QACGDPR Practitioner

Cards (252)

  • Data Subjects
    • The person whom the data is about
    • Personal data is that which can identify, either directly or indirectly, a living individual
    • If data can be combined with other sources, it must be considered personal data, even if the individual cannot be directly identified by that data alone
  • Data Controller
    • A person, public authority, agency or body who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed
    • There can be multiple data controllers for a set of data, e.g. councils and police using town centre CCTV systems
    • Currently, the liability for breaches of personal data lies with the data controllers
  • Data Processor
    • Any person (other than an employee of the data controller) who processes the data on behalf of the data controller
    • If a data controller contracts in another company to process their personal data, the other company is a data processor
    • Employees of the data controller who process personal data are not considered data processors but data controllers in their own right
    • A data processor cannot be a data controller for the same set of data, but they can be data controllers in their own right for other data sets
  • Data Processing
    • Storing, handling, processing of any kind of personal data
    • Both data controllers and data processors process data
  • The EU Data Protection Directive (1995) was implemented as the DPA in 1998
  • The EU GDPR retains the eight principles of data protection from the DPA 1998 and extends and strengthens them
  • Changes from DPA 1998 to GDPR
    • Six principles along with accountability requirements defined
    • Principles 6 and 8 of DPA 1998 (data subjects rights and data transfers) remain but separated and expanded
  • The driver for the changes to GDPR was to allow data subjects much more control over their own personal data and organisations must ensure systems facilitate this
  • The GDPR was introduced to standardise the definitions and prevent the fragmentation of implementation, legal uncertainty and redress the public perception that personal data is at risk, particularly when it is processed online
  • The GDPR increases data subjects' rights and redress as well as implements an enforcement regime designed to impact the largest companies who often do not adhere to privacy regulations
  • The GDPR makes it mandatory to report personal data breaches which impact data subjects within 72 hours of becoming aware of the breach
  • The GDPR simplifies the process for data subjects to complain - under the previous system, a data subject had to complain to the national authority of the country that the controller resides in
  • The European Convention on Human Rights (ECHR) is the overarching legislation which drives privacy and data protection within the EU and therefore what supports the UK GDPR
  • Absolute rights
    • Rights which the State cannot interfere with, such as the right to life, the right not to be enslaved, the right not to be tortured
  • Qualified rights
    • Rights where there is a recognition that the State has to breach that right at times, such as the right to liberty of the person and the right to privacy
  • Any infringement of qualified rights must be necessary, proportionate, appropriate, and justified
  • The Regulation of Investigatory Powers Act (RIPA) 2000 and the Investigatory Powers Act (IPA) enacted the principles of the ECHR
  • The UK Government originally introduced the Human Rights Act (HRA) and the European Commission introduced the EU General Data Protection Regulation (GDPR)
  • The 'UK GDPR' sits alongside an amended version of the DPA 2018
  • The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBPR) apply to all organisations that may monitor the electronic communications of their employees
  • The LBPR was published at the same time as RIPA, and it applies to all organisations that may monitor the electronic communications of their employees
  • RIPA was replaced with the Investigatory Powers Act (IPA) at the end of November 2016
    • Referred to by privacy campaigners as the 'Snoopers' Charter', it permits the agencies to hack into devices, obtain data from overseas, and gives a multitude of government agencies rights to browsing data
  • ISPs are now required to retain browsing data for one year
  • UK legislative framework
    • European Convention on Human Rights (ECHR)
    • EU Directive 2002/58/EC e-Privacy directive
    • EU General Data Protection Regulation (GDPR) 2016
    • UK Human Rights Act (HRA) 1998
    • EU Directive 2009/136/EC e-Privacy directive (Cookie law)
    • UK Data Protection Act (DPA) 2018
    • UK Privacy and Electronic Communications Regulations (PECR)
    • UK PECR Amendment 2012 (Cookie Law)
    • UK Regulation of Investigatory Powers Act (RIPA) 2000
      • Replaced by Investigatory Powers Act (IPA) 2016
    • Lawful Business Practice Regulations (LBPR) 2000
    • Employment Practices Code
    • Protection of Freedoms Act (PoFA) 2012
  • What an organisation can monitor, how it monitors and what it has to tell its network users is set out in the ICO's Employment Practices Code (EPC) issued in 2011
  • The Information Commissioner's Office (ICO) has confirmed that it is in the process of updating its Employment Practices Code by developing new 'employer-focused guidance', in light of concerns about digital surveillance of employees
  • The current code is a statutory code and sets out for organisations best practice with regard to monitoring to ensure that they remain compliant with privacy legislation
  • The Surveillance Camera Commissioner (SCC) and the Information Commissioner's Office (ICO) have worked together to update the SCC DPIA template, which is specific to surveillance systems
  • The Protection of Freedoms Act was implemented following a raft of Criminal Justice legislation. The Act set out requirements for the retention, destruction and use of personal data such as DNA, fingerprints, etc. It set out the requirement for the Secretary of State to ensure codes of practice were issued for CCTV and ANPR systems. This act also redefined the ICO's role which is superseded by the GDPR supervisory authority articles
  • The Privacy and Electronic Communications directive, 2002/58/EC, sets out the law with regard to how organisations can conduct direct, unsolicited marketing to people by phone, email, text or fax as well as imposing obligations on telecommunications companies with regard to privacy and transmission of personal data
  • This is implemented in the UK as the Privacy and Electronic Communications Regulations (PECR) in 2011, and is usually referred to as the 'Cookie law'
  • The aim of the directive was to address the privacy issues of third-party tracking cookies, where profiling can be employed without a data subject's knowledge or consent
  • The implementation of this has been problematic and many sites still default to using an implicit consent where continued use of the site indicates agreement with the cookie privacy policy whether that is read or not
  • The law has not stopped tracking by third parties: in 2015 Facebook lost a case before the European Court of Justice (EUCJ) where they were proven to be tracking people who did not have a Facebook account
  • The privacy directives, particularly the cookie law, have been under review in light of GDPR to bring them in line with the principles set out in the new legislation
  • The Privacy and Electronic Communications Regulations (PECR) are the ICO's implementation of the EU e-Privacy directive on privacy and electronic communications
  • The GDPR is retained in domestic law now that the Brexit transition period has ended, but the UK has the independence to keep the framework under review
  • The 'UK GDPR' sits alongside an amended version of the DPA 2018. The government has published a 'Keeling Schedule' for the UK GDPR, which shows the amendments
  • The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA
  • The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to: offering goods or services to individuals in the UK; or monitoring the behaviour of individuals taking place in the UK