
Section 1: Understand current data protection legislation

NCFE Level 2 Certificate in Understanding Data Protection and Data Security

PERSONAL DATA

PHYSICAL ACCESS

ELECTRONIC ACCESS

FREEDOM OF INFORMATION ACT

ORGANISATIONAL PROCEDURES

CONFIDENTIALITY

Workbook 1
How to use your learning materials

This course is delivered on a flexible learning basis. This means that most of your
study will take place away from your Assessor/Tutor. It helps to carefully plan your
studying so that you get the most out of your course. We have put together some
handy tips for you below.

Study Guidance

•• Try to plan an outline timetable of when and where you will study.
•• Try to complete your work in a quiet environment where you are unlikely to be distracted.
•• Set realistic goals and deadlines for the various elements of your course.
•• Plan what you are going to study during each session, and try to achieve this each time.
•• After each session, reflect on what you have achieved and plan what you hope to complete next time.
•• Remember that not only do you have the support of your Assessor/Tutor, but it is likely that your family, friends and work colleagues will also be willing to help.

Assessor/Tutor Support

Your Assessor/Tutor will be available to support and guide you through the programme. They are experts in your area of study and are experienced in helping many different types of learners.

•• They can help you to improve the standard of work you submit and will give you useful feedback on areas in which you have excelled, as well as where you can improve.
•• Remember to listen to, or read, their feedback carefully. Ask if you are unsure about any of the feedback you receive, as your Assessor/Tutor is there to help.
•• Make a note of any tips they give. Refer to the learning materials as they contain the information you need to complete the end-of-unit assessments.
•• Look out for areas in which you can improve, and set yourself an action plan to make sure you complete the required work.
•• Take positive feedback on board; this demonstrates you are doing things right and have a good understanding of the subject area.
•• Use the feedback to avoid repeating any mistakes you may have made.

Enjoy your studies!

2 © LCG 2018
Workbook Contents

This workbook introduces you to the different laws that are in place to protect
our data. You will explore the General Data Protection Regulation (GDPR), how it
is applied by organisations and how it affects you as a consumer. You will also
learn about the Data Protection and Freedom of Information Acts and procedures
organisations may put into place to protect data.

Contents

This workbook contains three sections:
Section 1: Understand current data protection legislation (page 4)
Section 2: Understand organisational procedures concerning data (page 24)
Section 3: Extension activities (page 34)

Each section has a corresponding assessment that must be completed in order to achieve this part of the programme. The assessments for this workbook can be found in: Assessment 1

When you have completed this workbook, you should attempt the assessment. Your Assessor/Tutor will then give you detailed written feedback on your progress.

Remember that your assessment answers should be written in your own words. You should not copy answers directly from the workbooks.

NCFE Level 2 Certificate in Understanding Data Protection and Data Security
Assessment 1

Learner contact details:
Name:
Contact address:
Postcode:
Contact number:
Email:

Learner declaration
I confirm that the answers in Assessment 1 were completed by me, represent my own ideas and are my own work.
Learner signature:
Assessment date:

If you need any help in completing these Assessments, refer to the relevant section within Workbook 1, or contact your Assessor/Tutor.

Please tick one of the boxes below to show what your status will be when you complete this course.
[ ] EMP 1 In paid employment for 16 hours or more per week
[ ] EMP 2 In paid employment for less than 16 hours per week
[ ] EMP 4 Self-employed for 16 hours or more per week
[ ] EMP 5 Self-employed for less than 16 hours per week
[ ] NPE 1 Not in paid employment, looking for work and available to start work
[ ] NPE 2 Not in paid employment, not looking for work and/or not available to start work (including retired)
[ ] VOL 1 Voluntary work
[ ] GAP 1 Gap year before starting HE
[ ] EDU 1 Traineeship
[ ] EDU 2 Apprenticeship
[ ] EDU 3 Supported Internship
[ ] EDU 4 Other FE* (Full-time)
[ ] EDU 5 Other FE* (Part-time)
[ ] EDU 6 HE
[ ] OTH # (please state) ………………………………

Upon successful completion of this qualification, learners will be awarded the NCFE Level 2 Certificate in Understanding Data Protection and Data Security (QRN: 603/3639/0). This qualification is certificated by the Awarding Organisation NCFE.
Section 1: Understand current data protection legislation

In this section, you will learn about the GDPR, including what it is, its purpose and
what organisations need to do to meet the associated legal requirements.

Personal data
Please read the following as it will help you to answer question 1.

Personal data is any information that can be used to identify a specific person, for
example:
•• a name
•• address
•• date of birth
•• IP address (a computer’s unique identification number)
•• genetic or biometric data, e.g. fingerprints
•• information about criminal convictions

There isn’t a definitive list about what is considered to be personal data under the
General Data Protection Regulation (GDPR) 2018; however, personal data is defined
in the Regulation as:

“any information relating to an identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person”

For example, a name on its own such as Jack Jones may not be considered personal
data because there are thousands of people with that name, but a name with a date
of birth and address would allow an individual to be identified.


The purpose of the General Data Protection Regulation

Please read the following as it will help you to answer question 2.

The GDPR is European legislation that was brought into effect in May 2018 to replace
the Data Protection Act 1998. It is used alongside the new Data Protection Act 2018,
which will be used in the UK after it leaves the EU. The main purpose of the GDPR is
to create data protection laws that will protect all members of the European Union.
Additionally, the GDPR:
•• increases privacy
•• extends EU residents’ data rights
•• provides authorities with powers to take action against any organisation that
breaches the regulation
•• ensures that all new businesses that use personal data follow the regulation
•• ensures that businesses outside the EU collect and process the personal data of
EU residents according to the regulation

The role of a data controller and a data processor

Please read the following as it will help you to answer question 3.

The GDPR applies to two different groups: data controllers and data processors.

A data controller is a: “natural or legal person, public authority, agency or
other body” which decides how and why personal data will be processed.

A data processor is a: “natural or legal person, public authority, agency or
other body” which processes data for the controller.

Example
A plumbing supply company has 50 employees. It signs a contract with a payroll
firm that provides the IT system and stores all of the company’s staff data, including
employee names and addresses, National Insurance numbers, wage amounts and
when wages should be paid. This agreement makes the plumbing supply company the
controller and the payroll firm the processor.


Did you know?


The more information we provide online, the more companies can tailor
advertisements to what we like and who we are. Online advertising in the UK
generates over £10 billion in revenue by monetising people’s online activities.

The key principles of the general data protection regime


Please read the following as it will help you to answer question 4.

The GDPR provides a range of key principles that organisations must include in
their data protection regime (policies and procedures) to stay compliant. Read the
information in the following table to learn about each of the principles.
Principle: Lawfulness, fairness and transparency
Lawful: data subjects should be told what data processing will be done.
Fair: data must be processed in the way described to the data subject.
Transparent: processing must meet the tests described in the GDPR.

Principle: Purpose limitation
Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

Principle: Data minimisation
Only data that is relevant and limited to what is necessary in relation to the purposes for which they are processed should be gathered.

Principle: Accuracy
Data must be accurate and kept up to date, and every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.

Principle: Storage limitation
Data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Principle: Integrity and confidentiality
Data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Principle: Accountability
The organisation is responsible for complying with GDPR and must be able to show compliance if asked to do so. Compliance includes creating and implementing data protection policies, creating contracts with organisations that process personal data, reporting personal data breaches and putting security measures in place.

[Source: Article 5, GDPR]


A lawful basis for processing personal data

Please read the following as it will help you to answer question 5.

Under the GDPR, an organisation must have a lawful reason for processing personal
data. There are 8 lawful bases for processing personal data in the GDPR, and
organisations must choose the lawful basis that is most appropriate to the purpose
and relationship with the individual.
Processing personal data must be necessary to the company’s purpose; otherwise the
processing will not be permitted. Whichever basis is chosen, it should be included in the
organisation’s privacy notice.
Read the information in the following table to learn about each lawful basis.
Lawful basis: Consent
•• A consent basis means that an organisation must offer individuals choice and control over their personal data.
•• This basis requires individuals to ‘positively opt in’, which means they have to select a box themselves, not de-select a pre-ticked box.
•• Consent requires a clear and specific statement of consent, and requests should be kept separate from other terms and conditions.
•• Blanket consents are not acceptable – individual consents have to be received for separate things.
•• Consents must be clear and concise.
•• It must be easy for an individual to withdraw consent at any time.
•• Organisations must keep evidence of consent and review consent on a regular basis, updating it with any changes as necessary.
•• Consent shouldn’t be made a precondition of a service.

Lawful basis: Contract
This basis is used when an organisation processes personal data because it has a contractual obligation to the individual, or because the individual has asked the organisation to do something before entering into a contract, e.g. providing a quote.
The organisation should document the decision to use this basis and be able to provide an appropriate justification, if asked.

Lawful basis: Legal obligation
To use this basis, an organisation must be processing personal data to comply with a common law or statutory obligation.
The organisation should document the decision to use this basis and be able to provide the appropriate law that requires personal data to be processed.

Lawful basis: Vital interests
This is a very limited basis that can only be used to justify processing personal data to “protect the vital interests of the data subject”, i.e. in life or death situations. For example, a hospital may need to access a new patient’s medical records in an emergency.

Lawful basis: Public task
Public task requires that the task being carried out has a clear legal basis. Personal data can be processed “in the exercise of official authority”, which includes legal powers and functions. Personal data can also be processed if doing so will be in the public’s interest. This basis is used most often by public authorities.

Lawful basis: Legitimate interests
This basis is described as “the most flexible” for processing; data must be used in a reasonable way and its processing should not have much of an impact on the individual’s privacy. There must also be a “compelling justification”, i.e. a good reason, for the processing.
To use this basis, an organisation must be able to:
•• identify a legitimate interest, e.g. your own interests or those of third parties
•• show that the processing is necessary to achieve the legitimate interest
•• balance the legitimate interest against the individual’s interests, rights and freedoms

Lawful basis: Special category data
Under the GDPR, sensitive data, such as information on an individual’s race, gender, trade union membership and sexual orientation, falls into this lawful basis. Using this basis, organisations also have to prove that there is a lawful reason to process personal data. There are 10 conditions for processing special category data in the GDPR.

Lawful basis: Criminal offence data
Criminal offence data includes information on criminal allegations, proceedings or convictions. To process personal data about criminal offences, there must be a lawful basis and the organisation must also have legal or official authority.

[Source: www.ico.org.uk]


Look at the following example, which shows an organisation’s internal policy about
how data will be processed.

Basis for processing personal information

In relation to any processing activity, we will – before the processing starts for
the first time and then regularly while it continues – review the purposes of the
particular processing activity, and select the most appropriate lawful basis (or
bases) for that processing, i.e.:
1. that the data subject has consented to the processing;
2. that the processing is necessary for the performance of a contract to which
the data subject is party, or in order to take steps at the request of the data
subject prior to entering into a contract;
3. that the processing is necessary for compliance with a legal obligation to
which the Company is subject;
4. that the processing is necessary for the protection of the vital interests of
the data subject or another natural person; or
5. that the processing is necessary for the purposes of legitimate interests of
the Company or a third party, except where those interests are overridden
by the interests of fundamental rights and freedoms of the data subject—
see below.

Except where the processing is based on consent, we will:
1. satisfy ourselves that the processing is necessary for the purpose of the
relevant lawful basis (i.e. that there is no other reasonable way to achieve
that purpose);
2. document our decision as to which lawful basis applies, to help
demonstrate our compliance with the data protection principles;
3. include information about both the purposes of the processing and the
lawful basis for it in our relevant privacy notice(s);
4. where sensitive personal information is processed, also identify a lawful
special condition for processing that information (see below), and document
it; and
5. where criminal offence information is processed, also identify a lawful
condition for processing that information, and document it.


When determining whether the Company’s legitimate interests are the most
appropriate basis for lawful processing, we will:
1. conduct a legitimate interests assessment (LIA) and keep a record of it, to
ensure that we can justify our decision;
2. if the LIA identifies a significant privacy impact, consider whether we also
need to conduct a data protection impact assessment (DPIA);
3. keep the LIA under review, and repeat it if circumstances change; and
4. include information about our legitimate interests in our relevant privacy
notice(s).

Knowledge Activity 1: Put a tick next to the scenarios that you think could
use legal obligation as a lawful basis for processing data.

[ ] 1. An employee’s salary is needed by HMRC.
[ ] 2. When a customer signs up for a free trial, personal data, including
contact information and credit card information, must be processed.
[ ] 3. A criminal investigation requires personal data to be processed.

[Answer: see page 23]


Individual rights
Please read the following as it will help you to answer question 6.

Under the GDPR, everyone in the EU has 8 rights when it comes to their personal
data. Read the information in the following table to learn more about what your
individual rights are.
Individual right: The right to be informed
This is one of the main GDPR requirements and means that individuals have the right to be told about any personal data that is collected and how that data will be used.

Individual right: The right of access
Individuals must be allowed to access their personal data and can make a request to do so verbally or in writing. Organisations must respond within one month of a request and cannot charge a fee for access.

Individual right: The right to rectification
If personal data is incorrect or incomplete, individuals have the right to have the data changed or updated. Organisations must respond within one month of a request and cannot charge a fee for access. There are some reasons why a rectification request can be denied.

Individual right: The right to erasure
Also known as “the right to be forgotten”, this right means an individual can make a verbal or written request to have their personal data erased. Not all data can be erased, and there are some instances in which an organisation can refuse to erase data. Organisations must respond within one month of a request.

Individual right: The right to restrict processing
In certain circumstances, it is possible to request that personal data is restricted or suppressed. Restricted data can be stored but not used. Organisations must respond within one month of a request.

Individual right: The right to data portability
Individuals are allowed to get and reuse their personal data for their own purposes and across different services. This means data can be copied, moved or transported in a safe and secure way. Only personal data that has been provided by the individual to the controller falls under this right.

Individual right: The right to object
It is possible to object to the processing of personal data in some circumstances, and individuals are allowed to stop their data being used for direct marketing. Organisations have to tell individuals about their right to object. A request can be made verbally or in writing and organisations must respond within one month.

Individual right: Rights in relation to automated decision-making and profiling
•• Automated decision-making: when decisions are made automatically, e.g. an online decision to award a loan
•• Profiling: when data is processed automatically to evaluate certain things about an individual
Both of these actions are covered under the GDPR and include certain restrictions, which include that the organisation must have a lawful basis for carrying out the decision-making or profiling.
To use either type of decision-making, the decision must be:
•• necessary for the entry into or performance of a contract
•• authorised by Union or Member state law applicable to the controller
•• based on an individual’s explicit consent

[Source: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/]

Did you know?


Under new GDPR regulations, organisations are not allowed to provide
customers with pre-ticked boxes, because they don’t indicate valid consent.
This means that if a customer wants their personal data to be processed, they
have to tick the consent box themselves.


Look at the following example, which shows how an organisation tells its customers
about their data-related rights.

Your Rights
You have the following rights, which you can exercise free of charge:

Access: The right to be provided with a copy of your personal data

Rectification: The right to require us to correct any mistakes in your personal data

To be forgotten: The right to require us to delete your personal data—in certain situations. Please contact us directly if you wish to discuss this further.

Restriction of processing: The right to require us to restrict processing of your personal data—in certain circumstances, e.g. if you contest the accuracy of the data

Data portability: The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations

To object: The right to object:
•• at any time to your personal data being processed for direct marketing (including profiling)
•• in certain other situations to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests

Not to be subject to automated individual decision-making: The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you

For further information on each of these rights, including the circumstances in
which they apply, please contact us or see the guidance from the UK Information
Commissioner’s Office (ICO) on individuals’ rights under the General Data
Protection Regulation.
If you would like to exercise any of those rights, please:
•• complete a data subject request form—available on our website at [insert link];
or
•• email, call or write to us—see below: ‘How to contact us’; and
•• let us have enough information to identify you (e.g. your full name, address and
learner reference number (if applicable));
•• let us have proof of your identity and address (a copy of your driving licence or
passport and a recent utility or credit card bill); and
•• let us know what right you want to exercise and the information to which your
request relates.

The role of a Data Protection Officer


Please read the following as it will help you to answer question 7.

Under the GDPR, it is mandatory for every organisation that regularly processes
personal data to appoint a Data Protection Officer (DPO). The DPO:
•• must be independent and avoid conflicts of interest
•• must report to the highest level of management
•• must be appointed on the basis of their expertise in data protection
•• may be a staff member or external service provider
•• must be provided with appropriate resources to carry out their tasks and maintain
their expert knowledge

The DPO’s role is to:
•• Monitor GDPR compliance to make sure that all employees and the organisation as
a whole follow the GDPR regulation.
•• Act as a source of information and provide advice on data protection requirements.
•• Act as the point of contact for the body that oversees the GDPR, known as the
supervisory authority, and those whose data has been collected.
•• Provide advice on Data Protection Impact Assessments (DPIA; see page 16 for
more information).
•• Provide relevant training to employees.

Did you know?


To keep costs down, an organisation can ‘outsource’ its data protection officer
role to an external organisation who they will go to for help, support and advice
when they need it.


Data Protection Impact Assessment

Please read the following as it will help you to answer question 8.

A Data Protection Impact Assessment (DPIA) is a process that organisations use to
identify data protection risks and put procedures in place to reduce them.
According to the Information Commissioner’s Office (ICO), a DPIA must be conducted
when a type of processing is likely to result in a high risk to the rights and freedoms of
individuals.
When an assessment is done, it should assess how likely each risk is to occur as
well as the level of impact on affected individuals. If a risk is identified that cannot be
reduced, the organisation must inform the Information Commissioner’s Office (ICO), who
will provide written advice.
A DPIA will:
•• include information about the nature, scope, context and purposes of the processing
•• assess how necessary the processing is and what compliance measures are in place
to keep data safe
•• identify and assess risks to individuals
•• identify measures that can be put in place to reduce those risks

The kinds of processing that automatically require a DPIA, according to Article 35(4) of
the GDPR, are:
•• new technologies, including Artificial Intelligence (AI)
•• denial of service, i.e. when decisions on an individual’s access to a product or service
are based on automated decision-making
•• large-scale profiling, i.e. when a large number of individuals are profiled at one time
•• biometrics, i.e. when biometric data, such as fingerprints or facial recognition, is
processed
•• genetic data, i.e. processing of genetic data besides that processed by a healthcare
professional to provide care directly to the data subject
•• data matching, i.e. comparing, matching or combining personal data from multiple
sources
•• invisible processing, i.e. processing of personal data that hasn’t been obtained directly
from the data subject
•• tracking, i.e. using an individual’s geolocation to track them
•• targeting children or other vulnerable individuals, i.e. using their personal data for
marketing purposes, profiling or decision-making
•• risk of physical harm, i.e. the processing is such that a breach could endanger the
physical health or safety of individuals

[Source: www.ico.org.uk]

What should happen in the event of a personal data breach

Please read the following as it will help you to answer question 9.

A data breach refers to instances in which data is lost, accidentally disseminated or
accessed illegally. For example, data may be accidentally sent to the wrong person;
a laptop or memory stick containing personal data could be stolen; or data may be
inaccessible.
Personal data breaches can be catastrophic to the individuals whose data has been
lost or stolen and the organisation responsible for protecting the data.
Organisations should elect a dedicated individual or team to have responsibility for
managing breaches and should implement strong breach detection, investigation and
internal reporting procedures. This will affect whether or not the organisation has to
report the breach.
The GDPR requires all organisations to deal with a personal data breach in the
following way:
•• Take steps to contain the breach as quickly as possible.
•• Assess the severity of the breach.
•• Personal data breaches that will result in a risk to individuals’ rights and freedoms
must be reported to the appropriate supervisory authority within 72 hours of
becoming aware of the breach.
•• If there is a high risk of an adverse impact on individuals’ rights and freedoms, they
must be told of the breach as quickly as possible.
•• Ensure staff know the process to escalate a security incident.
•• Keep a record of personal data breaches – even if they aren’t reported.


Example - Ed Sheeran
In 2017, an Ipswich Hospital administration worker was sacked for accessing
singer Ed Sheeran’s medical records without a legitimate reason, after Sheeran
broke both of his arms in a bike accident. A second worker was also disciplined.

Example - patient data illegally accessed by healthcare worker

A former midwifery assistant at Colchester Hospital University NHS Foundation
Trust was fined £1,715 in 2017 after pleading guilty to unlawfully obtaining
and disclosing personal data. An investigation found that Brioney Woolfe
had accessed the medical records of 29 people, including family members,
colleagues and others, without a legitimate reason. Woolfe then shared some of
this information with others, breaching patient confidentiality and violating the
Data Protection Act.
Woolfe used the trust’s electronic patient record system to access medical
records. She was found out when a woman discovered that her medical record
had been shared with her ex-partner. Head of Enforcement, Steve Eckersley,
said: “Patients are entitled to have their privacy protected and those who work
with sensitive personal data need to know that they can’t just access it or share
it with others when they feel like it. The law is clear and the consequences of
breaking it can be severe.”

Example - Equifax hack

The credit scoring organisation was victim of a cyber attack in 2017, which
saw the personal data of 694,000 UK customers stolen. Up to 15,000 UK
customers had their financial information and passwords stolen, including
partial credit card information. After the cyber attack was first reported, Equifax
denied that any UK customers had been affected. It only admitted the scale of
the breach months later. As a result, the organisation’s share price plummeted
13%.

Example - Hilton Hotels data breach

The hospitality industry is subject to a high number of cyber attacks and in 2017
Hilton Hotels was fined £525,000 for mishandling two separate credit card
data breaches. The attacks, which happened in 2014 and 2015, put 360,000
accounts at risk and the organisation failed to alert authorities as quickly as they
should have.
It was found that credit card targeting malware had infected Hilton’s cash
register computers in 2014 and a similar thing happened again in 2015. The
public were only made aware of the breaches nine months after they happened.


Knowledge Activity 2: Which of the following do you think would require a
Data Protection Impact Assessment? Put a tick next to your choices.

[ ] Credit checks
[ ] Social care records
[ ] Mortgage application
[ ] Artificial intelligence
[ ] Autonomous vehicles

[Answer: see page 23]

The purpose and main elements of the Data Protection Act


Please read the following as it will help you to answer questions 10 and 11.

In 2018, the Data Protection Act 1998 was replaced in the UK by the Data Protection Act
2018, which was created to ensure that data protection laws cover data that is
processed digitally, and by the GDPR for all European Union countries. The updated Data
Protection Act has been created to work alongside the GDPR and to take over from the
GDPR when the UK leaves the European Union.
The new Act provides individuals with rights that allow them to decide how their
personal information is handled and used and take control of their data. It also
provides a data protection framework and definitive punishments for misusing data.
The main elements of the Data Protection Act are explored in the following table.

Element: General data processing
•• implements all GDPR standards across general data processing
•• clarifies what definitions used in the GDPR mean in the UK
•• ensures that essential sensitive data (education, health, social care) can still be
processed and confidentiality maintained
•• in cases of data processing that is justified by public policy, restricts
individuals’ right to access and delete data to ensure that current processing can
continue
•• sets the age of digital consent to process online data at 13 years old

Element: Law enforcement processing
•• provides police, prosecutors and criminal justice agencies with a bespoke regime for
processing personal data for law enforcement purposes
•• allows data to be easily exchanged internationally while maintaining protection

Element: Intelligence services processing
•• allows the intelligence community to keep tackling existing, new and emerging
national security threats by ensuring data processing laws are kept up to date and in
line with modernised international standards

Element: Regulation and enforcement
•• gives the Information Commissioner more powers to regulate and enforce data
protection laws
•• increases the administrative fines the Commissioner can impose, up to £17 million
for serious data breaches
•• allows the Commissioner to bring criminal proceedings when a data
controller/processor alters records to prevent disclosure of a breach
[Source: https://assets.publishing.service.gov.uk/government/uploads/system/
uploads/attachment_data/file/711162/2018-05-23_Factsheet_1_-_Act_
overview.pdf]

How the Data Protection Act differs from the GDPR

Please read the following as it will help you to answer question 12.

All EU countries have to follow the GDPR, but it is possible for EU members to decide
how some aspects of the GDPR are applied in their country. The UK will follow the GDPR
until it leaves the EU; until then, the GDPR and the Data Protection Act should be used
alongside each other.
The Data Protection Act is different from the GDPR in the following ways:
•• It addresses processing by law enforcement and intelligence services.
•• It lays out the power and responsibilities of the Information Commissioner’s Office
(ICO).
•• It lays out the punishments that can be given for breaking data protection laws,
including financial penalties.


Under the GDPR, the ICO can impose the following fines:
•• up to €10 million or 2% of annual global turnover – whichever is higher
•• up to €20 million or 4% of annual global turnover – whichever is higher
The fine levied will be decided on a case-by-case basis.

Did you know?

Following on from the Cambridge Analytica scandal, Facebook had to contact
87 million users who were affected by the data breach. Those affected lived
in America, the UK, the Philippines, Indonesia and Australia. Facebook CEO,
Mark Zuckerberg, knew about the data breach in 2015 but didn’t inform
users.

Knowledge Activity 3: On page 16, you read that ‘new technologies’ automatically
require a DPIA. Go online and research what ‘new technologies’ refers to for the
purposes of the GDPR.


The purpose of the Freedom of Information Act

Please read the following as it will help you to answer question 13.

Based on the principle that people have a right to know about the activities of public
authorities, the Freedom of Information Act 2000 gives members of the public access
to any recorded information that is held by public authorities in England, Wales and
Northern Ireland. Public authorities include:
•• the NHS
•• police forces
•• local authorities
•• government departments

Under the Act, public authorities must publish certain information about their activities
and members of the public can request information that includes letters, photographs,
emails, computer files, printed documents and sound/video recordings.
The Act was created because taxpayers fund public authorities and it was felt that
providing the public with access to information would mean that public authorities
would be held accountable for their actions. It was also hoped that the Act would help
the public to be better informed.
Individuals are not able to access their own personal data under the Act; this must be
done under the Data Protection Act 1998.

Did you know?

Under the Freedom of Information Act, you have a right to request any recorded
information held by a public authority. You can ask for any information you think a
public authority may hold on computers, or in emails, handwritten documents, images,
video and audio recordings. You cannot request personal information under the FOIA;
that has to be done using a subject access request. If information you request would
unfairly reveal personal details about someone else, you won’t be able to access it.


Example of freedom of information access requests – MPs’ expenses

In May 2009 a FOI request uncovered a trove of information about how MPs spent
taxpayers’ money. One MP tried to claim £1,645 for a floating duck house in the
garden pond at his constituency home. The FOI request resulted in a long court
battle, after which MPs were forced to gather and make public their invoices, receipts,
letters and other documents. Consequently, five Labour MPs and two Conservative
peers were sent to prison, others had to repay the money they had falsely claimed,
many MPs resigned or retired and a new expenses system was introduced.

Knowledge Activity 4: Go online and research the impact of a well-known Freedom of
Information request.

Answers to Knowledge Activities

Knowledge Activity 1:
Scenarios 1 and 3 use legal obligation as a lawful basis
Knowledge Activity 2:
All of them

Summary

In this section, you have learned about:
•• the General Data Protection Regulation
•• the purpose of the Data Protection Act
•• the purpose of the Freedom of Information Act
Section 2: Understand organisational procedures concerning data

In this section, you will learn about the procedures an organisation might have for
recording, storing and disposing of data, how to protect data – including encryption
techniques – and security checks that can be made.

Procedures for recording, storing and disposing of data

Please read the following as it will help you to answer question 14.

In the last unit, you learned about the key principles of the General Data Protection
Regulation (GDPR) and the Data Protection Act 2018 (DPA). In this unit you will
explore how three key principles of the GDPR impact on organisational procedures for
recording, storing and disposing of data. The three principles are:
•• Data minimisation: only data that is relevant and limited to what is necessary
in relation to the purposes for which they are processed should be gathered, and
the length of time it is kept for should be limited. In Article 5 (e) of the GDPR,
it is stated that personal data shall be kept no longer than is necessary for the
purposes for which it is being processed. Essentially, when personal data is no
longer needed by an organisation, it should be deleted. While there are no set
guidelines, under the GDPR organisations must define a strict minimum amount of
time for storing personal data.
•• Accuracy: Data must be accurate and kept up to date and every reasonable step
must be taken to ensure that personal data that are inaccurate are erased or
rectified without delay.
•• Storage limitation: Data must be kept in a form that permits identification of data
subjects for no longer than is necessary for the purposes for which the personal
data are processed.


Look at the following example, which shows how an organisation tells its customers
about how long their data will be kept and how it will be disposed of.

Records Retention Schedule (RRS)

This is a list detailing the length of time for which ABC Group aims to keep each
class of records. The retention schedules are based on legislative requirements
and the retention periods are those recommended by JISC for use within the FE
sector, but other legal advice may be taken on an ad-hoc basis. Retention periods
apply to the record and to any associated index data held with the record. Audit
trail data should be held for at least as long as the record, but may be held
longer.
The retention schedule will capture:
•• Type of data
•• Person responsible
•• Disposal
•• When it will be disposed of, and by whom
And covers the following functions:
•• Quality
•• MIS
•• Business Development
•• HR
•• Finance

Staff are responsible for ensuring the Data Coordinator has up-to-date records of
data held and will do so using the Data Information Template.

Document Retention for ESF

ABC Group have robust systems and controls in place to maintain and monitor
access to documentation throughout the retention period.
All documents (including any electronic information) are readily accessible to
requests from auditors and DWP upon request, and are stored in accordance with
DWP standards.


Documentation must be retained as a minimum to meet audit requirements
2007 - 2022 and 2014 - 2030:
No. Document/Information
1 Evidence on the 2-way conversation/action planning to support fee
payment, as detailed in Work Programme Guidance
2 Participant Action Plan or Development Plan
3 Sustainable Development Policy and Action Plans
4 Equality and Diversity Policy and Action Plans
5 Marketing and Publicity documents, including Marketing/Communication
plans and products produced to promote ESF to participants
6 Supporting information for job and sustainment claims, detailed in
programme-specific guidance
7 Supporting information to validate the agreed Progress Measures, as
detailed in the ESF Families with Multiple Problems Guidance
8 Evidence to support the assessment and decision on eligibility for the
ESF families with multiple problems programme secondary referral route
9 Document Retention Policy and Plan

Disposing of Data
Data will be disposed of through either confidential shredding using an external
contractor, or purging from the Company servers.

Disposal of Computer and IT Equipment

Where computer equipment is disposed of, all data shall be removed and storage media,
such as hard disks, tablets, iPads and USB memory sticks, will be “electronically”
shredded or will undergo a similar procedure to ensure that data can’t be “reclaimed”.

Did you know?

Following on from the Cambridge Analytica scandal, Facebook usage surged,
despite warnings that it could mean the end of the social networking site.


Did you know?

In September 2018, credit reference agency Equifax was fined £500,000 by the
Information Commissioner’s Office (ICO). The fine was given after the personal
information of 15 million Britons held by the agency was part of a cyber attack. The
ICO found that Equifax didn’t properly protect the information they collected.

Procedures

Under the GDPR and DPA 2018, every individual has the right to decide whether or not
his or her personal data is gathered and if it is, what is done with it.
To meet the standards in place in the GDPR and the DPA 2018 for recording, storing
and disposing of information, organisations may have the following procedures in place:

Type of information handling: Recording of data
Possible procedures:
•• How to get an individual’s explicit consent to record their information.
•• How to document the purpose for recording information (see page 6).
•• How to inform individuals about the purposes of recording personal information.
•• How to clearly define how long personal information should be kept for, known as
the standard retention period. This usually depends on why the organisation holds the
information, and every organisation has to be able to justify the length of time they
keep information for (see page 8 for information on lawful bases).
•• How to ensure personal information is safe and protected from loss or theft.
•• How to identify personal information that needs to be kept for public interest
archiving, scientific or historical research or statistical purposes.
•• How to review information on a regular basis, e.g. every three months, and erase
any data that is no longer needed.

Type of information handling: Storing of data
Possible procedures:
•• How long personal information can be kept for, including a reasonable
justification for the length of time decided on.
•• Reviewing existing information on a regular basis, including when to erase or
anonymise it (so that the individual can’t be identified by the information).
•• Keeping information safe.
•• What to do if an individual asks that their information is erased – every
individual has the ‘right to be forgotten’.
•• What to do if an individual believes their information to be incorrect.
•• What to do if an individual wants to move, copy or transfer their data.
•• Reviewing information – e.g. how often and what steps to take.
•• How/where to store backup information.

Type of information handling: Disposing of data
Possible procedures:
•• Disposal periods: an organisation may keep different information for different
lengths of time.
•• How to dispose of information in a secure way: this will help prevent information
breaches.
•• Medical data can be disposed of by shredding, pulping or incineration.
•• Electronically-held legal data must be deleted in a way that means it can never be
recovered.

Knowledge Activity 5: Go online and research what steps you have to take
to make a freedom of information access request. List them in the space
below.


How to protect stored data

Please read the following as it will help you to answer question 15.

As you learned in the ‘Did you know?’ section on page 27, there are serious financial
penalties for organisations that don’t properly protect personal information. There are
also serious consequences for any individual whose personal information is stolen. It
can result in their identities being stolen, which can make it difficult for them to buy a
car or get a credit card.
Every organisation that handles personal information must take steps to protect it.
The different ways to protect stored data include:
•• Encryption: encryption is a process by which electronic data is changed into a
secret code that can only be accessed with a password or ‘key’. For example,
encryption is responsible for hiding your credit card number on your computer.
•• Protection from hacks and viruses: by ensuring all IT systems have anti-malware
software, stored data will be safe from viruses, spyware, worms, scareware and
Trojan horses, all of which can steal or be used to access personal information.
•• Not storing passwords on laptops or phones: if the device is stolen, the thief will be
able to access all password-protected information.
•• Keeping operating systems updated: system updates can be annoying, but they are
essential because they are how developers add extra security to your computer to
beat new threats.
•• Having a secure wireless network: the harder it is for a potential hacker to access
an organisation’s network, the safer stored data will be.
•• Backing up: this means that you make an exact copy of every piece of information
and store it in another location so that if one device is damaged, lost or stolen,
the information won’t be lost. An external hard drive can be used for backing up data.
•• Destroying unneeded data: any data that is no longer needed should be deleted, and
if it is kept on an old hard drive or external hard drive, the drive should be
magnetically cleaned or physically shredded so that the data can never be accessed
again.
•• Switching computers off at night: when a computer or laptop is left switched on and
connected to the internet, it gives hackers the opportunity to install malware.


Techniques for encrypting information

Please read the following as it will help you to answer questions 16 and 17.

According to the ICO, encrypting stored information provides “effective protection
against unauthorised or unlawful processing”. This means that if data is lost or stolen,
it can’t be accessed and will remain safe.
The two basic techniques for encrypting information and the advantages and
disadvantages of each are explored in the following table.

Technique: Symmetric – the same password (key) is used for encryption and decryption
Advantages:
•• encrypting/decrypting symmetric data is faster than an asymmetric system
•• provides excellent data security
•• uses a password to prove the data recipient’s identity
Disadvantages:
•• if someone gets a key, they are able to decrypt everything that has been encrypted
with that key
•• requires a safe way of getting the key to another user, as keys are complicated
text – not like a simple password
•• the key must be kept secret
•• high possibility of data being tapped when it is sent

Technique: Asymmetric – a ‘key pair’, i.e. a different password is used for the
encryption and decryption process
Advantages:
•• very secure
•• data can only be decrypted with the correct password or key
•• the encryption key can be shared with anyone, as the decryption key is kept secret
Disadvantages:
•• data can only be decrypted with the correct password or key
•• encryption can be slow

Did you know?

Encrypted information is also called ‘ciphertext’ and unencrypted data is called
‘plaintext’.


Making security checks before releasing information

Please read the following as it will help you to answer questions 18, 19a and 19b.

When an individual contacts an organisation for information, the organisation must
conduct certain security checks before releasing the information. This is done to
protect the company and the individual from possible fraudulent access to their
personal information.

For example, when you contact a credit card company or utility provider, you could be
asked for any of the following information:
•• a unique ‘passphrase’, e.g. your first pet’s name or your mother’s maiden name
•• a number of characters from a password, e.g. characters 2, 5 and 6
•• a number of characters from a PIN code
•• your date of birth
•• your post code
•• the first line of your address
•• account information, e.g. you might be asked the amount of money one of your
direct debits is
•• an account number

If an individual is unable to answer some or all of the security checks, an organisation
may take the following action:
•• not release the information
•• lock the account that someone was trying to access
•• contact the account holder and alert them to the attempt to access their
information
•• alert the police
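
The partial-character check and the follow-up actions above, as an added example in Go (not code from the workbook): the caller is asked for characters 2, 5 and 6, the answer is compared in constant time, and repeated failures lock the account and raise an alert for the account holder. The lock-after-three policy, the account record and the secret are constructed assumptions for this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// MaxFailures is an assumed policy: lock the account after this many failed
// security checks in a row.
const MaxFailures = 3

// Action is what the organisation does after a check, following the list above.
type Action string

const (
	Release      Action = "release information"
	Refuse       Action = "do not release information"
	LockAndAlert Action = "lock account and alert account holder"
)

// Account is a constructed stand-in for a customer record. A partial-character
// check needs the secret in recoverable form (it cannot be answered from a one-way
// password hash), so such secrets must be stored encrypted; it is held in plain
// form here only for illustration.
type Account struct {
	ID       string
	Secret   []byte
	Failures int
	Locked   bool
}

// CheckCharacters verifies "give us characters 2, 5 and 6 of your password".
// positions are 1-based, as read out to the caller; answer holds the characters
// the caller gave, in the same order.
func CheckCharacters(acct *Account, positions []int, answer []byte) Action {
	if acct.Locked {
		return Refuse // a locked account answers nothing until it is unlocked
	}
	expected := make([]byte, 0, len(positions))
	valid := len(positions) == len(answer)
	for _, p := range positions {
		if p < 1 || p > len(acct.Secret) {
			valid = false // an out-of-range position can never match
			break
		}
		expected = append(expected, acct.Secret[p-1])
	}
	// Constant-time comparison so response timing does not reveal which
	// character was wrong.
	if valid && subtle.ConstantTimeCompare(expected, answer) == 1 {
		acct.Failures = 0
		return Release
	}
	acct.Failures++
	if acct.Failures >= MaxFailures {
		acct.Locked = true
		return LockAndAlert
	}
	return Refuse
}

func main() {
	acct := &Account{ID: "ACC-0001", Secret: []byte("s3cretW0rd")} // constructed sample
	fmt.Println(CheckCharacters(acct, []int{2, 5, 6}, []byte("3et"))) // release information
	for i := 0; i < MaxFailures; i++ {
		fmt.Println(CheckCharacters(acct, []int{2, 5, 6}, []byte("xyz")))
	}
}
```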


Fraud is when someone tries to get something, e.g. money or goods, by lying or
pretending they are someone else. If fraud is suspected, an organisation may take the
following action:
•• take steps to protect and record any evidence: take control of any devices the
potential criminal has access to
•• restrict access to company data
•• start an investigation
•• interview members of staff
•• alert the police

Did you know?

The American government has an Advanced Encryption Standard that offers a
256-bit key, which would take almost a billion years for a current computer to
hack.

Knowledge Activity 6: Go online and research Identification Document Validation
Technology. Describe what it is and what it is used for in the space below.


Summary

In this section, you have learned about:
•• organisational procedures concerning data
•• procedures to maintain data confidentiality and security

Section 3: Extension activities

Extension Activity 1: Go online and research what you can do if you find
out that your identity has been stolen and used to create fake social media
accounts.


Extension Activity 2: Read through the following DPIA template. Can you
think of an area where you would need to fill one of these in for your job?

Sample DPIA template

Step 1: Identify the need for a DPIA

Explain broadly what the project aims to achieve and what type of processing it
involves. You may find it helpful to refer or link to other documents, such as a
project proposal. Summarise why you identified the need for a DPIA.

Step 2: Describe the processing

Describe the nature of the processing: how will you collect, use, store and delete
data? What is the source of the data? Will you be sharing data with anyone? You
might find it useful to refer to a flow diagram or another way of describing data
flows. What types of processing identified as likely high risk are involved?

Describe the scope of the processing: what is the nature of the data, and does
it include special category or criminal offence data? How much data will you be
collecting and using? How often? How long will you keep it? How many individuals
are affected? What geographical area does it cover?
Describe the context of the processing: what is the nature of your relationship
with the individuals? How much control will they have? Would they expect you to
use their data in this way? Do they include children or other vulnerable groups?
Are there prior concerns over this type of processing or security flaws? Is it novel
in any way? What is the current state of technology in this area? Are there any
current issues of public concern that you should factor in? Are you signed up to any
approved code of conduct or certification scheme (once any have been approved)?

Describe the purposes of the processing: what do you want to achieve? What is
the intended effect on individuals? What are the benefits of the processing for you,
and more broadly?


Step 3: Consultation process

Consider how to consult with relevant stakeholders: describe when and how
you will seek individuals’ views – or justify why it’s not appropriate to do so. Who
else do you need to involve within your organisation? Do you need to ask your
processors to assist? Do you plan to consult information security experts, or any
other experts?

Step 4: Assess necessity and proportionality

Describe compliance and proportionality measures – in particular: what is your
lawful basis for processing? Does the processing actually achieve your purpose?
Is there another way to achieve the same outcome? How will you prevent function
creep? How will you ensure data quality and data minimisation? What information
will you give individuals? How will you help to support their rights? What measures
do you take to ensure processors comply? How do you safeguard any international
transfers?

Step 5: Identify and assess risks

Describe the source of risk and nature of potential impact on individuals. Include
associated compliance and corporate risks as necessary. For each risk, record:
•• Likelihood of harm: remote, possible or probable
•• Severity of harm: minimal, significant or severe
•• Overall risk: low, medium or high


Step 6: Identify measures to reduce risk

Identify additional measures you could take to reduce or eliminate risks identified
as medium or high risk in step 5. For each risk, record:
•• Options to reduce or eliminate risk
•• Effect on risk: eliminated, reduced or accepted
•• Residual risk: low, medium or high
•• Measure approved: yes/no

Step 7: Sign off and record outcomes

For each item, record the name and date, and note the following:
•• Measures approved by: integrate actions back into project plan, with date and
responsibility for completion
•• Residual risks approved by: if accepting any residual high risk, consult the ICO
before going ahead
•• DPO advice provided: DPO should advise on compliance, step 6 measures and whether
processing can proceed
•• Summary of DPO advice:
•• DPO advice accepted or overruled by: if overruled, you must explain your reasons
   Comments:
•• Consultation responses reviewed by: if your decision departs from individuals’
views, you must explain your reasons
   Comments:
•• This DPIA will be kept under review by: the DPO should also review ongoing
compliance with DPIA

[Source: https://ico.org.uk/media/about-the-ico/consultations/2258461/dpia-
template-v04-post-comms-review-20180308.pdf]

Well done!
You have now completed Workbook 1 and should attempt
the assessments. If you require any help or guidance,
please contact your Assessor/Tutor.

Disclaimer

Every effort has been made to ensure that the information contained within this
learning material is accurate and reflects current best practice. All information
provided should be used as guidance only, and adapted to reflect local practices and
individual working environment protocols.

All legislation is correct at the time of printing, but is liable to change (please
ensure when referencing legislation that you are working from the most recent
edition/amendment).

Neither Learning Curve Group (LCG); nor their authors, publishers or distributors
accept any responsibility for any loss, damage or injury (whether direct, indirect,
incidental or consequential) howsoever arising in connection with the use of the
information in this learning material.

Whilst NCFE has exercised reasonable care and skill in endorsing this resource, we
make no representation, expressed or implied, with regard to the continued accuracy
of the information contained in this resource. NCFE does not accept any legal
responsibility or liability for any errors or omissions from the resource or the
consequences thereof.

Copyright 2018

All rights reserved. All material contained within this manual, including (without
limitation): text; logos; icons; and all other artwork is copyright material of
Learning Curve Group (LCG), unless otherwise stated. No part of this publication may
be reproduced, stored in a retrieval system, or transmitted in any form or by any
means (electronic, mechanical, photocopying, recording or otherwise), without the
prior permission of the copyright owners.

If you have any queries, feedback or need further information please contact:

Learning Curve Group
1-10 Dunelm Rise
Durham Gate
Spennymoor, DL16 6FS
info@learningcurvegroup.co.uk
www.learningcurvegroup.co.uk

This resource has been endorsed by national Awarding Organisation, NCFE. This means
that NCFE has reviewed it and agreed that it meets the necessary endorsement criteria.

LCG-DPDS November 2018
Version 1 (603/3639/0)