BCS PDP9 BCS Practitioner Certificate in Data Protection Exam Practice Test
Page: 1 / 14 Total 40 questions
Want more questions? Get Premium Access. ()
Question 1
If a complainant disagrees with the decision of the UK's supervisory authority, how do they appeal this decision?
Answer : A
If a complainant disagrees with the decision of the UK's supervisory authority, which is the Information Commissioner's Office (ICO), they have the right to appeal to the First Tier Tribunal (Information Rights). The tribunal is an independent body that can review the ICO's decision and either uphold it, vary it or cancel it. The tribunal can also direct the ICO to take certain actions, such as issuing a decision notice or an enforcement notice. The appeal must be lodged within 28 days of receiving the ICO's decision, using the notice of appeal form and providing the relevant documents and grounds for appeal. The tribunal will then notify the ICO and the complainant of the appeal and the procedure for dealing with it. The tribunal may hold a hearing to examine the evidence and arguments of both parties, or decide the case on the basis of written submissions only. The tribunal will issue a written decision, which will be sent to both parties and published on the tribunal's website. The tribunal's decision can be further appealed to the Upper Tribunal on a point of law, with the permission of the First Tier Tribunal or the Upper Tribunal.Reference:
What is the basis of the accountability and data governance obligation (Article 5 (2) of the GDPR)?
Answer : B
Article 5(2) of the GDPR introduces the principle of accountability, which requires that the controller is responsible for, and be able to demonstrate compliance with, the data protection principles set out in Article 5(1). These principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and data protection by design and by default. The controller must implement appropriate technical and organisational measures to ensure and demonstrate compliance, such as policies, procedures, records, audits, reviews, and DPIAs. The controller must also cooperate with the supervisory authority and provide any information requested by it. The other options are not the basis of the accountability and data governance obligation, although they may be related to other obligations under the GDPR.Reference:
Article 9(2)(c) of UK GDPR condition of processing special category data in the vital interests of the data subject is only applicable in which of the following circumstances:
Answer : B
Article 9(2) of UK GDPR allows the processing of special category data when it is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. This means that the data subject is unable to exercise their right to consent or object to the processing, either because they are unconscious, in a coma, suffering from a severe mental disorder, or otherwise unable to communicate their wishes. This condition is intended to cover emergency situations, such as life-threatening medical interventions, where the data subject's consent cannot be obtained in time. It does not apply when another lawful basis applies, when the data subject is physically absent but still capable of giving consent, or when the data subject refuses to consent.Reference:
Which of the below would be the BEST example of processing that could utilise the Public Interest Task lawful basis?
Answer : C
The public interest task lawful basis applies to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The relevant task or authority must have a clear basis in domestic law, such as a statutory power, a common law duty, or a function of the Crown, central or local government. The processing must also be necessary, meaning that there is no reasonable and less intrusive way to achieve the same purpose. The public interest task lawful basis is most relevant to public authorities, but it can also apply to any organisation that exercises official authority or carries out tasks in the public interest. In scenario C, a local authority processing the personal information of the person responsible for paying council tax is likely to rely on the public interest task lawful basis, as it is performing a task in the public interest that is laid down by law, namely the Local Government Finance Act 1992, and the processing is necessary for the collection and administration of council tax. In contrast, scenarios A, B and D are less likely to qualify for the public interest task lawful basis, as they do not involve a clear task or authority that is set out in law, or that serves the public interest. For example, a health authority processing the personal information of its staff in order to record all training undertaken may have a different lawful basis, such as legitimate interests or contractual necessity. A debt collection agency processing information relating to unpaid fines for misuse of community council car parking may not have any official authority or public interest justification for its processing. A tax authority dropping cookies on the devices of visitors to its website may not be able to demonstrate that the processing is necessary for its official functions, and may also need to comply with the Privacy and Electronic Communications Regulations (PECR) for the use of cookies.Reference:
What is the meaning of storage limitation in relation to UK GDPR Article 5 (1 )(e)?
Answer : A
Storage limitation is one of the principles of data protection under the UK GDPR. It means that personal data should not be kept in a form that allows identification of data subjects for longer than is necessary for the purposes for which the data are processed. The UK GDPR does not specify any fixed time limits for different types of data, but rather requires data controllers to determine and justify the appropriate retention periods for their processing activities, taking into account factors such as the nature, scope, context and purposes of the processing, the risks to the rights and freedoms of data subjects, and the legal obligations and expectations of the data controller. Data controllers should also have a policy setting out standard retention periods where possible, and review the data they hold regularly to ensure that it is erased or anonymised when it is no longer needed. Data subjects have the right to request the erasure of their personal data if the data controller no longer has a lawful basis or a legitimate interest for keeping it. The UK GDPR allows for some exceptions to the storage limitation principle, such as when the personal data is processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards for the rights and freedoms of data subjects.Reference:
When were data protection rights first introduced into UK law'?
Answer : C
Data protection rights were first introduced into UK law by the Data Protection Act 1984, which was enacted to implement the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981. The Data Protection Act 1984 established a set of principles for the processing of personal data by data users, such as obtaining consent, ensuring accuracy, and limiting retention. It also created a system of registration for data users and a Data Protection Registrar (later renamed as the Information Commissioner) to oversee and enforce the law. The Data Protection Act 1984 was replaced by the Data Protection Act 1998, which transposed the EU Data Protection Directive 1995 into UK law and extended the scope of data protection to cover manual as well as automated processing of personal data. The Data Protection Act 1998 was further amended by the Data Protection Act 2018, which incorporated the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive into UK law and made provisions for specific processing situations, such as national security, immigration, and journalism.Reference:
Who is entitled to a private life by law in the UK?
Answer : A
The right to a private life is a fundamental human right that is protected by law in the UK. Article 8 of the European Convention on Human Rights (ECHR), which is incorporated into UK law by the Human Rights Act 1998, states that ''Everyone has the right to respect for his private and family life, his home and his correspondence''. This right applies to all individuals, regardless of their status, profession, or public exposure. The right to a private life covers aspects such as personal identity, personal relationships, physical and mental well-being, personal data, and correspondence. However, this right is not absolute and can be limited or interfered with by the state or other parties in certain circumstances, such as for the protection of national security, public safety, health, morals, or the rights and freedoms of others.Reference:
All Official Question Types