4.1 - UK Legislation


2016 - Unit 2 

There are many types of legislation - laws that have been written into use - that concern data storage, data protection and the use of information. In an exam, the year each law was introduced must be stated.

Data Protection Act (2018)

In 2018 the European Union introduced GDPR (General Data Protection Regulation) to protect the privacy of data for people in the EU. The UK matched this by updating the Data Protection Act introduced in 1998 to become the Data Protection Act (2018).

This act protects the data of individuals that is stored on computers and processed by organisations.

How the Data Protection Act works:

Each person whose data is stored is known as a data subject. An employee within an organisation must be appointed as a data controller, and it is they who are responsible for registering with the Information Commissioner.


The Information Commissioner is the person in the UK who is responsible for managing several laws, most significantly the Data Protection Act.


When registering with the Information Commissioner, the organisation's data controller must be clear on exactly:

  • What information they are collecting,

  • Why it is being collected,

  • What the data will be used for.

The six principles of the Data Protection Act state:

1. Data must be collected lawfully and processed fairly.

2. Collected data must only be used for the reasons specified.

3. Data must be relevant and not excessive.

4. Data must be accurate and up-to-date.

5. Data must not be stored for longer than necessary.

6. Data must be stored and processed securely.

Rights of data subjects:

Under the Data Protection Act (1998), individuals have a right of access to any information that is stored about them by public bodies.

If an individual wishes to access their data a number of processes must take place:

  • The organisation's data controller must be written to and told exactly which information the individual wants to access.

  • An administrative fee should be paid to the organisation.

  • The organisation must provide the requested information within 40 days.

  • The individual must verify their identity using appropriate ID.

Regulation of Investigatory Powers Act (2000)

This act (often shortened to RIPA) was introduced in response to the increase in both criminal and terrorist activities on the internet. It is used to monitor and access the online communication of suspected criminals. If an individual is suspected of criminal activity, this act grants the following powers:

  • Internet Service Providers (ISPs) must provide access to the suspect's online communication, such as emails or social media.

  • Locked or encrypted data, such as online messages, may be accessed.

  • ISPs could install surveillance equipment or software to track the suspect's online activity.

  • Surveillance may take place to physically track the suspect, e.g. in private vans or by undercover officers in public spaces.

  • Access must be granted to personal information.

This act became controversial as its use widened and local councils were using it for minor offences - a Scottish council used the act to monitor dog barking and a council in Cumbria gathered video evidence about who was feeding pigeons. The act has since been changed to only allow the surveillance of crime suspects.

Copyright, Designs & Patents Act (1988)

This act makes it a criminal offence to copy work that is not your own without the permission of the creator or the copyright holder. This can refer to text, images, music, videos or software.


Owning the copyright of an image might not prevent others from copying and using it, but this act means that the owner can bring legal proceedings in court against those who have stolen their work.


However, it is difficult to trace who has stolen work once it has been uploaded to the internet and copies can easily spread, especially television shows and movies.

This act specifically prohibits the following actions:

  • Making copies of copyrighted material to sell to others.

  • Importing and downloading illegally copied material (except for personal use).

  • Distributing enough copyrighted material to have a noticeable effect on the copyright holder.

  • Possessing equipment used to copy copyrighted material, as part of a business.

Protection of Freedoms Act (2012)

There are seven sections to this act, revolving around the protection of personal data. It was introduced because there was little legislation about biometric data, and to update older laws. IT-related sections are summarised below:

Part 1 - States how biometric data (e.g. fingerprints and DNA) is stored, handled and collected. For example, parents must give consent before their child gives biometric data to a school. Also, biometric data for suspects of minor offences is deleted after the case is closed.

Part 2 - Creates new regulation for CCTV and ANPR (automatic number plate recognition) use.

Part 5 - The Disclosure & Barring Service (DBS) was created to run background checks on anyone wanting to work with children or vulnerable people.

Part 6 - Extends the Freedom of Information Act (2000), allowing for wider requests to be made.

Privacy and Electronic Communications Regulations (2003)

This law (which was updated in 2011) regulates how organisations can communicate with individuals.


It makes it an offence to directly contact someone with marketing information unless they have specifically opted in to receive it. A noticeable effect of this is the increase of tick boxes on online stores where you must opt in (or opt out if the tick box is cheekily pre-ticked for you) to receiving promotional material.


The methods of communication that are regulated include telephone calls, text messages and emails.


The Information Commissioner's Office (ICO) is responsible for this regulation and can fine companies that commit unsolicited communication up to £500,000. It is the customer who benefits and is protected by this regulation.

Equality Act (2010)

The government states that "The Equality Act legally protects people from discrimination in the workplace and in wider society. It replaced previous anti-discrimination laws with a single Act, making the law easier to understand and strengthening protection in some situations. It sets out the different ways in which it’s unlawful to treat someone."

Discrimination because of gender, race or disability is specifically punishable by legal action. The aim of the act is to end discrimination in the workplace and open up fair opportunities for every employee regardless of behavioural or physical characteristics that are outside of their control.

Questo's Questions

4.1 - UK Legislation:

1. Create a flashcard or PowerPoint slide for each legislation above. Explain the purpose of the legislation, its main principles and whom it affects. [5 each]

Freedom of Information Act (2000)

This act allows people to request public authorities to release information. Public authorities include local councils, government departments, universities and hospitals.

A freedom of information request must be formally submitted in a letter or email and a reply from the organisation is required within twenty days of receiving the request.

A simple freedom of information request might be the average response times of the local ambulance service in the past year. Certain requests will not be accepted, such as if processing the request would be too expensive or if it involves sensitive information protected by the Data Protection Act (2018).

Computer Misuse Act (1990)

This act was introduced as computers became cheaper and more common at home and work. The act attempts to stop and punish those who use computers inappropriately. Breaking any of the three principles could result in fines and a jail sentence, but only if it can be proved that it was done on purpose and not by accident.

The Computer Misuse Act (1990) includes three main principles:

1. No unauthorised access to data.

Example: Hacking a computer system.

2. No unauthorised access to data that could be used for further illegal activities.

Example: Accessing personal data to use as blackmail or identity theft.

3. No unauthorised modification of data.

Example: Spreading a virus to change data.

© CSNewbs 2020