[Q22-Q47] Updated Jul-2024 Exam Engine or PDF for the BCS PDP9 test to help you quickly prepare for the BCS exam!


NEW QUESTION # 22
Where are the definitions of "Public Authority" and "Public Bodies" found?

  • A. Freedom of Information Act 2000 and Data Protection Act 2018
  • B. Data Protection Act 2018 and PECR.
  • C. Data Protection Act 2018 only
  • D. GDPR and Data Protection Act 2018.

Answer: A

Explanation:
The definitions of "public authority" and "public body" for the purposes of the UK GDPR are set out in section 7 of the Data Protection Act 2018, which in turn relies on the Freedom of Information Act 2000: a public authority or public body is one that is a public authority as defined by the Freedom of Information Act 2000, for example a body listed in Schedule 1 to that Act or designated by an order under section 5 of that Act. The two Acts therefore have to be read together, which is why option A is correct. Note also that Article 37(1)(a) of the UK GDPR excludes courts acting in their judicial capacity from the public-authority obligation to appoint a Data Protection Officer.
References:
* Section 7 of the Data Protection Act 2018
* Schedule 1 to the Freedom of Information Act 2000


NEW QUESTION # 23
Where a processor engages another processor ("sub-processor") to carry out processing activities on behalf of a controller, which of the following statements is CORRECT?

  • A. The processor may use the sub-processor without the written authorisation of the controller if the processing is deemed to be low risk.
  • B. The processor may use the sub-processor without the written authorisation of the controller if it adheres to an approved code of conduct
  • C. The processor may use the sub-processor without the written authorisation of the controller if the sub-processor signs a contract which reflects the same obligations as the contract with the controller
  • D. The processor must receive prior written authorisation to use the sub-processor

Answer: D

Explanation:
Article 28(2) of the UK GDPR provides that a processor shall not engage another processor without the prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor must inform the controller of any intended changes concerning the addition or replacement of other processors, giving the controller the opportunity to object. Article 28(4) adds that where a sub-processor is engaged, the same data protection obligations as set out in the contract or other legal act between the controller and the processor must be imposed on the sub-processor by way of a contract or other legal act, in particular sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the UK GDPR. The other options are incorrect: written authorisation is required regardless of whether the processor adheres to an approved code of conduct, whether the sub-processor signs a contract mirroring the controller's terms, or whether the processing is deemed low risk. A mirroring contract is a separate obligation under Article 28(4), not a substitute for the controller's authorisation.
References:
* Article 28(2) and 28(4) of the UK GDPR
* ICO guidance on contracts and liabilities between controllers and processors


NEW QUESTION # 24
In which of the following circumstances does a public authority NOT need to appoint a Data Protection Officer?

  • A. Where it is defined as a public body in the Data Protection Act 2018
  • B. Where it is a court acting in its judicial capacity
  • C. Where it processes special category data
  • D. Where it processes a large amount of personal data

Answer: B

Explanation:
Under Article 37(1)(a) of the UK GDPR, a public authority or public body must appoint a Data Protection Officer (DPO), except for courts acting in their judicial capacity. This is the only exception for public authorities or bodies from the obligation to appoint a DPO. The other circumstances listed in the question (processing a large amount of personal data, processing special category data, or being defined as a public body in the Data Protection Act 2018) do not exempt a public authority or public body from appointing a DPO; if anything, large-scale monitoring and large-scale processing of special category data are themselves triggers for appointing one under Article 37(1)(b) and (c).
References:
* Article 37 of the UK GDPR
* Data protection officers | ICO


NEW QUESTION # 25
Which task are supervisory authorities NOT required to carry out under Article 57(1)(f) of the UK GDPR? Select the CORRECT answer.

