Data Protection Workshop: How the Law Affects You Practice Questions

Transcription

1 Data Protection Workshop: How the Law Affects You Practice Questions 1. Which of the following is not personal data covered by the Data Protection Act (pick one or more): A. Comments about an individual in an . B. A paper file on a named student. C. Data in the Library s database about a student s book borrowing. D. Information about a person in the minutes of a meeting. E. One of the School s HR policies. F. Data about a company which supplies us with goods and services. 2. Which of the following are sensitive personal data (pick one or more)? A. Ethnic origins. B. Nationality. C. Political views. D. Trade union membership. E. Salary/personal finances. 3. Which of the following are not rights which individuals have under the Data Protection Act? A. To prevent us from using their data for direct marketing. B. To receive a copy of data about them in permanent form. C. To inspect files about them at SOAS. D. To require us to correct, block or erase inaccurate data. E. To prevent us from processing any data about them. 4. You cannot request information about yourself under the Freedom of Information Act. True or false? 5. We can only process data with the consent of the data subject. True or false? 6. Which of the following should ideally be included in a data collection notice (pick one or more)? A. An explanation of why the data is needed, and how it will be used. B. The parts of SOAS which will use the data. C. Any third parties to whom the data will be transferred. D. How long the data will be kept. E. Who they can contact to exercise their rights. F. All of the above. 7. It s illegal to process data unless the processing is covered by our notification with the Information Commissioner. True or false? 8. Assuming that all the other Data Protection Principles have all been met, which of the following is not a valid transfer of data outside the EEA under the eighth Data Protection Principle (pick one or more)? A. The transfer is to a country approved by the EC. B. The transfer is for valid commercial reasons. C. The data subject has consented to the transfer. D. The transfer is in the legitimate interests of SOAS, and does not prejudice the rights or legitimate interests of the data subject. E. The transfer is necessary for a performing a contract with the data subject. 9. The Data Protection Act prevents us from holding duplicate copies of data. True or false? 10. You receive a telephone call from the parent of a student. They haven t heard from her for some weeks, and they think that she may have changed address without telling them. They re really concerned about her, as she usually rings every week. They ask if the School could give them her up to date address and phone number. What do you do? 18 Oct

2 11. Data subjects do not have a right of access to (pick one or more): A. Copies of job references written by SOAS and held by SOAS. B. Their examination marks. C. CCTV footage which shows them entering the School. D. Copies of job references received by SOAS. E. The grades of their co-workers in the same department. 12. If data is no longer needed for the purposes for which it was gathered, it must be destroyed. True or false? 13. If the police ask us for personal data, we are legally obliged to release it to them. True or false? 14. The School is considering commissioning a survey of its students. The survey data will be gathered and analysed by an external contractor. Certain data will need to be transferred to the survey contractor to carry out the survey (assume that it is a web based survey which will be publicised by the contractor will get students names, addresses and certain demographic information to allow the data to be analysed, e.g. by sex and nationality). Assume that two companies are in contention, one in France and the other in the US. What are the Data Protection issues that we would need to consider in order to do this legally? 15. Good records management is vital for Data Protection because (pick one or more): A. We need to be able to find data to answer requests. B. We need to make sure that personal data is not kept for longer than necessary. C. Personal data needs to be protected against unauthorised access. D. Personal data needs to be protected against accidental loss or destruction. E. We can be named and shamed by the Information Commissioner if our record keeping is poor. Peter Garrod Data Management Officer (pg7@soas.ac.uk) 18 Oct

