
更新された2024年05月21日検証済み!PDP9問題集と解答で100%合格できる
2024年最新のの問題PDP9問題集を試そう!更新されたBCS試験合格させます
PDP9認定試験は、データ保護原則、GDPR規制、プライバシー法に関する候補者の理解をテストするように設計されています。この試験は、データ保護法、DPOの役割、データ保護影響評価、国際データ転送などのトピックをカバーする英国コンピューター協会(BCS)が提供するシラバスに基づいています。この試験は、データ保護対策の実装とデータ侵害の管理における候補者の実践的スキルを評価するように設計されています。
PDP9認証を取得するには、3時間の試験に合格する必要があります。試験は20問の多肢選択問題と3つのケーススタディで構成されています。最低50%以上のスコアを取得する必要があります。この試験は、候補者のデータ保護法規、データセキュリティ、リスク管理、コンプライアンスに関する知識と理解力をテストするために設計されています。
質問 # 25
What does NOT have an exemption prescribed under schedule 3 of the Data Protection Act 2018?
- A. Health data
- B. Credit checking agency data
- C. Social Work Data.
- D. Education data, examination scripts and marks
正解:B
解説:
Explanation
Schedule 3 of the Data Protection Act 2018 (DPA 2018) provides exemptions from some of the UK GDPR provisions for certain types of personal data processing, such as health data, social work data, education data, and child abuse data. These exemptions are intended to balance the rights and freedoms of data subjects with the public interest or the legitimate interests of data controllers in specific contexts. For example, the exemptions may allow data controllers to restrict the data subjects' access to their personal data, or to process their personal data without their consent, if complying with the UK GDPR would be likely to prejudice the purposes of the processing, such as the provision of health care, social work, education, or child protection.
However, Schedule 3 of the DPA 2018 does not provide any exemption for credit checking agency data, which is personal data processed by credit reference agencies for the purposes of assessing the creditworthiness of individuals or organisations, or preventing fraud or money laundering. Credit checking agency data is subject to the UK GDPR provisions as normal, unless another exemption applies. For example, credit reference agencies may rely on the crime and taxation exemption in Schedule 2, Part 1, Paragraph 2 of the DPA 2018 if disclosing personal data to a data subject would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders. References:
* Data Protection Act 2018, Schedule 31
* ICO Guide to Data Protection, Exemptions2
* ICO Guide to Data Protection, Credit3
質問 # 26
What is the Employment Practices Code?
- A. A statutory framework for implementing data protection training for employees.
- B. Guidance on the requirements for employing a Data Protection Officer
- C. A set of exemptions that can be used when processing data related to employees
- D. Guidance on meeting legal requirements of data protection when employing staff
正解:D
解説:
Explanation
The Employment Practices Code is a guidance document issued by the ICO that provides recommendations on how to comply with the data protection principles and the rights of data subjects when processing personal data in the context of employment. The code covers various aspects of employment practices, such as recruitment and selection, employment records, monitoring at work, and information about workers' health.
The code is not legally binding, but it reflects the ICO's interpretation of the Data Protection Act and the UK GDPR, and it may be used as evidence in legal proceedings or investigations. The code is intended to help employers balance their legitimate interests in managing their workforce with the privacy rights of their workers. References:
* The Employment Practices Code
* Quick Guide to the Employment Practices Code
質問 # 27
Article 57 of the UK GDPR states that the tasks of the Commissioner include -Select the INCORRECT answer
- A. Adopting consistency findings in cross-border data protection cases
- B. Providing general guidance to clarify the law.
- C. Handling complaints raised by individuals/data subjects
- D. Advising UK Parliament on issues related to the protection of personal data
正解:A
解説:
Explanation
Article 57 of the UK GDPR states that the tasks of the Commissioner include handling complaints raised by individuals/data subjects, providing general guidance to clarify the law, and advising UK Parliament on issues related to the protection of personal data, among other tasks. However, adopting consistency findings in cross-border data protection cases is not a task of the Commissioner, but of the European Data Protection Board (EDPB), which is an independent body composed of the heads of the supervisory authorities of the EU and EEA member states and the European Data Protection Supervisor. The EDPB is responsible for ensuring the consistent application of the EU GDPR across the EU and EEA, and for issuing opinions and decisions on matters of general application or affecting more than one member state. The UK is no longer part of the EU or the EEA, and therefore the EDPB does not have jurisdiction over the UK GDPR or the Commissioner. The UK has its own mechanism for ensuring consistency and cooperation with other countries, which involves the Commissioner and the Secretary of State. References:
* Article 57 of the UK GDPR1
* Article 63 and 64 of the EU GDPR4
* ICO guidance on the UK GDPR and the EU GDPR5
質問 # 28
What does NOT have an exemption prescribed under schedule 3 of the Data Protection Act 2018?
