Professional Development

Institute and Faculty of Actuaries


A practical guide to data protection
Workbook

ifoa_DP 1 © The University of Law Limited 2019


1. INTRODUCTION

This guide deals with the position in the UK, but due to harmonisation the rules throughout
the EU are similar.
Data about persons or businesses has always been a valuable and sensitive commodity,
but in the last 30 years or so, the exponential growth and availability of computer systems to
assemble, arrange and transfer data have posed a challenge for legal systems worldwide.
The demand for such data is insatiable, and to allow unrestricted holding of, and access to,
it would rapidly lead to chaos and criminality. The only applicable English law, prior to the
recent information explosion, worked on the basis of the protection of confidence, and there
was little statutory control of data beyond that. That case law has the broad effect of treating
certain confidential information as being within the reach and protection of the equitable
jurisdiction. This was completely inadequate to deal with the huge proliferation of potentially
accessible databases, containing mundane but highly valuable information. After major
investigations and various government reports, coupled with the need to have legal
protections compatible with those of the rest of the EU, the Data Protection Act 1984 was
enacted. This Act was regulatory in effect and it could not cover paper-based systems; it set
out certain guiding principles and its enforcement was largely in the hands of a Data
Protection Registrar, with some compensation available for affected individuals. Its effect
was to make the handling of personal information subject to controls which had not existed
before.
After the 1984 Act came the Data Protection Act 1998, which was enacted pursuant to the
European Data Protection Directive of 1995 (95/46/EC). The aim of the Directive (and thus
the Act) was to give no more protection to data processing than was commensurate with a
balance between the rights of natural persons and the maintenance of a free market within
the EU, by harmonising national legal rules. The Directive was replaced by the General Data
Protection Regulation (GDPR) in 2018. The GDPR was designed to reshape the way in which
data is used across Europe, with a greater emphasis on the privacy of the individual. GDPR
applies to businesses in the EU and businesses outside the EU that offer goods or services or
monitor individuals in the EU.
The GDPR, as with all EU Regulations, applies across Europe; however, it allows Member
States limited opportunities to make provision for how it applies in their countries. It is
therefore backed up in most Member States by national legislation. In the UK, this comes in
the form of the Data Protection Act 2018. This 2018 Act has one eye on Brexit (which at the
time of writing is being negotiated) as, to a large extent, it brings the GDPR into UK legislation
in a way which would not be necessary were we to remain part of the EU (as we would be
subject to the GDPR itself). It also goes beyond the GDPR, however, as it applies a broadly
equivalent regime to certain types of data processing to which the GDPR does not apply.
This guide looks at UK data protection (and by extension EU data protection). It is said that
Europe has the most comprehensive data protection rules in the world. Some jurisdictions
such as India have no specific data protection laws, are not signed up to any international
treaties or conventions and have no regulator dealing with data protection. However, that is not
to say that India does not protect personal data. The Information Technology Act 2000 gives
rights to compensation for improper disclosure of personal data. There is also a common law
of confidence which also protects data to some extent. The US has data protection provisions
but they are complex and to some extent fractured, with some states, e.g. California, having a
data protection act whilst others do not. At a federal level, children’s data is protected.
1.1 Data Protection Act (DPA) 2018
The aim of the GDPR (and thus the 2018 Act) is to protect the public from privacy and data
breaches in an increasingly data-driven world. The level of data use in 2018 is way above its
use in 1998, and so the legislation needed to be modernised to face the challenge which the
increase in use poses.
The 2018 Act is split into seven parts:
• Part 1: Preliminary issues.
• Part 2: General processing. It is this part that we will centre on in this
chapter as it covers the ways in which individuals’ data are processed by
commercial entities.
• Part 3: Law enforcement processing. Whilst important, this is beyond the
scope of this guide.
• Part 4: Intelligence services processing. Again this is beyond the scope of this
guide.
• Part 5: The Information Commissioner. See below for more on this.
• Part 6: Enforcement. See below for more on this.
• Part 7: Supplementary issues.
1.1.2 Freedom of Information Act (FOIA) 2000
The emergence of data protection legislation has been mainly about protecting the individual’s
expectation to the privacy of personal data. Over the same period of time, another public
expectation has arisen: that of open government and freedom of information about the acts of
public authorities. Always a contentious matter, the ‘right to know’ was not particularly
European in origin but has developed more in the common law nations of the world over the
last half century. English public law and criminal law show many cases in which the
relationship between public access to information and the privacy of the decision-making
process is hard to discern with clarity. There was a clear public demand and need for more to
be done. Following a period from 1994 during which the Government used a voluntary ‘Code
of Practice on Public Access to Government Information’ (overseen by the Parliamentary
Ombudsman), the FOIA 2000 was passed.
The big difference between the DPA 2018 and the FOIA 2000 is that the former deals with the
private protection of personal data, whereas the latter is concerned with public access to
government information. Nevertheless, there can be overlap because public authorities, for
FOIA 2000 purposes, may also be controllers for the purpose of the DPA 2018.

