You are viewing a free preview of this lesson.
Subscribe to unlock all 10 lessons in this course and every other course on LearningBro.
This lesson covers the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) as required by OCR J277 Section 1.6. These are the most important pieces of legislation governing the use of personal data in the UK.
This lesson builds AO1 knowledge of the DPA/GDPR and its key terms, AO2 the ability to apply the correct principle to a data-handling scenario, and AO3 the judgement to analyse and evaluate whether an organisation has met its legal duties.
The Data Protection Act 2018 (DPA 2018) is the UK's implementation of the General Data Protection Regulation (GDPR), a regulation from the European Union. Together, they control how personal data is collected, stored, processed, and shared by organisations.
The DPA 2018 replaced the earlier Data Protection Act 1998 and provides stronger rights for individuals and stricter obligations for organisations.
| Term | Meaning |
|---|---|
| Personal data | Any information that can identify a living individual (name, address, email, IP address, etc.) |
| Sensitive personal data | Special category data including health records, biometrics, religious beliefs, ethnicity |
| Data subject | The individual whose personal data is being processed |
| Data controller | The organisation that decides why and how personal data is processed |
| Data processor | An organisation that processes data on behalf of the data controller |
| ICO | The Information Commissioner's Office — the UK's data protection regulator |
Organisations that handle personal data must follow seven key principles:
| Principle | Meaning |
|---|---|
| 1. Lawfulness, fairness, transparency | Data must be processed legally, fairly, and in a clear manner |
| 2. Purpose limitation | Data must be collected for a specific, stated purpose and not used for anything else |
| 3. Data minimisation | Only the minimum amount of data necessary should be collected |
| 4. Accuracy | Data must be kept accurate and up to date |
| 5. Storage limitation | Data must not be kept longer than necessary |
| 6. Integrity and confidentiality | Data must be kept secure and protected from unauthorised access |
| 7. Accountability | The data controller must be able to demonstrate compliance with all principles |
OCR Exam Tip: You do not need to memorise the exact names of all seven principles, but you should be able to describe at least four or five of them in your own words. A common exam question asks you to explain how a given scenario does or does not comply with the DPA/GDPR.
Under the DPA 2018 and GDPR, individuals have several important rights:
| Right | What It Means |
|---|---|
| Right of access | You can request a copy of all personal data an organisation holds about you (Subject Access Request) |
| Right to rectification | You can ask for inaccurate data to be corrected |
| Right to erasure | You can request that your data be deleted (the "right to be forgotten") |
| Right to restrict processing | You can ask an organisation to stop processing your data in certain circumstances |
| Right to data portability | You can request your data in a format that allows it to be transferred to another provider |
| Right to object | You can object to your data being used for certain purposes, such as direct marketing |
Organisations that handle personal data must:
Organisations that fail to comply with the DPA 2018/GDPR face serious penalties:
| Consequence | Detail |
|---|---|
| Fines | Up to £17.5 million or 4% of annual global turnover (whichever is higher) |
| Enforcement notices | The ICO can order organisations to take specific actions |
| Reputation damage | Public awareness of data breaches damages trust |
| Compensation claims | Affected individuals can claim compensation for distress or financial loss |
In 2020, British Airways was fined £20 million by the ICO after a data breach exposed the personal data of approximately 400,000 customers.
OCR Exam Tip: When answering questions about the DPA/GDPR, always link back to specific principles. For example, if a company keeps data for 10 years without a reason, this violates the storage limitation principle. If they do not use encryption, this violates integrity and confidentiality.
flowchart TD
G((DPA 2018<br/>+ UK GDPR)) --> P1["1. Lawfulness, fairness,<br/>transparency"]
G --> P2["2. Purpose<br/>limitation"]
G --> P3["3. Data<br/>minimisation"]
G --> P4[4. Accuracy]
G --> P5["5. Storage<br/>limitation"]
G --> P6["6. Integrity and<br/>confidentiality"]
G --> P7[7. Accountability]
G --> R((Data subject<br/>rights))
R --> R1[Access]
R --> R2[Rectification]
R --> R3[Erasure]
R --> R4["Restrict<br/>processing"]
R --> R5[Portability]
R --> R6[Object]
G --> EN["Enforcement: ICO<br/>Fines up to £17.5m or<br/>4% global turnover"]
The Data Protection Act 2018 and GDPR protect individuals' personal data by setting strict rules for how organisations collect, store, process, and share it. The seven principles provide a framework for lawful data handling, and individuals have rights including access, rectification, and erasure. Non-compliance carries significant financial and reputational consequences. This is one of the most commonly tested pieces of legislation in the OCR J277 exam.
