Tutorial 8

Question 1

what is the DPA 2018?

Answer 1

data protection act 2018

legislation enforced by the information commissioner’s office (ICO) to protect personal data processing and data stored on computers, digital media etc.

Question 2

what does the DPA 2018 define?

Answer 2

defines how organisations, businesses and governments use personal data

Question 3

anonymisation = ?

Answer 3

the process of rendering data into a form which doesn’t identify individuals

Question 4

consent = ?

Answer 4

freely given, specific, informed and unambiguous indication of the subject’s wishes to agree to the processing of their personal data

Question 5

data breach = ?

Answer 5

a breach of security leading to the accidental/unlawful destruction/loss/misuse of data

Question 6

data controller = ?

Answer 6

natural or legal person which determines the purposes of the processing of personal data

Question 7

data processor = ?

Answer 7

a natural or legal person which processes personal data on behalf of the controller

Question 8

data protection impact assessment (DPIA) = ?

Answer 8

a method of identifying and addressing privacy risks in compliance with data protection laws

Question 9

data protection officer (DPO) = ?

Answer 9

a role within an organisation responsible for enabling compliance with data protection legislation

Question 10

data sharing agreement = ?

Answer 10

legal contract outlining the information that parties agree to share

Question 11

data subject = ?

Answer 11

any living individual who is the subject of personal data held by an organisation

Question 12

employee = ?

Answer 12

a full time or part time paid officer of an organisation

Question 13

filing system = ?

Answer 13

a structured set of personal data

Question 14

information owner = ?

Answer 14

a member of staff that has responsibility for a set of information

Question 15

personal data = ?

Answer 15

information relating to an identifiable natural person

Question 16

processing = ?

Answer 16

operations which is performed on personal data

(e.g., collection, recording, structuring, organisation, storage etc.)

Question 17

profiling = ?

Answer 17

any form of automated processing of personal data intended to evaluate certain aspects relating to personal data of a natural person

Question 18

restricted = ?

Answer 18

a classification of information which (if disclosed to unauthorised recipients) could have a negative impact on the rights of the individuals

Question 19

third party = ?

Answer 19

natural or legal person other than the data subject, controller or processor

Question 20

what are the principles of the DPA 2018?

Answer 20

• lawfulness, fairness & transparency
• purpose limitation
• data minimisation
• accuracy
• storage
• security
• accountability

Question 21

lawfulness, fairness & transparency principle of DPA 2018?

Answer 21

organisations & controllers must be transparent when seeking individuals for data collection

Question 22

purpose limitation principle of DPA 2018?

Answer 22

specifies that personal data must be used for the specific purpose for which the data subjects gave consent

Question 23

data minimisation principle of DPA 2018?

Answer 23

collect only the necessary and relevant data - nothing more

Question 24

accuracy principle of DPA 2018?

Answer 24

controllers must verify that the data they process & collect is accurate - not misleading

Question 25

storage principle of DPA 2018?

Answer 25

controllers shouldn’t store personal data for longer than necessary

Question 26

security principle of DPA 2018?

Answer 26

organisations & controllers must ensure personal data is securely kept

Question 27

accountability principle of DPA 2018?

Answer 27

every organisation that stores or processes personal data must comply with regulatory obligations

Question 28

GDPR?

Answer 28

general data protection regulation

encompasses the processing of personal data wholly or partly by automated means

Question 29

since the UK left EU, what happened to GDPR?

Answer 29

the UK now has its own version of the GDPR called UK-GDPR

same as normal GDPR but its complemented by the DPA 2018 which provides UK specific details

Question 30

under the GDPR rights, what are the two categories of data?

Answer 30

personal data

sensitive personal data

Question 31

personal data = ?

Answer 31

information that helps identify the person related to some degree of accuracy

Question 32

what happens if sensitive personal information is disclosed?

Answer 32

in contrast to GDPR breach, if disclosed or misused, disclosure of sensitive personal information can result in data theft or identity fraud

sensitive personal information needs an extra layer of security controls (e.g., encrypted, password-protected etc.)

Question 33

examples of sensitive personal data

Answer 33

biometric data (individual’s physical characteristics e.g., DNA, hand geometry, facial patterns)

health data (medical history)

genetic data (data associated with inherited characteristics)

individual data (political views, sexual orientation)

financial data (e.g., credit card details)

classified data

business-related data

web data (e.g., IP Address)

Question 34

online selling / e-commerce = ?

Answer 34

the process of selling goods/services via an internet or mobile app

Question 35

before customers place an order, what must be made clear by online traders?

Answer 35

• ‘pay now’ button
• clear delivery options
• clear costs
• language options
• VAT number
• any contingent conditions

Question 36

when must online traders confirm the contract?

Answer 36

ASAP

e.g., with an email

Question 37

after an order is placed, an e-commerce company must…

Answer 37

• confirm the contract ASAP
• provide contract copy
• deliver goods within 30 days (unless agreed otherwise)

Question 38

distance selling = ?

Answer 38

selling goods/services through digital TV, by mail or by phone/text message

Question 39

what are the rules regarding accepting returns & giving refunds?

Answer 39

consumers have a right to cancel their order for a limited time even if the goods aren’t faulty

refund must be offered if informed within 14 days of receipt

company must refund customer within 14 days

Question 40

the consumer rights act 2015?

Answer 40

outlines what rights a consumer has and what company’s obligations are as a goods/services provider in the event of a dispute

Question 41

rules regarding website by law?

Answer 41

must make reasonable adjustments to be suitable for all, including disabled users

Question 42

must every website contain a ‘website’s terms of use’

Answer 42

yes including conditions that the customer agrees to when using the company’s website

Question 43

payment card industry (PCI) compliance?

Answer 43

offering customers multiple ways to pay provides a more convenient checkout experience with less friction

online traders must ensure this is secure

e.g., security measure like payment card industry data security standard (PCI DSS)

Question 44

how often must signatures for traders be by ink in the UK?

Answer 44

rarely

normally a name at the end of an email suffices

Question 45

which documents can be signed electronically?

Answer 45

• commercial contracts
• employment contracts
• corporate resolutions
• NDA’s
• consumer transactions
• procurement

Question 46

which transactions can’t be signed electronically?

Answer 46

• wills/testamentary dispositions
• real estate
• banking
• lending
• statutory agreements
• government filings

Question 47

what are the consequences of non-compliance with a particular method of signing?

Answer 47

the document or transaction is invalid

Question 48

computer misuse act 1990?

Answer 48

protects personal data held by organisations from unauthorised access and modification

act makes the following illegal
- unauthorised access to computer material
- unauthorised access to computer materials with intent to commit a further crime
- unauthorised modification of data
- supplying anything which can be used in computer misuse offences

e.g., hacking, blackmail, viruses, computer fraud

Question 49

failure to comply with the computer misuse act leads to…

Answer 49

fines and potentially imprisonment