BCS PDP9 Exam Practice Test Instant Access

Question 1

Which of the below would be the BEST example of processing that could utilise the Public Interest Task lawful basis?

AA health authority processing the personal information of its staff in order to record all training undertaken

BA debt collection agency processing information relating to unpaid fines for misuse of community council car parking.

CA local authority processing the personal information of the person responsible for paying council tax

DA tax authority drops cookies on the devices of visitors to its website

Answer : C

The public interest task lawful basis applies to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The relevant task or authority must have a clear basis in domestic law, such as a statutory power, a common law duty, or a function of the Crown, central or local government. The processing must also be necessary, meaning that there is no reasonable and less intrusive way to achieve the same purpose. The public interest task lawful basis is most relevant to public authorities, but it can also apply to any organisation that exercises official authority or carries out tasks in the public interest. In scenario C, a local authority processing the personal information of the person responsible for paying council tax is likely to rely on the public interest task lawful basis, as it is performing a task in the public interest that is laid down by law, namely the Local Government Finance Act 1992, and the processing is necessary for the collection and administration of council tax. In contrast, scenarios A, B and D are less likely to qualify for the public interest task lawful basis, as they do not involve a clear task or authority that is set out in law, or that serves the public interest. For example, a health authority processing the personal information of its staff in order to record all training undertaken may have a different lawful basis, such as legitimate interests or contractual necessity. A debt collection agency processing information relating to unpaid fines for misuse of community council car parking may not have any official authority or public interest justification for its processing. A tax authority dropping cookies on the devices of visitors to its website may not be able to demonstrate that the processing is necessary for its official functions, and may also need to comply with the Privacy and Electronic Communications Regulations (PECR) for the use of cookies.Reference:

UK GDPR, Article 6 (1) (e) and (3)8

ICO Guide to Data Protection, Public Task9

Local Government Finance Act 199210

Question 2

Which of the following is NOT a key requirement of independent supervisory authorities?

ATheir leadership must change every four years

BThey must operate independently.

CThey review DPIAs in cases of unmitigated high risk

DThey must provide each other with mutual assistance

Answer : A

Independent supervisory authorities are public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the UK GDPR and the relevant national laws. The UK GDPR sets out the key requirements for independent supervisory authorities in Chapter VI, which include the following:

They must operate independently and remain free from external influence, whether direct or indirect, and must neither seek nor take instructions from anybody.

They must have adequate human, technical and financial resources to perform their tasks and exercise their powers effectively.

They must review data protection impact assessments in cases of unmitigated high risk and provide prior consultation to controllers on such processing operations.

They must provide each other with mutual assistance and cooperate with each other and the European Data Protection Board to ensure the consistent application of the UK GDPR across the EU.

They must handle complaints lodged by data subjects or by bodies, organisations or associations representing them, and investigate the subject matter of the complaint to the extent appropriate.

They must adopt binding decisions on matters concerning the application of the UK GDPR and impose effective, proportionate and dissuasive administrative fines for infringements of the UK GDPR.

The UK GDPR does not specify any fixed term for the leadership of independent supervisory authorities, nor does it require their leadership to change every four years. However, it does require that the members of the supervisory authority must be appointed by means of a transparent procedure by the parliament, the government or the head of state of the Member State concerned, and that they must act with integrity, refrain from any action incompatible with their duties and not engage in any incompatible occupation during and after their term of office. The UK GDPR also allows Member States to provide for rules regarding the establishment, appointment, duration of the term and dismissal of the head or members of the supervisory authority.Reference:

UK GDPR, Chapter VI7

ICO website, About the ICO8

Question 3

Under which circumstances can the 'domestic purposes' exemption be used to justify non-compliance with the Data Protection Act 2018?

A) An individual sells make up products for commission and uses social media to promote products to friends and family

B) A couple are planning their daughter's wedding and use excel to store contact details and dietary needs of the guests

C) An individual employs a babysitter and stores her bank details in an encrypted document in order to make payments

D) A pansh council keeps a spreadsheet to manage bookings of the village hall, it contains only contact information and time slots

E) A group of students are arranging a house party and using social media to invite people that they do and do not know

AA, B, C, and E.

BB. C. D, and E

CB, and C

DA. B.C. and D

Answer : C

The domestic purposes exemption applies to personal data processed by an individual only for the purposes of their personal, family or household affairs. This means that the processing has no connection to any professional or commercial activity. Examples of such processing include writing to friends and family, taking pictures for personal enjoyment, or keeping an address book. However, the exemption does not apply if the individual processes personal data outside the reasonable expectations of the data subject, or if the processing causes unwarranted harm to the data subject's interests. Therefore, the exemption can be used to justify non-compliance with the Data Protection Act 2018 in scenarios B and C, where the processing is purely personal and does not affect the rights and freedoms of others. However, the exemption cannot be used in scenarios A, D and E, where the processing has a professional or commercial element, or involves sharing personal data with third parties without consent or legitimate interest.Reference:

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 21

ICO Guide to Data Protection, Domestic Purposes2

ICO Guide to Data Protection, Exemptions3

Question 4

Where are the definitions of "Public Authority" and "Public Bodies" found?