In September 2018, British Airways (BA) disclosed a major cyber attack on its website and mobile app. Attackers — later linked to the group commonly known as Magecart — had injected malicious JavaScript into the payment page. For roughly two weeks, everyone who entered their details into the BA checkout had their data silently copied to an attacker-controlled server. The breach exposed the personal and payment data of approximately 429,000 customers and staff, including names, email addresses, home addresses, and crucially full payment card details (number, expiry date, and CVV).
The Information Commissioner's Office investigation: The ICO opened an investigation the same month. Investigators concluded BA had failed to implement appropriate technical and organisational measures as required by the integrity and confidentiality principle of GDPR. Key findings included: inadequate multi-factor authentication for privileged accounts, weak network segmentation allowing the attackers to move laterally once inside, absence of file-integrity monitoring that would have flagged the injected script, and insufficient testing of the payment page itself.
The fine: the ICO initially issued a notice of intent to fine BA £183 million in 2019 — at the time the largest GDPR fine in UK history. After representations by BA and the impact of the COVID-19 pandemic on the aviation industry, the final penalty issued in October 2020 was reduced to £20 million. Even the reduced figure was substantially higher than the maximum possible under the old DPA 1998 and confirmed the ICO's willingness to use its UK GDPR powers.
What OCR J277 concepts does this illustrate? Several at once. BA is the data controller — it decided what data to collect and how. The attackers' infrastructure was effectively a rogue data processor. The payment card data was personal data, and given its sensitivity and regulatory weight (PCI-DSS) it attracted particular scrutiny. BA breached the integrity and confidentiality principle. The breach-notification obligation (72 hours to the ICO; without undue delay to affected individuals) applied — BA notified customers within a few days of discovery. Data subject rights were engaged: affected customers had the right to bring civil claims for compensation. A class action followed and settled in 2021.
Technical dimension for the specification: injected-JavaScript attacks (Magecart-style) are a common exam-friendly illustration of why input validation, subresource integrity (SRI), and strict content security policies matter. They are also a reminder that DPA obligations extend to an organisation's supply chain: third-party scripts loaded from vendors can exfiltrate data just as easily as first-party code.
Wider context: Marriott International was fined £18.4m in the same period for a similar breach affecting hundreds of millions of hotel guests; TalkTalk was fined £400,000 in 2016 under the earlier DPA 1998. Together these cases form a clear UK regulatory trend: large organisations holding personal data face escalating fines for inadequate security, and the ICO treats integrity and confidentiality failures as serious principle breaches.
Exam-applicable takeaway: when a scenario involves stolen personal data from a company, structure your answer around (1) the principle breached (usually integrity and confidentiality), (2) the role of the parties (data controller, processor, subject), (3) the 72-hour notification duty, (4) the scale of potential fines (up to £17.5m or 4% of global turnover), and (5) the data-subject rights (access, erasure, compensation).
Misconception: "GDPR was replaced by something different after Brexit, so it doesn't apply in the UK any more."
Correction: After Brexit the UK retained GDPR as the UK GDPR, which operates alongside the Data Protection Act 2018. Both the principles and the data subject rights remain essentially unchanged. The ICO still enforces them, and the maximum fines (£17.5m or 4% of global annual turnover) still apply. British Airways (2020) and Marriott (2020) were both fined under this UK GDPR regime. The law has not been weakened by Brexit; it has been localised.
Exam question (6 marks): A UK retailer's customer database is hacked and the personal data of 50,000 customers is stolen. Discuss the legal position of the retailer under the Data Protection Act 2018.
Grade 3-4 response: The retailer has broken the Data Protection Act because the customer data was stolen. They should have kept it more safe. They will get a fine from the government. The customers can sue them. They need to tell the customers what happened.
