Data protection laws regulate how organisations collect, store, use and share personal data. This lesson covers the two most important pieces of legislation for GCSE Computer Science: the General Data Protection Regulation (GDPR) / Data Protection Act 2018 and the Computer Misuse Act 1990.
In the digital age, organisations hold vast quantities of personal data — names, addresses, financial records, medical histories, browsing habits and more. Without legal protections:
Data protection laws exist to balance the needs of organisations (which rely on data to operate) with the rights of individuals (who deserve control over their personal information).
The Data Protection Act 2018 (DPA) is the UK's main data protection law. It incorporates the General Data Protection Regulation (GDPR), which is an EU regulation that became part of UK law. The two work together.
| Term | Meaning |
|---|---|
| Personal data | Any information that can identify a living individual (name, address, email, IP address, photo) |
| Data subject | The individual whose personal data is being processed |
| Data controller | The organisation that decides how and why personal data is processed |
| Data processor | The organisation that processes data on behalf of the controller |
| ICO | Information Commissioner's Office — the UK body that enforces data protection law |
The DPA/GDPR sets out seven principles that organisations must follow when handling personal data:
| Principle | Meaning | Example |
|---|---|---|
| 1. Lawfulness, fairness and transparency | Data must be processed legally and openly | Telling users why you are collecting their data |
| 2. Purpose limitation | Data must only be used for the purpose it was collected | A school collecting email addresses for newsletters must not sell them to advertisers |
| 3. Data minimisation | Only collect the data you actually need | A delivery service needs your address but not your date of birth |
| 4. Accuracy | Data must be accurate and kept up to date | A doctor's surgery must update patient records when details change |
| 5. Storage limitation | Data must not be kept longer than necessary | Deleting job application records after the position is filled |
| 6. Integrity and confidentiality | Data must be kept secure against unauthorised access, loss or damage | Encrypting a database of customer records |
| 7. Accountability | The organisation must be able to demonstrate compliance | Keeping records of data processing activities |
| Right | What It Means |
|---|---|
| Right of access | You can make a Subject Access Request (SAR) to find out what data an organisation holds about you |
| Right to rectification | You can ask for inaccurate data to be corrected |
| Right to erasure ("right to be forgotten") | You can ask for your data to be deleted in certain circumstances |
| Right to restrict processing | You can ask for your data to stop being used temporarily |
| Right to data portability | You can request your data in a format that allows you to transfer it to another service |
| Right to object | You can object to your data being used for certain purposes (e.g. direct marketing) |
The ICO is responsible for enforcing data protection law in the UK. Penalties for breaches include:
British Airways was fined £20 million by the ICO after a data breach in which hackers stole the personal and financial details of more than 400,000 customers. The ICO found that BA had failed to implement adequate security measures.
The Computer Misuse Act 1990 (CMA) is the UK's main law against computer crime. It was introduced after the case of R v Gold and Schifreen (1988), in which two hackers accessed British Telecom's Prestel system but could not be convicted because no suitable law existed at the time.
| Section | Offence | Maximum Penalty | Example |
|---|---|---|---|
| Section 1 | Unauthorised access to computer material | 2 years imprisonment | Guessing someone's password and logging into their email |
| Section 2 | Unauthorised access with intent to commit a further offence | 5 years imprisonment | Hacking into a bank's system to steal money (fraud) |
| Section 3 | Unauthorised acts with intent to impair the operation of a computer | 10 years imprisonment | Spreading a virus, launching a DDoS attack, deleting data |
Section 3A makes it an offence to make, supply or obtain articles (tools or software) intended for use in committing offences under Sections 1-3.
Example: Creating and distributing a program designed to crack passwords would be illegal under Section 3A.
Controversy: The same tools used by attackers (e.g. network scanning tools, password crackers) are also used by legitimate security professionals for penetration testing. This creates a grey area in the law.
| Limitation | Explanation |
|---|---|
| Jurisdiction | The CMA is UK law — prosecuting attackers based in other countries is extremely difficult |
| Technology changes | The Act was written in 1990 and, despite amendments, may not cover all modern forms of cyber crime |
| Detection | Many cyber crimes go undetected or unreported |
| Attribution | It is often difficult to identify the individual responsible for an attack |
While the DPA/GDPR and CMA are the most important for GCSE, you should be aware of:
| Law | Purpose |
|---|---|
| Copyright, Designs and Patents Act 1988 | Protects intellectual property — software, music, images, text. Copying or distributing copyrighted software without permission is illegal. |
| Regulation of Investigatory Powers Act 2000 (RIPA) | Governs surveillance powers of public bodies (e.g. the police can intercept communications under certain conditions) |
| Investigatory Powers Act 2016 | Requires ISPs to retain browsing records for 12 months; gives intelligence agencies broad surveillance powers |
| Freedom of Information Act 2000 | Gives individuals the right to request information from public bodies |