  • A. Handle complaints lodged by a data subject
  • B. Co-ordinate where necessary with other supervisory authorities
  • C. Investigate complaints and inform the complainant of the progress of their investigation
  • D. Mediate between the complainant and the entity against which the complaint has been lodged, to resolve the complaint

Answer: D

Explanation:
Article 57(1)(f) of the UK GDPR requires the supervisory authority (the ICO in the UK) to handle complaints lodged by a data subject, to investigate the subject matter of the complaint to the extent appropriate, and to inform the complainant of the progress and outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary. It does not require the supervisory authority to mediate between the complainant and the controller or processor against which the complaint has been lodged. Resolving a complaint by agreement may happen in practice, but it is not a task imposed by Article 57(1)(f).
References:
* Article 57(1)(f) of the UK GDPR
* ICO and complaints


NEW QUESTION # 26
Describe the act of processing under the authority of a controller or processor as stipulated in UK GDPR Article 29.

  • A. A processor shall not process those data except on instructions from the controller, unless required to do so by domestic law
  • B. The processor shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
  • C. The processor shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the processor to mitigate the risk.
  • D. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.

Answer: A

Explanation:
Article 29 of the UK GDPR states that the processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process those data except on instructions from the controller, unless required to do so by domestic law. The processor must therefore follow the controller's directions on how to handle the personal data and cannot use them for its own purposes or deviate from the agreed terms; the only exception is where the processor is obliged by law to process the data differently, for example to comply with a court order or a statutory obligation. The other options describe obligations under different articles of the UK GDPR: Article 25 (data protection by design and by default), Article 30 (records of processing activities) and Article 36 (prior consultation).
References:
* Article 29 of the UK GDPR
* ICO guidance on controllers and processors


NEW QUESTION # 27
If a complainant disagrees with the decision of the UK's supervisory authority, how do they appeal this decision?

  • A. To the European Commission
  • B. To the First-tier Tribunal (Information Rights)
  • C. To the Information Commissioner
  • D. To the European Data Protection Supervisor.

Answer: B

Explanation:
If a complainant disagrees with a decision of the UK's supervisory authority, the Information Commissioner's Office (ICO), the route of appeal is to the First-tier Tribunal (Information Rights), which sits in the General Regulatory Chamber. The tribunal is an independent body that can review the ICO's decision and uphold, vary or cancel it, and it can direct the ICO to take certain actions, such as issuing a decision notice or an enforcement notice. An appeal must be lodged within 28 days of receiving the ICO's decision, using the notice of appeal form and setting out the grounds of appeal together with the relevant documents. The tribunal notifies the ICO and the complainant of the appeal and of the procedure for dealing with it, and may either hold a hearing to examine the evidence and arguments of both parties or decide the case on written submissions alone. It issues a written decision, which is sent to both parties and published on the tribunal's website. A tribunal decision can be appealed further to the Upper Tribunal on a point of law, with the permission of the First-tier Tribunal or of the Upper Tribunal. The European Commission and the European Data Protection Supervisor have no role in UK appeals, and the Information Commissioner does not hear appeals against its own decisions.
References:
* Information rights and data protection: appeal against the Information Commissioner
* Notice of appeal form
* First-tier Tribunal (Information Rights) website


NEW QUESTION # 28
The Article 9(2)(c) UK GDPR condition for processing special category data in the vital interests of the data subject applies only in which of the following circumstances?

  • A. When the data subject refuses to consent
  • B. When a data subject is incapacitated
  • C. When another lawful basis applies.
  • D. When the data subject is physically unable to be present

Answer: B

Explanation:
Article 9(2)(c) of the UK GDPR permits the processing of special category data where it is necessary to protect the vital interests of the data subject or of another natural person and the data subject is physically or legally incapable of giving consent. It covers situations where the data subject cannot exercise their right to consent or object, for example because they are unconscious, in a coma, lacking mental capacity, or otherwise unable to communicate their wishes. The condition is intended for emergencies, such as life-threatening medical interventions, where consent cannot be obtained in time. It does not apply when another lawful basis is available, when the data subject is physically absent but still capable of giving consent, or when the data subject has refused consent: the ICO's guidance is that vital interests cannot be relied on to override a refusal by someone who is capable of consenting.
References:
* Article 9(2)(c) of the UK GDPR
* ICO guidance on special category data


