Purpose of the Data Protection Act 2018
Protect individuals from misuse of info about them
Sets out data protection principles that apply to anyone who processes personal data
The Data Protection Act 2018 embodies principles/rights of...
...EU's General Data Protection Regulation (GDPR)
Data controller
Determine purpose/means of processing personal data
Delegates processing (not responsibility) to processor
Data processor
Doer
Process personal data on behalf of controller
Data subject
Identified/identifiable individual (not company) to whom personal data relates
The Act applies where personal data is held
On computer or manual files
By any organisation (irrespective of size/nature)
Personal data
Any info relating to an identifiable living person
Includes recording of facts and expression of opinion about a person
Information Commissioner
UK regulator for data protection
Has statutory powers to enforce compliance with the Act
If a data breach occurs which affects rights/freedoms of individuals, what is the protocol?
Notify Information Commissioner within 72 hours of data breach
In high risk case, must notify individuals as well
Non-compliance with Data Protection Act 2018 is a crime and may lead to the following consequences
Criminal conviction and/or
Fine up to approx £18 million (determined in EUR so depends on exchange rate)
Or 4% organisation's global turnover
Data protection principles
Lawfulness/fairness/transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity/confidentiality (security)
Principle of lawfulness/fairness/transparency
Valid grounds to hold data
Personal data must be processed fairly
Clarity regarding how data is used from the start
Principle of purpose limitation
Purpose for recording data must be recorded and made clear to data subject from start
May only obtain personal data for specified/lawful purposes
If data used for a new purpose, permission must be sought again
Principle of data minimisation
Personal data shall be adequate/relevant/not excessive in relation to its purpose
Principle of accuracy
Reasonable steps shall be taken to ensure personal data is not incorrect/misleading
Ongoing processing shall be accurate/up to date
Data which is found to be inaccurate/misleading must be corrected
Principle of storage limitation
Personal data shall not be kept for longer than is necessary for its purpose
Retention policy must be justifiable
Data should be destroyed/anonymised if no longer needed
Principle of integrity/confidentiality (security)
Appropriate security measures shall be taken in data processing
Appropriate technical/organisational measures in place to protect data
Data subjects have the right to
Be informed
Access
Rectification
Erasure
Data portability
Object
Rights in relation to automated decision-making/profiling
Exemptions from the Act
1) Employers (ERs) may process data in accordance with employment law
2) Academic institutions where data is processed for academic purposes
3) Scientific/historical research organisations where principles would impair their core activities
4) Individual rights are limited if open to abuse (to commit crimes/disrupt legal proceedings or public authorities and regulators)
Right to be informed
About collection/use of their personal data
Includes purpose/retention period/who info is shared with
Right of access
Must be completed within 1 month of written/verbal request
Typically free of charge
Right to rectification
Inaccurate info held about subjects shall be rectified
Incomplete info shall be made complete
Must be completed within 1 month of written/verbal request
Right to erasure
'Right to be forgotten'
Only applies in certain circumstances
Must receive a response within 1 month (not necessarily a yes)
Right to data portability
Obtain data they have given to a data controller and reuse it in a different service (e.g. switching banks)
Right to object
Refuse processing of their data (e.g. to avoid junk mail)
Rights in relation to automated decision-making and profiling
Where data held about them is used to make automated decisions
Or evaluation of data about them is automatic (profiling)
Strict circumstances where such processes can be used
Can a data controller be either an individual or a company?
Yes
In the event of non-compliance with the Data Protection Act 2018, which penalties may be enforced?
Fine of up to £20 million or 5% of the company's global turnover
Criminal conviction
Court order directing the forfeiture, destruction or erasing of databases
Criminal conviction only
The Information Commissioner only regulates data protection in the UK. True or false?
True
Personal data shall not be kept for longer than is agreed between the data controller and the data subject. True or false?
False - there is no concept of agreement between the parties; data shall not be held for longer than is necessary for the purpose for which it is processed
The Act only protects facts held about an individual. True or false?
False - protects opinions as well as facts about individuals
Which element of ESG does the Data Protection Act 2018 relate to?
Governance
Personal data shall not be kept unless the purpose of holding the data is recorded and made known to the data subject. True or false?
True
Is the data subject always entitled to compensation in the event that the data controller is found to have inaccurate data?
No - they may be able to claim compensation if they can show that they have suffered damage as a result of a contravention of the Act, but this is not a right granted in the Act itself
To comply with data protection principles, organisations must have a justified data retention policy. True or false?
True