AFreedom of Information Act 2000 and Data Protection Act 2018

BGDPR and Data Protection Act 2018.

CData Protection Act 2018 and PECR.

DData Protection Act 2018 only

Answer : A

The definitions of ''public authority'' and ''public body'' for the purposes of the UK GDPR and the Data Protection Act 2018 are found in the Freedom of Information Act 2000 and the Data Protection Act 2018 respectively. Section 7 of the Data Protection Act 2018 provides that a public authority or a public body is one that is listed in Schedule 1 to the Freedom of Information Act 2000, or is designated by an order under section 5 of that Act. However, a court or tribunal acting in its judicial capacity is not considered a public authority or a public body under the Data Protection Act 2018.Reference:

Section 7 of the Data Protection Act 20181

Schedule 1 to the Freedom of Information Act 2000

Question 5

Which of the following statements are CORRECT about records of processing'?

A, It must contain contact details for the Data Protection Officer where applicable.

B, It must be submitted to the Information Commissioner's Office following every Data Protection Impact Assessment

C, It is mandatory for all data processors

D, The controller or the processor a must makes the record available to the supervisory authority on request

E, It must contain contact details for the supervisory authority

AB, C. and D

BA, C, and E

CA. C, D, and E

DA, C, and D

Answer : D

Article 30 of the UK GDPR3requires both controllers and processors to maintain records of their processing activities, unless they are exempted under certain conditions. The records must contain the following information, among others:

the name and contact details of the controller or the processor, and of any joint controller, representative or data protection officer;

the purposes of the processing;

the categories of data subjects and personal data;

the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;

where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;

where possible, the envisaged time limits for erasure of the different categories of data;

where possible, a general description of the technical and organisational security measures.

The records must be in writing, including in electronic form, and must be made available to the ICO on request. The records do not need to contain contact details of the supervisory authority, as this is not specified in Article 30. Nor do they need to be submitted to the ICO following every DPIA, as this is not required by Article 35, which only obliges the controller to consult the ICO prior to the processing if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.Reference:

Article 30 of the UK GDPR3

Article 35 of the UK GDPR4

Question 6

Where a processor engages another processor ("sub-processor") to carry out processing activities on behalf of a controller, which of the following statements is CORRECT?

AThe processor must receive prior written authorisation to use the sub-processor

BThe processor may use the sub-processor without the written authorisation of the controller if it adheres to an approved code of conduct

CThe processor may use the sub-processor without the written authorisation of the controller if the sub-processor signs a contract which reflects the same obligations as the contract with the controller

DThe processor may use the sub-processor without the written authorisation of the controller if the processing is deemed to be low risk.

Answer : A

Article 28(2) of UK GDPR states that where a processor engages another processor (''sub-processor'') for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that other processor by way of a contract or other legal act under domestic law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of UK GDPR. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. The other options are incorrect, as they do not reflect the requirements of UK GDPR for using a sub-processor. The processor cannot use a sub-processor without the written authorisation of the controller, regardless of whether it adheres to an approved code of conduct, signs a contract with the same obligations as the controller, or deems the processing to be low risk.Reference:

Article 28(2) of UK GDPR1

ICO guidance on contracts and liabilities between controllers and processors3

Question 7

Of the following options which is NOT a purpose of carrying out a Data Protection Impact Assessment (DPIA)?

AIt is necessary to fulfil the requirement that all DPIAs are submitted to the ICO

BIt is key to the accountability element of the GDPR.

CIt fulfils a requirement that data protection is carried out by design and default.

DIt assists in identifying the main risks that may exist in any use of data, so that they can be mitigated

Answer : A

A DPIA is not required to fulfil the requirement that all DPIAs are submitted to the ICO, because this is not a requirement under the GDPR. The GDPR only requires that the controller consults the ICO before carrying out processing that is likely to result in a high risk to individuals, if the controller cannot mitigate that risk. This means that not all DPIAs need to be submitted to the ICO, only those that identify a high residual risk that cannot be reduced. The other options are valid purposes of carrying out a DPIA, as they help the controller to comply with the GDPR, ensure data protection by design and by default, and identify and mitigate the main risks to individuals' rights and freedoms.Reference:

Article 35 and 36 of the GDPR3

ICO guidance on DPIAs5

BCS Practitioner Certificate in Data Protection PDP9 Exam Practice Test