Topic 24 Flashcards

1
Q

What are the six data protection principles?

A
1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4. Kept accurate and up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, although archiving is allowed in certain circumstances.
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2
Q

What is ‘data subject’?

A

an individual (a natural person) whose personal data is processed.

3
Q

What is ‘personal data’?

A

information that can directly or indirectly identify a natural person. This information can be in any format.

4
Q

What is ‘special categories of personal data’?

A

this data is more sensitive and so needs more protection. Generally (although there are exceptions) such data can only be processed if the individual has given explicit consent. Sensitive data includes information about an individual’s:

— race;
— religious beliefs;
— political persuasion;
— trade union membership;
— sexual orientation;
— health;
— biometric data;
— genetic data.

5
Q

What is ‘processing’?

A

this has a very broad meaning, covering all aspects of owning data, including:

— obtaining the data in the first place;
— recording of the data;
— organisation or alteration of the data;
— disclosure of the data, by whatever means;
— erasure or destruction of the data.

6
Q

What is a ‘data controller’?

A

this is the ‘legal’ person who determines the purposes for which data are processed and the way in which this is done. The data controller is normally an organisation/employer, such as a company, partnership or sole trader. They have prime responsibility for ensuring the requirements of the Act are carried out.

7
Q

What is a ‘data processor’?

A

this is a person who processes personal data on behalf of the data controller.

8
Q

An organisation must have a lawful basis for processing data. At least one of which bases must apply?

A

1) Consent – clear consent has been given by the individual to process their personal data for a specific purpose.

2) Contract – the processing is necessary for a contract between the organisation and the individual, or because the individual has asked for certain steps to be taken before entering into a contract.

3) Legal obligation – the processing is necessary for the organisation to comply with the law.

4) Vital interests – the processing is necessary to protect someone’s life.

5) Public task – the processing is necessary for the organisation to act in the public interest.

6) Legitimate interests – the processing is necessary for the organisation’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

9
Q

What are the main rights a ‘data subject’ has?

A

— access personal data through subject access requests (under GDPR, no charge can generally be made for this);
— correct inaccurate personal data;
— have personal data erased, in certain cases;
— object;
— move personal data from one service provider to another.

In order to demonstrate compliance with the GDPR, an organisation must:

— establish a governance structure with roles and responsibilities;
— keep a detailed record of all data processing operations;
— document data protection policies and procedures;
— carry out data protection impact assessments for high‑risk processing operations.

10
Q

What is the ‘lead authority’?

A

This will be the data processing authority (DPA) of the country where the business has its main offices.

The ‘Information Commissioner’ is the UK’s DPA.

11
Q

What are the Information Commissioner’s powers to enforce the GDPR?

A
• Serve information notices
• Issue undertakings
• Serve enforcement notices and ‘stop now’ orders where there has been a breach
• Conduct consensual assessments (audits)
• Serve assessment notices
• Issue monetary penalty notices
• Prosecute
• Issue a ban
12
Q

What are four criminal offences under the GDPR?

A

— For a data controller to fail to comply with an information or enforcement notice.

— Failure to make a proper notification to the Information Commissioner. ‘Notification’ is the way in which a data controller effectively registers with the Information Commissioner’s Office by acknowledging that personal data are being held and by specifying the purpose(s) for which the data are being held.

— Processing of data without authorisation from the Commissioner.

— Intentionally or recklessly re-identifying individuals from data that is pseudonymised – it can no longer be attributed to a specific person without the use of additional information, which is kept separately – or anonymised – it does not relate to a natural person or has been processed so the data subject cannot be identified (ICO, no date).

13
Q

What is the maximum fine for GDPR offences?

A

The maximum fine for these offences is the higher of €20m or 4 per cent of an organisation’s worldwide turnover in the EU. In the UK, the maximum penalty is the higher of £17.5m or 4 per cent of total annual worldwide turnover in the previous financial year.

14
Q

Who is responsible for the regulation of work-based pension schemes?

A

The Pensions Regulator (TPR).

15
Q

What does the Pensions Regulator (TPR) aim to do?

A

— ensure employers enrol their staff onto a work-based pension scheme (known as ‘automatic enrolment’);
— protect the benefits of a work-based pension scheme, as well as people’s savings;
— protect the benefits of personal pension schemes where there is a direct pay arrangement;
— promote good administration of work‑based schemes, as well as people’s savings;
— reduce the risk of situations arising that might lead to claims for compensation from the Pension Protection Fund (see section 24.3);
— maximise employer compliance with duties and safeguards under the Pensions Act 2008;
— minimise any adverse impact on the sustainable growth of an employer (TPR, 2022).

16
Q

TPR aims to identify and prevent potential problems; it does this by considering the combined effect of which two things?

A

— the likelihood of the event occurring; and
— the impact of the event on the scheme and its members.

17
Q

What three powers does the Pensions Regulator have?

A

— Investigating schemes
— Putting things right
— Acting against avoidance

18
Q

What is the Pension Protection Fund (PPF)?

A

Its purpose is to protect members of private sector defined‑benefit pension schemes in the event that a firm becomes insolvent with insufficient funds to maintain full benefits for all its scheme members. The PPF is also responsible for the Fraud Compensation Fund, which provides compensation to occupational pension schemes that suffer a loss as a result of dishonesty.

19
Q

How does the Pension Protection Fund (PPF) fund the compensation payments it makes?

A

— It imposes a levy on defined‑benefit schemes (there are exceptions for some schemes in certain circumstances).
— It takes on the assets of schemes that are transferred to the fund.
— It seeks recovery of assets from insolvent employers.
— It seeks to grow its funds through investment.

20
Q

What are the two main objectives of an EU single market for insurance?

A

— provide all EU citizens with access to the widest possible range of insurance products, while ensuring the highest standards of legal and financial protection; and
— enable an insurance company authorised in any of the member states to pursue its activities throughout the EU.

21
Q

What are the basic tasks of internal auditors?

A

— review how an organisation is managing its risks;
— ascertain whether appropriate controls have been established; and
— evaluate and suggest improvements to control and governance processes.

22
Q

What are the main responsibilities of a compliance officer?

A

— production and publication of a compliance manual;
— maintenance of compliance records such as the complaints register and promotions records;
— responding to and corresponding with the FCA on compliance matters;
— ensuring that staff meet FCA requirements as regards recruitment, training, supervision and selling practices.

23
Q

Who must have a compliance officer?

A

Firms that are authorised by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) are required to appoint a compliance officer to have oversight of the firm’s compliance function.