Академический Документы
Профессиональный Документы
Культура Документы
NCFE Level 2
PERSONAL DATA
PHYSICAL ACCESS
ELECTRONIC ACCESS
ORGANISATIONAL PROCEDURES
CONFIDENTIALITY
Workbook 1
How to use your learning materials
This course is delivered on a flexible learning basis. This means that most of your
study will take place away from your Assessor/Tutor. It helps to carefully plan your
studying so that you get the most out of your course. We have put together some
handy tips for you below.
Study Guidance
Try to plan an outline timetable of when and where you will study.
Try to complete your work in a quiet environment where you are unlikely to
be distracted.
Set realistic goals and deadlines for the various elements of your course.
Plan what you are going to study during each session, and try and achieve
this each time.
After each session, reflect on what you have achieved and plan what you hope to
complete next time.
Remember that not only do you have the support of your Assessor/Tutor, but it is
likely that your family, friends and work colleagues will also be willing to help.
Assessor/Tutor Support
Your Assessor/Tutor will be available to support and guide you through the
programme. They are experts in your area of study and are experienced in helping
many different types of learners.
They can help you to improve the standard of work you submit and will give
you useful feedback on areas in which you have excelled, as well as where
you can improve.
Remember to listen to, or read, their feedback carefully. Ask if you are unsure
about any of the feedback you receive as your Assessor/Tutor is there to help.
Make note of any tips they give. Refer to the learning materials as they contain the
information you need to complete the end-of-unit assessments.
Look out for areas in which you can improve, and set yourself an action plan to
make sure you complete the required work.
Take positive feedback on board; this demonstrates you are doing things right and
have a good understanding of the subject area.
Use the feedback to avoid repeating any mistakes you may have made.
2 © LCG 2018
NCFE Level 2 Certificate in Understanding
Data Protection and Data Security
Workbook 1
Workbook Contents
This workbook introduces you to the different laws that are in place to protect
our data. You will explore the General Data Protection Regulation (GDPR), how it
is applied by organisations and how it affects you as a consumer. You will also
learn about the Data Protection and Freedom of Information Acts and procedures
organisations may put into place to protect data.
Contents
This workbook contains three sections: Page
Section 1: Understand current data protection legislation 4
Section 2: Understand organisational procedures concerning data 24
Section 3:
Extension activities 34
Assessment 1
The assessments for this workbook can be found in: Learner contact details:
Name:
Email:
Learner declaration
attempt the assessment. Your Assessor/Tutor will then If you need any help in completing these Assessments, refer to the
relevant section within Workbook 1, or contact your Assessor/Tutor.
give you detailed written feedback on your progress. Please tick one of the boxes below to show what your status will be when you complete this course.
EMP 1 In paid employment for 16 hours or more
per week
EMP 2 In paid employment for less than 16 hours
GAP 1 Gap year before
starting HE
EDU 1 Traineeship
per week EDU 2 Apprenticeship
Workbook 1 3
Section 1: Understand current data protection legislation
In this section, you will learn about the GDPR, including what it is, its purpose and
what organisations need to do to meet the associated legal requirements.
Personal data
Please read the following as it will help you to answer question 1.
Personal data is any information that can be used to identify a specific person, for
example:
•• a name
•• address
•• date of birth
•• IP address (a computer’s unique identification number)
•• genetic or biometric data, e.g. fingerprints
•• information about criminal convictions
There isn’t a definitive list about what is considered to be personal data under the
General Data Protection Regulation (GDPR) 2018; however, personal data is defined
in the Regulation as:
For example, a name on its own such as Jack Jones may not be considered personal
data because there are thousands of people with that name, but a name with a date
of birth and address would allow an individual to be identified.
4 © LCG 2018
Section 1: Understand current data protection legislation
The GDPR is European legislation that was brought into effect in May 2018 to replace
the Data Protection Act 1998. It is used alongside the new Data Protection Act 2018,
which will be used in the UK after it leaves the EU. The main purpose of the GDPR is
to create data protection laws that will protect all members of the European Union.
Additionally, the GDPR:
•• increases privacy
•• extends EU residents’ data rights
•• provides authorities with powers to take action against any organisation that
breaches the regulation
•• ensures that all new businesses that use personal data follow the regulation
•• ensures that businesses outside the EU collect and process the personal data of
EU residents according to the regulation
The GDPR applies to two different groups: data controllers and data processors.
Example
A plumbing supply company has 50 employees. It signs a contract with a payroll
firm that provides the IT system and stores all of the company’s staff data, including
employee names and addresses, National Insurance numbers, wage amounts and
when wages should be paid. This agreement makes the plumbing supply company the
controller and the payroll firm the processor.
