welcome to Module four principles .
The GDPR is built upon a set of principles which govern the way organisations should manage personal data .
At the end of this module , you will have a basic understanding of the six data protection principles how the principles are applied to the processing of personal data .
Here's a scenario .
A former employee of the House of lemons , importer of fine oranges , makes a subject access request for all records and correspondence regarding a disciplinary action from 2015 .
However , House of Lemons failed to provide all the data held .
So the employee complains to the Information Commissioner's office who write to house of lemons , requesting they provide evidence to show how they apply the GDPR principles .
The house of lemons must demonstrate that they adhere to the following six principles .
One lawfulness , fairness and transparency data should be processed lawfully , fairly and in a transparent manner .
In relation to individuals .
The data controller should define a legal basis for the data they process and communicate openly with data subjects about data processing activities , for example , the collection of data , how it's stored and what it's used for by issuing a privacy notice to data subjects .
The transparency principle requires data controllers to provide information about the personal data they process in an intelligible and easily accessible form .
Clear and plain language .
Concise communication .
A privacy notice is a statement to the data subject , which describes how the organisation collects , uses , retains and discloses personal data .
This can be a physical notice or a link to a Web page .
Two purpose limitation data can only be collected and processed for a defined , explicit and legitimate purpose and should not be used for processing , which falls outside the stated purpose .
Data controllers must first identify the purpose for which the personal data will be processed .
This will form the boundary of what can be done with the data .
If the organisation wishes to complete processing which falls outside this boundary , they must determine if the processing is compatible with the original purpose .
If you join your local leisure centre and provide demographic details which they state will only be used for statistical purposes , you should not then receive targeted communications about classes offered to your age group .
If the leisure centre provides users with an app to monitor their draining , but also used the personal data to identify and eliminate technical errors within the APP .
This could be compatible with the original purpose as it is an activity of the APP creator that could reasonably be expected by the users .
Data minimization data should be adequate , relevant and limited to what is necessary in relation to the purposes for which they are processed .
Only personal data that is needed for the defined purpose should be collected and processed .
The GDPR states that data not required for the processing is not collected .
This is known as data minimization .
Signing up to receive an online newsletter will require your email address but does not require you to provide your physical address or other personal details .
Accuracy data should be accurate and where necessary .
Kept up to date , every reasonable step must be taken to ensure that inaccurate data is erased or rectified without delay .
It is the responsibility of the data controller to ensure data is accurate and to action requests by data subjects to amend or remove inaccurate data .
In addition , the data controller must notify anyone else who has access to the data or processes the data that it has changed unless it requires disproportionate effort .
The third party recipients should then update their records accordingly .
If requested , the data controller must inform the data subject about any data recipients .
If a person informs their employer that they have married and changed their title to Mrs and their surname from Smith to Jones , their employer must change your systems , which include these details , for example , HR and payroll and inform any third parties who receive the data .
For example , HMRC and their company pension provider , five storage limitation data , should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed .
Data should be kept for the duration of the processing and , if necessary , for a period thereafter as defined by law .
For example , retention of payroll records for HMRC to defend a legal action for business reasons , organisations should have a data retention policy , which states how long each category of data is retained and how it will be destroyed after this period .
There are different retention periods for different data .
For example , application forms for successful job candidates should be kept for the duration of the employment and payroll and tax information .
HMRC must be kept for seven years , six years plus the current year .
Employers may wish to extend some of these , for example , if they feel they might be needed to defend a legal claim or for company records , perhaps to send a card to everyone who has worked for a company during its 100 year history .
Integrity and confidentiality data should be processed in a manner that ensures appropriate security of the personal data , including protection against unauthorised or unlawful processing , and against accidental loss , destruction or damage using appropriate technical or organisational measures .
The GDPR requires organisations to complete risk analysis for their systems and implement appropriate technical and organisational measures to mitigate those risks and ensure the security of the data .
A healthcare company provides their shift managers with laptops to allow them to access patient records to assist their teams during out of hours calls .
The company will need to ensure that the laptop is encrypted and password protected so that data cannot be accessed if the laptop is lost and in addition , they should consider the possibility of a disgruntled employee downloading patient data and disable the use of USB mass storage devices .
It is not possible to completely remove all risks , but it is essential to assess the major risks and mitigate them .
We will now ask you a short question .
Some time will be left for you to think about the answer .
However , feel free to pause the video after the question is asked to allow yourself enough time to think about the answer .
You do not need to click on the boxes to provide your answer .
The answer will be given shortly after the question has been asked .
If an individual wants an organisation holding their data to amend incorrect information , they must request their data is deleted and resubmit all information .
Inform the Information Commissioner's office , inform the organisation directly , or tell the organisation what systems they would like .
The individual must inform the organisation directly .
This is the end of our module .
Four principles .
You can now move on to module five legal basis