Tutorial 8 Flashcards
what is the DPA 2018?
data protection act 2018
legislation enforced by the information commissioner’s office (ICO) to protect personal data processing and data stored on computers, digital media etc.
what does the DPA 2018 define?
defines how organisations, businesses and governments use personal data
anonymisation = ?
the process of rendering data into a form which doesn’t identify individuals
consent = ?
freely given, specific, informed and unambiguous indication of the subject’s wishes to agree to the processing of their personal data
data breach = ?
a breach of security leading to the accidental/unlawful destruction/loss/misuse of data
data controller = ?
natural or legal person which determines the purposes of the processing of personal data
data processor = ?
a natural or legal person which processes personal data on behalf of the controller
data protection impact assessment (DPIA) = ?
a method of identifying and addressing privacy risks in compliance with data protection laws
data protection officer (DPO) = ?
a role within an organisation responsible for enabling compliance with data protection legislation
data sharing agreement = ?
legal contract outlining the information that parties agree to share
data subject = ?
any living individual who is the subject of personal data held by an organisation
employee = ?
a full time or part time paid officer of an organisation
filing system = ?
a structured set of personal data
information owner = ?
a member of staff that has responsibility for a set of information
personal data = ?
information relating to an identifiable natural person
processing = ?
operations which are performed on personal data
(e.g., collection, recording, structuring, organisation, storage etc.)
profiling = ?
any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person
restricted = ?
a classification of information which (if disclosed to unauthorised recipients) could have a negative impact on the rights of the individuals
third party = ?
natural or legal person other than the data subject, controller or processor
what are the principles of the DPA 2018?
- lawfulness, fairness & transparency
- purpose limitation
- data minimisation
- accuracy
- storage
- security
- accountability
lawfulness, fairness & transparency principle of DPA 2018?
organisations & controllers must be transparent with individuals when collecting their data
purpose limitation principle of DPA 2018?
specifies that personal data must be used for the specific purpose for which the data subjects gave consent
data minimisation principle of DPA 2018?
collect only the necessary and relevant data - nothing more
accuracy principle of DPA 2018?
controllers must verify that the data they process & collect is accurate - not misleading
storage principle of DPA 2018?
controllers shouldn’t store personal data for longer than necessary
security principle of DPA 2018?
organisations & controllers must ensure personal data is securely kept
accountability principle of DPA 2018?
every organisation that stores or processes personal data must comply with regulatory obligations
GDPR?
general data protection regulation
encompasses the processing of personal data wholly or partly by automated means
since the UK left EU, what happened to GDPR?
the UK now has its own version of the GDPR called UK-GDPR
same as the EU GDPR but it’s complemented by the DPA 2018, which provides UK-specific details
under the GDPR rights, what are the two categories of data?
personal data
sensitive personal data
personal data = ?
information that helps identify a person to some degree of accuracy
what happens if sensitive personal information is disclosed?
in contrast to a general GDPR breach, disclosure or misuse of sensitive personal information can result in data theft or identity fraud
sensitive personal information needs an extra layer of security controls (e.g., encrypted, password-protected etc.)
examples of sensitive personal data
biometric data (an individual’s physical characteristics, e.g., DNA, hand geometry, facial patterns)
health data (medical history)
genetic data (data associated with inherited characteristics)
individual data (political views, sexual orientation)
financial data (e.g., credit card details)
classified data
business-related data
web data (e.g., IP Address)
online selling / e-commerce = ?
the process of selling goods/services via the internet or a mobile app
before customers place an order, what must be made clear by online traders?
- ‘pay now’ button
- clear delivery options
- clear costs
- language options
- VAT number
- any contingent conditions
when must online traders confirm the contract?
ASAP
e.g., with an email
after an order is placed, an e-commerce company must…
- confirm the contract ASAP
- provide contract copy
- deliver goods within 30 days (unless agreed otherwise)
distance selling = ?
selling goods/services through digital TV, by mail or by phone/text message
what are the rules regarding accepting returns & giving refunds?
consumers have a right to cancel their order for a limited time even if the goods aren’t faulty
a refund must be offered if the company is informed within 14 days of receipt
company must refund customer within 14 days
the consumer rights act 2015?
outlines what rights a consumer has and what a company’s obligations are as a goods/services provider in the event of a dispute
rules regarding websites by law?
must make reasonable adjustments to be suitable for all, including disabled users
must every website contain a ‘website’s terms of use’?
yes, including the conditions that the customer agrees to when using the company’s website
payment card industry (PCI) compliance?
offering customers multiple ways to pay provides a more convenient checkout experience with less friction
online traders must ensure this is secure
e.g., a security measure like the payment card industry data security standard (PCI DSS)
how often must signatures for traders be by ink in the UK?
rarely
normally a name at the end of an email suffices
which documents can be signed electronically?
- commercial contracts
- employment contracts
- corporate resolutions
- NDAs
- consumer transactions
- procurement
which transactions can’t be signed electronically?
- wills/testamentary dispositions
- real estate
- banking
- lending
- statutory agreements
- government filings
what are the consequences of non-compliance with a particular method of signing?
the document or transaction is invalid
computer misuse act 1990?
protects personal data held by organisations from unauthorised access and modification
the act makes the following illegal
- unauthorised access to computer material
- unauthorised access to computer materials with intent to commit a further crime
- unauthorised modification of data
- supplying anything which can be used in computer misuse offences
e.g., hacking, blackmail, viruses, computer fraud
failure to comply with the computer misuse act leads to…
fines and potentially imprisonment