Pass the BCS BCS Practitioner PDP9 Questions and answers with CertsForce

The crime and taxation exemption in Schedule 2, Part 1, Paragraph 2 of the Data Protection Act 2018 (DPA 2018) provides an exemption from the UK GDPR’s transparency obligations and most individual rights, including the right of access, but only if complying with them would prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. This means that the public authority does not need to disclose details of the investigation to the individual who submitted the subject access request, as doing so would be likely to hinder the investigation and enable the individual to evade justice. The public authority should assess the likelihood of prejudice on a case-by-case basis and document its reasons for relying on the exemption. The other options are incorrect because:

The legal and professional privilege exemption in Schedule 2, Part 1, Paragraph 19 of the DPA 2018 applies to personal data that is subject to an obligation of confidentiality arising from the provision of legal advice or legal representation, or from the conduct of legal proceedings. This exemption does not apply to the information held by the public authority about the investigation, as it is not related to any legal advice or representation, or any legal proceedings.

The term “criminal offence data” refers to personal data relating to criminal convictions and offences, or related security measures. This type of data is subject to specific rules under Article 10 of the UK GDPR and Part 3 of the DPA2018. However, this does not mean that there is no obligation to disclose criminal offence data in response to a subject access request. The public authority still needs to consider whether any of the exemptions in the DPA 2018 apply, such as the crime and taxation exemption, before disclosing or withholding the data.

The right to be informed does apply in relation to criminal acts, as the UK GDPR requires controllers to provide data subjects with information about the processing of their personal data, including the purposes and legal basis of the processing, unless an exemption applies. The fact that the information has not yet been passed to the police does not affect the applicability of the right to be informed or the right of access. References:

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 21

ICO Guide to Data Protection, Crime and Taxation2

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 193

UK GDPR, Article 104

Data Protection Act 2018, Part 35

UK GDPR, Article 13 and 146

If a complainant disagrees with the decision of the UK’s supervisory authority, which is the Information Commissioner’s Office (ICO), they have the right to appeal to the First Tier Tribunal (Information Rights). The tribunal is an independent body that can review the ICO’s decision and either uphold it, vary it or cancel it. The tribunal can also direct the ICO to take certain actions, such as issuing a decision notice or an enforcement notice. The appeal must be lodged within 28 days of receiving the ICO’s decision, using the notice of appeal form and providing the relevant documents and grounds for appeal. The tribunal will then notify the ICO and the complainant of the appeal and the procedure for dealing with it. The tribunal may hold a hearing to examine the evidence and arguments of both parties, or decide the case on the basis of written submissions only. The tribunal will issue a written decision, which will be sent to both parties and published on the tribunal’s website. The tribunal’s decision can be further appealed tothe Upper Tribunal on a point of law, with the permission of the First Tier Tribunal or the Upper Tribunal. References:

Information rights and data protection: appeal against the Information Commissioner1

Notice of appeal form2

First Tier Tribunal (Information Rights) website3

Schedule 3 of the Data Protection Act 2018 (DPA 2018) provides exemptions from some of the UK GDPR provisions for certain types of personal data processing, such as health data, social work data, education data, and child abuse data. These exemptions are intended to balance the rights and freedoms of data subjects with the public interest or the legitimate interests of data controllers in specific contexts. For example, the exemptions may allow data controllers to restrict the data subjects’ access to their personal data, or to process their personal data without their consent, if complying with the UK GDPR would be likely to prejudice the purposes of the processing, such as the provision of health care, social work, education, or child protection. However, Schedule 3 of the DPA 2018 does not provide any exemption for credit checking agency data, which is personal data processed by credit reference agencies for the purposes of assessing the creditworthiness of individuals or organisations, or preventing fraud or money laundering. Credit checking agency data is subject to the UK GDPR provisions as normal, unless another exemption applies. For example, credit reference agencies may rely on the crime and taxation exemption in Schedule 2, Part 1, Paragraph 2 of the DPA 2018 if disclosing personal data to a data subject would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. References:

Data Protection Act 2018, Schedule 31

ICO Guide to Data Protection, Exemptions2

ICO Guide to Data Protection, Credit3

Article 28(2) of UK GDPR states that where a processor engages another processor (“sub-processor”) for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that other processor by way of a contract or other legal act under domestic law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of UK GDPR. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, theprocessor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. The other options are incorrect, as they do not reflect the requirements of UK GDPR for using a sub-processor. The processor cannot use a sub-processor without the written authorisation of the controller, regardless of whether it adheres to an approved code of conduct, signs a contract with the same obligations as the controller, or deems the processing to be low risk. References:

