This lesson covers the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) for the OCR A-Level Computer Science (H446) specification, section 1.5. These are the primary laws governing how personal data is collected, processed, and stored in the UK and EU.
The Data Protection Act 2018 (DPA) is the UK's implementation of the EU General Data Protection Regulation (GDPR). Together, they form the framework for protecting individuals' personal data.

| Law | Scope |
|---|---|
| GDPR (2018) | EU-wide regulation; also applies to organisations outside the EU that process EU residents' data. |
| DPA 2018 | UK-specific implementation of GDPR; includes additional provisions for national security, immigration, etc. |

| Term | Definition |
|---|---|
| Personal data | Any information relating to an identified or identifiable living individual. |
| Sensitive personal data (Special category data) | Data revealing racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation. |
| Data subject | The individual whose personal data is being processed. |
| Data controller | The organisation or person that determines the purposes and means of processing personal data. |
| Data processor | An organisation or person that processes data on behalf of the data controller. |
| Processing | Any operation performed on personal data (collecting, storing, using, sharing, deleting). |
| ICO | Information Commissioner's Office -- the UK's independent authority for data protection. |

| Principle | Description |
|---|---|
| 1. Lawfulness, fairness, transparency | Data must be processed lawfully, fairly, and in a transparent manner. |
| 2. Purpose limitation | Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. |
| 3. Data minimisation | Data collected must be adequate, relevant, and limited to what is necessary. |
| 4. Accuracy | Data must be accurate and, where necessary, kept up to date. Inaccurate data must be corrected or erased. |
| 5. Storage limitation | Data must not be kept longer than necessary for its purpose. |
| 6. Integrity and confidentiality (Security) | Data must be processed in a manner that ensures appropriate security, including protection against unauthorised access, loss, or damage. |
| 7. Accountability | The data controller must be able to demonstrate compliance with all principles. |

Exam Tip: You must be able to name and explain all seven principles. OCR exam questions often present a scenario and ask which principles are being violated. Link each principle to the specific scenario detail.
Organisations must have a lawful basis for processing personal data. The six lawful bases are:

| Basis | Description | Example |
|---|---|---|
| Consent | The data subject has given clear consent for processing. | Ticking a box to agree to marketing emails. |
| Contract | Processing is necessary for a contract with the data subject. | Processing an employee's payroll data. |
| Legal obligation | Processing is necessary to comply with the law. | Sharing data with HMRC for tax purposes. |
| Vital interests | Processing is necessary to protect someone's life. | Sharing medical data in an emergency. |
| Public task | Processing is necessary for performing a task in the public interest. | NHS processing health data for public health. |
| Legitimate interests | Processing is necessary for the legitimate interests of the controller or a third party. | A company sending product updates to existing customers. |

Under GDPR/DPA 2018, individuals have the following rights: