DP Practitioner Specimen Paper

Uploaded by

john.crow
BCS Practitioner Certificate

in Data Protection (2017)

Specimen Questions

Copyright © BCS 2018 Page 1 of 14


BCS Practitioner Certificate in Data Protection (2017)
WEB SPECIMEN QUESTIONS
Version 1.3 Feb 2019
Specimen Questions
Record your surname/last/family name and initials on the Answer
Sheet.

Sample paper only.

Section A - 5 multiple-choice questions – 1 mark awarded to each
question. Mark only one answer to each question.
There are no trick questions.

Section B - 5 multiple-choice questions – 2 marks awarded to each
question. Mark only one answer to each question.
There are no trick questions.

A number of possible answers are given for each question, indicated
by either A, B, C or D. Your answers should be clearly indicated on
the Answer Sheet.

Section C – 3 short answer questions

Answer all questions – each answer carries 5 marks.

There is no pass mark – this is a paper of specimen questions only.

A mock, or sample, exam of 20 MCQ and 6 short answer questions is also
available for purchase and includes answers.

The full exam is 40 multiple choice and 12 short answer questions with a pass
mark of 78/120 (65%).

Copying of this paper is expressly forbidden without the direct approval
of BCS, The Chartered Institute for IT.

Candidate answer sheet 1 of 3
Surname (last/family): _____________________ Initials: __________

Please add your answer to the table below.

At the end of the BCS Practitioner Certificate in Data Protection Sample Paper exam,
check your answers against the Answer key and marking scheme.

Section A                     Section B
Question    Your Answer       Question    Your Answer
1                             6
2                             7
3                             8
4                             9
5                             10

Short Answer sheet continued on next page ../..

Candidate answer sheet 2 of 3

Question Your short written answers

11

12

13

End of Answer Sheet Candidate Initials ________

Specimen questions
Section A
Multiple-choice answers – 1 mark each
Answer all questions (Please use answer sheet provided for answers)
NOTE: Choose only one answer per question

1 Which of the following statements about Article 8 of the European Convention on
Human Rights is FALSE?

A It is part of UK law due to the enactment of the Human Rights Act 1998.
B It is about respect for private and family life.
C A public authority in certain circumstances can justifiably violate it.
D It is an absolute right which can never be violated by a public authority.

2 In the GDPR, what does the following statement describe?

'The controller shall be responsible for, and be able to demonstrate compliance with
the data protection principles'

A Accountability.
B Responsibility.
C Liability.
D Obligation.

3 Which ending to the following statement is CORRECT?

A data processor could be held in breach of the GDPR if it…

A Fails to train its staff who have access to personal data.
B Fails to take all reasonable steps to establish the appropriate level of security for
the processing of personal data.
C Fails to follow the instructions of the data controller.
D Fails to keep a record of the processing activities it performs on behalf of a data
controller.

4 Which of the following would be FALSE, when privacy information is supplied to a
data subject whose data has NOT been obtained directly from them?

A Notice must be given within one month of having obtained the data.
B If the data is to be used to communicate with the individual, at the latest, when the
first communication takes place.
C No information is required to be given to the data subject.
D If disclosure to another recipient is envisaged, at the latest, before the data are
disclosed.

5 What does NOT need to be included in a personal data breach notification?

A The nature of the personal data breach.
B The name and contact details of the Data Protection Officer.
C Costs associated with the breach.
D A description of the likely consequences of the personal data breach.

-End of Section A-

Section B
Multiple-choice answers – 2 marks each
Answer all questions (Please use answer sheet provided for answers)
NOTE: Choose only one answer per question

6 Which pieces of legislation from the list below does the Information Commissioner's
office cover?

a) The GDPR.
b) Freedom of Information.
c) ISO 27001.
d) Privacy and Electronic Communications Regulations.
e) The Data Protection Act.

A a, b, c and d only.
B a, b, c and e only.
C a, c, d and e only.
D a, b, d and e only.

7 A social media site is being launched in the UK to cater for the attitudes, values,
perceptions, beliefs and behaviours of 14 year-old girls interested in fashion and
music. The new service is keen to comply with the GDPR and wants to avoid any
negative media coverage that some of its competitors have attracted. It has
designed a Data Privacy Notice (DPN) explaining the legal rights and freedoms for
data subjects. It relies on the consent of the parent and guardian in order to deliver
the service.

What mistake (if any) has the social media site made?

A No mistake as the consent of the data subject is not required in order to process
personal data.
B It has assumed it can rely on legitimate interest.
C It should have pre-notified the ICO.
D The DPN should be addressed to the data subject and consent should be obtained
in order to process personal data.

