This lesson covers the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) as required by OCR J277 Section 1.6. These are the most important pieces of legislation governing the use of personal data in the UK.
The Data Protection Act 2018 (DPA 2018) is the UK's implementation of the General Data Protection Regulation (GDPR), a regulation from the European Union. Together, they control how personal data is collected, stored, processed, and shared by organisations.
The DPA 2018 replaced the earlier Data Protection Act 1998 and provides stronger rights for individuals and stricter obligations for organisations.
| Term | Meaning |
|---|---|
| Personal data | Any information that can identify a living individual (name, address, email, IP address, etc.) |
| Sensitive personal data | Special category data including health records, biometrics, religious beliefs, ethnicity |
| Data subject | The individual whose personal data is being processed |
| Data controller | The organisation that decides why and how personal data is processed |
| Data processor | An organisation that processes data on behalf of the data controller |
| ICO | The Information Commissioner's Office — the UK's data protection regulator |
Organisations that handle personal data must follow seven key principles:
| Principle | Meaning |
|---|---|
| 1. Lawfulness, fairness, transparency | Data must be processed legally, fairly, and in a clear manner |
| 2. Purpose limitation | Data must be collected for a specific, stated purpose and not used for anything else |
| 3. Data minimisation | Only the minimum amount of data necessary should be collected |
| 4. Accuracy | Data must be kept accurate and up to date |
| 5. Storage limitation | Data must not be kept longer than necessary |
| 6. Integrity and confidentiality | Data must be kept secure and protected from unauthorised access |
| 7. Accountability | The data controller must be able to demonstrate compliance with all principles |
OCR Exam Tip: You do not need to memorise the exact names of all seven principles, but you should be able to describe at least four or five of them in your own words. A common exam question asks you to explain how a given scenario does or does not comply with the DPA/GDPR.
Under the DPA 2018 and GDPR, individuals have several important rights:
| Right | What It Means |
|---|---|
| Right of access | You can request a copy of all personal data an organisation holds about you (Subject Access Request) |
| Right to rectification | You can ask for inaccurate data to be corrected |
| Right to erasure | You can request that your data be deleted (the "right to be forgotten") |
| Right to restrict processing | You can ask an organisation to stop processing your data in certain circumstances |
| Right to data portability | You can request your data in a format that allows it to be transferred to another provider |
| Right to object | You can object to your data being used for certain purposes, such as direct marketing |
Organisations that handle personal data must:
Organisations that fail to comply with the DPA 2018/GDPR face serious penalties:
| Consequence | Detail |
|---|---|
| Fines | Up to £17.5 million or 4% of annual global turnover (whichever is higher) |
| Enforcement notices | The ICO can order organisations to take specific actions |
| Reputation damage | Public awareness of data breaches damages trust |
| Compensation claims | Affected individuals can claim compensation for distress or financial loss |
In 2020, British Airways was fined £20 million by the ICO after a data breach exposed the personal data of approximately 400,000 customers.
OCR Exam Tip: When answering questions about the DPA/GDPR, always link back to specific principles. For example, if a company keeps data for 10 years without a reason, this violates the storage limitation principle. If they do not use encryption, this violates integrity and confidentiality.
```mermaid
flowchart TD
G((DPA 2018<br/>+ UK GDPR)) --> P1["1. Lawfulness, fairness,<br/>transparency"]
G --> P2["2. Purpose<br/>limitation"]
G --> P3["3. Data<br/>minimisation"]
G --> P4[4. Accuracy]
G --> P5["5. Storage<br/>limitation"]
G --> P6["6. Integrity and<br/>confidentiality"]
G --> P7[7. Accountability]
G --> R((Data subject<br/>rights))
R --> R1[Access]
R --> R2[Rectification]
R --> R3[Erasure]
R --> R4["Restrict<br/>processing"]
R --> R5[Portability]
R --> R6[Object]
G --> EN["Enforcement: ICO<br/>Fines up to £17.5m or<br/>4% global turnover"]
```
The Data Protection Act 2018 and GDPR protect individuals' personal data by setting strict rules for how organisations collect, store, process, and share it. The seven principles provide a framework for lawful data handling, and individuals have rights including access, rectification, and erasure. Non-compliance carries significant financial and reputational consequences. This is one of the most commonly tested pieces of legislation in the OCR J277 exam.
In September 2018, British Airways (BA) disclosed a major cyber attack on its website and mobile app. Attackers — later linked to the group commonly known as Magecart — had injected malicious JavaScript into the payment page. For roughly two weeks, everyone who entered their details into the BA checkout had their data silently copied to an attacker-controlled server. The breach exposed the personal and payment data of approximately 429,000 customers and staff, including names, email addresses, home addresses and, crucially, full payment card details (number, expiry date, and CVV).
The Information Commissioner's Office investigation: The ICO opened an investigation the same month. Investigators concluded BA had failed to implement appropriate technical and organisational measures as required by the integrity and confidentiality principle of GDPR. Key findings included: inadequate multi-factor authentication for privileged accounts, weak network segmentation allowing the attackers to move laterally once inside, absence of file-integrity monitoring that would have flagged the injected script, and insufficient testing of the payment page itself.
The fine: the ICO initially issued a notice of intent to fine BA £183 million in 2019 — at the time the largest GDPR fine in UK history. After representations by BA and the impact of the COVID-19 pandemic on the aviation industry, the final penalty issued in October 2020 was reduced to £20 million. Even the reduced figure was substantially higher than the maximum possible under the old DPA 1998 and confirmed the ICO's willingness to use its UK GDPR powers.
What OCR J277 concepts does this illustrate? Several at once. BA is the data controller — it decided what data to collect and how. The attackers' infrastructure was effectively a rogue data processor. The payment card data was personal data, and given its sensitivity and regulatory weight (PCI-DSS) it attracted particular scrutiny. BA breached the integrity and confidentiality principle. The breach-notification obligation (72 hours to the ICO; without undue delay to affected individuals) applied — BA notified customers within a few days of discovery. Data subject rights were engaged: affected customers had the right to bring civil claims for compensation. A class action followed and settled in 2021.
Technical dimension for the specification: injected-JavaScript attacks (Magecart-style) are a common exam-friendly illustration of why input validation, subresource integrity (SRI), and strict content security policies matter. They are also a reminder that DPA obligations extend to an organisation's supply chain: third-party scripts loaded from vendors can exfiltrate data just as easily as first-party code.
Wider context: Marriott International was fined £18.4m in the same period for a similar breach affecting hundreds of millions of hotel guests; TalkTalk was fined £400,000 in 2016 under the earlier DPA 1998. Together these cases form a clear UK regulatory trend: large organisations holding personal data face escalating fines for inadequate security, and the ICO treats integrity and confidentiality failures as serious principle breaches.
Exam-applicable takeaway: when a scenario involves stolen personal data from a company, structure your answer around (1) the principle breached (usually integrity and confidentiality), (2) the role of the parties (data controller, processor, subject), (3) the 72-hour notification duty, (4) the scale of potential fines (up to £17.5m or 4% of global turnover), and (5) the data-subject rights (access, erasure, compensation).
Misconception: "GDPR was replaced by something different after Brexit, so it doesn't apply in the UK any more."
Correction: After Brexit the UK retained GDPR as the UK GDPR, which operates alongside the Data Protection Act 2018. Both the principles and the data subject rights remain essentially unchanged. The ICO still enforces them, and the maximum fines (£17.5m or 4% of global annual turnover) still apply. British Airways (2020) and Marriott (2020) were both fined under this UK GDPR regime. The law has not been weakened by Brexit; it has been localised.
Exam question (6 marks): A UK retailer's customer database is hacked and the personal data of 50,000 customers is stolen. Discuss the legal position of the retailer under the Data Protection Act 2018.
Grade 3-4 response: The retailer has broken the Data Protection Act because the customer data was stolen. They should have kept it more safe. They will get a fine from the government. The customers can sue them. They need to tell the customers what happened.
Examiner commentary: Identifies the correct Act and two consequences but lacks specifics — no principle named, no timescale, no quantified fine, no identification of who enforces. Around 1-2 marks.
Grade 5-6 response: Under the UK GDPR / Data Protection Act 2018, the retailer is the data controller and has breached the integrity and confidentiality principle because the data was not kept secure. The retailer must report the breach to the ICO within 72 hours and notify affected customers if there is a high risk to them. The ICO can issue a fine of up to £17.5 million or 4% of global turnover. The retailer may also face civil claims from customers for compensation, as happened after the British Airways breach. The retailer should improve its security by using encryption, multi-factor authentication, and regular penetration testing.
Examiner commentary: Principle identified, notification timescale correct, quantified fine, real-case reference, concrete remediation. Around 4-5 marks.
Grade 7-9 response: The retailer acts as the data controller under the UK GDPR / Data Protection Act 2018 and bears the legal responsibility for processing customer personal data lawfully and securely. The breach engages the integrity and confidentiality principle (Article 5(1)(f)) and arguably the accountability principle (Article 5(2)) because a data controller must demonstrate compliance through documented security measures. Notification duties: the breach must be reported to the ICO within 72 hours (Article 33) unless unlikely to result in risk; affected customers must be notified "without undue delay" where high risk exists (Article 34). Regulatory consequences: the ICO can issue a fine of up to £17.5m or 4% of annual global turnover, whichever is higher; precedent includes BA (£20m, 2020) and Marriott (£18.4m, 2020). Civil liability: affected customers have the right to compensation for both material and non-material damage (Article 82), and group litigation is increasingly common. Remediation: the controller should investigate root cause, remediate technical weaknesses (encryption at rest and in transit, MFA, network segmentation, input validation, SRI for third-party scripts), conduct staff retraining, update its Record of Processing Activities, and document lessons learned. Conclusion: beyond the fine, reputational damage, lost customers, and litigation costs typically exceed regulatory penalties; BA's total breach cost is estimated to have run into hundreds of millions once civil settlements and remediation are included. Robust preventive measures are therefore commercially as well as legally essential.
Examiner commentary: Articles cited, dual notification duties distinguished, quantified fines with precedent cases, civil litigation route, remediation aligned to the breach type, and commercial context. Full 6 marks.
This content is aligned with OCR GCSE Computer Science (J277) specification section 1.6 Ethical, legal, cultural and environmental impacts of digital technology. For the most accurate and up-to-date information, please refer to the official OCR specification document.