BCS PDP9 Exam Questions Instant Access - No Installation Required

Question 1

How are data sharing practices governed by data protection law?

AData sharing practices are covered in the DPA 2018, supported by a statutory Code of Practice that provides specific guidance

BData sharing practices are subject to the PECR until the new statutory Code of Practice is published

CData sharing practices are covered by the Freedom of Information Act

DData sharing practices are not specifically regulated, however the ICO provide best practice guidance

Answer : A

Data sharing is the disclosure of personal data from one or more organisations to a third party organisation or organisations, or the sharing of personal data within an organisation. Data sharing practices are governed by data protection law, which includes the UK GDPR and the Data Protection Act 2018 (DPA 2018). The DPA 2018 contains specific provisions on data sharing, such as the power of the Information Commissioner's Office (ICO) to issue a statutory Code of Practice on data sharing.The ICO has published a Data Sharing Code of Practice1that provides practical guidance on how to share data in a fair, safe and transparent way, in compliance with the data protection principles and the rights of data subjects. The code is not legally binding, but it reflects the ICO's interpretation of the law and it may be used as evidence in legal proceedings or investigations. The code also contains useful tools, case studies and examples that can help organisations to share data effectively and responsibly.Reference:

Data Sharing Code of Practice1

Question 2

Which of the following is NOT a processor obligation?

ATo follow the instructions of the controller in processing personal data

BTo consult the controller prior to appointing any processor.

CTo provide the controller with corporate information relating to its board members.

DTo inform the controller of any intended changes of other processors so they can object

Answer : C

Providing the controller with corporate information relating to its board members is not a processor obligation under the GDPR. The processor obligations under the GDPR are mainly the following:

To process the personal data only on documented instructions from the controller, unless required by law;

To ensure that persons authorised to process the personal data are bound by confidentiality;

To implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;

To not engage another processor without the prior authorisation of the controller;

To assist the controller in fulfilling its obligations regarding data subject rights, data protection impact assessments, prior consultations, and data breach notifications;

To delete or return the personal data to the controller at the end of the service, unless required by law to store the data;

To make available to the controller all information necessary to demonstrate compliance and allow for audits and inspections.Reference:

Article 28 of the GDPR1

Guidelines 07/2020 on the concepts of controller and processor in the GDPR2, pp. 37-41

Question 3

Under the Privacy and Electronic Communications Regulations, organisations must NOT make marketing telephone calls to which of the following?

AAny person under the age of 18, unless their parent or guardian has provided permission

BAny person who is registered with the Telephone Preference Service, unless they have given specific consent to receive your calls

CAny person who has not consented to receiving marketing calls

DAny person outside of the United Kingdom.

Answer : B

The Privacy and Electronic Communications Regulations (PECR) are a set of rules that regulate the use of electronic communications for marketing purposes, such as phone calls, texts, emails and faxes. One of the rules is that organisations must not make unsolicited marketing calls to individuals who have registered their numbers with the Telephone Preference Service (TPS), unless they have given their prior consent to receive such calls from that organisation. The TPS is a free service that allows individuals to opt out of receiving any marketing calls. It is a legal requirement for organisations to check the TPS before making any marketing calls and to respect the preferences of the individuals registered on it. If an organisation fails to comply with this rule, it may face enforcement action from the Information Commissioner's Office (ICO), which is the UK's data protection authority and the regulator of PECR.Reference:

Telephone Preference Service

Marketing calls

Enforcement action

Question 4

What is the basis of the accountability and data governance obligation (Article 5 (2) of the GDPR)?

AThe controller shall appoint a DPO before carrying out large scale processing

BThe controller shall be responsible for. and be able to demonstrate compliance with the data protection principles.

CControllers and Processors each have a responsibility to conduct legitimate interests balancing tests before processing data for direct marketing

DProcessors have overarching responsibility to ensure their processing is compliant

Answer : B

Article 5(2) of the GDPR introduces the principle of accountability, which requires that the controller is responsible for, and be able to demonstrate compliance with, the data protection principles set out in Article 5(1). These principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and data protection by design and by default. The controller must implement appropriate technical and organisational measures to ensure and demonstrate compliance, such as policies, procedures, records, audits, reviews, and DPIAs. The controller must also cooperate with the supervisory authority and provide any information requested by it. The other options are not the basis of the accountability and data governance obligation, although they may be related to other obligations under the GDPR.Reference:

Article 5(2) of the GDPR3

ICO guidance on accountability and governance4

Question 5

Which of the following statements MOST accurately describes why a risk-based approach to the use of Al is necessary?