2. OVERVIEW AND SCOPE OF THE DPA 2018

As mentioned above, for the purposes of this guide we will concentrate on the provisions of
the DPA 2018 as they affect the relationship between the individual and those who process
our personal data in the commercial world. In this regard the effects of the DPA 2018 fall into
two categories. The first is to allow individuals access to information held about them, for
example the information held about people by credit reference agencies. This may be
inaccurate and a person would probably want to correct such inaccuracies. The second effect
is to protect information about individuals from being disclosed improperly. So, if you give
your bank or gas supplier certain information, you might not want them to disclose that
information to another business, for example an insurance company, without your consent.
Such information is very valuable commercially, and it should not be available for sale without
your consent.
To understand the workings of the 2018 Act, it is necessary first to look at some definitions
which are closely interdependent, and then to examine the principles of good practice (see
2.2.2).
2.2.1 The definitions of ‘controller’, ‘processor’, ‘personal data’ and ‘processing’
‘Controller’ means the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the
processing of personal data. A controller is capable of acting independently in respect
of personal data.
‘Processor’ means a natural or legal person, public authority, agency or other body
which processes personal data on behalf of the controller.
‘Personal data’ means any information relating to an identified or identifiable living
individual. Someone is identifiable by an identifier such as a name, number or location.
Data identifying companies is not covered by DPA 2018 as a company is not a living
individual. DPA 2018 only covers information processed electronically or, if in paper
form, information held in a structured filing system which is easily accessible.
Paper records in unstructured form, e.g. thrown into a box, are not covered by DPA
2018. Some personal data is classed as sensitive (called special category in GDPR)
and more steps need to be taken to protect it. Sensitive information includes
information as to race, ethnic origin, political opinions, religious belief, trade union
membership, genetic or biometric data, health data, sex life, or sexual orientation.
GDPR does not class data about criminal convictions as a special category of
sensitive data. However, DPA 2018 affords data about criminal convictions a similar
status to special category sensitive information.
‘Processing’, in relation to information, means an operation or set of operations which
is performed on information, or on sets of information, such as—
(a) collection, recording, organisation, structuring or storage,
(b) adaptation or alteration,
(c) retrieval, consultation or use,
(d) disclosure by transmission, dissemination or otherwise making available,
(e) alignment or combination, or
(f) restriction, erasure or destruction.
So, it is fairly easy to see the general scheme of the 2018 Act from the connection of these
interpretative definitions; the controller becomes responsible to the individual from the first
moment of dealing with any personal data that could identify the individual, even if the data is
processed by its processor.
2.2.2 The six principles of good practice
Anyone processing personal information must comply with six enforceable principles of good
information handling practice. These principles, which are taken from the GDPR, state that
data must be:
(1) fairly and lawfully processed;
(2) processed for specified, explicit and legitimate purposes;
(3) adequate, relevant and not excessive;
(4) accurate and up-to-date;
(5) not kept longer than necessary; and
(6) processed in a secure way.
Processing will be lawful only if and to the extent that one of the following applies (GDPR,
Article 6):
(a) the data subject has given consent to the processing of his or her personal
data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data
subject is party or in order to take steps at the request of the data subject
prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the
controller is subject;
(d) processing is necessary in order to protect the vital interests of the data
subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued
by the controller or by a third party, except where such interests are
overridden by the interests or fundamental rights and freedoms of the data
subject which require protection of personal data, in particular where the
data subject is a child.
Where processing is based on consent, the controller must be able to demonstrate that the
data subject has consented to the processing of his or her personal data. You may remember
that in the run-up to the introduction of the DPA 2018, many traders believed that the best
way to establish this was to email previous customers whom they wished to continue to
contact with sales offers, etc and either ask for express permission to keep the individual on
their mailing list or point out that they believed they did have permission from previous
correspondence (with an opt-out option being included in the email for future
correspondence).
It is important to appreciate that individuals may withdraw their consent at any time, and it
must be as easy to withdraw consent as to give it in the first place. This is an attempt to place
the individual more in control of the data about them which is processed.
Special rules regarding consent apply to children and ‘information society services’, ie online
services or shopping. Consent of a child will only be valid where the child is aged 13 or above.
Below this, the consent of the holder of parental responsibility for the child is required. It
should be noted that in the GDPR the relevant age is 16, but it allows Member States to
reduce this to 13 (post-Brexit of course the DPA 2018 could be amended to apply a lower age
if Parliament wished).
2.2.3 Special categories of personal data
There are categories of personal data, the processing of which is prohibited due to their
sensitive nature. Data concerning racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, and the processing of genetic data, biometric
data for the purpose of uniquely identifying a natural person, data concerning health or data
concerning a natural person’s sex life or sexual orientation may not be processed. However,
exceptions include (inter alia):
• consent having been obtained;
• necessary processing in the field of employment and social security in so far
as it is lawful;
• processing is necessary to protect the vital interests of the data subject;
• processing involves data manifestly made public by the data subject;
• processing is necessary for reasons of substantial public interest (where
proportionate).

