In the terms of their relevance under data protection legislation, how can CCTV images recorded in a supermarket BEST be described'?
CCTV images recorded in a supermarket are personal data as they can be used to identify living human beings, either directly or indirectly, by their physical appearance, clothing, accessories, or other distinctive features. Personal data is defined in Article 4(1) of the GDPR as ''any information relating to an identified or identifiable natural person''. The GDPR applies to the processing of personal data by automated means, such as CCTV cameras, or by non-automated means that form part of a filing system, such as paper records. The other options are incorrect because:
CCTV images are not special category data as they do not reveal any of the sensitive information listed in Article 9(1) of the GDPR, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, or biometric or genetic data. Special category data is subject to stricter conditions and safeguards under the GDPR, as it poses a higher risk to the rights and freedoms of individuals.
CCTV images are not biometric data in the terms of the definition stipulated in the GDPR. Biometric data is defined in Article 4(14) of the GDPR as ''personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data''. CCTV images do not result from specific technical processing, nor do they allow or confirm the unique identification of a natural person, unless they are combined with other data or identifiers.
The GDPR is not only engaged where CCTV images are accompanied by text or other identifier. The GDPR applies to any information that relates to an identified or identifiable natural person, regardless of whether it is accompanied by text or other identifier. CCTV images can relate to an identifiable natural person even if they do not contain any text or other identifier, as long as there is a possibility to single out or link the person to other data or factors.Reference:
What are Information Society Services'? Select the INCORRECT answer
Information society services (ISS) are defined in Article 4(25) of the UK GDPR as ''any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services''. This means that ISS are online services that are paid for, either by the user or by another source of income, such as advertising or sponsorship, and that are provided without the parties being physically present, using electronic equipment for the transmission and reception of data, and upon the request of the user. Examples of ISS include apps, programs, websites, search engines, social media platforms, online marketplaces, content streaming services, online games, and any other online services that offer goods or services to users over the internet. Therefore, options A, B and C are correct examples of ISS, as they meet the criteria of the definition. However, option D is not a correct example of ISS, as it does not involve any remuneration for the service provider. Information services provided by non-profit or government organisations with no remuneration are not considered ISS under the UK GDPR, unless they compete with other ISS on the market.Reference:
Services covered by this code5
An investigation reveals that an individual is defrauding a public authority After a (suspected) tip off from a senior manager, the individual submits a Subject Access Request to the authority asking for a copy of all personal data relating to any investigations that have been carried out
What would be the BEST approach?
The crime and taxation exemption in Schedule 2, Part 1, Paragraph 2 of the Data Protection Act 2018 (DPA 2018) provides an exemption from the UK GDPR's transparency obligations and most individual rights, including the right of access, but only if complying with them would prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. This means that the public authority does not need to disclose details of the investigation to the individual who submitted the subject access request, as doing so would be likely to hinder the investigation and enable the individual to evade justice. The public authority should assess the likelihood of prejudice on a case-by-case basis and document its reasons for relying on the exemption. The other options are incorrect because:
The legal and professional privilege exemption in Schedule 2, Part 1, Paragraph 19 of the DPA 2018 applies to personal data that is subject to an obligation of confidentiality arising from the provision of legal advice or legal representation, or from the conduct of legal proceedings. This exemption does not apply to the information held by the public authority about the investigation, as it is not related to any legal advice or representation, or any legal proceedings.
The term ''criminal offence data'' refers to personal data relating to criminal convictions and offences, or related security measures. This type of data is subject to specific rules under Article 10 of the UK GDPR and Part 3 of the DPA 2018. However, this does not mean that there is no obligation to disclose criminal offence data in response to a subject access request. The public authority still needs to consider whether any of the exemptions in the DPA 2018 apply, such as the crime and taxation exemption, before disclosing or withholding the data.
The right to be informed does apply in relation to criminal acts, as the UK GDPR requires controllers to provide data subjects with information about the processing of their personal data, including the purposes and legal basis of the processing, unless an exemption applies. The fact that the information has not yet been passed to the police does not affect the applicability of the right to be informed or the right of access.Reference:
Data Protection Act 2018, Schedule 2, Part 1, Paragraph 21
ICO Guide to Data Protection, Crime and Taxation2
Data Protection Act 2018, Schedule 2, Part 1, Paragraph 193
Data Protection Act 2018, Part 35
When were data protection rights first introduced into UK law'?
Data protection rights were first introduced into UK law by the Data Protection Act 1984, which was enacted to implement the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981. The Data Protection Act 1984 established a set of principles for the processing of personal data by data users, such as obtaining consent, ensuring accuracy, and limiting retention. It also created a system of registration for data users and a Data Protection Registrar (later renamed as the Information Commissioner) to oversee and enforce the law. The Data Protection Act 1984 was replaced by the Data Protection Act 1998, which transposed the EU Data Protection Directive 1995 into UK law and extended the scope of data protection to cover manual as well as automated processing of personal data. The Data Protection Act 1998 was further amended by the Data Protection Act 2018, which incorporated the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive into UK law and made provisions for specific processing situations, such as national security, immigration, and journalism.Reference:
Council of Europe Convention 1085
A company based in France uses a specialist IT support business in China The two companies have signed a Data Processing Agreement. The Chinese business provides specialist IT support for the French company's digital customer experience platform No personal data is sent to China, but employees of the Chinese business access the platform on a regular basis and have access to the databases that sit behind it. Which of the following statements is CORRECT in relation to the French company's requirements to ensure compliance with the GDPR?
According to the GDPR, a transfer of personal data to a third country or an international organisation occurs when the personal data is made available to someone outside the EU and EEA, regardless of whether the data is physically sent or not. Therefore, the fact that the Chinese business accesses the platform and the databases that contain personal data of the French company's customers constitutes a transfer of personal data to China, which is a third country under the GDPR. The French company, as the controller of the personal data, must ensure that the transfer complies with the GDPR requirements and that the level of protection of the personal data is not undermined. This means that the French company must identify and implement an appropriate transfer mechanism, such as an adequacy decision, appropriate safeguards, or derogations for specific situations, as set out in Chapter V of the GDPR. A data processing agreement, although necessary to define the roles and responsibilities of the controller and the processor, is not sufficient to ensure the legality of the transfer, as it does not provide the same guarantees as the GDPR. China is not a country that has been recognised by the European Commission as providing an adequate level of protection for personal data, so the French company cannot rely on an adequacy decision either.Reference:
ICO guidance on international transfers2