NEW QUESTION # 29
Under which circumstances can the 'domestic purposes' exemption be used to justify non-compliance with the Data Protection Act 2018?
A) An individual sells make-up products for commission and uses social media to promote products to friends and family
B) A couple are planning their daughter's wedding and use Excel to store contact details and dietary needs of the guests
C) An individual employs a babysitter and stores her bank details in an encrypted document in order to make payments
D) A parish council keeps a spreadsheet to manage bookings of the village hall; it contains only contact information and time slots
E) A group of students are arranging a house party and using social media to invite people that they do and do not know

  • A. A, B, C and E
  • B. A, B, C and D
  • C. B, C, D and E
  • D. B and C

Answer: D

Explanation:
The domestic purposes exemption applies to personal data processed by an individual only for the purposes of their personal, family or household affairs, that is, processing with no connection to any professional or commercial activity. Examples include writing to friends and family, taking pictures for personal enjoyment, or keeping an address book. The exemption is lost where the processing goes beyond what a reasonable person would regard as a purely personal activity, for example where personal data are made available to an unrestricted audience or the processing causes unwarranted harm to the data subject's interests. The exemption therefore covers scenarios B and C, where the processing is purely personal and does not affect the rights and freedoms of others. It cannot be used in scenario A (promoting products for commission is a commercial activity), scenario D (a parish council is an organisation, not an individual acting in a personal capacity), or scenario E (inviting people the students do not know takes the data outside the household sphere).
References:
* Data Protection Act 2018, Schedule 2, Part 1, Paragraph 2
* ICO Guide to Data Protection, Domestic Purposes
* ICO Guide to Data Protection, Exemptions


NEW QUESTION # 30
A company has twenty retail outlets in France and thirty retail outlets in Belgium. The payroll department and the Data Protection Officer are based in Poland. The Company Board and administrative functions are based in Germany. Determine where the company's 'main establishment' would be.

  • A. Belgium
  • B. Germany
  • C. Poland
  • D. France

Answer: B

Explanation:
Under Article 4(16) of the GDPR, the main establishment of a controller with establishments in more than one Member State is the place of its central administration in the EU, unless decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the EU and that establishment has the power to have such decisions implemented, in which case the establishment that takes those decisions is the main establishment. For a processor with establishments in more than one Member State, the main establishment is the place of its central administration in the EU or, if it has no central administration in the EU, the establishment where the main processing activities take place, to the extent that the processor is subject to specific obligations under the GDPR. Recital 36 expands on these tests. The main establishment determines the lead supervisory authority for cross-border processing under Article 56. In this case the company's main establishment is Germany, where the board and the administrative functions are based and where decisions on the purposes and means of processing are taken and implemented. The location of the retail outlets, the payroll department or the DPO does not change this.
References:
* Recital 36 of the GDPR
* Article 4(16) of the GDPR
* Article 56 of the GDPR


NEW QUESTION # 31
Under the Privacy and Electronic Communications Regulations, organisations must NOT make marketing telephone calls to which of the following?

  • A. Any person who has not consented to receiving marketing calls
  • B. Any person outside of the United Kingdom.
  • C. Any person under the age of 18, unless their parent or guardian has provided permission
  • D. Any person who is registered with the Telephone Preference Service, unless they have given specific consent to receive your calls

Answer: D

Explanation:
The Privacy and Electronic Communications Regulations (PECR) regulate the use of electronic communications for marketing purposes, including phone calls, texts, emails and faxes. Regulation 21 provides that organisations must not make unsolicited live marketing calls to numbers registered with the Telephone Preference Service (TPS), unless the subscriber has notified the caller that they do not object to receiving such calls from that organisation. The TPS is a free service that allows individuals to opt out of unsolicited marketing calls, and organisations must screen their call lists against it before calling. Prior consent is not a general precondition for live marketing calls (option A), PECR does not prohibit calling people outside the UK as such (option B), and it contains no age-based rule for marketing calls (option C). Failure to comply may lead to enforcement action by the Information Commissioner's Office (ICO), which is the UK's data protection authority and the regulator of PECR.
References:
* Telephone Preference Service
* Marketing calls
* Enforcement action


NEW QUESTION # 32
A company based in France uses a specialist IT support business in China. The two companies have signed a Data Processing Agreement. The Chinese business provides specialist IT support for the French company's digital customer experience platform. No personal data is sent to China, but employees of the Chinese business access the platform on a regular basis and have access to the databases that sit behind it. Which of the following statements is CORRECT in relation to the French company's requirements to ensure compliance with the GDPR?

