ICO

Card Set Information

Author:
DPAMac
ID:
59812
Filename:
ICO
Updated:
2011-01-14 13:23:40
Tags:
ICO
Folders:

Description:
Function of the ICO
Show Answers:

Home > Flashcards > Print Preview

The flashcards below were created by user DPAMac on FreezingBlue Flashcards. What would you like to do?


  1. What are the regulatory functions of the ICO?
    • - enforce compliance
    • - requests for assessment
    • - develop codes of practice
    • - maintain register of Data Controllers
  2. What are the reporting functions of the ICO?
    • - annual report to Parliament
    • - authority for Council of Europe Convention 108
    • - liaise with other DP Commissioners
    • - contact for EU commission on Directive 95/46/EC
  3. What is notification?
    • - one notification per organisation
    • - completed annually
    • - Section 21 makes failure to notify an offense
    • - since 1st Oct 2009 - two tiers
    • - 1st Tier = £35
    • - 2nd Tier = £500 (250+ FTE staff, £26m+ turnover)
    • - can be done by Direct Debit
    • - schools: one notification in the name of the school (England: done by school/Scotland: done by council)
  4. What are the registrable particulars of notification?
    • - name and address
    • - description of data and categories of data subject to which they relate
    • - description of the purpose(s)
    • - description of any recipient to whom the data controller intends to disclose
    • - places outside the EEA to which data will or may be transferred
    • - security statement (not disclosed to the public)
    • - declaration if public body and subject to FOI/FOISA
  5. What are the Notification Exemptions (there are 4 main ones)?
    • - personal and domestic use
    • - maintenance of public register
    • - not for profit organisations
    • - admin, advertising, accounts
    • - manual records unless subject to assessable processing (transitional exemption)
  6. Examples of an Offence
    • - failure to notify or to notify changes
    • - failure to comply with a written request
    • - failure to comply with a Notice
    • - unauthorised obtaining/disclosure
    • - procuring a disclosure to another person
    • - unlawful selling of data
    • - enforced Subject Access (only allowed in certain sectors e.g. children and vulnerable adults

    You can breach a principle but this is not necessarily a criminal offence
  7. Notices
    • - Information Notice (s43) (specifies information required by ICO) notification of complaint received 14/21 day deadlines usually
    • - Enforcement Notice (s40) (specifies steps required to comply with Act post investigation if commissioner has found fault and details changes required
    • - Appeal to Information Tribunal in 35 days
    • - Special Notices (relating to special purposes e.g. journalism, art
  8. Appeals Process
    • - Information Tribunal in London (usually)
    • - High Court
    • - Supreme Court
    • - a public process
  9. Warrants
    • Circuit judge/sherriff issues warrant if satisfied
    • - Data Controller has contravened principles
    • - offence is being committed
    • - evidence will be found on premises subject to warrant
    • Warrant not granted if
    • - ICO has not provided controller with 7 days notice demanding access and access was unreasonably refused or access to evidence was blocked
    • - ICO has not notified subject about the warrant
    • Warrant can allow
    • - entry to premises
    • - search of premises
    • - inspection, examination, operation and test of any equipment
    • - inspection and seizure of documents and materials that may be evidence of breach

    Notice not required if believed that data will be destroyed (but still require a warrant)

    Schedule 9 - powers of entry and inspection
  10. Serving a Warrant
    • - person seving warrant can use necessary and reasonable force
    • - warrant must be served at reasonable hour
    • - copy of warrant must be given to occupier
    • - receipt given for seized documents
    • - seized items must be returned when no longer required
  11. Exempt from Warrants
    • - communications between legal adviser and client containing legal advice, or information about client's obligations, liabilities or rights under DPA
    • - any communications about proceedings under the DPA
  12. Section 55 Offence
    A person must not knowingly or recklessly, without the consent of the Data Controller:

    obtain/disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data

    £5,000 fine, unlimited fine, prison (being considered)
  13. Penalties
    • - fines at Magistrates and Crown Court
    • - undertakings
    • - public domain
    • - public relations disaster
  14. Criminal Justice and Immigration Act
    • - power to fine for data loss (£500k)
    • - requirement to notify data loss
    • - prison term for breach of DPA
    • - tiered notification fee
  15. Coroners and Justice Act
    • - power to inspect public sector without notice
    • - nominated defendant
    • - 2009
  16. Codes of Practice
    Section 51

    It shall be the duty of the Commissioner to promote the following of good practice by data controllers

    • - COPs can be approved at European level
    • - Secretary of State in the Uk may direct - ICO to produce a COP on a particular topic
    • - good practice covers both compliance with the requirements of the Act and actions that go beyond that
    • - ICO may develop own COPs
    • - ICO to encourage trade association COPs
    • - ICO must consider Trade Association COPs
    • - ICO has to consult before endorsing COPs
    • - consultation must be with relevant interested parties, trade associations, data subjects, representatives of data subjects
  17. S51 (4) (b)
    The Commissioner has a duty to review Codes of Practice submitted by trade associations under s51 (4) (b) of the DPA 1998 which states:

    "where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice"
  18. Examples of Codes of Practice
    • - Archivists & Record Managers
    • - Sharing Personal Data
    • - Privacy Notices
    • - Employment Practices
    • - CCTV
    • - Telecommunications Directory Information
    • - Assessment Notices (new)
    • - Online Information (new)

    • Nemonic
    • ASPECT + A + O / PEACOATS
  19. CCTV Legislation
    • - Data Protection Act 1998
    • - The Regulation of Investigatory Powers Act, and associated regulations (covers secret recording)
    • - The Human Rights Act 1998 (basic right to privacy)
    • - The Freedom of Information Act 2000/2002
    • - The Private Security Act 2001
  20. Standards (CCTV)
    • - Information Commissioner Code of Practice on CCTV
    • - Home Office Scientific Division guidance and advice, including technical standards
    • - British Standards Institute (BS 7958:2005)
  21. Home Office Standards (CCTV)
    • 1. Monitoring: watch the flow of e.g. traffic; identity not necessary
    • 2. Detecting: detecting the presence of people where they should not be
    • 3. Recognising: recognise people you know
    • 4. Identifying: identifying a person with sufficient clarity that the evidence would be admissable

What would you like to do?

Home > Flashcards > Print Preview