a) Computer hardware and software are usually supplied separately. However, the processes of evaluating and acquiring them should be related, as the functioning of each depends on the other. Usually, companies develop an invitation to tender (ITT), which provides guidelines for the tendering process.
Outline the contents of an ITT.
b) Explain the following terms as they relate to data storage:
c) What do you understand by the term audit trail?
i) The Data Protection Act 1998 gives individuals seven specific rights in respect of personal data held about them by others. Briefly outline any four of these rights.
ii) What controls must a company have to ensure its compliance with the requirements of the Data Protection Act?
a) Structure and contents of an Invitation to Tender (ITT)
An invitation to tender sets out the specifications for the required system, explaining how it is to be used and setting out a time scale for its implementation. It will set out the performance requirements for the new system. Typical contents include:
Volume of data to be processed
Complexity of processing
Number of offices to be connected
Speed of processing required
Inputs and outputs desired
File processing needed
Estimated life of the system
Contacts with the company
Form of submissions
Address for submission
Various sources of information on suppliers
Industry trade journals
Companies that perform software testing/evaluation
Users of the package
i) Archiving is the process of moving data from primary storage such as a hard disk to portable media for long-term storage. It provides a legally acceptable business history while freeing up hard disk space.
ii) Back-up means making a copy of data/system files in anticipation of future failure or corruption. A back-up copy of a file is a duplicate copy kept separate from the main system and only used if the original fails.
c) Audit trail
An AUDIT TRAIL is a record of file updating that takes place during a specific transaction. It enables a trace to be kept of all operations on files. Outputs can be traced back to their inputs. Computer audits occur through the computer or around the computer.
i) The 1998 Data Protection Act gives individuals seven specific rights in respect of personal data held about them by others.
1 Right of subject access: Upon making a written request and paying a reasonable fee (currently £10), individuals are entitled to be told whether the data controller, or someone on their behalf, holds personal data about them and, if so, to be given:
A description of the personal data;
The purposes for which they are being processed; and
Those to whom they may be disclosed.
2 Right to prevent processing likely to cause damage or distress: Individuals can, by written notice, request that a data controller does not process data that might cause substantial damage or distress.
3 Right to prevent processing for the purposes of direct marketing: An individual can, by written notice, require a data controller to cease processing data for the purposes of direct marketing.
4 Rights in relation to automated decision-making: An individual can, by written notice, require a data controller to ensure that no decision is made about them purely by automated means. Where a decision has been made affecting an individual solely by automated means, the data controller must inform the individual of the decision.
5 Right to take action for compensation for damages caused by the data controller: Where an individual has suffered damage and/or distress because of a data controller’s contravention of the Act, damages can be claimed.
6 Right to take action to rectify, block, erase or destroy personal data: A data subject may apply to a court requesting that any inaccurate data relating to them, including any expressions of opinion based upon inaccurate data, be rectified, blocked, erased or destroyed.
7 Right to request that the Commissioner assesses whether any contravention of the Act has occurred: Any person may ask the Commissioner to assess whether or not it is likely that any processing of personal data is being, or has been, carried out in accordance with the Act.
ii) To ensure compliance with the Data Protection Act, a company should appoint someone responsible to carry out the duties of Data Protection Officer. These duties must include:
Performing a regular check that the company’s entry in the Register of Data Controllers is up to date;
Ensuring that any processing carried out is in accordance with the purpose(s) stated in the register;
Ensuring that there are adequate controls in place such that communication from data subjects is promptly dealt with in accordance with their rights;
Maintaining a system of controls ensuring compliance with the eight data protection principles.