3. THE RIGHTS OF THE DATA SUBJECT UNDER THE DPA 2018

Again, in the field of commerce, the DPA 2018 largely adheres to the provisions of the GDPR
in terms of the rights of the data subject. Therefore, in the discussion below, reference has
been made where appropriate to the relevant articles of the GDPR which are applied via Part
2, Chapter 2 of the DPA 2018.
There are eight rights which data subjects have under Chapter 3 of the GDPR:
(1) The right to be informed. Individuals have the right to be informed about the
collection and use of their personal data. At the time the data is collected,
the individual must be provided with information including the purpose for
processing it, the retention period for it, and who it will be shared with. If
information on an individual is obtained from another source, the
controller/processor must provide the individual with privacy information
within a maximum of a month.
(2) The right of access. Individuals have a right to access their personal data,
and this request may be made verbally or in writing. Requests must be
responded to within a month, and in most cases no fee can be charged.
(3) The right to rectification. An individual may make a request either verbally or
in writing for inaccurate information about them to be amended, or
completed if it is incomplete. Again requests must be responded to within a
month.
(4) The right to erasure. This has commonly become known as the right to be
forgotten. A request can be made (again verbally or in writing) for data to be
deleted. The right is not absolute and only applies in certain circumstances.
It has come to the public’s attention recently as Google now has a form
which can be completed to have data, which would ordinarily be revealed on
a Google search about an individual, removed.
(5) The right to restrict processing. In some circumstances the individual has the
right to restrict the processing of information about them. This is possible
where the accuracy of the data is contested (the restriction being to allow a
period for the data to be verified), the processing is unlawful, the controller
no longer needs the data but it is required by the individual to use in legal
claims, or the individual has objected to processing pending the verification
of whether the legitimate grounds of the controller override those of the
individual.
(6) The right to data portability. This right allows individuals to obtain and reuse
their data for their own purposes across different services. This allows them
to take advantage of applications and services that can use this data to find
them a better deal, etc.
(7) The right to object. Individuals have the right to object to the processing of
their data in certain circumstances, such as for direct marketing. Individuals
must be told of their right to object. You may be aware of this: when ordering
goods or services online, it is now usual to be asked whether you consent to
your data being used for, eg, marketing.
(8) Rights in relation to automated decision-making and profiling. An individual
has the right not to be subject to a decision based solely on automated
processing, including profiling. This does not apply if the decision is
necessary for entering into or performing a contract between the individual
and controller, is lawful, or is based on the individual’s explicit consent.