8 According to the GDPR, under which of the following circumstances SHOULD a
data protection impact assessment be required?

When...
a) Systematic evaluation is based on automated processing.
b) Processing data relating to criminal convictions and offences.
c) Carrying out analysis of individuals' use of consumer credit.
d) Conducting large scale systematic monitoring of publicly accessible information.

A b, c and d only.
B a, c and d only.
C a, b and d only.
D a, b and c only.

9 The GDPR specifically states that security measures SHOULD be taken against
which of the following?

a) Damage to personal data.
b) Unauthorised processing.
c) Data leaving Europe.
d) Unlawful processing.

A a, b and d only.
B b and c only.
C c and d only.
D a, c and d only.

10 Which of the following are TRUE in regards to the GDPR recitals?

a) Recitals are enforceable under the GDPR.
b) The European Data Protection Board references the recitals to ensure that the
GDPR is consistently applied across the European Union.
c) Recitals are important as they are in effect the explanation notes of the Articles in
the GDPR.
d) Infringement of the recitals carries the same maximum financial penalty of 4% of
global turnover or €20m, whichever is greater.

A a and d only.
B c and d only.
C b and d only.
D b and c only.

-End of Section B-

Section C
Short ‘bullet point’ type answers (making 5 distinct points) – 5 marks each
Answer all questions
(Answer booklets provided)

11 Summarise briefly five of the lawfulness of processing conditions for processing
personal data, under the GDPR.
[5 Marks]

12 From a GDPR perspective, identify five considerations for a HR department using
automated profiling to filter through applicants for their vacancies.
[5 Marks]

13 Identify five things that the ICO CCTV Code of Practice covers under the Data
Protection Act.
[5 Marks]

-End of Section C and of Specimen Question Test-

Answer key (no feedback)

Section A              Section B
Question    Answer     Question    Answer
1           D          6           D
2           A          7           D
3           D          8           C
4           C          9           A
5           C          10          D

Section C
Short ‘bullet point’ type answers (making 5 distinct points) – 5 marks each
Marking Guidelines

11 Summarise briefly five of the lawfulness of processing conditions for
processing personal data, under the GDPR. [5 Marks]

Award 1 mark (up to a maximum of 5 marks) for any of the phrases/words
below that are found in the candidates’ responses:

6(1)(a) – Consent of the data subject [1 mark]
6(1)(b) – Processing is necessary for the performance of a contract with the data
subject or to take steps to enter into a contract [1 mark]
6(1)(c) – Processing is necessary for compliance with a legal obligation [1 mark]
6(1)(d) – Processing is necessary to protect the vital interests of a data subject or
another person [1 mark]
6(1)(e) – Processing is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the controller
[1 mark]
6(1)(f) – Necessary for the purposes of legitimate interests pursued by the
controller or a third party, except where such interests are overridden by
the interests, rights or freedoms of the data subject [1 mark]

Any other appropriate response or definition that is not listed above (which may be
due to an update in case law). [Maximum 1 mark]

12 From a GDPR perspective, identify five considerations for HR departments
using automated profiling to filter through applicants for their vacancies. [5 Marks]

Award 1 mark (up to a maximum of 5 marks) for any of the phrases/words
below that are found in the candidates’ responses:

Have they got consent from the applicant to do this? [1 mark]

Can individuals:
obtain human intervention [1 mark]
express their point of view [1 mark]
obtain an explanation of the decision and challenge it [1 mark]

Are appropriate safeguards in place:
to ensure processing is fair and transparent by providing information about the
logic involved [1 mark]
consider using appropriate mathematical or statistical procedures for the profiling
[1 mark]

Implement appropriate technical and organisational measures [1 mark]

Any other appropriate response or definition that is not listed above (which may be
due to an update in case law). [Maximum 1 mark]

13 Identify five things that the ICO CCTV Code of Practice covers under the Data
Protection Act. [5 Marks]

Award 1 mark (up to a maximum of 5 marks) for any of the phrases/words
below that are found in the candidates’ responses:

Surveillance camera systems [1 Mark]
Automatic Number Plate Recognition (ANPR) [1 Mark]
Body worn video (BWV) [1 Mark]
Unmanned aerial systems (UAS) [1 Mark]
Other systems that capture information of identifiable individuals or information
relating to individuals [1 Mark]

Any other appropriate response or definition that is not listed above (which may be
due to an update in case law). [Maximum 1 mark]