- A. Health data
- B. Credit checking agency data
- C. Social Work Data.
- D. Education data, examination scripts and marks
正解:B
質問 # 29
What factors should be considered when looking at security of processing under Article 32 of the GDPR?
Select the INCORRECT answer
- A. The most secure option available
- B. Lawfulness of processing
- C. Adherence to an approved code of conduct
- D. The likelihood of a risk to the rights of the data subjects
正解:B
解説:
Explanation
Lawfulness of processing is not a factor that should be considered when looking at security of processing under Article 32 of the GDPR. Lawfulness of processing is a separate requirement that applies to all processing of personal data, regardless of the level of security. Security of processing under Article 32 of the GDPR should be based on the following factors:
* The state of the art and the costs of implementation of the security measures;
* The nature, scope, context and purposes of the processing;
* The risk of varying likelihood and severity for the rights and freedoms of natural persons;
* Adherence to an approved code of conduct or an approved certification mechanism (as an element to demonstrate compliance). References:
* Article 32 of the GDPR1
* Guidelines 07/2020 on the concepts of controller and processor in the GDPR2, p. 36
質問 # 30
Which of the following would NOT be a personal data breach'?
- A. The accidental destruction of a current employee's HR file.
- B. The loss of a memory stick containing the names and addresses of students in private accommodation
- C. The accidental deletion of an organisation's information security policy from the public facing website
- D. The unauthorised changing of a persons address details on a database of customers.
正解:C
解説:
Explanation
A personal data breach is defined in Article 4(12) of the UK GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Personal data means any information relating to an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Therefore, a personal data breach only occurs when the security incident affects personal data, not any other type of information. In this case, the accidental deletion of an organisation's information security policy from the public facing website would not be a personal data breach, as the policy does not contain any personal data. However, the other scenarios would be considered personal data breaches, as they involve the loss, alteration, destruction or unauthorised access to personal data of customers, employees or students.
References:
* UK GDPR, Article 4(12)1
* UK GDPR, Article 4(1)2
* ICO Guide to Data Protection, Personal Data Breaches3
質問 # 31
Which one task are supervisory authorities NOT required to carry out under Article 57(1 )(f) of the UK GDPR? Select the CORRECT answer.
- A. Co-ordinate where necessary with other supervisory authorities
- B. Handle complaints lodged by a data subject
- C. Investigate complaints and inform the complainant of the progress of their investigation
- D. Mediate between the complainant and the entity against which the complaint has been lodged, to resolve the complaint
正解:D
解説:
Explanation
Article 57(1)(f) of the UK GDPR requires the supervisory authority (the ICO in the UK) to handle complaints lodged by a data subject, investigate the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation. It also requires the supervisory authority to cooperate with other supervisory authorities if the complaint involves cross-border processing. However, it does not require the supervisory authority to mediate between the complainant and the controller or processor against which the complaint has been lodged, to resolve the complaint. This is not a task of the supervisory authority under the UK GDPR, although it may be possible in some cases as a way of achieving an amicable solution. References
:
* Article 57(1)(f) of the UK GDPR1
* ICO and complaints2
質問 # 32
What is the basis of the accountability and data governance obligation (Article 5 (2) of the GDPR)?
- A. Controllers and Processors each have a responsibility to conduct legitimate interests balancing tests before processing data for direct marketing
- B. The controller shall be responsible for. and be able to demonstrate compliance with the data protection principles.