4. THE OBLIGATIONS OF THE DATA CONTROLLER AND PROCESSOR

As we saw at 2.2.2, data controllers must abide by the data protection principles. The two
principles of most concern in regard to disclosure of personal data are the first two, namely
that data must be fairly and lawfully processed, and processed for legitimate purposes. In
addition, the controller must implement appropriate technical and organisational measures to
ensure and to be able to demonstrate that processing is performed in accordance with the
GDPR (GDPR, Article 24). This obligation essentially requires a data controller to be able to
show that its systems are robust and demonstrably able to comply with the principles.
Controllers need to have systems which ensure that only personal data which is necessary for
each specific purpose of the processing is processed. These systems must control the
amount of personal data collected, the extent of the processing, the period of storage and its
accessibility. There are recommendations in the GDPR for national codes of conduct and
certification schemes to encourage best practice in the handling of data.
The GDPR specifically envisages controllers using processors, who carry out processing on
behalf of the controller. According to Article 28, the controller shall use only processors who
provide sufficient guarantees to implement appropriate technical and organisational measures
that will meet the demands of the GDPR. The GDPR is very clear that the processor should
not process data except on the instructions of the controller (unless the law directs otherwise).
The controller, or its processor, must keep accurate records (according to GDPR, Article 30)
covering (inter alia):
(a) the purposes of the processing;
(b) a description of the categories of data subjects and of the categories of
personal data;
(c) the categories of recipients to whom the personal data has been or will be
disclosed, including recipients in third countries or international
organisations;
(d) where applicable, transfers of personal data to a third country or an
international organisation, including the identification of that third country or
international organisation and the documentation of suitable safeguards;
(e) where possible, the envisaged time limits for erasure of the different
categories of data.
One of the key reasons for the creation of the GDPR was a desire to increase the security of
the handling of data, following some high-profile examples of data breaches by large retailers
where credit card details of thousands of customers were accessed illegally, or even put on
websites by mistake. Article 32 of the GDPR requires the controller and processor to
implement appropriate technical and organisational measures to ensure a level of security
appropriate to the risk. This may include: the pseudonymisation and encryption of personal
data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of
processing systems and services; the ability to restore the availability and access to personal
data in a timely manner in the event of a physical or technical incident; and a process for
regularly testing, assessing and evaluating the effectiveness of technical and organisational
measures for ensuring the security of the processing. Risks which should be envisaged
include accidental or unlawful destruction and unauthorised disclosure of, or access to, the
data.
In the event of a data breach, the controller must within 72 hours notify the national
supervisory authority, unless the breach is unlikely to result in a risk to the rights of the
individuals whose data is held. This notification must identify the nature of the breach, the
approximate number of individuals affected, the likely consequences, and the measures taken
or proposed to be taken to remedy (if possible) the situation. When the personal data breach
is likely to result in a high risk to the rights and freedoms of natural persons, the controller
must communicate the personal data breach to the data subject without undue delay. As an
example, if a person’s credit card details had been accidentally disclosed or unlawfully
accessed, the controller should notify both the supervisory authority and also the individuals
concerned. This would enable the individuals to take action such as suspending their credit
cards, hopefully before they are illegally used.

5. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

Chapter 5 of the GDPR deals with transfers outside of the EU or to international
organisations. For such a transfer to take place by the controller, the rules in the Chapter
must be adhered to.
The first rule is that such a transfer can only take place to third countries or international
organisations which are approved by the UK Information Commissioner as having an
adequate level of protection. Following Brexit, the UK will of course be a ‘third country’ and so
the UK Government is, where possible, incorporating the GDPR into national law via the DPA
2018 to ensure that we are recognised as having adequate levels of protection.
When assessing whether a country or organisation has an adequate level of protection, the
following elements (inter alia) may be taken into account:
(a) the rule of law, respect for human rights and fundamental freedoms, relevant
legislation, both general and sectoral, including that concerning public
security, defence, national security and criminal law and the access of public
authorities to personal data, as well as the implementation of such
legislation, data protection rules, professional rules and security measures,
including rules for the onward transfer of personal data to another third
country or international organisation which are complied with in that country or
international organisation;
(b) the existence and effective functioning of one or more independent
supervisory authorities in the third country or to which an international
organisation is subject, with responsibility for ensuring and enforcing
compliance with the data protection rules;
(c) the international commitments the third country or international organisation
concerned has entered into, or other obligations arising from legally binding
conventions or instruments as well as from its participation in multilateral or
regional systems, in particular in relation to the protection of personal data.
If the EU Commission decides that a country or organisation should be recognised as having
an adequate level of protection, it can pass an implementing act, which will provide a
mechanism for review every four years. If such an act is passed, data controllers are free to
transfer data to those countries or international organisations provided that all other
obligations in the GDPR are complied with. In the absence of such an act, the controller may
still transfer the data but only if the controller (or its processor) has provided adequate
safeguards, and on condition that enforceable data subject rights and effective legal remedies
for data subjects are available.

6. ENFORCEMENT, LIABILITY AND PENALTIES


The Information Commissioner may issue to controllers or processors an ‘information notice’,
which requires them to provide such information as the Commissioner may reasonably
require for the purposes of carrying out the Commissioner’s functions. This notice may
request such information as the Commissioner may need to decide whether a breach of the
DPA 2018 has occurred. If, on the application of the Commissioner, a court decides that a
person has failed to comply with an information notice, the court may make an order requiring
the person to supply the information required in the information notice.
The Information Commissioner may also (or subsequently) issue an ‘assessment notice’
which requires a controller or processor to permit the Commissioner to carry out an
assessment of whether either of them has complied with the DPA 2018 (and, consequently,
the GDPR). An assessment notice may require the controller or processor to do any of the
following (DPA 2018, s 146(2)):
(a) permit the Commissioner to enter specified premises;
(b) direct the Commissioner to documents on the premises that are of a
specified description;
(c) assist the Commissioner to view information of a specified description
that is capable of being viewed using equipment on the premises;
(d) comply with a request from the Commissioner for a copy (in such form
as may be requested) of—
(i) the documents to which the Commissioner is directed;
(ii) the information which the Commissioner is assisted to view;
(e) direct the Commissioner to equipment or other material on the
premises which is of a specified description;
(f) permit the Commissioner to inspect or examine the documents,
information, equipment or material to which the Commissioner is
directed or which the Commissioner is assisted to view;
(g) provide the Commissioner with an explanation of such documents,
information, equipment or material;
(h) permit the Commissioner to observe the processing of personal data
that takes place on the premises;
(i) make available for interview by the Commissioner a specified number
of people of a specified description who process personal data on
behalf of the controller, not exceeding the number who are willing to be
interviewed.
Failure to comply with an information notice or assessment notice may lead to the Information
Commissioner issuing an ‘enforcement notice’, failure to comply with which may lead to a
‘penalty notice’, which requires the controller or processor to pay a sum (as discussed below)
to the Information Commissioner. Penalty notices may also be issued for any breach of any of
the obligations imposed on controllers or processors by the DPA 2018.
When considering whether to issue a penalty notice, and, if so, when considering what level
of penalty to impose, the Information Commissioner must bear in mind the following matters
(DPA 2018, s 155(3)):
(a) the nature, gravity and duration of the failure;
(b) the intentional or negligent character of the failure;
(c) any action taken by the controller or processor to mitigate the damage
or distress suffered by data subjects;
(d) the degree of responsibility of the controller or processor;
(e) any relevant previous failures by the controller or processor;
(f) the degree of co-operation with the Commissioner, in order to remedy
the failure and mitigate the possible adverse effects of the failure;
(g) the categories of personal data affected by the failure;
(h) the manner in which the infringement became known to the
Commissioner, including whether, and if so to what extent, the
controller or processor notified the Commissioner of the failure;
(i) the extent to which the controller or processor has complied with
previous enforcement notices or penalty notices;
(j) adherence to approved codes of conduct or certification mechanisms;
(k) any other aggravating or mitigating factor applicable to the case,
including financial benefits gained, or losses avoided, as a result of the
failure (whether directly or indirectly);
(l) whether the penalty would be effective, proportionate and dissuasive.
The maximum fine under the DPA 1998 was £500,000 for serious breaches. Under the GDPR
and consequently under the DPA 2018, the maximum fine is €20 million, or 4% of annual
global turnover, whichever is the highest. This significant increase in the level of fine reflects
the perceived increase in importance of compliance in an economy which is much more data
driven than when the previous legislation was passed. It also reflects the growth in the size of
organisations which handle data – a fine of £500,000 would simply not be felt heavily enough
by major companies.
Whilst the €20 million or 4% of annual global turnover fine has grabbed the headlines, there
are in fact two levels of fines. As well as the €20 million/4% figure, there is a lower ‘maximum’
of €10 million or 2% of annual global turnover. The former is called the ‘higher maximum
amount’ and the latter is called the ‘standard maximum amount’.
The higher maximum amount applies to failure to comply with an information notice, an
assessment notice, an enforcement notice, or failure to comply with the principles contained
in the DPA 2018. For more minor breaches, the standard maximum amount applies.
The DPA 2018 contains criminal sanctions in s 148 for any person who destroys, conceals,
blocks or falsifies information when an information or assessment notice has been issued if it
is done with the intention of preventing the Information Commissioner from viewing the
relevant information. Further criminal sanctions appear in s 170 (knowingly or recklessly
obtaining or disclosing personal data without the consent of the controller), s 171 (knowingly
or recklessly re-identifying information that was previously de-identified) and s 173
(deliberately altering or concealing information which should be provided in response to a
data subject access request).
As well as fines and criminal sanctions, compensation may be awarded to the data subject by
a court for loss suffered due to breach of the GDPR.

