BCS PDP9 Exam Questions Instant Access - No Installation Required

Question 1

Where a processor engages another processor ("sub-processor") to carry out processing activities on behalf of a controller, which of the following statements is CORRECT?

AThe processor must receive prior written authorisation to use the sub-processor

BThe processor may use the sub-processor without the written authorisation of the controller if it adheres to an approved code of conduct

CThe processor may use the sub-processor without the written authorisation of the controller if the sub-processor signs a contract which reflects the same obligations as the contract with the controller

DThe processor may use the sub-processor without the written authorisation of the controller if the processing is deemed to be low risk.

Answer : A

Article 28(2) of UK GDPR states that where a processor engages another processor (''sub-processor'') for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that other processor by way of a contract or other legal act under domestic law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of UK GDPR. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. The other options are incorrect, as they do not reflect the requirements of UK GDPR for using a sub-processor. The processor cannot use a sub-processor without the written authorisation of the controller, regardless of whether it adheres to an approved code of conduct, signs a contract with the same obligations as the controller, or deems the processing to be low risk.Reference:

Article 28(2) of UK GDPR1

ICO guidance on contracts and liabilities between controllers and processors3

Question 2

What are Information Society Services'? Select the INCORRECT answer

AA service provided for remuneration, by electronic means, at distance to an individual that has requested it.

BAn electronic information service provided to individuals but paid for solely by advertising

CBusiness to business online networking sites

DInformation services provided by non-profit or government organisations with no remuneration

Answer : D

Information society services (ISS) are defined in Article 4(25) of the UK GDPR as ''any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services''. This means that ISS are online services that are paid for, either by the user or by another source of income, such as advertising or sponsorship, and that are provided without the parties being physically present, using electronic equipment for the transmission and reception of data, and upon the request of the user. Examples of ISS include apps, programs, websites, search engines, social media platforms, online marketplaces, content streaming services, online games, and any other online services that offer goods or services to users over the internet. Therefore, options A, B and C are correct examples of ISS, as they meet the criteria of the definition. However, option D is not a correct example of ISS, as it does not involve any remuneration for the service provider. Information services provided by non-profit or government organisations with no remuneration are not considered ISS under the UK GDPR, unless they compete with other ISS on the market.Reference:

UK GDPR, Article 4(25)4

Services covered by this code5

Question 3

What is the meaning of storage limitation in relation to UK GDPR Article 5 (1 )(e)?

AKeeping identifiable personal data for no longer than is necessary for the intended processing

BStoring data in a secure format only permitting access to those with a business need

COnly storing data in locations within the EU. except where there is an adequacy decision.

DLimiting the number of records stored in any single repository to minimise risk surface.

Answer : A

Storage limitation is one of the principles of data protection under the UK GDPR. It means that personal data should not be kept in a form that allows identification of data subjects for longer than is necessary for the purposes for which the data are processed. The UK GDPR does not specify any fixed time limits for different types of data, but rather requires data controllers to determine and justify the appropriate retention periods for their processing activities, taking into account factors such as the nature, scope, context and purposes of the processing, the risks to the rights and freedoms of data subjects, and the legal obligations and expectations of the data controller. Data controllers should also have a policy setting out standard retention periods where possible, and review the data they hold regularly to ensure that it is erased or anonymised when it is no longer needed. Data subjects have the right to request the erasure of their personal data if the data controller no longer has a lawful basis or a legitimate interest for keeping it. The UK GDPR allows for some exceptions to the storage limitation principle, such as when the personal data is processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards for the rights and freedoms of data subjects.Reference:

UK GDPR, Article 5 (1) (e) and (2)4

UK GDPR, Article 175

UK GDPR, Article 896

ICO Guide to Data Protection, Storage Limitation7

Question 4

Which of the following would NOT be a personal data breach'?

AThe accidental deletion of an organisation's information security policy from the public facing website

BThe unauthorised changing of a persons address details on a database of customers.

CThe accidental destruction of a current employee's HR file.