  • A. The French company must identify and implement an appropriate transfer mechanism
  • B. There is a Data Processing Agreement in place therefore no transfer mechanism is needed
  • C. No personal data is being transferred, therefore no transfer mechanism is needed
  • D. China provides an adequate level of protection for personal data, therefore no transfer mechanism is needed

Answer: A

Explanation:
Under the GDPR, a transfer of personal data to a third country takes place when personal data are made accessible to a recipient outside the EU/EEA, whether or not the data are physically sent there. Remote access from China to the platform and to the databases behind it, which hold personal data of the French company's customers, is therefore a transfer of personal data to a third country. The French company, as controller, must ensure that the transfer complies with Chapter V of the GDPR and that the level of protection guaranteed by the GDPR is not undermined (Article 44). That means identifying and implementing an appropriate transfer mechanism: an adequacy decision, appropriate safeguards such as standard contractual clauses (together with any supplementary measures a transfer risk assessment shows to be necessary), or a derogation for a specific situation. A data processing agreement is required under Article 28 to define the roles and responsibilities of controller and processor, but it is not itself a transfer mechanism. China has not been recognised by the European Commission as providing an adequate level of protection, so an adequacy decision is not available.
References:
* Article 44 of the GDPR
* ICO guidance on international transfers


NEW QUESTION # 33
How does the GDPR relate to cookies?

  • A. Websites only need an opt out of cookies if GDPR applies
  • B. Where PECR is engaged only PECR will apply to the processing of personal data
  • C. The GDPR only applies where a cookie processes personal data
  • D. The GDPR applies in all cases where cookies are used

Answer: B

Explanation:
The UK GDPR and the Privacy and Electronic Communications Regulations (PECR) are separate but related regimes. PECR implements the EU ePrivacy Directive in the UK, and regulation 6 governs the storing of, or gaining access to, information on a user's terminal equipment, which covers cookies and similar technologies. Regulation 6 applies whenever a cookie is set or read, whether or not the information is personal data: the user must be given clear and comprehensive information about the purposes of the cookie and must consent, except where the cookie is strictly necessary to provide an information society service requested by the user or is used for the sole purpose of transmitting a communication over an electronic communications network. The UK GDPR, by contrast, applies only where personal data are processed (Article 4(1)); cookie identifiers and similar online identifiers can be personal data, in which case the controller needs a lawful basis (Article 6), must provide transparency information (Articles 13 and 14), must secure the data (Article 32) and must apply data protection by design and by default (Article 25). Where both regimes are engaged, the ICO's guidance is that PECR's specific rules take precedence: the consent required for non-essential cookies is PECR consent, to the UK GDPR standard, and the lawful basis for any subsequent processing of the personal data is then considered under the UK GDPR. This is the sense in which option B is treated as the correct answer. Option D is incorrect because the UK GDPR does not apply to cookies that process no personal data, and option A is incorrect because PECR requires prior opt-in consent for non-essential cookies regardless of whether the UK GDPR applies; an opt-out alone is not enough.
References:
* UK GDPR, Article 4(1)
* UK GDPR, Article 6(1)(a)
* UK GDPR, Articles 13 and 14
* UK GDPR, Article 32
* UK GDPR, Article 25
* PECR, Regulation 6
* PECR, Regulation 5


NEW QUESTION # 34
Which of the following is NOT a processor obligation?