QUESTIONS

1. What is the relationship between GDPR and the Data Protection Act 2018?
2. Does GDPR apply only to businesses in the EU?
3. Is a cloud storage provider likely to be a controller or processor of data?
4. A client passes data to a firm of actuaries so the firm can give him professional advice. Is
the firm likely to be a controller or processor of the data?
5. Is data about a criminal conviction a special category of sensitive data under GDPR?
6. If there has been a data breach how long has a controller got to notify the supervisory
authorities of the breach?
7. What is the maximum that can be levied for breaches of data protection rules?
8. What is the main distinction that can be drawn between the Data Protection Act 2018 and
the Freedom of Information Act 2000?
9. Does the Data Protection Act cover data which might identify a company?
10. What is an ‘information notice’? What is an ‘assessment notice’?

ANSWERS

1. The GDPR applies across all members of the EU. It allows member countries to build on
the rights in it in some cases. The Data Protection Act 2018 would have been a short statute
building on GDPR rights if Brexit was not happening. However, Brexit means the Data
Protection Act 2018 brings GDPR into domestic legislation to align with the EU after Brexit.
The Data Protection Act 2018 therefore both repeats GDPR in domestic form and also builds
on GDPR.
2. No. GDPR can apply to businesses outside the EU that offer goods or services in the EU or
monitor individuals in the EU.
3. A cloud storage provider is likely to be acting as a processor as it stores data on behalf of a
controller.
4. The firm is likely to be a controller. The firm is likely to be able to act independently with the
data in order to give effective advice to the client.
5. No. Under GDPR data about criminal convictions is not special category sensitive
information. However, the Data Protection Act 2018 extends special category status to data
about criminal convictions.
6. 72 hours. It is worth noting that the 72 hours includes non-working days such as weekends
and bank holidays.
7. The maximum fine depends on the nature of the breach. The higher maximum fine for
breaches of information notices, assessment notices or enforcement notices is up to
€20m/4% (whichever is higher) of annual worldwide turnover. For other breaches it is
€10m/2% of annual worldwide turnover.
8. The Data Protection Act 2018 deals with private protection of personal data. The Freedom
of Information Act 2000 deals with public access to government information.
9. No. The Act only includes data which might identify an individual.
10. An information notice is a notice issued by the Information Commissioner which requires a
controller or processor to provide information to the Information Commissioner to enable the
Information Commissioner to decide whether a breach has occurred. An assessment notice is
a notice issued by the Information Commissioner to a controller or processor to allow the
Information Commissioner to assess whether a controller or processor has complied with
their legal obligations.