Workbook 1 5
Section 1: Understand current data protection legislation
The GDPR provides a range of key principles that organisations must include in
their data protection regime (policies and procedures) to stay compliant. Read the
information in the following table to learn about each of the principles.
Principle Description
Lawfulness, fairness Lawful: data subjects should be told what data processing will
and transparency be done.
Fair: data must be processed in the way described to the
data subject.
Transparent: processing must meet the tests described in the
GDPR.
Purpose limitation Data must be collected for specified, explicit and legitimate
purposes and not further processed in a manner that
is incompatible with those purposes; further processing
for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes shall not
be considered to be incompatible with the initial purposes.
Data minimisation Only data that is relevant and limited to what is necessary in
relation to the purposes for which they are processed should
be gathered.
Accuracy Data must be accurate and kept up to date, and every
reasonable step must be taken to ensure that personal data
that are inaccurate are erased or rectified without delay.
Storage limitation Data must be kept in a form that permits identification of
data subjects for no longer than is necessary for the purposes
for which the personal data are processed.
6 © LCG 2018
Section 1: Understand current data protection legislation
Workbook 1 7
Section 1: Understand current data protection legislation
Under the GDPR, an organisation must have a lawful reason for processing personal
data. There are 8 lawful bases for processing personal data in the GDPR, and
organisations must choose the lawful basis that is most appropriate to the purpose
and relationship with the individual.
Processing personal data must be necessary to a company’s purpose, otherwise it will
not be permitted to process. Whichever basis is chosen, it should be included in the
organisation’s privacy notice.
Read the information in the following table to learn about each lawful basis.
Lawful basis Explanation
Consent •• A consent basis means that an organisation must offer
individuals choice and control over their personal data.
•• This basis requires individuals to ‘positively opt in’, which
means they have to select a box themselves, not de-select
a pre-ticked box.
•• Consent requires a clear and specific statement of consent
and requests should be kept separately from other terms
and conditions.
•• Blanket consents are not acceptable – individual consents
have to be received for separate things.
•• Consents must be clear and concise.
•• It must be easy for an individual to withdraw consent at
any time.
•• Organisations must keep evidence of consent and review
consent on a regular basis, updating it with any changes as
necessary.
•• Consent shouldn’t be made a precondition of a service.
Contract This basis is used when an organisation processes personal
data because it has a contractual obligation to them or
because the individual has asked the organisation to do
something before entering into a contract, e.g. providing a
quote.
The organisation should document the decision to use this
basis and be able to provide an appropriate justification, if
asked.
8 © LCG 2018
Section 1: Understand current data protection legislation
Workbook 1 9
Section 1: Understand current data protection legislation
Look at the following example, which shows an organisation’s internal policy about
how data will be processed.
10 © LCG 2018
Section 1: Understand current data protection legislation
When determining whether the Company’s legitimate interests are the most
appropriate basis for lawful processing, we will:
1. conduct a legitimate interests assessment (LIA) and keep a record of it, to
ensure that we can justify our decision;
2. if the LIA identifies a significant privacy impact, consider whether we also
need to conduct a data protection impact assessment (DPIA);
3. keep the LIA under review, and repeat it if circumstances change; and
4. include information about our legitimate interests in our relevant privacy
notice(s).
Knowledge Activity 1: Put a tick next to the scenarios that you think could
use legal obligation as a lawful basis for processing data.
Workbook 1 11
Section 1: Understand current data protection legislation
Individual rights
Please read the following as it will help you to answer question 6.
Under the GDPR, everyone in the EU has 8 rights when it comes to their personal
data. Read the information in the following table to learn more about what your
individual rights are.
Individual right Explanation
The right to be This is one of the main GDPR requirements and means that
informed individuals have the right to be told about any personal data
that is collected and how that data will be used.
The right of access Individuals must be allowed to access their personal data
and can make a request to do so verbally or in writing.
Organisations must respond within one month of a request
and cannot charge a fee for access.
The right to If personal data is incorrect or incomplete, individuals have
rectification the right to have the data changed or updated. Organisations
must respond within one month of a request and cannot
charge a fee for access. There are some reasons why a
rectification request can be denied.
The right to erasure Also known as “the right to be forgotten”, this right means an
individual can make a verbal or written request to have their
personal data erased. Not all data can be erased, and there
are some instances in which an organisation can refuse to
erase data. Organisations must respond within one month of
a request.
The right to restrict In certain circumstances, it is possible to request that
processing personal data is restricted or suppressed. Restricted data can
be stored but not used. Organisations must respond within
one month of a request.
The right to data Individuals are allowed to get and reuse their personal data
portability for their own purposes and across different services. This
means data can be copied, moved or transported in a safe
and secure way. Only personal data that has been provided
by the individual to the controller falls under this right.
The right to object It is possible to object to the processing of personal data in
some circumstances and individuals are allowed to stop their
data being used for direct marketing. Organisations have to
tell individuals about their right to object. A request can be
made verbally or in writing and organisations must respond
within one month.
12 © LCG 2018
Section 1: Understand current data protection legislation
Workbook 1 13
Section 1: Understand current data protection legislation
Look at the following example, which shows how an organisation tells its customers
about their data-related rights.
Your Rights
You have the following rights, which you can exercise free of charge:
Access The right to be provided with a copy of your personal data
Rectification The right to require us to correct any mistakes in your
personal data
To be forgotten The right to require us to delete your personal data—in
certain situations. Please contact us directly if you wish to
discuss this further.
Restriction of The right to require us to restrict processing of your
processing personal data—in certain circumstances, e.g. if you
contest the accuracy of the data
Data portability The right to receive the personal data you provided to us,
in a structured, commonly used and machine-readable
format and/or transmit that data to a third party—in certain
situations
To object The right to object:
•• at any time to your personal data being processed for
direct marketing (including profiling)
•• in certain other situations to our continued processing
of your personal data, eg processing carried out for the
purpose of our legitimate interests
Not to be subject The right not to be subject to a decision based solely on
to automated automated processing (including profiling) that produces
individual decision- legal effects concerning you or similarly significantly affects
making you
14 © LCG 2018
Section 1: Understand current data protection legislation
•• let us have enough information to identify you (e.g. your full name, address and
learner reference number (if applicable));
•• let us have proof of your identity and address (a copy of your driving licence or
passport and a recent utility or credit card bill); and
•• let us know what right you want to exercise and the information to which your
request relates.
Under the GDPR, it is mandatory for every organisation that regularly processes
personal data to appoint a Data Protection Officer (DPO). The DPO:
•• must be independent and avoid conflicts of interest
•• must report to the highest level of management
•• must be appointed on the basis of their expertise in data protection
•• may be a staff member or external service provider
•• must be provided with appropriate resources to carry out their tasks and maintain
their expert knowledge
Workbook 1 15
Section 1: Understand current data protection legislation
The kind of processes that automatically require a DPIA, according to Article 35(4) of
the GDPR are:
•• new technologies, including Artificial Intelligence (AI)
•• denial of service, i.e. when decisions on an individual’s access to a product or service
is based on automated decision-making
•• large-scale profiling, i.e. when a large number of individuals are profiled at one time
•• biometrics, i.e. when biometric data, such as fingerprints or facial recognition, is
processed
•• genetic data, i.e. processing of genetic data besides that processed by a healthcare
profession to provide care direct to the data subject
•• data matching, i.e. comparing, matching or combining personal data from multiple
sources
•• invisible processing, i.e. processing of personal data hasn’t been obtained directly
from the data subject
•• tracking, i.e. using an individual’s geolocation to track them
16 © LCG 2018
Section 1: Understand current data protection legislation
•• targeting children or other vulnerable individuals, i.e. using personal data for
marketing purposes, profiling or decision-making
•• risk of physical harm, i.e. the processing is such that a breach could endanger the
physical health or safety of individuals
[Source: www.ico.org.uk]
Workbook 1 17
Section 1: Understand current data protection legislation
Example - Ed Sheeran
In 2017, an Ipswich Hospital administration worker was sacked for accessing
singer Ed Sheeran’s medical records without a legitimate reason, after Sheeran
broke both of his arms in a bike accident. A second worker was also disciplined.
18 © LCG 2018
Section 1: Understand current data protection legislation
Credit checks
Social care records
Mortgage application
Artificial intelligence
Autonomous vehicles
The Data Protection Act 1998 was replaced in 2018 by the Data Protection Act
2018 in the UK, which was created to ensure that data protection laws encompass
data that is processed digitally, and the GDPR for all European Union countries. The
updated Data Protection Act has been created to work alongside the GDPR and to
take over from the GDPR when the UK leaves the European Union.
The new Act provides individuals with rights that allow them to decide how their
personal information is handled and used and take control of their data. It also
provides a data protection framework and definitive punishments for misusing data.
The main elements of the Data Protection Act are explored in the following table.
Element Description
General data •• implements all GDPR standards across general data
processing processing
•• clarifies what definitions used in the GDPR mean in the UK
•• ensures that essential sensitive data (education, health,
social care) can still be processed and confidentiality
maintained
•• in cases of data processing that is justified by public policy,
restricts individuals’ right to access and delete data to
ensure that current processing can continue
•• sets the age of digital consent to process online data at 13
years old
Workbook 1 19
Section 1: Understand current data protection legislation
All EU countries have to follow the GDPR, but it is possible for EU members to decide
how some aspects of the GDPR are applied in their country. GDPR will be followed by
the UK until it leaves the EU, but until then, the GDPR and Data Protection Act should
be used alongside each other.
The Data Protection Act is different from the GDPR in the following ways:
•• It addresses processing by law enforcement and intelligence services.
•• It lays out the power and responsibilities of the Information Commissioner’s Office
(ICO).
•• It lays out the punishments that can be given for breaking data protection laws,
including financial penalties.
20 © LCG 2018
Section 1: Understand current data protection legislation
Under the GDPR, the ICO can impose the following fines:
•• Up to €10 million or 2% annual global turnover – whichever is higher
•• Up to €20 million, or 4% annual global turnover – whichever is higher
•• The fines levied will be decided on a case-by-case basis.
Workbook 1 21
Section 1: Understand current data protection legislation
Based on the principle that people have a right to know about the activities of public
authorities, the Freedom of Information Act 2000 gives members of the public access
to any recorded information that is held by public authorities in England, Wales and
Northern Ireland. Public authorities include:
•• the NHS
•• police forces
•• local authorities
•• government departments
Under the Act, public authorities must publish certain information about their activities
and members of the public can request information that includes letters, photographs,
emails, computer files, printed documents and sound/video recordings.
The Act was created because taxpayers fund public authorities and it was felt that
providing the public with access to information would mean that public authorities
would be held accountable for their actions. It was also hoped that the Act would help
the public to be better informed.
Individuals are not able to access their own personal data under the Act; this must be
done under the Data Protection Act 1998.
22 © LCG 2018
Section 1: Understand current data protection legislation
Summary
In this section, you will learn about the procedures an organisation might have for
recording, storing and disposing of data, how to protect data – including encryption
techniques – and security checks that can be made.
In the last unit, you learned about the key principles of the General Data Protection
Regulation (GDPR) and the Data Protection Act 2018 (DPA). In this unit you will
explore how three key principles of the GDPR impact on organisational procedures for
recording, storing and disposing of data. The three principles are:
•• Data minimisation: only data that is relevant and limited to what is necessary
in relation to the purposes for which they are processed should be gathered, and
the length of time it is kept for should be limited. In Article 5 (e) of the GDPR,
it is stated that personal data shall be kept no longer than is necessary for the
purposes for which it is being processed. Essentially, when personal data is no
longer needed by an organisation, it should be deleted. While there are no set
guidelines, under the GDPR organisations must define a strict minimum amount of
time for storing personal data.
•• Accuracy: Data must be accurate and kept up to date and every reasonable step
must be taken to ensure that personal data that are inaccurate are erased or
rectified without delay.
•• Storage limitation: Data must be kept in a form that permits identification of data
subjects for no longer than is necessary for the purposes for which the personal
data are processed.
24 © LCG 2018
Section 2: Understand organisational procedures
concerning data
Look at the following example, which shows how an organisation tells its customers
about how long their data will be kept and how it will be disposed of.
Staff are responsible for ensuring the Data Coordinator has up-to-date records of
data held and will do so using the Data Information Template.
Workbook 1 25
Section 2: Understand organisational procedures
concerning data
Disposing of Data
Data will be disposed of through either confidential shredding using an external
contractor, or purging from the Company servers.
26 © LCG 2018
Section 2: Understand organisational procedures
concerning data
Procedures
Under the GDPR and DPA 2018, every individual has the right to decide whether or not
his or her personal data is gathered and if it is, what is done with it.
To meet the standards in place in the GDPR and the DPA 2018 for recording, storing
and disposing of information, organisations may have the following procedures in place:
Storing of data •• How long personal information can be kept for, including a
reasonable justification for the length of time decided on.
•• Reviewing existing information on a regular basis, including when
to erase or anonymise it (so that the individual can’t be identified
by the information).
•• Keeping information safe.
•• What to do if an individual asks that their information is erased –
every individual has the ‘right to be forgotten’.
•• What to do if an individual believes their information to be
incorrect.
•• What to do if an individual wants to move, copy or transfer their
data.
•• Reviewing information – e.g. how often and what steps to take.
•• How/where to store backup information.
Disposing of •• Disposal periods: an organisation may keep different information
data for different lengths of time.
•• How to dispose of information in a secure way: this will help
prevent information breaches.
