company's chairman. This is not required by the Companies Act.
are there any obligations on auditors regarding chairman's or directors' statements/reports?
External auditors are not required to judge whether the content of either the directors' or chairman's reports is true and fair. However, they would be obliged to report to the shareholders any inconsistency that arose between these statements and the rest of the annual report
what are the rules around the submission of annual accounts?
There are special rules for small & medium companies; however, all companies have to keep accounting records and all limited companies have to submit these to Companies House.
Quoted companies must ensure that their report and accounts are available on their website.
in what time frame do companies have to submit their accounts?
Private companies must file within 9 months of the year end and public companies have to submit theirs within 6 months.
do all companies need a company secretary?
All public companies have to have a company secretary, as required by the Companies Act 2006.
What does the CA 2006 impose on companies regarding a company secretary?
The Companies Act 2006 requires all public companies to have a company secretary, although a private company need not have one.
The 2006 Act imposes a duty on the directors of companies to:
take all reasonable steps to secure that the secretary…of the company is a person who appears to them to have the requisite knowledge and experience to discharge the functions of secretary of the company
what are the key roles of a company secretary?
- guiding the chairman and board on their responsibilities under the rules and regs
- supporting the chairman in ensuring the board functions efficiently and effectively
- ensuring good information flows within the board and its committees and between senior management and non-exec directors, as well as facilitating induction and assisting with professional development as required
- developing and overseeing the systems that ensure the company complies with all applicable codes, legal and statutory requirements
- overseeing day to day admin
- responsible for facilities, HR, insurance, investor relations, pensions and admin
according to the FRC's guidance on Risk Management, Internal Control and Related Financial and Business Reporting, who has the responsibility for risk management and internal control?
The board ultimately takes on this responsibility
what does the FRC guidance set out in relation to the board's responsibility for risk management and internal control?
It provides a high level overview of the factors boards should consider regarding design, implementation, monitoring and review of risk management and internal control systems
what does the FRC guidance not set out in relation to the board's responsibility for risk management and internal control?
It does not set out, in detail, the procedure by which a company designs and implements its risk management and internal control systems
who should corporate governance and effective risk management be adopted by?
all operational managers and staff within the organisation
what is the first line of defence?
The front-line staff / managers. It is the responsibility of these managers to make sure that risks are identified and controlled in keeping with the strategy and control environment
what might be in place to support operational managers in being the first line of defence?
Firms usually have a risk management team who coordinate the risk activities and act as advisors and monitors to the senior management and board. This may be made up of risk analysts, health and safety specialists, and regulatory and compliance advisors.
Who is the control of risk assigned to?
The management most closely involved with the activity.
Who will be in control of risks associated with fraudulent claims?
The head of claims
Who will be in control of risks associated with service interruptions?
The head of IT
Who will be in control of risks associated with ensuring the accuracy of accounting records?
The Finance Director
what is the second line of defence for risk management?
The risk management department, supporting operational / department managers / compliance / security
who is the third line of defence for risk management?
The internal audit team / risk and control owners
what are the four ways to ensure effective management of risks in underwriting?
- Limits of authority for individual underwriters
- second review of quotations by senior underwriters
- regular review of pricing schedules
- monitoring of aggregation (or risk accumulation) practices
what are the 3 ways that risk is managed in claims?
- All claims payments are reviewed by a second member of staff
- Claim validity checking
- Reinsurance coverage reviewed by senior management
What are three ways that risk is controlled in finance?
- Daily reconciliation between ledgers and bank accounts
- limited authorities for authorising accounts payable
- Anti-money laundering measures
What are 4 ways risk is managed in human resources?
- Reference checks for new employees
- A scheme of regular training and development for all staff
- Audit of expenses claimed
- Absence monitoring
what are 4 ways risk is managed in IT?
- Back up records on a daily basis
- Relocation contingency plans
- Anti-virus and intrusion detection software
- Data security and quality management
what are the four main facets for risk management in insurance companies?
1- Strategic
2- Insurance / underwriting and reserving
3- investment/market
4 - credit
what is considered the dominant risk amongst most organisations?
Reputation; however, this is usually not deemed a risk in its own right, but rather the result of a lack of something else, e.g. staff training
what do strategic risks refer to for an insurance firm?
e.g. takeover bids, starting new lines of business, opening branches in new locations etc.
what do insurance and reserving risks refer to?
This relates to the potential for the loss ratio to be higher than that which was assumed in the business plan, i.e. the adequacy of pricing premiums.
Reserving risk: insurers must keep funds in place to pay the claims once discussions and investigations have completed.
what is deemed as investment/market risks for insurers?
This includes losses due to a reduction in the value of investments, or returns that are below the planned level. These losses may be caused by the insurer's own investment portfolio or by a more general market-wide downturn
what is deemed a credit risk for insurers?
Credit risks are those that relate to premium payments by clients and also to reinsurance recoveries. Losses due to non-payment of premiums are likely to be minimal for personal lines because, for most lines of insurance, payment is required before cover commences, and for commercial lines, notice of cancellation will be issued if premiums are not paid within a given time frame.