3 Data Protection Workshop: How the Law Affects You Answers to Practice Questions Question 1 A: This is personal data. Expressions of opinion about an individual are personal data, and in addition, the data is held in electronic form. B: This is personal data (either because it is a relevant filing system, or as a result of the amendments brought in by the FoI Act). The student would have a right of access to it if they submitted a request. C: This is personal data (it relates to an individual and is in electronic form). D: This is personal data, regardless of whether the minutes are in paper or electronic form. If in paper form only, the individual would need to tell us where to look if they submitted a requests, as the minutes are unlikely to be structured by reference to individuals or criteria relating to individuals. E: This is not personal data, but there would be a right of access under the FoI Act. F: This is not personal data. Data on corporate bodies is not protected by the Data Protection Act. The Data Protection Act will apply if the supplier is an unincorporated individual (e.g. a sole trader). DPA will also cover any data which we hold about the individual employees of a supplier or contractor. Question 2 The correct answers are A, C and D. B: Nationality is not sensitive personal data, although data on an individual s ethnic or racial origins is. E: Curiously, an individual s finances are not treated as sensitive personal data! Question 3 The correct answers are: C: The Data Protection Act does not give data subjects any right to demand on-site access to their data (although we can agree to make the data available in this way if we wish to). E: Individuals can serve us with a section 10 notice, but we do not have to accept it if we think that the notice is unjustified (e.g. the processing is unlikely to cause them substantial damage or substantial distress ), or if an exemption from the section 10 right applies (e.g. the processing is necessary for performing a contract with the data subject). Question 4 True. Information about the person making a request is exempt under section 40(1) of the Freedom of Information Act. People who submit FoI requests for data about themselves will be asked to re-submit their requests as Data Protection requests. Question 5 False. While consent is usually desirable, it s not absolutely essential there are many situations where processing without consent is fair and lawful, although we do have a general obligation to inform individuals (as far as is practicable) how their data will be processed, when we gather the data. Question 6 The correct answer is F. In practical terms, A, C and E are really essential; the others are desirable. The collection notice should also state that by completing the form, the data subject consents to the purposes described in the notice. Question 7 True, as far as processing which we are required to notify is concerned. We are not required to notify the processing of paper format data. Certain types of processing which virtually all organisations carry out (such as staff administration or keeping accounts) are also exempt from the requirement to notify, although you can notify voluntarily. Question 8 The correct answers are B and D. 18 Oct

4 B: Valid commercial reasons is not sufficient grounds for transferring personal data outside the EEA, and is also not sufficient for the transfer (as a form of processing) to be fair and lawful under the First Data Protection Principle. D: This is valid grounds for processing non-sensitive personal data under the First Data Protection Principle, but it does not satisfy the requirements of the Eighth Data Protection Principle. Question 9 False. However, unnecessary duplication will make it more difficult to meet the requirements of the DPA, as each copy has to be managed in accordance with the DPA. Central management of data is more efficient and is to be preferred. Question 10 You should definitely not release the data over the telephone you have no way of knowing that the caller is genuine, and students can choose not to have any contact with parents or other relatives (even if they re being supported by them financially). The best way to handle this would be to offer to act as an intermediary: i. State that you cannot confirm or deny whether X is a student (the fact that someone is a student at SOAS is itself personal data); ii. Offer to pass on any message from the enquirer and the enquirer s contact details to X, if they are indeed a student. iii. Then contact the student and determine what the situation is. Question 11 A: Correct. B: Incorrect. Data subjects do have a right of access to examination marks, but we do not have to provide the data until 40 days after the announcement of the results or 5 months after receipt of the request (whichever is earlier). C: Incorrect. D: Incorrect. E: There is no right of access under the Data Protection Act, but the Information Commissioner has indicated that grades of staff members could be legitimately released under Freedom of Information. This part of the data subject s request would have to be treated as an FoI request. Question 12 True, in most cases. However, personal data can be retained indefinitely if it s being used for research purposes (including preservation as historical archives). Use of personal data for research/historical purposes does not conflict with the requirement that data should not be used for purposes other than those for which it was gathered. Question 13 False. The exemption in section 29 of the Data Protection Act which allows personal data to be disclosed for law enforcement purposes is permissive. We do not have to disclose the data if we are not satisfied that the investigation is a legitimate one, or that failure to disclose would prejudice the investigation. In practice, data will normally be disclosed to law enforcement agencies if it is requested in the proper way: i.e. using a written section 29 form which explains why the data is needed. Question 14 The contractor will be acting as a data processor (processing data on our behalf), so we need to make sure that we meet the requirements of the DPA in terms of data processing arrangements. This includes ensuring that the contractor has adequate security in place and that we have a written contract with the contractor which reflects this obligation. As the contractor is processing data on our behalf, the processing should normally be fair and lawful (in the sense of the first Data Protection Principle) if it would be fair and lawful to process the data ourselves. 18 Oct

5 Other issues to consider: We should make sure that students are informed via a data collection notice how the information they supply will be held and used, including the fact that it will be transferred to a data processor. If we select the contractor in the US, we will need to make sure that we meet one of the conditions for transferring data outside the EEA (this is not an issue for the supplier in France). Question 15 All true except for E. Strictly speaking, the Commissioner does not have this power under the Data Protection Act. However, the Commissioner can investigate our record keeping practices under provisions in the Freedom of Information Act, and can issue a non-binding practice recommendation specifying what steps we should take to conform to the Records Management Code issued under the FoI Act (no practice recommendations have been issued yet). The RM Code sets out general principles which organisations subject to FoI should aim to achieve in their records management systems. 18 Oct