Cards (1061)

  • The Data Protection Act 2018 makes provision for the regulation of the processing of information relating to individuals
  • Personal data
    Any information relating to an identified or identifiable living individual
  • Identifiable living individual
    A living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual
  • Processing
    An operation or set of operations which is performed on information, or on sets of information, such as collection, recording, organisation, structuring or storage, adaptation or alteration, retrieval, consultation or use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, or restriction, erasure or destruction
  • Data subject
    The identified or identifiable living individual to whom personal data relates
  • Controller
    The person who, alone or jointly with others, determines the purposes and means of the processing of personal data
  • Processor
    A person who processes personal data on behalf of the controller
  • Filing system
    Any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis
  • The Commissioner
    The Information Commissioner
  • The data protection legislation
    The GDPR, the applied GDPR, the Data Protection Act 2018, regulations made under the Act, and regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or the Law Enforcement Directive
  • The GDPR
    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
  • The applied GDPR
    The GDPR as applied by Chapter 3 of Part 2 of the Data Protection Act 2018
  • The Law Enforcement Directive
    Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
  • The Data Protection Convention
    The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28 January 1981, as amended up to the day on which the Data Protection Act 2018 is passed
  • Part 2 of the Data Protection Act 2018 supplements the GDPR and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply
  • Part 3 of the Data Protection Act 2018 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive
  • Part 4 of the Data Protection Act 2018 makes provision about the processing of personal data by the intelligence services
  • Part 5 of the Data Protection Act 2018 makes provision about the Information Commissioner
  • Part 6 of the Data Protection Act 2018 makes provision about the enforcement of the data protection legislation
  • Part 7 of the Data Protection Act 2018 makes supplementary provision, including provision about the application of the Act to the Crown and to Parliament
  • Controller
    Where personal data is processed only for purposes and by means required by an enactment, the person on whom the obligation to process the data is imposed by the enactment is the controller
  • Public authority and public body
    Public authorities and public bodies under the law of the UK are: a public authority as defined by the Freedom of Information Act 2000, a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002, and any other authority or body specified or described by the Secretary of State in regulations. They are only considered public authorities or public bodies for the purposes of the GDPR when performing a task carried out in the public interest or in the exercise of official authority vested in them.
  • Lawfulness of processing
    Processing of personal data that is necessary for the administration of justice, the exercise of a function of either House of Parliament, the exercise of a function conferred on a person by an enactment or rule of law, the exercise of a function of the Crown, a Minister of the Crown or a government department, or an activity that supports or promotes democratic engagement is considered to be processing in the public interest or in the exercise of official authority for the purposes of the GDPR
  • Child's consent in relation to information society services
    The age of consent for a child to give valid consent for the processing of their personal data in relation to information society services is 13 years, not 16 years as stated in the GDPR. The term "information society services" does not include preventive or counselling services.
  • Special categories of personal data and criminal convictions etc data
    Processing of special categories of personal data and personal data relating to criminal convictions and offences or related security measures must meet specific conditions set out in Schedule 1 of the Data Protection Act 2018 in order to be lawful under the GDPR.
  • The Secretary of State may amend Schedule 1 of the Data Protection Act 2018 to add, vary or remove conditions and safeguards for the processing of special categories of personal data and criminal convictions etc data.
  • Regulations under this section may amend Schedule 1 and consequentially amend this section
  • Regulations under this section are subject to the affirmative resolution procedure
  • Special categories of personal data
    Circumstances in which the processing of personal data is carried out subject to the conditions and safeguards referred to in Article 9(3) of the GDPR (obligation of secrecy)
  • Circumstances in which processing of special categories of personal data is carried out subject to those conditions and safeguards
    • By or under the responsibility of a health professional or a social work professional
    • By another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law
  • References to personal data relating to criminal convictions and offences or related security measures
    Personal data relating to the alleged commission of offences by the data subject, or to proceedings for an offence committed or alleged to have been committed by the data subject, or to the disposal of such proceedings, including sentencing
  • Limits on fees that may be charged by controllers
    1. Secretary of State may by regulations specify limits
    2. Secretary of State may by regulations require controllers to produce and publish guidance about the fees
  • Regulations under this section are subject to the negative resolution procedure
  • Obligations of credit reference agencies
    • Controller's obligations under Article 15(1) to (3) of the GDPR are taken to apply only to personal data relating to the data subject's financial standing, unless the data subject has indicated a contrary intention
    • Where the controller discloses personal data, the disclosure must be accompanied by a statement informing the data subject of their rights under section 159 of the Consumer Credit Act 1974
  • Significant decision
    A decision that, in relation to a data subject, produces legal effects concerning the data subject, or similarly significantly affects the data subject
  • Qualifying significant decision
    A significant decision that is required or authorised by law, and does not fall within Article 22(2)(a) or (c) of the GDPR
  • Automated decision-making authorised by law: safeguards
    1. Controller must notify the data subject in writing that a decision has been taken based solely on automated processing
    2. Data subject may request the controller to reconsider the decision or take a new decision not based solely on automated processing
    3. Controller must consider the request, comply with it, and inform the data subject of the steps taken and the outcome
  • The Secretary of State may by regulations make further provision to provide suitable measures to safeguard a data subject's rights, freedoms and legitimate interests in connection with the taking of qualifying significant decisions based solely on automated processing
  • Regulations under subsection (7) may amend this section, and are subject to the affirmative resolution procedure
  • Schedules that make provision for exemptions from, and restrictions and adaptations of the application of, rules of the GDPR
    • Schedule 2
    • Schedule 3
    • Schedule 4