Examiner-style commentary: Identifies the correct Act and two consequences but lacks specifics — no principle named, no timescale, no quantified fine, no identification of who enforces. Around 1-2 marks.
Grade 5-6 response: Under the UK GDPR / Data Protection Act 2018, the retailer is the data controller and has breached the integrity and confidentiality principle because the data was not kept secure. The retailer must report the breach to the ICO within 72 hours and notify affected customers if there is a high risk to them. The ICO can issue a fine of up to 17.5 million or 4% of global turnover. The retailer may also face civil claims from customers for compensation, as happened after the British Airways breach. The retailer should improve its security by using encryption, multi-factor authentication, and regular penetration testing.
Examiner-style commentary: Principle identified, notification timescale correct, quantified fine, real-case reference, concrete remediation. Around 4-5 marks.
Grade 7-9 response: The retailer acts as the data controller under the UK GDPR / Data Protection Act 2018 and bears the legal responsibility for processing customer personal data lawfully and securely. The breach engages the integrity and confidentiality principle (Article 5(1)(f)) and arguably the accountability principle (Article 5(2)) because a data controller must demonstrate compliance through documented security measures. Notification duties: the breach must be reported to the ICO within 72 hours (Article 33) unless unlikely to result in risk; affected customers must be notified "without undue delay" where high risk exists (Article 34). Regulatory consequences: the ICO can issue a fine of up to £17.5m or 4% of annual global turnover, whichever is higher; precedent includes BA (£20m, 2020) and Marriott (£18.4m, 2020). Civil liability: affected customers have the right to compensation for both material and non-material damage (Article 82), and group litigation is increasingly common. Remediation: the controller should investigate root cause, remediate technical weaknesses (encryption at rest and in transit, MFA, network segmentation, input validation, SRI for third-party scripts), conduct staff retraining, update its Record of Processing Activities, and document lessons learned. Conclusion: beyond the fine, reputational damage, lost customers, and litigation costs typically exceed regulatory penalties; BA's total breach cost is estimated to have run into hundreds of millions once civil settlements and remediation are included. Robust preventive measures are therefore commercially as well as legally essential.
Examiner-style commentary: Articles cited, dual notification duties distinguished, quantified fines with precedent cases, civil litigation route, remediation aligned to the breach type, and commercial context. Full 6 marks.
The seven principles are the heart of the DPA/GDPR, and the exam rewards students who can explain what each one actually requires an organisation to do rather than just repeating its name. Here they are re-stated as practical duties, using a school as a running example.
Lawfulness, fairness and transparency means the school must have a genuine legal reason to hold your data (for example, it needs your address to contact your parents), must not deceive you about what it is doing, and must tell you clearly — usually through a privacy notice — what it collects and why. Collecting data for one stated reason and quietly using it for another (say, selling parents' emails to a uniform supplier) would break this principle.
Purpose limitation means data gathered for enrolment cannot suddenly be repurposed for unrelated marketing. If the school later wants to use the data for a genuinely new purpose, it normally needs a fresh lawful basis or fresh consent.
Data minimisation means only collecting what is genuinely needed. A sports club sign-up form that demands your National Insurance number and religion "just in case" is collecting far more than it needs and breaches this principle.
Accuracy places a duty to keep records correct and up to date. If your recorded allergy information is wrong, that is not just an administrative slip — it is a legal breach, and it could be dangerous.
Storage limitation means data must be deleted once it is no longer needed. Keeping the medical records of a pupil who left ten years ago, with no retention justification, breaches this principle. Organisations meet it by writing a retention schedule that states how long each type of record is kept.
Integrity and confidentiality — often just called "security" — requires appropriate technical and organisational measures: encryption, access controls, staff training, backups, and so on. This is the principle most often breached in the news, because it is the one that fails when a system is hacked or a laptop is lost.
Accountability is the newest and most demanding principle. It is not enough to comply; the organisation must be able to prove it complies, through written policies, records of processing activities, training logs, and impact assessments. An organisation that does everything right but cannot demonstrate it has still failed the accountability test.