DThe loss of a memory stick containing the names and addresses of students in private accommodation

Answer : A

A personal data breach is defined in Article 4(12) of the UK GDPR as ''a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed''. Personal data means any information relating to an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Therefore, a personal data breach only occurs when the security incident affects personal data, not any other type of information. In this case, the accidental deletion of an organisation's information security policy from the public facing website would not be a personal data breach, as the policy does not contain any personal data. However, the other scenarios would be considered personal data breaches, as they involve the loss, alteration, destruction or unauthorised access to personal data of customers, employees or students.Reference:

UK GDPR, Article 4(12)1

UK GDPR, Article 4(1)2

ICO Guide to Data Protection, Personal Data Breaches3

Question 5

An individual applies for a job as a security guard The employer has had significant issues with the sickness record of past recruits They therefore decide to offer the position to the individual on the basis they request a copy of their medical record so that the employer can be assured that they are in a good state of health.

The Data Protection Officer has been asked to advise. What advice is MOST appropriate?

AProviding the medical evidence is used for a legitimate purpose, and that the information is securely destroyed on verification that the employee is healthy, this is an acceptable action.

BWhile requesting and viewing medical evidence may be legitimate, they should ask for evidence that the individual consents to the proposition that they make the request

CIn requesting information that is more than they necessary require to verify the medical condition of the individual they will have breached the data minimisation principle

DThis is a criminal offence under the Data Protection Act 2018 No individual should be asked to make a subject access request in order to obtain health records in these circumstances.

Answer : D

The Data Protection Act 2018 (DPA 2018) makes it a criminal offence for a person to require another person to make a subject access request for information about their health, convictions or cautions, or spent convictions, and to provide that information to the first person or a third person, as a condition of providing or offering to provide goods, facilities or services, or as a condition of entering into or continuing a contract. This is known as an enforced subject access request. The employer in this scenario is committing a criminal offence by offering the job to the individual on the condition that they request a copy of their medical record and provide it to the employer. The employer is also breaching the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, and storage limitation, as they are processing health data, which is a special category of personal data, without a valid legal basis, without informing the individual of the purpose and legal basis of the processing, and without limiting the processing to what is necessary and relevant for the employment relationship. The employer should instead obtain the individual's explicit consent to request the health information directly from the relevant health professional, and only request the information that is necessary and proportionate for the specific role of a security guard.Reference:

Section 184 of the DPA 20183

ICO guidance on enforced subject access requests4

ICO guidance on special category data5

Question 6

What is the Employment Practices Code?

AGuidance on meeting legal requirements of data protection when employing staff

BGuidance on the requirements for employing a Data Protection Officer

CA statutory framework for implementing data protection training for employees.

DA set of exemptions that can be used when processing data related to employees

Answer : A

The Employment Practices Code is a guidance document issued by the ICO that provides recommendations on how to comply with the data protection principles and the rights of data subjects when processing personal data in the context of employment. The code covers various aspects of employment practices, such as recruitment and selection, employment records, monitoring at work, and information about workers' health. The code is not legally binding, but it reflects the ICO's interpretation of the Data Protection Act and the UK GDPR, and it may be used as evidence in legal proceedings or investigations. The code is intended to help employers balance their legitimate interests in managing their workforce with the privacy rights of their workers.Reference:

The Employment Practices Code

Quick Guide to the Employment Practices Code

Question 7

Which of the following statements MOST accurately describes the potential impact of Al on the principle of transparency?

AData subjects should generally expect Al to be present in processing activities

BTransparency requirements do not apply to Al, as it is always compatible with original purposes

CAl can lead to invisible processing, with data subjects not being aware of its presence.

DTransparency requirements do not apply to Al, as there is a relevant exemption

Answer : C

The principle of transparency requires that any processing of personal data is fair, lawful and transparent to the data subjects. This means that data subjects should be informed about the existence, nature, purpose and consequences of the processing, as well as their rights and choices regarding their data. Transparency is essential for ensuring accountability, trust and compliance in data processing. However, the use of AI can pose challenges to the principle of transparency, as AI can lead to invisible processing, with data subjects not being aware of its presence, or the logic, significance and implications of the processing. For example, AI can be used to profile, infer, predict or influence the behaviour, preferences, interests, emotions or personality of data subjects, without their knowledge or consent. AI can also be used to make automated decisions that affect data subjects, such as credit scoring, recruitment, health diagnosis or social benefits, without providing meaningful explanations or opportunities for human intervention.Therefore, it is important to ensure that data subjects are informed and empowered when AI is involved in the processing of their data, and that they can exercise their rights, such as the right to access, rectify, object, restrict, erase or port their data, or the right to challenge or contest automated decisions56.Reference:

Guidance on AI and data protection5

Explaining decisions made with AI6

BCS Practitioner Certificate in Data Protection PDP9 Exam Questions