You are viewing a free preview of this lesson.
Subscribe to unlock all 10 lessons in this course and every other course on LearningBro.
Almost every system you will ever build stores facts about people, and the moment it does, the law has something to say about it. The Data Protection Act 2018 — together with the UK GDPR it sits alongside — is the framework that decides what an organisation may and may not do with personal data, and what rights you have over data held about you. This is one of the discursive 1.5 topics, so the goal is not only to recall the rules but to apply and weigh them: to take a realistic scenario, identify which principles are engaged, judge whether there is a valid lawful basis, recognise the rights of the data subject, and assign the responsibilities of controller and processor. We cover the framework, the data-protection principles, the lawful bases, the rights of data subjects, the controller/processor roles and the function of the regulator (the ICO), and then work through a realistic scenario the way an exam answer should.
This lesson addresses the H446 1.5 content on the legal protection of personal data:
(Phrasing here paraphrases the specification content; it is not a verbatim quote.)
Before the digital age, personal information was scattered across paper files that were slow to search and costly to copy. Computers changed that overnight: data can now be collected silently, stored indefinitely, copied perfectly, combined across sources and shared worldwide in an instant. That power is enormously useful — and enormously open to abuse. Data-protection law exists to rebalance the relationship between the organisations that hold data and the individuals the data is about, so that personal information is handled fairly, lawfully and securely and the individual keeps meaningful control. The underlying principle is simple: your data is, in an important sense, yours, and an organisation processing it is doing so on terms the law sets, not on terms it invents for itself.
The two instruments work together rather than competing.
| Instrument | What it is |
|---|---|
| UK GDPR | The UK's data-protection regulation, retained and adapted from the EU General Data Protection Regulation. It sets out the core principles, lawful bases and rights. |
| Data Protection Act 2018 | The UK Act of Parliament that gives the UK GDPR effect in domestic law, adds UK-specific detail and exemptions (for example for law enforcement and national security), and establishes the powers of the regulator. |
For A-Level purposes you can treat them as a single regime — "the DPA 2018 / UK GDPR" — and concentrate on the principles, bases, rights and roles, which is where the marks lie.
| Term | Meaning |
|---|---|
| Personal data | Any information relating to an identified or identifiable living individual — including obvious identifiers (name, address) and less obvious ones (an online identifier or location that, combined with other data, could single someone out). |
| Special category (sensitive) data | Particularly sensitive personal data — such as that revealing health, ethnic origin, religious or political beliefs, sexual orientation, or biometric data used to identify a person — which receives extra protection and stricter conditions for processing. |
| Data subject | The individual the personal data is about. |
| Data controller | The organisation (or person) that decides the purposes and means of processing — why and how the data is used. It carries primary legal responsibility. |
| Data processor | A party that processes data on the controller's behalf and under its instructions — for example a cloud provider that merely stores it. |
| Processing | Any operation on personal data: collecting, recording, storing, organising, using, sharing, altering or deleting it. |
At the heart of the regime are a small number of principles that all processing must satisfy. They are the lens the exam wants you to apply to a scenario.
| Principle | What it requires |
|---|---|
| Lawfulness, fairness and transparency | Process data lawfully (with a valid basis), fairly (no deception), and openly — people must be told what is happening to their data. |
| Purpose limitation | Collect data for specified, explicit and legitimate purposes and do not later use it for an incompatible purpose. |
| Data minimisation | Collect only data that is adequate, relevant and limited to what is necessary for the purpose — no "just in case" hoarding. |
| Accuracy | Keep data accurate and up to date; correct or erase inaccurate data without delay. |
| Storage limitation | Keep data only as long as necessary for the purpose, then delete it. |
| Integrity and confidentiality (security) | Protect data with appropriate security against unauthorised access, loss or damage (this is the direct hook to encryption and access control). |
| Accountability | The controller must not only comply but be able to demonstrate compliance — through records, policies and documented decisions. |
Exam Tip: Memorise the principles as a checklist. In a scenario question, walk through them: for each, ask "is this principle upheld or breached here, and why?" Naming the specific principle and tying it to a specific detail of the scenario is what earns the application marks — a generic recital of all seven does not.
Processing personal data is only lawful if the organisation has a valid lawful basis for it. It must choose and document the appropriate basis before it starts; it cannot process first and justify later. The recognised bases are:
| Lawful basis | When it applies | Example (generic) |
|---|---|---|
| Consent | The data subject has given clear, freely given, specific agreement, and may withdraw it. | A user actively ticks an unticked box to receive a marketing newsletter. |
| Contract | Processing is necessary to perform a contract with the data subject (or to take steps before entering one). | Using a customer's address to deliver goods they ordered. |
| Legal obligation | Processing is required to comply with the law. | An employer retaining payroll records as tax law requires. |
| Vital interests | Processing is necessary to protect someone's life. | Passing a patient's medical details to A&E in an emergency. |
| Public task | Processing is necessary for a task carried out in the public interest or under official authority. | A public body processing data to deliver a statutory service. |
| Legitimate interests | Processing is necessary for the legitimate interests of the controller or a third party, provided these are not overridden by the individual's rights. | A business contacting existing customers about a closely related product, having weighed the impact on them. |
A common exam trap is to assume consent is always required. It is only one of the bases, and often not the most appropriate; an employer does not need an employee's "consent" to run payroll (that is contract and legal obligation), and consent that is not genuinely free — for instance where refusing has unfair consequences — is not valid consent at all.