•• Medical data can be disposed of by shredding, pulping or
incineration.
•• Electronically-held legal data must be deleted in a way that
means it can never be recovered.
Knowledge Activity 5: Go online and research what steps you have to take
to make a freedom of information access request. List them in the space
below.
28 © LCG 2018
Section 2: Understand organisational procedures
concerning data
As you learned in the ‘Did you know?’ section on page 27, there are serious financial
penalties for organisations that don’t properly protect personal information. There are
also serious consequences for any individual whose personal information is stolen. It
can result in their identities being stolen, which can make it difficult for them to buy a
car or get a credit card.
Every organisation that handles personal information must take steps to protect it.
The different ways to protect stored data include:
•• Encryption: encryption is a process by which electronic data is changed into a
secret code that can only be accessed with a password or ‘key’. For example,
encryption is responsible for hiding your credit card number on your computer.
•• Protection from hacks and viruses: by ensuring all IT systems have anti-malware
software, stored data will be safe from viruses, spyware, worms, scareware and
Trojan horses, all of which can steal or be used to access personal information.
•• Not storing passwords on laptops or phones: if the device is stolen, the thief will be
able to access all password-protected information.
•• Keeping operating systems updated: system updates can be annoying, but they are
essential because they are how developers add extra security to your computer to
beat new threats.
•• Having a secure wireless network: the harder it is for a potential hacker to access
an organisation’s network, the safer stored data will be.
•• Backing up: this means that you make an exact copy
of every piece of information and store it in another
location so that if one device is damaged, lost or
stolen, the information won’t be lost. An external hard
drive can be used for backing up data.
•• Destroying unneeded data: any data that is no longer
still needed should be deleted, and if it is kept on an
old hard drive or external hard drive, they should be
magnetically cleaned or physically shredded so that the
data can never be accessed again.
•• Switching computers off at night: when a computer
or laptop is left switched on and connected to the
internet, it gives hackers the opportunity to install
malware.
Workbook 1 29
Section 2: Understand organisational procedures
concerning data
30 © LCG 2018
Section 2: Understand organisational procedures
concerning data
For example, when you contact a credit card company or utility provider, you could be
asked for any of the following information:
•• a unique ‘passphrase’, e.g. your first pet’s name or your mother’s maiden name
•• a number of characters from a password, e.g. characters 2, 5 and 6.
•• a number of characters from a pin code
•• your date of birth
•• your post code
•• the first line of your address
•• account information, e.g. you might be asked the amount of money one of your
direct debits is
•• an account number
Workbook 1 31
Section 2: Understand organisational procedures
concerning data
Fraud is when someone tries to get something, e.g. money or goods, by lying or
pretending they are someone else. If fraud is suspected, an organisation may take the
following action:
•• take steps to protect and record any evidence: take control of any devices the
potential criminal has access to
•• restrict access to company data
•• start an investigation
•• interview members of staff
•• alert the police
32 © LCG 2018
Section 2: Understand organisational procedures
concerning data
Summary
Workbook 1 33
Section 3: Extension activities
Extension Activity 1: Go online and research what you can do if you find
out that your identity has been stolen and used to create fake social media
accounts.
34 © LCG 2018
Section 3: Extension activities
Extension Activity 2: Read through the following DPIA template. Can you
think of an area where you would need to fill one of these in for your job?
Describe the scope of the processing: what is the nature of the data, and does
it include special category or criminal offence data? How much data will you be
collecting and using? How often? How long will you keep it? How many individuals
are affected? What geographical area does it cover?
Describe the context of the processing: what is the nature of your relationship
with the individuals? How much control will they have? Would they expect you to
use their data in this way? Do they include children or other vulnerable groups?
Are there prior concerns over this type of processing or security flaws? Is it novel
in any way? What is the current state of technology in this area? Are there any
current issues of public concern that you should factor in? Are you signed up to any
approved code of conduct or certification scheme (once any have been approved)?
Describe the purposes of the processing: what do you want to achieve? What is
the intended effect on individuals? What are the benefits of the processing for you,
and more broadly?
Workbook 1 35
Section 3: Extension activities
36 © LCG 2018
Section 3: Extension activities
Workbook 1 37
Section 3: Extension activities
[Source: https://ico.org.uk/media/about-the-ico/consultations/2258461/dpia-
template-v04-post-comms-review-20180308.pdf]
Well done!
You have now completed Workbook 1 and should attempt
the assessments. If you require any help or guidance,
please contact your Assessor/Tutor.
38 © LCG 2018
Please use this page for additional notes
Workbook 1 39
SECURITY CHECKS