Article 28(2) of UK GDPR1

ICO guidance on contracts and liabilities between controllers and processors3

A DPIA is not required to fulfil the requirement that all DPIAs are submitted to the ICO, because this is not a requirement under the GDPR. The GDPR only requires that the controller consults the ICO before carrying out processing that is likely to result in a highrisk to individuals, if the controller cannot mitigate that risk. This means that not all DPIAs need to be submitted to the ICO, only those that identify a high residual risk that cannot be reduced. The other options are valid purposes of carrying out a DPIA, as they help the controller to comply with the GDPR, ensure data protection by design and by default, and identify and mitigate the main risks to individuals’ rights and freedoms. References:

Article 35 and 36 of the GDPR3

ICO guidance on DPIAs5

Storage limitation is one of the principles of data protection under the UK GDPR. It means that personal data should not be kept in a form that allows identification of data subjects for longer than is necessary for the purposes for which the data are processed. The UK GDPR does not specify any fixed time limits for different types of data, but rather requires data controllers to determine and justify the appropriate retention periods for their processing activities, taking into account factors such as the nature, scope, context and purposes of the processing, the risks to the rights and freedoms of data subjects, and the legal obligations and expectations of the data controller. Data controllers should also have a policy setting out standard retention periods where possible, and review the data they hold regularly to ensure that it is erased or anonymised when it is no longer needed. Data subjects have the right to request the erasure of their personal data if the data controller no longer has a lawful basis or a legitimate interest for keeping it. The UK GDPR allows for some exceptions to the storage limitation principle, such as when the personal data is processed solely forarchiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards for the rights and freedoms of data subjects. References:

UK GDPR, Article 5 (1) (e) and (2)4

UK GDPR, Article 175

UK GDPR, Article 896

ICO Guide to Data Protection, Storage Limitation7

The principle of transparency requires that any processing of personal data is fair, lawful and transparent to the data subjects. This means that data subjects should be informed about the existence, nature, purpose and consequences of the processing, as well as their rights and choices regarding their data. Transparency is essential for ensuring accountability, trust and compliance in data processing. However, the use of AI can pose challenges to the principle of transparency, as AI can lead to invisible processing, with data subjects not being aware of its presence, or the logic, significance and implications of the processing. For example, AI can be used to profile, infer, predict or influence the behaviour, preferences, interests, emotions or personality of data subjects, without their knowledge or consent. AI can also be used to make automated decisions that affect data subjects, such as credit scoring, recruitment, health diagnosis or social benefits, without providing meaningful explanations or opportunities for human intervention. Therefore, it is important to ensure that data subjects are informed and empowered when AI is involved in the processing of their data, and that they can exercise their rights, such as the right to access, rectify, object, restrict, erase or port their data, or the right to challenge or contest automated decisions56. References:

Guidance on AI and data protection5

Explaining decisions made with AI6

 Information society services (ISS) are defined in Article 4(25) of the UK GDPR as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. This means that ISS are online services that are paid for, either by the user or by another source of income, such as advertising or sponsorship, and that are provided without the parties being physically present, using electronic equipment for the transmission and reception of data, and upon the request of the user. Examples of ISS include apps, programs, websites, search engines, social media platforms, online marketplaces, content streaming services, online games, and any other online services that offer goods or services to users over the internet. Therefore, options A, B and C are correct examples of ISS, as they meet the criteria of the definition. However, option D is not a correct example of ISS, as it does not involve any remuneration for the service provider. Information services provided by non-profit or government organisations with no remuneration are not considered ISS under the UK GDPR, unless they compete with other ISS on the market. References:

UK GDPR, Article 4(25)4

Services covered by this code5

A DPIA is a process to help identify and minimise the data protection risks of a project that is likely to result in a high risk to individuals. A DPIA must include the following elements, according to Article 35(7) of the UK GDPR1:

a description of the processing, including its purposes and legal basis;

an assessment of the necessity and proportionality of the processing in relation to its purposes;

an assessment of the risks to the rights and freedoms of individuals; and

the measures envisaged to address the risks and demonstrate compliance with the UK GDPR.

There is no requirement to publish any potential risks in the information notice, which is a document that provides individuals with information about how their personal data is processed, as required by Article 13 and 14 of the UK GDPR2. However, it may be good practice to do so, as well as to consult with individuals or their representatives, where appropriate, as part of the DPIA process. This can help to enhance transparency, trust and accountability, and to identify any additional risks or concerns from the perspective of the data subjects. References:

Article 35(7) of the UK GDPR1

Article 13 and 14 of the UK GDPR2

Lawfulness of processing is not a factor that should be considered when looking at security of processing under Article 32 of the GDPR. Lawfulness of processing is a separate requirement that applies to all processing of personal data, regardless of the level of security. Security of processing under Article 32 of the GDPR should be based on the following factors:

The state of the art and the costs of implementation of the security measures;

The nature, scope, context and purposes of the processing;

The risk of varying likelihood and severity for the rights and freedoms of natural persons;

Adherence to an approved code of conduct or an approved certification mechanism (as an element to demonstrate compliance). References:

Article 32 of the GDPR1

Guidelines 07/2020 on the concepts of controller and processor in the GDPR2, p. 36