  • A. To inform the controller of any intended changes of other processors so they can object
  • B. To consult the controller prior to appointing any processor.
  • C. To provide the controller with corporate information relating to its board members.
  • D. To follow the instructions of the controller in processing personal data

Answer: C

Explanation:
Providing the controller with corporate information about its board members is not a processor obligation under the GDPR. Consulting the controller before appointing another processor (option B) corresponds to the requirement for the controller's prior written authorisation, and informing the controller of intended changes so that it can object (option A) applies where that authorisation is general. The processor obligations set out in Article 28 are mainly the following:
* To process the personal data only on documented instructions from the controller, unless required to do so by law;
* To ensure that persons authorised to process the personal data are bound by confidentiality;
* To implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32);
* Not to engage another processor without the prior specific or general written authorisation of the controller;
* To assist the controller in fulfilling its obligations regarding data subject rights, security, data breach notifications, data protection impact assessments and prior consultation;
* To delete or return the personal data to the controller at the end of the service, unless storage is required by law;
* To make available to the controller all information necessary to demonstrate compliance and to allow for and contribute to audits and inspections.
References:
* Article 28 of the GDPR
* Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pp. 37-41


NEW QUESTION # 35
A UK public body has a security breach in which the details of a hundred thousand members of the public are published. What is the MAXIMUM fine that they could receive for this breach?

  • A. £17.5 million or 4% of gross annual turnover
  • B. £20 million or 2% of gross annual turnover
  • C. £10 million or 4% of gross annual turnover
  • D. £8.7 million or 2% of gross annual turnover

Answer: A

Explanation:
The UK GDPR (Article 83(5)) and the Data Protection Act 2018 (section 157) set a higher maximum penalty of £17.5 million or 4% of total annual worldwide turnover, whichever is higher, for infringements of the data protection principles, the rights of data subjects, or the rules on transfers of personal data to third countries. The standard maximum is £8.7 million or 2% of turnover (Article 83(4)), which covers, among other things, breaches of the controller and processor obligations in Articles 25 to 39, including the Article 32 security requirements. A breach that publishes the details of a hundred thousand members of the public would in practice also be assessed against the principles, in particular the integrity and confidentiality principle in Article 5(1)(f), so the maximum fine the public body could receive is £17.5 million or 4% of turnover, whichever is higher. That figure is the statutory ceiling; the ICO's public-sector approach means it tends to use reprimands and reduced fines against public bodies in practice, but that does not change the maximum available.
References:
* Penalties
* GDPR Penalties & Fines
* Three years of GDPR: the biggest fines so far


NEW QUESTION # 36
Which of the following statements MOST accurately describes why a risk-based approach to the use of AI is necessary?

  • A. AI is inherently negative and its use should be limited
  • B. AI's benefits make accepting all arising risks necessary.
  • C. AI carries new and complex risks not present in other technologies
  • D. AI is unlawful

Answer: C

Explanation:
Artificial intelligence (AI) is the use of digital systems to perform tasks that would normally require human intelligence, such as recognition, decision making, learning and adaptation. AI can bring many benefits to society, such as innovation, efficiency, personalisation and convenience. However, AI also carries new and complex risks that are not present in other technologies, such as opacity, unpredictability, bias, discrimination, intrusion, manipulation and harm. These risks can affect the rights and freedoms of individuals, especially their data protection rights, such as privacy, transparency, fairness, accuracy and accountability. A risk-based approach to the use of AI is therefore necessary: identifying, assessing and mitigating the potential adverse impacts of AI on individuals and society, while balancing them against the benefits and opportunities. A risk-based approach also means complying with the relevant legal and ethical frameworks, such as the UK GDPR and the DPA 2018, and following the guidance issued by the ICO and other authorities on AI and data protection.
References:
* Guidance on AI and data protection
* Explaining decisions made with AI
* AI auditing framework


NEW QUESTION # 37
An investigation reveals that an individual is defrauding a public authority. After a (suspected) tip-off from a senior manager, the individual submits a Subject Access Request to the authority asking for a copy of all personal data relating to any investigations that have been carried out. What would be the BEST approach?

  • A. The legal and professional privilege exemption applies to this information, and therefore the information does not need to be disclosed
  • B. They do not need to disclose details of the investigation as they can rely on the crime and taxation exemption on the basis that disclosure would prejudice the investigation
  • C. This is criminal offence data and therefore under the provisions of the Data Protection Act 2018, there is no obligation to disclose
  • D. While the right to inform does not apply in relation to criminal acts, they need to disclose the information as this has not yet been passed to the police.

