The Data Protection Act Flashcards
What does the DPA do?
It limits the data held by individual organisations to only that which they need. It stops them holding excessive quantities of data on individuals that they don’t need.
Describe personal data.
Any data which relates to a living, identifiable individual.
Describe data. (DPA)
Anything that is held which can be said to be part of a record. This covers both manual and computer data. If you store data on people, such as their health or educational records, whether it is on paper or on a computer, it is data.
Describe processing. (DPA)
Obtaining, recording or holding the information or data. It also covers any operation performed on it.
What are some operations when processing data? (DPA)
Operations include organising, changing retrieving it or using it in some way. This also includes disclosing it or destroying it.
What is the data subject?
The data subject is the living identifiable human being about whom the data is being held.
What is the data controller?
This is the individual in the company who is responsible for making sure that all the provisions of the DPA are being complied with.
What is the data processor?
This is any person (other than an employee of the data controller) who processes the data on behalf of the data controller. Big companies hire third party companies to process their data for them.
Describe the recipient.
These are individuals who are given the data in order to do some form of processing on it. They are usually employees of the data controller or are data processors.
What is a third party?
This is the person who receives the data for processing. A company may need to pass on its data to certain people in order to do its job, for example schools give references and information to the government.
What is an information commissioner?
This is the individual who is responsible for ensuring that the DPA is being adhered to, by giving advice, running training sessions and investigating complaints.
What is the right to subject access?
You are allowed to see what information is being held on you by a company. You need to write to the data controller and request a copy (and pay an administrative charge). The company then have to provide the information within a reasonable amount of time from receiving the request.
What is the right to prevent processing likely to cause damage or distress?
If the processing of the data is going to cause you damage or distress, you can ask the company to stop. The level of it needs to be quite high, if the company doesn’t think it is causing damage or stress it is up to the courts to decide.
What is the right to prevent processing for the purposes of direct marketing?
Direct marketing is mail that is sent to you advertising goods and services. You can request that is is stopped.
What are the rights in relation to automated decision making?
Some decisions are taken by a computer. Credit checks are an example. Points are awarded for things such as time in work, owning your own home and based on the amount of points you get, a decision is made as to whether you get a credit card. You can request for a person to make the decision instead of a computer.
What is the right to compensation if damage and distress if suffered by the act being contravened?
If you can prove that the data controller did not follow the requirements of the act meaning you suffered both damage and distress, you are entitled to compensation.
What is the right to rectify, block or erase incorrect data?
If the held data is wrong, you can get it changed.
Here are some possible reasons for exemption from the DPA:
National security, crime and taxation (you can’t see your records), health, education and social work (if giving the subject access will cause them harm), domestic purposes (data held on your own computer, such as a mailing list for Christmas cards).
Personal data shall be processed fairly and lawfully:
This means that there should be consent for the processing to occur.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes:
When a company wants to collect and hold personal data, it must let the information commissioner know what it is going to hold and what it is going to do with it.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed:
They can’t hold more information than necessary. It must all be relevant.
Personal data shall be accurate and, where necessary, kept up to date:
The company must endeavour to ensure that it only has accurate information on you. This may entail them sending out the information they hold for you to check. If they find any inaccurate information, they must correct it.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes:
You can’t hold data forever. Eventually it will no longer meet the purpose.
Personal data shall be processed in accordance with the rights of data subjects under this act:
The data subject has certain rights. These include access to the data, the right to correct data if is wrong, the right to compensation if the processing has caused damage and distress and the right to prevent processing from causing damage and distress.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, or destruction of, or damage to, personal data:
The company must ensure that there is sufficient security in place to prevent the data being deleted or being stolen. Back ups should be taken to restore deleted data.
Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data:
This is to ensure that data is only given to companies in other countries where there is a similar law to the UK’s DPA.
What is the Computer Misuse Act (1990)?
It was introduced to protect data held by companies from hackers.
What are the four main provisions of the computer misuse act?
Unauthorised access to computer material, unauthorised access with intent to commit or facilitate the commission of further offences, unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer AND making, supplying or obtaining articles for use in computer misuse offences.
CMA: Unauthorised access to computer material:
This covers entering a computer system without permission by guessing or discovering an individual’s password. This is hacking.
CMA:Unauthorised access with intent to commit or facilitate the commission of further offences:
This is in addition to entering the computer system. This could be to gain access to a suer account and use it to transmit illegal material.
CMA: Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer:
This is making changes to the contents of a computer or denying access to the computer through Denial of Service attacks.
CMA: Making, supplying or obtaining articles for use in computer misuse offences:
This involves malicious scripts or software that will modify the original code.
What are the benefits of the Computer Misuse Act?
Until the introduction of the CMA, theft of electricity was the only crime a hacker could be charged with. The Act allows companies a legal recourse if their security has been compromised.
What are the problems of the Computer Misuse Act?
Accidental intrusion is not a crime. You have to be able to prove who was responsible.
What is the Copyright, Design and Patents act (1988)?
Among many items, the act makes it illegal to steal or create unauthorised copies of software. It also covers manuals, books, CDs and music.
What are the benefits of the copyright, designs and patents act (1988)?
A lot of time and effort goes in to the production of software, books and music. The people who put in that effort deserve to be rewarded with royalties. This ensures that happens.
What are problems with the copyright, designs and patents act (1988)?
When you buy software, you are merely buying a licence to use it. You can get site and network licences so it can go on lots of computers.