OCR Exam Tip: If a question asks you to apply the DPA to a scenario, name the specific principle that has been broken and say why. "They broke data protection" earns little; "they breached the storage limitation principle by keeping the records for ten years with no retention justification" earns the mark.
A high-scoring answer weighs both sides rather than assuming regulation is simply "good".
Benefits of strong data protection law. It gives individuals genuine control over information about them, which matters because data can be used to profile, manipulate, or discriminate. It forces organisations to take security seriously, reducing the frequency and severity of breaches. It creates a level playing field so that responsible companies are not undercut by careless ones. It builds public trust in digital services, which arguably grows the digital economy rather than shrinking it. And it provides a route to compensation and redress when things go wrong.
Drawbacks and criticisms. Compliance carries a real cost, which falls hardest on small businesses, charities, and schools that cannot afford dedicated data-protection staff. Some argue the rules are complex and vague — phrases such as "appropriate" security or "legitimate interests" are open to interpretation, leaving well-meaning organisations unsure whether they comply. Consent requests have multiplied into an endless stream of cookie banners that most people click through without reading, which arguably reduces genuine understanding rather than increasing it. Critics also note that the largest fines fall on big companies that can absorb them, while smaller organisations are disproportionately deterred from useful data use (for example, medical research or fraud detection). Finally, because the internet is global, a UK law can only do so much against a company based in a jurisdiction with weaker rules.
Reaching a judgement. On balance most commentators accept that the principle of legally enforceable data protection is justified — the power imbalance between individuals and large data-holders is too great to leave to goodwill. The sharper debate is about proportionality: whether the compliance burden on small organisations is set at the right level, and whether consent-based models actually deliver the control they promise. A strong exam answer states a clear view and defends it, rather than sitting on the fence.
Specimen question modelled on the OCR J277 format (8 marks): "Some people argue that data protection law protects individuals, while others argue it is an unnecessary burden on organisations. Evaluate the impact of the Data Protection Act 2018 on both individuals and organisations."
This is a levelled-response question. Markers place your answer in a band based on the quality of reasoning, not the number of points.
| Level | Marks | What it looks like |
|---|---|---|
| Level 3 | 6–8 | A balanced, well-structured evaluation covering both individuals and organisations, using accurate terminology (principles, ICO, data subject rights, fines), with a justified conclusion that weighs the arguments. |
| Level 2 | 3–5 | Some description of benefits and/or drawbacks with some relevant terminology, but analysis is one-sided or thin, and any conclusion is asserted rather than argued. |
| Level 1 | 1–2 | A few basic, mostly one-sided points (e.g. "it keeps data safe"), with little accurate terminology and no real evaluation. |
| 0 | 0 | Nothing creditworthy. |
How to reach Level 3: deal explicitly with both stakeholders — individuals (control, rights, redress) and organisations (security discipline versus compliance cost). Use accurate terms such as the seven principles, the ICO, and subject access requests. Then commit to a conclusion — for example, that the benefits to individuals outweigh the costs to organisations, but that the burden on small organisations is a genuine weakness — and justify it. The single most common reason an otherwise good answer stays in Level 2 is failing to write a real conclusion.
"Consent is always needed to process personal data." No. Consent is only one of six lawful bases. An employer processing payroll relies on contract; a hospital sharing data in an emergency may rely on vital interests; a public body may rely on legal obligation or public task. Insisting that everything needs consent is a frequent error.
"The DPA only applies to computerised data." It applies to personal data held in a structured manual filing system too, not just databases — although at GCSE the digital dimension is the focus.
"Anonymised data is still personal data." Genuinely anonymised data (where no individual can be re-identified, even by combining datasets) falls outside the DPA. The catch is that weak "anonymisation" that can be reversed is really pseudonymisation, which is still personal data.
"A data controller and a data processor are the same thing." They are legally distinct. The controller decides the purposes and means of processing (and carries most of the legal responsibility); the processor merely acts on the controller's instructions (for example, a cloud host). Confusing the two loses application marks in scenario questions.
This content is aligned with OCR GCSE Computer Science (J277) specification section 1.6 Ethical, legal, cultural and environmental impacts of digital technology. For the most accurate and up-to-date information, please refer to the official OCR specification document.