- C. The controller shall appoint a DPO before carrying out large scale processing
- D. Processors have overarching responsibility to ensure their processing is compliant
正解:B
解説:
Explanation
Article 5(2) of the GDPR introduces the principle of accountability, which requires that the controller is responsible for, and be able to demonstrate compliance with, the data protection principles set out in Article
5(1). These principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and data protection by design and by default. The controller must implement appropriate technical and organisational measures to ensure and demonstrate compliance, such as policies, procedures, records, audits, reviews, and DPIAs. The controller must also cooperate with the supervisory authority and provide any information requested by it. The other options are not the basis of the accountability and data governance obligation, although they may be related to other obligations under the GDPR. References:
* Article 5(2) of the GDPR3
* ICO guidance on accountability and governance4
質問 # 33
An individual applies for a job as a security guard The employer has had significant issues with the sickness record of past recruits They therefore decide to offer the position to the individual on the basis they request a copy of their medical record so that the employer can be assured that they are in a good state of health.
The Data Protection Officer has been asked to advise. What advice is MOST appropriate?
- A. While requesting and viewing medical evidence may be legitimate, they should ask for evidence that the individual consents to the proposition that they make the request
- B. Providing the medical evidence is used for a legitimate purpose, and that the information is securely destroyed on verification that the employee is healthy, this is an acceptable action.
- C. This is a criminal offence under the Data Protection Act 2018 No individual should be asked to make a subject access request in order to obtain health records in these circumstances.
- D. In requesting information that is more than they necessary require to verify the medical condition of the individual they will have breached the data minimisation principle
正解:C
解説:
Explanation
The Data Protection Act 2018 (DPA 2018) makes it a criminal offence for a person to require another person to make a subject access request for information about their health, convictions or cautions, or spent convictions, and to provide that information to the first person or a third person, as a condition of providing or offering to provide goods, facilities or services, or as a condition of entering into or continuing a contract. This is known as an enforced subject access request. The employer in this scenario is committing a criminal offence by offering the job to the individual on the condition that they request a copy of their medical record and provide it to the employer. The employer is also breaching the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, and storage limitation, as they are processing health data, which is a special category of personal data, without a valid legal basis, without informing the individual of the purpose and legal basis of the processing, and without limiting the processing to what is necessary and relevant for the employment relationship. The employer should instead obtain the individual's explicit consent to request the health information directly from the relevant health professional, and only request the information that is necessary and proportionate for the specific role of a security guard. References
:
* Section 184 of the DPA 20183
* ICO guidance on enforced subject access requests4
* ICO guidance on special category data5
質問 # 34
Describe the act of processing under the authority of a controller or processor as stipulated in UK GDPR Article 29.
- A. The processor shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the processor to mitigate the risk.
- B. A processor shall not process those data except on instructions from the controller, unless required to do so by domestic law
- C. The processor shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
- D. Each processor and, where applicable, the processors representative shall maintain a record of all categories of processing activities earned out on behalf of a controller.
正解:B
解説:
Explanation
Article 29 of UK GDPR states that the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by domestic law. This means that the processor must follow the controller's directions on how to handle the personal data, and cannot use it for its own purposes or deviate from the agreed terms. The only exception is when the processor is obliged by law to process the data in a different way, for example, to comply with a court order or a legal obligation. The other options are not related to Article 29, but to other articles of UK GDPR, such as Article 25 (data protection by design and by default), Article 30 (records of processing activities), and Article 36 (prior consultation). References:
* Article 29 of UK GDPR1
* ICO guidance on controllers and processors2
質問 # 35
Of the following options which is NOT a purpose of carrying out a Data Protection Impact Assessment (DPIA)?
- A. It is necessary to fulfil the requirement that all DPIAs are submitted to the ICO
- B. It is key to the accountability element of the GDPR.
- C. It fulfils a requirement that data protection is carried out by design and default.
- D. It assists in identifying the main risks that may exist in any use of data, so that they can be mitigated
正解:A
解説:
Explanation
A DPIA is not required to fulfil the requirement that all DPIAs are submitted to the ICO, because this is not a requirement under the GDPR. The GDPR only requires that the controller consults the ICO before carrying out processing that is likely to result in a highrisk to individuals, if the controller cannot mitigate that risk. This means that not all DPIAs need to be submitted to the ICO, only those that identify a high residual risk that cannot be reduced. The other options are valid purposes of carrying out a DPIA, as they help the controller to comply with the GDPR, ensure data protection by design and by default, and identify and mitigate the main risks to individuals' rights and freedoms. References:
* Article 35 and 36 of the GDPR3
* ICO guidance on DPIAs5
質問 # 36
Where a processor engages another processor ("sub-processor") to carry out processing activities on behalf of a controller, which of the following statements is CORRECT?