Also, where an insurer makes a large claim payment there may be reinsurance protection in place. There is a credit risk that a reinsurer may become insolvent if it is not financially sound.
what is deemed an operational risk for insurers?
This essentially includes all risks that are not included in the other categories, e.g. risks of property damage to the insurer's offices and equipment, fraud by employees, breach of regulatory rules, EL claims etc.
what is classed as a group risk for insurance companies?
This includes risks that emerge when a firm is part of a wider group, e.g. the UK group may rely on the parent for solvency capital, technical support and centralised services such as actuarial and admin. If the strategy at the centre changes, the UK firm may not be able to fulfil its business aims.
what exercise might the board carry out when assessing risks and circumstances & looking at effectiveness and adequacy of controls?
A cost-benefit exercise would be carried out to assist in the decision making.
in order to bring structure and coherence to risk management activities in an organisation, what must risk managers do?
They use an established framework, or standard to guide them.
Of the standards published by various organisations over the past 20 years, which has been most widely adopted?
The UK Risk Management Standard
how / why was the UK Risk Management Standard published?
This was compiled and published as a joint venture between the Institute of Risk Management, the Association of Insurance and Risk Managers (AIRMIC) and ALARM (the Public Risk Management Association). It has since been adopted by the Federation of European Risk Management Associations (FERMA)
What is at the heart of any risk management standard?
A flow process for risk management, where each step follows on from previous work.
e.g. risk identification must be undertaken before risk estimation can take place.
What are the 6 parts of the risk management process according to the UK Risk Management Standard?
1 - The organisation creates strategic objectives
2 - Risk Assessment, Risk Analysis, Risk Evaluation
3 - Risk Reporting, threats and opportunities
4 - Decision
5 - Risk Treatment
6 - Residual Risk Reporting
7 - Monitoring
When is a formal audit usually done in the risk management process according to the UK Risk Management Standard?
Between the risk reporting and decision making stages
what is another main international risk management standard for organisations of any size?
ISO 31000 (and the associated ISO 31010 - risk identification techniques)
What does corporate governance say about the role of an audit committee?
Good CG requires that firms have an audit committee made up of two or three (two in smaller companies) non-exec directors.
If it is a small company, the chairman may be a member but cannot be the chair of the audit committee, as long as they were considered independent on appointment as chairman.
At least one member of the committee must have recent and relevant financial experience.
who answers any questions from shareholders regarding audit?
The chair of the audit committee
For financial years beginning on or after 01 January 2016, companies are required to have a full statutory audit by an external auditor if they satisfy two of these three:
- A turnover exceeding £10.2m
- Net assets exceeding £5.1m
- More than 50 employees
what kinds of companies are always subject to statutory external audits, no matter their size?
Investment firms
insurance companies
public companies
An auditor's report will state whether, in their opinion, the annual accounts…:
- give a true and fair view
- Have been prepared in accordance with the relevant financial reporting framework
- Have been prepared in accordance with the requirements of this Act (and, where applicable, Article 4 of the IAS Regulation)
what report emphasised the importance of an internal audit?
The Turnbull report - it stated that the main role of internal audit is to evaluate risk and monitor the effectiveness of the systems of internal control.
What is an alternative name for a chief internal auditor?
The Chief Audit Executive
what does the scope of an internal audit include?
Internal audits are primarily conducted to address the needs of legal / accounting requirements.
what 5 ways can internal audits assist directors with implementation of good CG?
- Maintaining good internal control by reviewing how a company identifies and manages risk
- Reviewing board reports to ensure that they present a balanced and understandable viewpoint
- Ensuring the directors are up to date with new accounting and auditing issues, e.g. international accounting standards
- Communicating with the external auditors and ensuring a unified approach to work
- Ensuring that the board receives the correct communications and info required from ext auditors
what is the primary focus of compliance work?
To ensure that processes and activities carried out in the firm are in compliance with established operational procedures and meet the requirements of the regulator
how must data be maintained?
In a way that can be readily accessed by the appropriate staff. Pricing actuaries and underwriting staff will use the data as input to their risk prediction software, so it is important that any changes in the way data is collected or stored are known to the actuaries and UWs.
when is being able to affirm the accuracy of data important?
When providing reports and analysis to senior management, e.g. when deciding whether to enter or continue a class of business.
Who imposes a requirement on accurate record keeping?
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018)
what does data quality and accuracy refer to?
The challenge of ensuring that data is reliable and complete
when is a data cleanse needed?
Sometimes data is collected on an inconsistent basis and a data cleanse will be carried out to bring each line of data into a standard format, e.g. this is common when two businesses merge which have collected data in different ways in the past
what is the biggest emerging challenge for insurers and AI (Artificial intelligence) systems?
AI is commonly used to determine acceptance and terms for insurance applications, so if there is a lack of accuracy and quality in this data, this can lead to unjust treatment of customers.
what is classed as input data in terms of AI ?
Data about a risk / individual
what is classed as output data in terms of AI?
The accuracy of decisions or predictions about a risk / individual
what needs to be done with confidential paper records?