The flip side of an organisation's duties is a set of rights belonging to the individual. The most important to know are:
| Right | What it lets the individual do |
|---|---|
| Right to be informed | Be told, clearly, what data is collected, why, on what basis, and for how long. |
| Right of access | Request a copy of the personal data held about them (a "subject access request"), usually free and within a set time. |
| Right to rectification | Have inaccurate or incomplete data corrected. |
| Right to erasure ("right to be forgotten") | Have their data deleted in certain circumstances (e.g. when it is no longer needed or consent is withdrawn). |
| Right to restrict processing | Have processing paused while, say, a dispute over accuracy is resolved. |
| Right to data portability | Receive their data in a structured, machine-readable format to reuse or move to another provider. |
| Right to object | Object to certain processing — including, absolutely, to direct marketing. |
| Rights around automated decisions | Not be subject to a solely automated decision with significant effects without safeguards, and to challenge such decisions. |
These rights are not absolute — erasure, for instance, can be refused where the law requires the data to be kept — but an organisation must have a proper reason to decline and must respond to requests within the statutory timeframe.
The split between controller and processor decides where legal responsibility falls, and scenarios love to test it.
flowchart LR
DS[Data subject<br/>the individual] -- data about them --> DC[Data controller<br/>decides WHY and HOW]
DC -- instructs, under a contract --> DP[Data processor<br/>acts only on instructions]
DP -- processed data --> DC
ICO[ICO<br/>independent regulator] -. oversees + enforces .-> DC
ICO -. oversees .-> DP
The Information Commissioner's Office (ICO) is the UK's independent supervisory authority for data protection. Its functions are:
| Function | What it does |
|---|---|
| Guidance | Publishes codes of practice and guidance so organisations know how to comply. |
| Complaints and investigation | Receives complaints from data subjects and investigates suspected breaches. |
| Enforcement | Can issue notices requiring an organisation to act or stop, and can impose substantial financial penalties for serious breaches (the law sets the ceiling at a high level, intended to be a meaningful deterrent rather than a token). |
| Audit and oversight | Assesses organisations' practices and promotes good information handling. |
Alongside the regulator's powers, organisations carry duties of their own: securing data appropriately, reporting serious personal-data breaches to the ICO without undue delay (and informing affected individuals where the risk is high), keeping records of processing, building privacy in by design and default, and — for some organisations — appointing a Data Protection Officer. The consequences of getting it wrong are not only financial: reputational damage and loss of trust can outlast any penalty.
It is just as useful to see compliance succeed as to see it fail. Consider a school that holds pupils' names, addresses, attainment data and some medical information. Walking the principles shows what good practice looks like — this is exactly the structured reasoning an exam answer should imitate.
| Principle | How the school satisfies it |
|---|---|
| Lawfulness / fairness / transparency | Pupils and parents are given a clear privacy notice explaining what is held, why, and on what basis; nothing is collected covertly. |
| Purpose limitation | Data is used only for education and safeguarding — not, say, sold for marketing or repurposed for an unrelated scheme. |
| Data minimisation | Only data needed for those purposes is collected; the school does not gather, for example, parents' political views or income "just in case". |
| Accuracy | Records are reviewed and corrected promptly when families notify a change of address or a corrected name. |
| Storage limitation | Records are deleted a set time after a pupil leaves, retaining only what the law requires to be kept. |
| Security | Databases are encrypted, access is role-based (a subject teacher cannot see safeguarding files), and staff are trained against phishing. |
| Accountability | The school documents what data it holds, the lawful basis for each use, and its security measures, so it can demonstrate compliance if asked. |
The lawful basis here is typically public task and legal obligation rather than consent — a pupil cannot meaningfully "consent" to the school holding attendance data, and the school must hold it anyway — which again shows why consent is not the default. The medical data is special category data, so it attracts the extra conditions and the tightest access controls. Notice how each principle maps to a concrete action: that mapping from rule to implementation is precisely what distinguishes a top-band answer from a list of definitions.
Two duties deserve a closer look because scenarios so often turn on them.
Personal-data breaches. A breach is not only a hacker stealing data — it includes accidental loss (a misplaced unencrypted laptop), accidental disclosure (an email sent to the wrong recipient) or destruction of data. When a breach occurs that risks people's rights, the controller must notify the ICO without undue delay, and where the risk to individuals is high, tell the affected individuals too, so they can take protective steps. The point of mandatory reporting is to end the temptation to cover up incidents, and prompt, honest handling is treated as mitigation, whereas concealment aggravates the position.
flowchart TD
B[Personal-data breach detected] --> Q1{Risk to<br/>individuals' rights?}
Q1 -- No --> LOG[Record it internally;<br/>no external report needed]
Q1 -- Yes --> ICO[Notify the ICO<br/>without undue delay]
ICO --> Q2{High risk to<br/>individuals?}
Q2 -- No --> DONE[Document + remediate]
Q2 -- Yes --> SUBJ[Also inform the<br/>affected individuals]
SUBJ --> DONE
Subscribe to continue reading
Get full access to this lesson and all 10 lessons in this course.