- A. The processor may use the sub-processor without the written authorisation of the controller if it adheres to an approved code of conduct
- B. The processor may use the sub-processor without the written authorisation of the controller if the sub-processor signs a contract which reflects the same obligations as the contract with the controller
- C. The processor must receive prior written authorisation to use the sub-processor
- D. The processor may use the sub-processor without the written authorisation of the controller if the processing is deemed to be low risk.
正解:C
解説:
Explanation
Article 28(2) of UK GDPR states that where a processor engages another processor ("sub-processor") for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor shall be imposed on that other processor by way of a contract or other legal act under domestic law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of UK GDPR. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, theprocessor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. The other options are incorrect, as they do not reflect the requirements of UK GDPR for using a sub-processor. The processor cannot use a sub-processor without the written authorisation of the controller, regardless of whether it adheres to an approved code of conduct, signs a contract with the same obligations as the controller, or deems the processing to be low risk. References:
* Article 28(2) of UK GDPR1
* ICO guidance on contracts and liabilities between controllers and processors3
質問 # 37
What is the meaning of storage limitation in relation to UK GDPR Article 5 (1 )(e)?
- A. Only storing data in locations within the EU. except where there is an adequacy decision.
- B. Limiting the number of records stored in any single repository to minimise risk surface.
- C. Keeping identifiable personal data for no longer than is necessary for the intended processing
- D. Storing data in a secure format only permitting access to those with a business need
正解:C
解説:
Explanation
Storage limitation is one of the principles of data protection under the UK GDPR. It means that personal data should not be kept in a form that allows identification of data subjects for longer than is necessary for the purposes for which the data are processed. The UK GDPR does not specify any fixed time limits for different types of data, but rather requires data controllers to determine and justify the appropriate retention periods for their processing activities, taking into account factors such as the nature, scope, context and purposes of the processing, the risks to the rights and freedoms of data subjects, and the legal obligations and expectations of the data controller. Data controllers should also have a policy setting out standard retention periods where possible, and review the data they hold regularly to ensure that it is erased or anonymised when it is no longer needed. Data subjects have the right to request the erasure of their personal data if the data controller no longer has a lawful basis or a legitimate interest for keeping it. The UK GDPR allows for some exceptions to the storage limitation principle, such as when the personal data is processed solely forarchiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to appropriate safeguards for the rights and freedoms of data subjects. References:
* UK GDPR, Article 5 (1) (e) and (2)4
* UK GDPR, Article 175
* UK GDPR, Article 896
* ICO Guide to Data Protection, Storage Limitation7
質問 # 38
Which of the following is NOT a key requirement of independent supervisory authorities?
- A. They review DPIAs in cases of unmitigated high risk
- B. They must operate independently.
- C. They must provide each other with mutual assistance
- D. Their leadership must change every four years
正解:D
解説:
Explanation
Independent supervisory authorities are public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the UK GDPR and the relevant national laws. The UK GDPR sets out the key requirements for independent supervisory authorities in Chapter VI, which include the following:
* They must operate independently and remain free from external influence, whether direct or indirect, and must neither seek nor take instructions from anybody.
* They must have adequate human, technical and financial resources to perform their tasks and exercise their powers effectively.
* They must review data protection impact assessments in cases of unmitigated high risk and provide prior consultation to controllers on such processing operations.
* They must provide each other with mutual assistance and cooperate with each other and the European Data Protection Board to ensure the consistent application of the UK GDPR across the EU.
* They must handle complaints lodged by data subjects or by bodies, organisations or associations representing them, and investigate the subject matter of the complaint to the extent appropriate.
* They must adopt binding decisions on matters concerning the application of the UK GDPR and impose effective, proportionate and dissuasive administrative fines for infringements of the UK GDPR.
The UK GDPR does not specify any fixed term for the leadership of independent supervisory authorities, nor does it require their leadership to change every four years. However, it does require that the members of the supervisory authority must be appointed by means of a transparent procedure by the parliament, the government or the head of state of the Member State concerned, and that they must act with integrity, refrain from any action incompatible with their duties and not engage in any incompatible occupation during and after their term of office. The UK GDPR also allows Member States to provide for rules regarding the establishment, appointment, duration of the term and dismissal of the head or members of the supervisory authority. References:
* UK GDPR, Chapter VI7
* ICO website, About the ICO8
質問 # 39
In which of the following circumstances does a public authority NOT need to appoint a Data Protection Officer?
