BCS PDP9 Exam Questions Instant Access - No Installation Required

Question 1

How are data sharing practices governed by data protection law?

AData sharing practices are covered in the DPA 2018, supported by a statutory Code of Practice that provides specific guidance

BData sharing practices are subject to the PECR until the new statutory Code of Practice is published

CData sharing practices are covered by the Freedom of Information Act

DData sharing practices are not specifically regulated, however the ICO provide best practice guidance

Answer : A

Data sharing is the disclosure of personal data from one or more organisations to a third party organisation or organisations, or the sharing of personal data within an organisation. Data sharing practices are governed by data protection law, which includes the UK GDPR and the Data Protection Act 2018 (DPA 2018). The DPA 2018 contains specific provisions on data sharing, such as the power of the Information Commissioner's Office (ICO) to issue a statutory Code of Practice on data sharing.The ICO has published a Data Sharing Code of Practice1that provides practical guidance on how to share data in a fair, safe and transparent way, in compliance with the data protection principles and the rights of data subjects. The code is not legally binding, but it reflects the ICO's interpretation of the law and it may be used as evidence in legal proceedings or investigations. The code also contains useful tools, case studies and examples that can help organisations to share data effectively and responsibly.Reference:

Data Sharing Code of Practice1

Question 2

Under which circumstances can the 'domestic purposes' exemption be used to justify non-compliance with the Data Protection Act 2018?

A) An individual sells make up products for commission and uses social media to promote products to friends and family

B) A couple are planning their daughter's wedding and use excel to store contact details and dietary needs of the guests

C) An individual employs a babysitter and stores her bank details in an encrypted document in order to make payments

D) A pansh council keeps a spreadsheet to manage bookings of the village hall, it contains only contact information and time slots

E) A group of students are arranging a house party and using social media to invite people that they do and do not know

AA, B, C, and E.

BB. C. D, and E

CB, and C

DA. B.C. and D

Answer : C

The domestic purposes exemption applies to personal data processed by an individual only for the purposes of their personal, family or household affairs. This means that the processing has no connection to any professional or commercial activity. Examples of such processing include writing to friends and family, taking pictures for personal enjoyment, or keeping an address book. However, the exemption does not apply if the individual processes personal data outside the reasonable expectations of the data subject, or if the processing causes unwarranted harm to the data subject's interests. Therefore, the exemption can be used to justify non-compliance with the Data Protection Act 2018 in scenarios B and C, where the processing is purely personal and does not affect the rights and freedoms of others. However, the exemption cannot be used in scenarios A, D and E, where the processing has a professional or commercial element, or involves sharing personal data with third parties without consent or legitimate interest.Reference:

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 21

ICO Guide to Data Protection, Domestic Purposes2

ICO Guide to Data Protection, Exemptions3

Question 3

An investigation reveals that an individual is defrauding a public authority After a (suspected) tip off from a senior manager, the individual submits a Subject Access Request to the authority asking for a copy of all personal data relating to any investigations that have been carried out

What would be the BEST approach?

AThe legal and professional privilege exemption applies to this information, and therefore the information does not need to be disclosed

BThey do not need to disclose details of the investigation as they can rely on the crime and taxation exemption on the basis that disclosure would prejudice the investigation

CThis is criminal offence data and therefore under the provisions of the Data Protection Act 2018, there is no obligation to disclose

DWhile the right to inform does not apply in relation to criminal acts, they need to disclose the information as this has not yet been passed to the police.

Answer : B

The crime and taxation exemption in Schedule 2, Part 1, Paragraph 2 of the Data Protection Act 2018 (DPA 2018) provides an exemption from the UK GDPR's transparency obligations and most individual rights, including the right of access, but only if complying with them would prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. This means that the public authority does not need to disclose details of the investigation to the individual who submitted the subject access request, as doing so would be likely to hinder the investigation and enable the individual to evade justice. The public authority should assess the likelihood of prejudice on a case-by-case basis and document its reasons for relying on the exemption. The other options are incorrect because:

The legal and professional privilege exemption in Schedule 2, Part 1, Paragraph 19 of the DPA 2018 applies to personal data that is subject to an obligation of confidentiality arising from the provision of legal advice or legal representation, or from the conduct of legal proceedings. This exemption does not apply to the information held by the public authority about the investigation, as it is not related to any legal advice or representation, or any legal proceedings.

The term ''criminal offence data'' refers to personal data relating to criminal convictions and offences, or related security measures. This type of data is subject to specific rules under Article 10 of the UK GDPR and Part 3 of the DPA 2018. However, this does not mean that there is no obligation to disclose criminal offence data in response to a subject access request. The public authority still needs to consider whether any of the exemptions in the DPA 2018 apply, such as the crime and taxation exemption, before disclosing or withholding the data.