AAl is inherently negative and its use should be limited

BAl is unlawful

CAl's benefits make accepting all arising risks necessary.

DAl carries new and complex risks not present in other technologies

Answer : D

Artificial intelligence (AI) is the use of digital systems to perform tasks that would normally require human intelligence, such as recognition, decision making, learning and adaptation. AI can bring many benefits to society, such as innovation, efficiency, personalisation and convenience. However, AI also carries new and complex risks that are not present in other technologies, such as opacity, unpredictability, bias, discrimination, intrusion, manipulation and harm. These risks can affect the rights and freedoms of individuals, especially their data protection rights, such as privacy, transparency, fairness, accuracy and accountability. Therefore, a risk-based approach to the use of AI is necessary, which means identifying, assessing and mitigating the potential adverse impacts of AI on individuals and society, while balancing them with the benefits and opportunities.A risk-based approach also means complying with the relevant legal and ethical frameworks, such as the UK GDPR and the DPA 2018, and following the best practices and guidance issued by the ICO and other authorities on AI and data protection234.Reference:

Guidance on AI and data protection2

Explaining decisions made with AI3

AI auditing framework4

Question 6

Under which circumstances can the 'domestic purposes' exemption be used to justify non-compliance with the Data Protection Act 2018?

A) An individual sells make up products for commission and uses social media to promote products to friends and family

B) A couple are planning their daughter's wedding and use excel to store contact details and dietary needs of the guests

C) An individual employs a babysitter and stores her bank details in an encrypted document in order to make payments

D) A pansh council keeps a spreadsheet to manage bookings of the village hall, it contains only contact information and time slots

E) A group of students are arranging a house party and using social media to invite people that they do and do not know

AA, B, C, and E.

BB. C. D, and E

CB, and C

DA. B.C. and D

Answer : C

The domestic purposes exemption applies to personal data processed by an individual only for the purposes of their personal, family or household affairs. This means that the processing has no connection to any professional or commercial activity. Examples of such processing include writing to friends and family, taking pictures for personal enjoyment, or keeping an address book. However, the exemption does not apply if the individual processes personal data outside the reasonable expectations of the data subject, or if the processing causes unwarranted harm to the data subject's interests. Therefore, the exemption can be used to justify non-compliance with the Data Protection Act 2018 in scenarios B and C, where the processing is purely personal and does not affect the rights and freedoms of others. However, the exemption cannot be used in scenarios A, D and E, where the processing has a professional or commercial element, or involves sharing personal data with third parties without consent or legitimate interest.Reference:

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 21

ICO Guide to Data Protection, Domestic Purposes2

ICO Guide to Data Protection, Exemptions3

Question 7

Two businesses decide to work together to sell their products by mail order Orders are made via a single online website and they each use their existing employees to administer and update each other's orders on a single order system regardless of product.

Which of the below is CORRECT of the roles of the two businesses in relation to the single order system'?

AThey are controllers of their own information contained in the single order system only

BThey are controllers of their own information in the single order system and processors of the information they process on behalf of the other business.

CThe businesses are controllers of their respective information, and the staff are processors of this information

DThey are both joint controllers of the information contained in the single order system

Answer : D

The two businesses are both joint controllers of the information contained in the single order system, because they jointly determine the purposes and means of the processing. They have a shared purpose of selling their products by mail order and they agree on the means of processing by using a single online website and a single order system. Their decisions complement each other and are necessary for the processing to take place. The processing by each party is inseparable and inextricably linked. Therefore, they meet the criteria for joint controllership under the GDPR.Reference:

Article 26 of the GDPR1

Guidelines 07/2020 on the concepts of controller and processor in the GDPR2, pp. 16-24

BCS Practitioner Certificate in Data Protection PDP9 Exam Questions