top of page

4.1 - UK Legislation


2016 - Unit 2 

Exam Board:


There are many types of legislation - laws that have been written into use - that concern data storage, protection and the use of information. In an exam, the year the law was introduced must be stated.

In 2018 the European Union introduced GDPR (General Data Protection Regulation) to protect the privacy of data for people in the EU. The UK matched this by updating the Data Protection Act introduced in 1998 to become the Data Protection Act (2018).

This act protects the data of individuals that is stored on computers and processed by organisations.

How the Data Protection Act works:

Each person who has their data stored is known as a data subject. An employee within an organisation must be appointed as a data controller and it is they who are responsible for registering with the Information Commissioner.


The Information Commissioner is the person in the UK who is responsible for managing several laws, most significantly the Data Protection Act.


When registering with the Information Commissioner, the organisation's data controller must be clear on exactly:

  • What information they are collecting,

  • Why it is being collected,

  • What the data will be used for.

The six principles of the Data Protection Act (2018) state:

1. Data must be collected lawfully and processed fairly.

2. Collected data must only be used for the reasons specified.

3. Data must be relevant and not excessive.

4. Data must be accurate and up-to-date.

5. Data must not be stored for longer than necessary,

6. Data must be stored and processed securely.

Actions organisations must take to stick to the Data Protection Act (2018):

The company must appoint and register a member of staff to act as the organisation's data controller. The data controller is responsible for communicating with the Information Commissioner and ensuring the principles of the DPA are not broken

There must be strong security measures in practice to protect data from being accessed or transferred without authorisation. This could be in the form of physical or digital protection methods enforced by the company.

Staff should be trained so that they are clearly aware of their responsibilities and each principle is adhered to. For example, they should know that data can only be used for the reasons specified when it is collected and should not be passed to others without the permission of the data subject.

Data subjects should be given the opportunity to alter their data and make changes if it is incorrect. Data should be deleted when it is no longer needed, so organisations should periodically assess both the accuracy and relevance of storing each data subject's information.

Data subjects have the right to make a Subject Access Request (SAR) and receive a copy of the data which is stored about them. Companies must abide by this request by verifying the user's identify and presenting the data to them securely. ​

Rights of data subjects:

Under the Data Protection Act, individuals have a right of access to any information that is stored about them by public bodies.

If an individual wishes to access their data they must submit a Subject Access Request (SAR) which results in the following steps:

  • The organisation's data controller must be written to and told exactly what information is required to access.

  • An administrative fee should be paid to the organisation (but only if the request requires excessive efforts to fulfil).

  • The organisation must provide the requested information within 40 days.

  • The individual must verify their identity using appropriate ID because only the data subject can request their data.

Computer Misuse Act (1990)

This act was introduced as computers became cheaper and more common at home and work . The act attempts to stop and punish those who use computers inappropriately. Breaking any of the three principles could result in fines and a jail sentence but only if it can be proved it was done on purpose and not by accident.

The Computer Misuse Act (1990) includes three main principles:​

1. No unauthorised access to data.

Example: Hacking a computer system.

2. No unauthorised access to data that could be used for further illegal activities.

Example: Accessing personal data to use as blackmail or identity theft.

3. No unauthorised modification of data.

Example: Spreading a virus to change data.

Data Protection Act (2018) / GDPR

Freedom of Information Act (2000)

This act allows people to request public authorities to release information. Public authorities include local councils, government departments, universities and hospitals.

A freedom of information request must be formally submitted in a letter or email and a reply from the organisation is required within twenty days of receiving the request.

A simple freedom of information request might be the average response times of the local ambulance service in the past year. Certain requests will not be accepted, such as if processing the request would be too expensive or if it involves sensitive information protected by the Data Protection Act (2018).

Regulation of Investigatory Powers Act (2000)

This act (often shortened to RIPA) was introduced in response to the increase in both criminal and terrorist activities on the internet, it is used to monitor and access online communication of suspected criminals. If criminal activity is suspected by an individual then this act grants the following powers:

  • Internet Service Providers (ISPs) must provide access to the suspect's online communication, such as emails or social media.

