BCS PDP9 Exam - Topic 6 Question 7 Discussion

Actual exam question for BCS's PDP9 exam

Question #: 7
Topic #: 6

[All PDP9 Questions]

An investigation reveals that an individual is defrauding a public authority After a (suspected) tip off from a senior manager, the individual submits a Subject Access Request to the authority asking for a copy of all personal data relating to any investigations that have been carried out

What would be the BEST approach?

AThe legal and professional privilege exemption applies to this information, and therefore the information does not need to be disclosed

BThey do not need to disclose details of the investigation as they can rely on the crime and taxation exemption on the basis that disclosure would prejudice the investigation

CThis is criminal offence data and therefore under the provisions of the Data Protection Act 2018, there is no obligation to disclose

DWhile the right to inform does not apply in relation to criminal acts, they need to disclose the information as this has not yet been passed to the police.

Show Suggested Answer

Suggested Answer: B

The crime and taxation exemption in Schedule 2, Part 1, Paragraph 2 of the Data Protection Act 2018 (DPA 2018) provides an exemption from the UK GDPR's transparency obligations and most individual rights, including the right of access, but only if complying with them would prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. This means that the public authority does not need to disclose details of the investigation to the individual who submitted the subject access request, as doing so would be likely to hinder the investigation and enable the individual to evade justice. The public authority should assess the likelihood of prejudice on a case-by-case basis and document its reasons for relying on the exemption. The other options are incorrect because:

The legal and professional privilege exemption in Schedule 2, Part 1, Paragraph 19 of the DPA 2018 applies to personal data that is subject to an obligation of confidentiality arising from the provision of legal advice or legal representation, or from the conduct of legal proceedings. This exemption does not apply to the information held by the public authority about the investigation, as it is not related to any legal advice or representation, or any legal proceedings.

The term ''criminal offence data'' refers to personal data relating to criminal convictions and offences, or related security measures. This type of data is subject to specific rules under Article 10 of the UK GDPR and Part 3 of the DPA 2018. However, this does not mean that there is no obligation to disclose criminal offence data in response to a subject access request. The public authority still needs to consider whether any of the exemptions in the DPA 2018 apply, such as the crime and taxation exemption, before disclosing or withholding the data.

The right to be informed does apply in relation to criminal acts, as the UK GDPR requires controllers to provide data subjects with information about the processing of their personal data, including the purposes and legal basis of the processing, unless an exemption applies. The fact that the information has not yet been passed to the police does not affect the applicability of the right to be informed or the right of access.Reference:

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 21

ICO Guide to Data Protection, Crime and Taxation2

Data Protection Act 2018, Schedule 2, Part 1, Paragraph 193

UK GDPR, Article 104

Data Protection Act 2018, Part 35

UK GDPR, Article 13 and 146

by Candida at Jan 23, 2024, 01:18 AM

Limited Time Offer

25%

6 months ago

I feel pretty confident about this question. The requirements for using the Automated Installer seem clear to me.

upvoted 0 times

...