The right to be informed does apply in relation to criminal acts, as the UK GDPR requires controllers to provide data subjects with information about the processing of their personal data, including the purposes and legal basis of the processing, unless an exemption applies. The fact that the information has not yet been passed to the police does not affect the applicability of the right to be informed or the right of access.Reference:

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 21

ICO Guide to Data Protection, Crime and Taxation2

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 193

UK GDPR, Article 104

Data Protection Act 2018, Part 35

UK GDPR, Article 13 and 146

Question 4

Who is entitled to a private life by law in the UK?

AAll individuals.

BAll individuals save for Members of Parliament

CPrivate individuals who do not conduct their business on public platforms (such as professional sports people and actors

DNobody

Answer : A

The right to a private life is a fundamental human right that is protected by law in the UK. Article 8 of the European Convention on Human Rights (ECHR), which is incorporated into UK law by the Human Rights Act 1998, states that ''Everyone has the right to respect for his private and family life, his home and his correspondence''. This right applies to all individuals, regardless of their status, profession, or public exposure. The right to a private life covers aspects such as personal identity, personal relationships, physical and mental well-being, personal data, and correspondence. However, this right is not absolute and can be limited or interfered with by the state or other parties in certain circumstances, such as for the protection of national security, public safety, health, morals, or the rights and freedoms of others.Reference:

Article 8 of the ECHR1

Human Rights Act 19982

ICO Guide to Data Protection3

Question 5

What is the meaning of storage limitation in relation to UK GDPR Article 5 (1 )(e)?

AKeeping identifiable personal data for no longer than is necessary for the intended processing

BStoring data in a secure format only permitting access to those with a business need

COnly storing data in locations within the EU. except where there is an adequacy decision.

DLimiting the number of records stored in any single repository to minimise risk surface.

Answer : A

Storage limitation is one of the principles of data protection under the UK GDPR. It means that personal data should not be kept in a form that allows identification of data subjects for longer than is necessary for the purposes for which the data are processed. The UK GDPR does not specify any fixed time limits for different types of data, but rather requires data controllers to determine and justify the appropriate retention periods for their processing activities, taking into account factors such as the nature, scope, context and purposes of the processing, the risks to the rights and freedoms of data subjects, and the legal obligations and expectations of the data controller. Data controllers should also have a policy setting out standard retention periods where possible, and review the data they hold regularly to ensure that it is erased or anonymised when it is no longer needed. Data subjects have the right to request the erasure of their personal data if the data controller no longer has a lawful basis or a legitimate interest for keeping it. The UK GDPR allows for some exceptions to the storage limitation principle, such as when the personal data is processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards for the rights and freedoms of data subjects.Reference:

UK GDPR, Article 5 (1) (e) and (2)4

UK GDPR, Article 175

UK GDPR, Article 896

ICO Guide to Data Protection, Storage Limitation7

Question 6

A privacy notice MUST NOT contain

AThe contact details of the controller

BThe purpose of the processing

CDetails of the processor's staff

DDetails of the right to lodge a complaint with the supervisory authority

Answer : C

A privacy notice is a document that provides individuals with information about how their personal data is processed, as required by Article 13 and 14 of the UK GDPR5. A privacy notice must include the following information, among others:

the identity and contact details of the controller and, where applicable, the controller's representative and the data protection officer;

the purposes and legal basis of the processing;

the categories of personal data concerned;

the recipients or categories of recipients of the personal data, including any third parties or international organisations;

where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;

the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

the existence of the rights of the data subject, such as the right to access, rectify, erase, restrict, object or port the data, and the conditions or limitations on those rights;

the existence of the right to withdraw consent at any time, where the processing is based on consent;

the right to lodge a complaint with a supervisory authority;

whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

A privacy notice does not need to contain details of the processor's staff, as this is not relevant or necessary for the data subject to understand how their personal data is processed. However, the controller may need to inform the data subject if their personal data is shared with a processor, and provide the identity and contact details of the processor, as part of the information on the recipients or categories of recipients of the personal data.Reference:

Article 13 and 14 of the UK GDPR5

Question 7

In which of the following circumstances would Privacy and Electronic Communications Regulation (PECR) NOT apply?

ATelephone marketing communications

BPostal marketing communications.

CText marketing communications.

DEmail marketing communications

Answer : B

The Privacy and Electronic Communications Regulations (PECR) are a set of rules that regulate the use of electronic communications for marketing purposes, as well as the use of cookies and similar technologies, and the security and privacy of electronic communications services. PECR apply to all organisations that market by phone, email, text, fax, or online, or that use cookies or similar technologies on their websites or other electronic services. PECR do not apply to postal marketing communications, which are not considered electronic communications under the definition of PECR. However, postal marketing communications may still be subject to the UK GDPR and the Data Protection Act 2018, as well as other regulations, such as the Consumer Protection from Unfair Trading Regulations 2008 and the Advertising Standards Authority codes of practice.Reference:

ICO Guide to PECR, What are PECR?4

ICO Guide to PECR, Electronic and telephone marketing5

BCS Practitioner Certificate in Data Protection PDP9 Exam Questions