- A. Where it processes a large amount of personal data
- B. Where it is defined as a public body in the Data Protection Act 2018
- C. Where it is a court acting in its judicial capacity
- D. Where it processes special category data
正解:C
解説:
Explanation
Under Article 37 of the UK GDPR, a public authority or a public body must appoint a data protection officer (DPO) unless it is a court acting in its judicial capacity. This is the only exception for public authorities or bodies from the obligation to appoint a DPO. The other circumstances listed in the question, such as processing a large amount of personal data, processing special category data, or being defined as a public body in the Data Protection Act 2018, do not exempt a public authority or a public body from appointing a DPO.
References:
* Article 37 of the UK GDPR2
* Data protection officers | ICO2
質問 # 40
Which of the following is NOT a role of the Information Commissioner's Office?
- A. Providing an annual activity report to Parliament
- B. Encouraging the establishment of data protection certification mechanisms and of data protection seals
- C. Publishing a list of the kind of processing that is subject to the requirement for a DPIA
- D. Providing case by case advice on what retention period companies should use
正解:D
解説:
Explanation
The Information Commissioner's Office (ICO) is the UK's independent authority for data protection, which is responsible for upholding the UK GDPR and the Data Protection Act 2018, as well as other related legislation.
The ICO has various roles and tasks, such as monitoring and enforcing the application of the data protection law, promoting publicawareness and understanding of the risks and rights related to processing, advising the Parliament and the government on legislative and administrative measures concerning data protection, encouraging the development of codes of conduct and certification schemes, and handling complaints and investigations. However, the ICO does not provide case by case advice on what retention period companies should use, as this is a matter for the companies themselves to determine, based on their own purposes, legal obligations, and risk assessments. The ICO only provides general guidance on the data minimisation and storage limitation principles, which require that personal data should be kept only for as long as necessary and no longer than that. The ICO also expects companies to have clear policies and procedures on how they retain and dispose of personal data, and to document their retention periods and the reasons for them. References:
* Article 57 of the UK GDPR1
* ICO guidance on the role of the ICO2
* ICO guidance on data minimisation and storage limitation3
質問 # 41
If a complainant disagrees with the decision of the UK's supervisory authority, how do they appeal this decision?
- A. To the European Data Protection Supervisor.
- B. To the Information Commissioner
- C. To the European Commission
- D. To the First Tier Tribunal (Information Rights)
正解:D
解説:
Explanation
If a complainant disagrees with the decision of the UK's supervisory authority, which is the Information Commissioner's Office (ICO), they have the right to appeal to the First Tier Tribunal (Information Rights).
The tribunal is an independent body that can review the ICO's decision and either uphold it, vary it or cancel it. The tribunal can also direct the ICO to take certain actions, such as issuing a decision notice or an enforcement notice. The appeal must be lodged within 28 days of receiving the ICO's decision, using the notice of appeal form and providing the relevant documents and grounds for appeal. The tribunal will then notify the ICO and the complainant of the appeal and the procedure for dealing with it. The tribunal may hold a hearing to examine the evidence and arguments of both parties, or decide the case on the basis of written submissions only. The tribunal will issue a written decision, which will be sent to both parties and published on the tribunal's website. The tribunal's decision can be further appealed tothe Upper Tribunal on a point of law, with the permission of the First Tier Tribunal or the Upper Tribunal. References:
* Information rights and data protection: appeal against the Information Commissioner1
* Notice of appeal form2
* First Tier Tribunal (Information Rights) website3
質問 # 42
......
PDP9認定試験は、候補者がさまざまなデータ保護の概念と原則の理解を示すことを要求する厳格で包括的な試験です。この試験は、候補者の知識を現実世界の状況に適用する能力をテストする複数選択の質問と実用的なシナリオで構成されています。認定試験は、データ保護とプライバシー管理の専門知識を強化しようとする専門家にとって重要な要件です。
最新のPDP9試験問題集でBCSトレーニング試験には:https://jp.fast2test.com/PDP9-premium-file.html