Answer: B

Explanation:
The crime and taxation exemption in Schedule 2, Part 1, Paragraph 2 of the Data Protection Act 2018 (DPA 2018) disapplies the UK GDPR's transparency obligations and most individual rights, including the right of access, to the extent that complying with them would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders. The public authority therefore need not disclose details of the investigation in response to the subject access request, since doing so would be likely to hinder the investigation and could help the individual evade justice. The exemption must be applied on a case-by-case basis: the authority should assess the likelihood of prejudice for the specific information requested, withhold only what is necessary, and document its reasons for relying on the exemption. The other options are incorrect because:
* The legal professional privilege exemption in Schedule 2, Part 1, Paragraph 19 of the DPA 2018 applies to personal data consisting of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. It does not cover the investigation records held by the public authority, which are not legal advice or communications made for the purpose of legal proceedings.
* "Criminal offence data" means personal data relating to criminal convictions and offences or related security measures. It is subject to specific rules under Article 10 of the UK GDPR and section 10 and Schedule 1 of the DPA 2018, but nothing in those rules removes the obligation to respond to a subject access request. The public authority still has to consider whether an exemption such as the crime and taxation exemption applies before disclosing or withholding the data.
* The right to be informed does apply in relation to criminal acts: the UK GDPR requires controllers to provide data subjects with information about the processing of their personal data, including its purposes and lawful basis, unless an exemption applies. Whether the information has been passed to the police does not affect the applicability of the right to be informed or the right of access.
References:
* Data Protection Act 2018, Schedule 2, Part 1, Paragraph 2
* ICO Guide to Data Protection, Crime and Taxation
* Data Protection Act 2018, Schedule 2, Part 1, Paragraph 19
* UK GDPR, Article 10
* Data Protection Act 2018, section 10 and Schedule 1
* UK GDPR, Articles 13 and 14


NEW QUESTION # 38
An individual applies for a job as a security guard. The employer has had significant issues with the sickness record of past recruits. They therefore decide to offer the position to the individual on the basis that they request a copy of their medical record, so that the employer can be assured that they are in a good state of health.
The Data Protection Officer has been asked to advise. What advice is MOST appropriate?

  • A. Providing the medical evidence is used for a legitimate purpose, and the information is securely destroyed on verification that the employee is healthy, this is an acceptable action.
  • B. This is a criminal offence under the Data Protection Act 2018. No individual should be asked to make a subject access request in order to obtain health records in these circumstances.
  • C. While requesting and viewing medical evidence may be legitimate, they should ask for evidence that the individual consents to the proposition that they make the request.
  • D. In requesting more information than they necessarily require to verify the medical condition of the individual, they will have breached the data minimisation principle.

Answer: B

Explanation:
Section 184 of the Data Protection Act 2018 (DPA 2018) makes it a criminal offence to require another person to provide, or give access to, a "relevant record" (a record of their health, or of convictions, cautions or spent convictions, obtained by exercising their right of access) in connection with the recruitment or continued employment of a person or a contract for the provision of services, or as a condition of providing or offering goods, facilities or services. This is known as an enforced subject access request. The employer in this scenario would commit that offence by making the job offer conditional on the individual obtaining a copy of their medical record and handing it over. The employer would also breach the data protection principles, because it would be processing health data, which is special category data, without a valid lawful basis and Article 9 condition, without telling the individual the purpose and basis of the processing, and without limiting the processing to what is necessary for the role. If the employer has a genuine need to check fitness for the role of a security guard, it should instead, with the individual's agreement, request targeted information from the relevant health professional (the Access to Medical Reports Act 1988 sets further requirements for such reports), rely on an appropriate Article 9 condition such as the employment condition in Schedule 1 to the DPA 2018, and ask only for what is necessary and proportionate.
References:
* Section 184 of the DPA 2018
* ICO guidance on enforced subject access requests
* ICO guidance on special category data


NEW QUESTION # 39
......