  • Locked or encrypted data may be accessed such as online messages.

  • ISPs could install surveillance equipment or software to track the suspect's online activity.

  • Surveillance may take place to physically track the suspect, e.g. in private vans or by undercover officers in public spaces.

  • Access must be granted to personal information.

This act became controversial as its use widened and local councils were using it for minor offences - a Scottish council used the act to monitor dog barking and a council in Cumbria gathered video evidence about who was feeding pigeons. The act has since been changed to only allow the surveillance of crime suspects.

Copyright, Designs & Patents Act (1988)

This act makes it a criminal offence to copy work that is not your own without the permission of the creator or the copyright holder. This can refer to text, images, music, videos or software.


Owning the copyright of an image might not prevent others from copying and using it but this act means that the owner can bring legal proceedings in court to those who have stolen their work.

Creators of copyrighted work can take ownership of their work and control how it is used. Others must ask for permission to use the work otherwise the copyright holder can ask for it to be removed or demand a fee for its use

This act specifically prohibits the following actions:

  • Making copies of copyrighted material to sell to others.

  • Importing and downloading illegally copied material (except for personal use).

  • Distributing enough copyrighted material to have a noticeable effect on the copyright holder.

  • Possessing equipment used to copy copyrighted material, as part of a business.

Information Commissioner's Office (ICO) Codes of Practice

Protection of Freedoms Act (2012)

There are seven sections to this act, revolving around the protection of personal data. It was introduced because there was little legislation about biometric data, and to update older laws. IT-related sections are summarised below:

Part 1 - States how biometric data (e.g. fingerprints and DNA) is stored, handled and collected. For example, parents must give consent before their child gives biometric data to a school. Also, biometric data for suspects of minor offences is deleted after the case is closed.

Part 2 - Creates new regulation for CCTV and ANPR (automatic number plate recognition) use.

Part 5 - The Disclosure & Barring Service (DBS) was created to run background checks on anyone wanting to work with children or vulnerable people.

Part 6 - Extends the Freedom of Information Act (2000) allowing for wider requests to be made

The information commissioner is the senior government official in charge of the country's freedom of information requests and the protection of personal data.
The Information Commissioner's Office describes itself as "The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals".

The ICO publishes codes of practices about various data protection and privacy topics, usually related to explaining the Data Protection Act. For example, the ICO has a code of practice regarding how organisations should share data and another code of practice about the use of CCTV.
The ICO offers help and support to both individuals (such as giving access to students to their exam results) and organisations (such as support with legal electronic marketing).

Privacy and Electronic Communications Regulations (2003)

This law (which was updated in 2011) regulates how organisations can communicate with individuals.


Companies must stick to the following rules:

It is an offence to directly contact an individual unless they have specifically opted-in to receive communication. This is commonly managed by using tick boxes on online stores where you must opt-in to receiving promotional material.


Companies must clearly state who they are when contacting customers, such as displaying the phone number when calling - and not 'hiding' the number.


Organisations must explain how cookies are used on their website.


Companies must only contact customers through communication channels that the customer has previously permitted. This can be done with tick boxes when signing up. Customers can select or de-select methods such as email, phone calls and text messages.

The Information Commissioner's Office (ICO) is responsible for this regulation and can fine companies that commit unsolicited communication up to £500,000. It is the customer who benefits and is protected by this regulation.

Equality Act (2010)

The government states that "The Equality Act legally protects people from
in the workplace and in wider society."

Discrimination because of protected characteristics such as  gender, race, religion, age and disability are specifically punishable by legal action.


The aim of the act is to end discrimination in the workplace and open up fair opportunities for every employee regardless of behavioural or physical characteristics that are outside of their control.

Within a company, the Equality Act protects staff by stating protected characteristics should not be a factor in an employee's promotion or change of role. Information must be presented in a format accessible to all staff

Monochrome on Transparent.png

Questo's Questions

4.1 - UK Legislation:

1. Create a flashcard or PowerPoint slide for each legislation above. Explain the purpose of the legislation, its main principles and whom it affects. [5 each]

bottom of page