1. Answer: (c)
Explanation: There are eight data protection principles put in place by the Data Protection Act 1998. These say that data must:
- be processed fairly and lawfully
- be processed for limited purposes
- be adequate, relevant and not excessive in relation to the processing purpose(s)
- be accurate and kept up to date
- not be kept for longer than necessary
- be processed in line with the data subject's rights
- not be transferred to countries without adequate data protection.
2. Answer: (a)
Explanation: While data held in a 'relevant filing system' is covered by the Data Protection Act 1998, manual files that are not stored in an organised way are unlikely to be included.
3. Answer: (c)
Explanation: 'Sensitive personal data' includes information about an individual's racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health condition, sex life, and criminal proceedings or convictions.
4. Answer: (b)
Explanation: The first data protection principle in the Data Protection Act 1998, Schedule 1, prohibits the processing of sensitive personal data unless one of the conditions in Schedule 3 is met. The condition in paragraph 10 of Schedule 3 is that the processing of sensitive personal data is carried out in circumstances specified by the Secretary of State. Such circumstances are specified in the Data Protection (Processing of Sensitive Personal Data) Order 2000. Neither the Data Protection Act 1998, Schedule 3, nor the Data Protection (Processing of Sensitive Personal Data) Order 2000 specifies the condition set out in (b).
5. Answer: (a)
Explanation: The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000, regulation 3 provides that, except in specified cases, the maximum fee that a data controller can charge for access to data under the Data Protection Act 1998, section 7(2) is 10.
6. Answer: (c)
Explanation: Under the Data Protection Act 1998, section 7(10) an employer must respond to a subject access request within 40 days once it has the fee for the request together with any further information that it reasonably requires to satisfy itself as to the identity of the person making the request and to locate the required