Exam CIPP-E All QuestionsBrowse all questions from this exam
Go to Exam
Question 7

SCENARIO -

Please use the following to answer the next question:

Anna and Frank both work at Granchester University. Anna is a lawyer responsible for data protection, while Frank is a lecturer in the engineering department. The University maintains a number of types of records:

Student records, including names, student numbers, home addresses, pre-university information, university attendance and performance records, details of special educational needs and financial information.

Staff records, including autobiographical materials (such as curricula, professional contact files, student evaluations and other relevant teaching files).

Alumni records, including birthplaces, years of birth, dates of matriculation and conferrals of degrees. These records are available to former students after registering through Granchester’s Alumni portal.

Department for Education records, showing how certain demographic groups (such as first-generation students) could be expected, on average, to progress. These records do not contain names or identification numbers.

Under their security policy, the University encrypts all of its personal data records in transit and at rest.

In order to improve his teaching, Frank wants to investigate how his engineering students perform in relational to Department for Education expectations. He has attended one of Anna’s data protection training courses and knows that he should use no more personal data than necessary to accomplish his goal. He creates a program that will only export some student data: previous schools attended, grades originally obtained, grades currently obtained and first time university attended. He wants to keep the records at the individual student level. Mindful of Anna’s training, Frank runs the student numbers through an algorithm to transform them into different reference numbers. He uses the same algorithm on each occasion so that he can update each record over time.

One of Anna’s tasks is to complete the record of processing activities, as required by the GDPR. After receiving her email reminder, as required by the GDPR. After receiving her email reminder, Frank informs Anna about his performance database.

Ann explains to Frank that, as well as minimizing personal data, the University has to check that this new use of existing data is permissible. She also suspects that, under the GDPR, a risk analysis may have to be carried out before the data processing can take place. Anna arranges to discuss this further with Frank after she has done some additional research.

Frank wants to be able to work on his analysis in his spare time, so he transfers it to his home laptop (which is not encrypted). Unfortunately, when Frank takes the laptop into the University he loses it on the train. Frank has to see Anna that day to discuss compatible processing. He knows that he needs to report security incidents, so he decides to tell Anna about his lost laptop at the same time.

Before Anna determines whether Frank’s performance database is permissible, what additional information does she need?

    Correct Answer: D

    Before determining whether Frank's performance database is permissible, Anna needs to obtain more information about what students have been told and how the research will be used. This is crucial to ensure that the data processing aligns with the principles of transparency and purpose limitation under the GDPR. Anna must verify that the students have been informed about the use of their data and that the processing is in accordance with the purposes for which the data was originally collected, or to determine if the new purpose is compatible with the original purpose.

Discussion
HarryJOption: D

How an algorithm works doesn’t matter if a database is permissible. This question is about purpose and legitimacy

EvelynRavioli

How an algorithm works does matter, as the algorithm is processing data. How students are informed and how the research is used, only matters after said research has been approved. Right now, Anna needs to know how the tool to do the research, namely the algorithm, processes data, to know if it complies with the GDPR.

ZeroStatic

It does not matter because masking means the data is pseudonymous data, and pseudonymous data is personal data, which falls under the GDPR and requires a legal basis to be processed. He can use the most sophisticated algorithms in the world, but his database would not be permissible if he did not get the proper consents and information requirements in place.

ZeroStatic

To clarify: He's using existing non-anonymous data for a new purpose. If he has no valid legal basis for using the data in that way in the first place, the database is not permissible regardless of technologies and algorithms chosen.

SsouravOption: D

D. More information about what students have been told and how the research will be used. This information is crucial to ensure that the data processing aligns with the principles of transparency and purpose limitation under the GDPR. Anna needs to verify that the students have been informed about the use of their data and that the processing is in accordance with the purposes for which the data was originally collected, or if a new purpose is compatible with the original one.

HannawayOption: C

This is about further processing - Recital (50). Frank uses the data for statistical purpose, which is considered compatible lawful processing operation. Ann still needs to takes into account the appropriate safeguards, which in this case is the algorithm used to general reference numbers to mask the data.