They need to be stored in a secure, lockable cabinet or desk, and marked as private and confidential. access should be restricted to trusted individuals
what needs to be done with confidential electronic records?
These need to be restricted to trusted individuals, e.g. via password systems or encryption. Companies must guard against hacking of their databases via antivirus and firewall protection software.
in 2015, what did the ICO state the most common data security issues were?
- Data being posted or faxed to incorrect recipients
- theft / loss of paperwork
what is insider dealing / insider trading?
The misuse of confidential information by making investment decisions using information that should be confidential.
what are the consequences of insider dealing / trading?
This is a civil offence, and is defined in the Financial Services and Markets Act 2000
what does the Financial Services and Markets Act 2000 cover regarding insider trading?
That this is a civil offence.
Makes reference to the following behaviour:
- Insider dealing: when an insider deals, or tries to deal, on the basis of inside information
- Improper disclosure: where an insider improperly discloses inside information to another person
what should be done within a company to prevent confidential information from leaving the ‘insider’ group?
An ‘insider list’ should be made. This should be limited to trusted persons, and if anyone is removed from this list it should be known to all other insiders.
who does the UK GDPR relate to as of Jan 2021?
It applies to controllers and processors in the UK.
Prior to Jan 2021, which regulations applied in the UK relating to GDPR?
The European Union GDPR.
what is classed as sensitive personal data?
- Race
- Ethnic origin
- politics
- trade union membership
- genetics
- religion
- biometrics (where used for ID purposes)
- health
- sex life; or
- sexual orientation
what is the most significant addition in the Jan 2021 UK GDPR regs compared to the European Union GDPR?
The emphasis on accountability: the UK GDPR requires firms to show how they comply with the principles, e.g. by documenting the decisions they take about processing activity.
what 6 data protection principles apply under the UK GDPR?
1 - Lawfulness, fairness, transparency - data should be processed lawfully
2 - Purpose limitation - data should be collected for a specified, explicit reason
3 - Data minimisation - should be adequate, relevant and limited to what is necessary
4 - Accuracy
5 - Storage limitation - kept in a form which permits identification of data subjects for no longer than necessary
6 - Integrity and confidentiality - should be processed in a manner that ensures security of the personal data
why is establishing a lawful basis important?
Firms need to identify a lawful basis before they can process personal data, and document it. This is significant because the lawful basis that is used has an effect on an individual's rights.
What are the 6 lawful bases for processing data?
1 - Consent - must be given
2 - Contract - the processing is necessary for a contract a firm has with an individual, OR because they have asked the firm to take specific steps before entering into the contract
3 - Legal obligation - the processing is necessary for the firm to comply with the law
4 - Vital interests - the processing is necessary to protect an individual's life
5 - Public tasks - processing is necessary in the public interest
6 - Legitimate interests - processing is necessary for a firm's legitimate interests, unless there is a good reason that the individual whose data is being processed can override this
what are the 8 rights of individuals under GDPR?
- Right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision making and profiling
what two good practice tools are legally required to be put into place regarding accountability?
- privacy impact assessments
- privacy by design
where are breach notifications reported to?
The ICO (Information Commissioner's Office), and in some cases the individuals that are affected
what does ICO stand for?
Information Commissioner's Office
what has been put in place to ensure that the protection of individuals afforded by the UK GDPR is not undermined?
Restrictions have been imposed on the transfer of personal data outside of the UK to third countries.
do the UK GDPR rules apply to firms operating in the EEA post-Brexit and those who send data to the UK?
Yes - these UK transfer rules largely mirror the EU GDPR rules, but the UK has the independence to keep this framework under review.
what was the main reason for implementation of the Data Protection Act 2018?
To coincide with the implementation of the EU GDPR (as this was prior to the EU GDPR) and the Law Enforcement Directive (LED)
what are the main elements of the DPA 2018 for general data processing?
- Implement GDPR standards across all general data processing
- Provide clarity on the definitions of terms used prior to Brexit, e.g. the definition of personal data
- Ensure that sensitive health, social care and education data can continue to be processed with confidentiality in mind
- Provide appropriate right-to-access restrictions - set the age of parental consent for online use to 13. This was supported by the ICO.
what is the age that parental consent for online use is no longer needed?
13
what are the main elements of the DPA 2018 for Regulation and enforcement?
- Enact additional powers for the ICO (Information Commissioner's Office), which will continue to regulate data protection
- Allow the ICO to levy higher administrative fines on data controllers and processors for breaches (up to £17.5M or 4% of annual global turnover)
- Empower the ICO to bring criminal proceedings for offences where a data controller or processor alters records with intent to prevent disclosure following a SAR (subject access request)
what is the Information Commissioner's Office (ICO)?
This is an independent government authority that oversees UK compliance with general data protection.
It upholds information rights in the public interest.
Anyone holding personal data for anything other than domestic use is legally obliged to notify the ICO unless they are exempt.
What is the ICO’s view on changes to GDPR now that the UK has left the EU?
The ICO confirmed that it is in favour of the changes introduced by GDPR and sees no need to amend the legislation now that the UK has left the EU.