CREST Practitioner Security Analyst (CPSA) Practice

Which of the following is a requirement of the Data Protection Act?

• A. Organizations must secure IT infrastructure
• B. Organizations must protect personal data
• C. Personal data can be shared without consent
• D. Data must be kept indefinitely

The correct answer is: Organizations must protect personal data

The requirement of the Data Protection Act focuses primarily on the protection of personal data. This law mandates that organizations have a responsibility to ensure that any personal data they handle is processed fairly and lawfully, kept secure, and only used for the specific purposes for which it was collected. This encompasses not only the secure handling and protection of individuals' private information but also entails providing individuals with rights concerning their data, such as the right to access, correct, or erase their personal information. This principle is designed to give individuals control over their personal data and safeguard their privacy rights, aligning closely with modern data protection frameworks, including the General Data Protection Regulation (GDPR) in Europe. The emphasis on protecting personal data underlines the importance of organizations implementing appropriate technical and organizational measures to prevent unauthorized access, misuse, or breaches of sensitive information. In contrast, the other options do not align with the core principles of the Data Protection Act. While securing IT infrastructure and adhering to other security practices are important for data protection, the Act specifically emphasizes the protection and lawful processing of personal data rather than general IT security. Personal data sharing without consent contradicts the fundamental tenets of the Act, as it typically requires individuals to consent to the processing of their data. Lastly, the