CDP - Certificate in Data Protection

No formal entry requirements are required for the Certificate.

There is a need to provide adequate training on the Data Protection Act 1998 "the Act" and its implications for both organisations and individuals. There are important differences between the Act and its predecessor, the Data Protection Act 1984. In particular, the Act contains important new obligations in relation to manual records and transborder data flows, a new notification system and amended principles. It is important to understand the Act in the European context.

Those experienced in data protection issues, as well as those new to the subject, need to be trained so that their organisations are confident that legal compliance is continually addressed. It is necessary to identify issues requiring expert data protection advice in good time in order that organisational reputation and credibility are enhanced through relevant data protection policies and procedures.

Objectives

The aim of the syllabus is to promote an understanding of how the data protection principles work rather than simply focusing on the mechanics of regulation. The syllabus places the Act in the context of human rights and promotes good practice within organisations. On attaining the certificate, award holders will possess:

• appreciation of the broader context of the Act
• understanding of the way in which the Act and the Privacy and Electronic Communications (EC Directive) Regulations 2003 work a broad understanding of the way associated legislation relates to the Act an understanding of what has to be done to achieve compliance a recognised qualification in data protection

Course Synopsis

The syllabus comprises three main parts, each with many sub-sections!

Context - this will address the origins of and reasons for the Act together with consideration of privacy in general. Law – Data Protection Act - this will address the main concepts and elements of the Act and subordinate legislation. Application - this will consider how compliance is achieved and how the Act works in practice.

1. Context

The objective is to ensure a basic appreciation of the context of data protection law and in particular that privacy is wider than data protection.

1.1 What is privacy?

1.1.1 The right to private and family life and the relevance of confidentiality.

1.1.1 European Convention on Human Rights and Fundamental Freedoms, UK Human Rights Act

1.2 History of data protection legislation in the UK

1.2.1 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal
Data 1980

1.2.2 Council of Europe Convention 108, 1981

1.2.3 Data Protection Act 1984

1.2.4 Data Protection Directive 95/46/EC

1.2.5 Telecommunications Directive 97/66/EC, Privacy and Electronic Communications

2. The Law

2.1 Data Protection Act

2.1.1 The definitions
The objective is to ensure that candidates know, and understand the major definitions in the Act and how to apply them in order to identify what information and processing activities are subject to the Act.

2.1.2 The Role of the Commissioner
The objective is to ensure an understanding of the role and main powers of the Information commissioner. The following are to be covered.

2.1.2.1 Enforcement (including roles of the First-tier Tribunal and the Courts)

• Information and Enforcement Notices
• Prosecution
• Warrants (entry/inspection) (Schedule 9,1(1) & 12 only – that is a basic understanding of grounds for issuing and nature of offences)
• Assessment Notices (s41A-s41C) including effect of s55 (3) added by the Coroners and Justice Act 2009 which provides that the Information Commissioner may not issue a monetary penalty notice in respect of anything found in pursuance of an assessment notice or an assessment under s51 (7).
• Monetary penalties (s55A-55E) including the effect of the s55 (3A) provision.
• Undertakings (NB candidates are required to have a basic understanding of how the ICO uses ‘undertakings’ and that they do not derive from any provision in the DPA98. They are not expected to know the detail of their status and provenance).

2.1.2.2 Carrying out s42 assessments

2.1.2.3 Codes of Practice (including s52A-52E Code of Practice on data sharing) and all current ICO issued Codes but not any codes issued by other bodies. Candidates will be expected to have a broad understanding of s52A-E, to appreciate the distinction between a statutory code and other ICO issued codes and have a broad understanding (but not a detailed knowledge) of ICO issued codes.

2.1.3 Notification

• The exemptions from notification.
• A basic understanding of the two tier fee regime.

2.1.4 The Data Protection Principles
The objective is to ensure an understanding of how the principles regulate the processing of personal data and how they are enforced, as well as an understanding of the individual principles in the light of guidance on their interpretation found in Part II of Schedule 1. Candidates will be required to show an understanding of the need to interpret and apply the principles in context.

Introduction: how the principles regulate and how they are enforced including Information and Enforcement Notices.

2.1.5 Individual Rights
The objective is to ensure an understanding of the rights conferred by the Act and how they can be applied and enforced.

2.1.6 Exemptions
The objective is to ensure awareness of the fact that there are exemptions from certain provisions of the Act, and knowledge and understanding of some of these and how to apply them in practice. Candidates are not expected to have a detailed knowledge of all the exemptions. The following are expected to be covered in some detail:

2.1.7 Offences
The objective is to ensure an awareness of the fact that there are a range of offences under the Act and of the role of the Courts as well as an appreciation of how certain specified offences apply in practice. It is not intended that candidates should have a detailed knowledge of all the offences.

The candidates will be expected to cover:

• Unlawful obtaining and disclosure of personal data
• Unlawful selling of personal data
• Processing without notification
• Failure to notify changes in processing
• Failure to comply with an Enforcement Notice, an Information Notice or Special Information Notice.
• Warrant offences (Schedule 9,12)

2.2 Privacy and Electronic Communications (EC Directive) Regulations 2003
The objective is to ensure an awareness of the relationship between the above Regulations and the Act, an awareness of the broad scope of the Regulations and a detailed understanding of the practical application of the main provisions relating to unsolicited marketing.

2.3 Associated legislation
The objective is to ensure a basic awareness of some other legislation which is relevant and an appreciation that data protection legislation must be considered in the context of other law.

3. Application

The objective is to ensure an understanding of the practical application of the Act in a range of circumstances. This will include detailed analysis of sometimes complex scenarios, and deciding how the Act applies in particular circumstances and explaining and justifying a decision taken or advice given.

3.1 How to comply with the Act

3.2 Addressing scenarios in specific areas

3.3 Data processing topics

• Monitoring – internet, email, telephone calls and CCTV
• Use of the internet (including Electronic Commerce)
• Data matching
• Disclosure and Data sharing