The Data Protection Act 1998 (OCR A Level Computer Science)

Revision Note


Written by: Jennifer Page

Reviewed by: James Woodhouse

The Data Protection Act 1998

What is The Data Protection Act?

  • The Data Protection Act 1998 (DPA) is a UK law that protects personal data from being misused. It was replaced in May 2018 by the Data Protection Act 2018 and the GDPR, which keep the same core principles

  • Examples of personal data would include

    • Name

    • Address

    • Date of Birth

    • Race

    • Religion

  • Race and religion are classed as sensitive personal data (called special category data under GDPR) and may only be processed under stricter conditions

  • Most organisations that store personal data have to follow the Data Protection Principles, although there are a few exemptions:

    • Domestic purposes – if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the DPA

    • Law enforcement – personal data processed for the prevention or detection of crime is exempt from some of the provisions (such as the right of subject access) where applying them would prejudice the investigation. E.g. someone suspected of a crime cannot use the DPA to demand to see the evidence the Police hold about them while the investigation is ongoing

    • Intelligence services processing – personal data processed for the purpose of safeguarding national security (e.g. by MI5) is exempt from the DPA

The Data Protection Principles

Each principle is listed below with how it affects a company and an example.

  • 1. Personal data must be fairly and lawfully processed

    • How it affects a company: A company has to be clear about what personal data it wishes to collect and what it will use it for, and must have a lawful reason (such as consent or a legal obligation) for processing it.

    • Example: A school can request a guardian's contact details so that it can call them in an emergency.

  • 2. Personal data must be collected for specified and lawful purposes

    • How it affects a company: A company cannot use personal data for any purpose other than the one it stated originally, and cannot pass the data on to others without permission.

    • Example: A company that asks for a phone number to call about a delivery and then uses it to market new products would breach this principle.

  • 3. Personal data must be adequate, relevant and not excessive

    • How it affects a company: A company can only request the personal data it actually needs for the stated purpose (data minimisation).

    • Example: A bank cannot ask a customer for details of their previous trips when opening an account, because that is not needed for the purpose.

  • 4. Personal data must be kept accurate and up to date

    • How it affects a company: If a company holds personal data that is wrong or out of date, the data subject has the right to have it corrected or deleted.

    • Example: If a bank holds a customer's old address, statements will go to the wrong place, so the bank must update the address when told.

  • 5. Personal data must not be kept for longer than is necessary

    • How it affects a company: A company must delete (or anonymise) personal data once it no longer needs it for the stated purpose. Retention periods should be written down so that deletion actually happens.

    • Example: If a customer closes their account, the company must delete their data once any legal retention period (e.g. for financial records) has passed.

  • 6. Personal data must be processed in line with people's rights

    • How it affects a company: If requested, a company must provide a customer with a copy of all the personal data it holds on them (a subject access request).

    • Example: A hospital has to give a patient a copy of their full records if the patient requests it.

  • 7. Personal data must be held securely

    • How it affects a company: A company is required to protect the personal data it keeps with appropriate technical and organisational measures (e.g. usernames and passwords, access controls, encryption, staff training) and to back it up to prevent accidental loss.

    • Example: A company could keep encrypted external backups in the cloud. The backups hold the same personal data as the live system, so they must be protected (and located) in line with the other principles.

  • 8. Personal data must not be transferred to countries outside the European Economic Area unless those countries have similar data protection laws

    • How it affects a company: A company cannot send personal data outside the EEA unless the destination country has been deemed by the European Commission to provide an adequate level of protection, or another safeguard (such as approved contract clauses or the individual's explicit consent) is in place.

    • Example: A company cannot simply send customer data to China, because China has not been deemed to have adequate data protection.

Examiner Tips and Tricks

  • When you get a question asking to explain the principles make sure you explain them and not just state them.

    • Example: Personal data must be fairly and lawfully processed which means that companies must collect personal information with a lawful reason to have the data

  • OCR is also aware that the law is constantly changing, especially with regard to data protection, so answers will be accepted that use an interpretation of the law based on either when the specification was set (2015) or when the examination was sat.

    • E.g. you can refer to the GDPR and the Data Protection Act 2018, which replaced the 1998 Act in May 2018

Actions Companies Must Take

  • Companies can face extremely large fines if they are found to be in breach of the Data Protection Act (up to £500,000 under the 1998 Act; up to £17.5 million or 4% of annual worldwide turnover under the UK GDPR)

  • The company itself is the data controller (the organisation that decides why and how personal data is processed). Under the 1998 Act it had to notify the Information Commissioner that it was processing personal data; under GDPR, certain organisations (such as public authorities) must also appoint a Data Protection Officer (DPO), who is responsible for making sure the principles are not breached and for keeping in contact with the Information Commissioner

  • The company must put in place physical and digital security measures to prevent the data from being accessed without authorisation

  • The company should make sure that it trains its staff to abide by the principles

  • Companies must send a copy of the subject's data if a Subject Access Request (SAR) is received. The company must first verify the identity of the requester (otherwise the SAR itself becomes a way to obtain someone else's data), then send the copy securely and within the legal time limit (40 days under the 1998 Act; one month under GDPR)

Rights of an Individual Under the DPA

Under the current data protection legislation (the GDPR and the Data Protection Act 2018), data subjects have the following rights with regard to their personal information:

  • To be informed about the collection and the use of their personal data

  • To access personal data and supplementary information

  • To have inaccurate personal data rectified, or completed if it is incomplete

  • To be forgotten in certain circumstances

  • To restrict processing in certain circumstances

  • To data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services

  • To object to processing in certain circumstances

  • Not to be subject to decisions based solely on automated decision making or profiling, in certain circumstances

  • To withdraw consent at any time (where relevant)

  • To complain to the Information Commissioner

Case Study

British Airways fined £20m over GDPR breach

“British Airways (BA) has been fined £20 million by the UK's data protection authority over data security failings which enabled unauthorised access to be obtained to personal and payment card information relating to more than 400,000 of its customers.” - External link to Pinsent Masons article

Things that British Airways could have done to prevent the breach:

  • Requiring multi-factor authentication on employee log-ins, especially for remote access, so that a stolen password alone is not enough to get in

  • Using role-based access controls so that each user only has the permissions their job needs (least privilege)

  • Having efficient and effective security monitoring, so that unusual activity (such as repeated attempts to reach data a user is not allowed to see) is noticed quickly

  • Regularly penetration testing its systems and fixing any issues found promptly

These are all deemed good practice and would likely either have prevented the attack or enabled British Airways to spot the breach itself, rather than being told about it by a third party.
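To make the second and third bullets concrete, here is a small added example (not code from British Airways, the ICO or this revision note) showing role-based access control combined with an audit trail that a monitoring rule can check. The roles, permissions, usernames and customer records are all invented for illustration: each user is assigned one role, each role maps to a set of permissions, every access decision (allowed or denied) is logged, and a simple rule flags users who keep being denied, which is the kind of signal security monitoring is meant to surface.

```python
"""Role-based access control (RBAC) with an audit trail, as an illustration.

Added example for this revision note; not British Airways' or the ICO's code.
All roles, permissions, users and records below are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical roles. A permission names an action on a category of personal data.
# Nobody gets "read:payment_card" unless their job needs it (least privilege).
ROLE_PERMISSIONS = {
    "booking_agent": {"read:booking", "update:booking"},
    "finance": {"read:booking", "read:payment_card"},
    "support": {"read:booking"},
    "auditor": {"read:audit_log"},
}


@dataclass
class AuditEvent:
    """One access decision, kept so that monitoring can review it later."""
    user: str
    role: str
    permission: str
    record_id: str
    allowed: bool


@dataclass
class AccessControl:
    """Decides whether a user may perform an action and logs every decision."""
    user_roles: dict                      # user -> role
    audit_log: list = field(default_factory=list)

    def check(self, user, permission, record_id):
        # Unknown users get the empty role, so they are denied everything.
        role = self.user_roles.get(user, "none")
        allowed = permission in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(AuditEvent(user, role, permission, record_id, allowed))
        return allowed

    def read(self, user, category, record_id, store):
        # Denied requests are still logged by check(); that is the point.
        if not self.check(user, f"read:{category}", record_id):
            raise PermissionError(f"{user} may not read {category} {record_id}")
        return store[category][record_id]


def suspicious_users(audit_log, threshold=3):
    """Monitoring rule: users with at least `threshold` denied requests."""
    denials = Counter(e.user for e in audit_log if not e.allowed)
    return {user for user, count in denials.items() if count >= threshold}


# Constructed sample records, not real customer data.
STORE = {
    "booking": {"B1": {"name": "A. Customer", "flight": "XY123"}},
    "payment_card": {"B1": {"last4": "4242", "expiry": "12/30"}},
}


def demo():
    """Support staff can read bookings but not card data; finance can read both."""
    ac = AccessControl(user_roles={"alice": "support", "bob": "finance"})
    alice_booking = ac.read("alice", "booking", "B1", STORE)
    denied = 0
    for _ in range(3):                    # alice probing for card data
        try:
            ac.read("alice", "payment_card", "B1", STORE)
        except PermissionError:
            denied += 1
    bob_card = ac.read("bob", "payment_card", "B1", STORE)
    return {
        "alice_booking": alice_booking,
        "alice_card_denied": denied,
        "bob_card_last4": bob_card["last4"],
        "flagged": suspicious_users(ac.audit_log),
        "events": len(ac.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The audit log records denials as well as successes. An organisation that only logs successful reads cannot tell that an account is being used to probe for data outside its role, which is exactly the situation where a third party ends up reporting the breach first.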


Author: Jennifer Page

Expertise: Computer Science

Jennifer has been teaching various Computing subjects for over 6 years in Northamptonshire across KS3-5. She currently works as a Head of Department and is an examiner and moderator for GCSEs. She has previously worked with a local teacher training school to provide training and mentor ECTs in Computing.

Reviewer: James Woodhouse

Expertise: Computer Science

James graduated from the University of Sunderland with a degree in ICT and Computing education. He has over 14 years of experience both teaching and leading in Computer Science, specialising in teaching GCSE and A-level. James has held various leadership roles, including Head of Computer Science and coordinator positions for Key Stage 3 and Key Stage 4. James has a keen interest in networking security and technologies aimed at preventing security breaches.