10.2: Legislation

Exam Board: Eduqas / WJEC (2016+)

Data Protection Act (2018)

In 2018 the European Union's GDPR (General Data Protection Regulation) came into force to protect the privacy of personal data belonging to people in the EU. The UK matched this by replacing the Data Protection Act introduced in 1998 with the Data Protection Act (2018), which implements GDPR in UK law.

This act protects the data of individuals that is stored on computers and processed by organisations.

How the Data Protection Act works:

Each person whose data is stored is known as a data subject. The organisation (or person) that decides how and why personal data is processed is the data controller. In practice a named employee, often a data protection officer, carries out the controller's duties, including registering with the Information Commissioner's Office (ICO) and paying the data protection fee.

The Information Commissioner heads the ICO, the UK's independent regulator for information rights. The ICO enforces several laws, most significantly the Data Protection Act (2018), and can fine organisations that break them.


When registering with the Information Commissioner, the organisation's data controller must state clearly:

  • What information they are collecting,

  • Why it is being collected,

  • What the data will be used for.

The six principles of the Data Protection Act state that data must be:

1. Collected lawfully and processed fairly.

2. Only used for the reasons specified.

3. Relevant and not excessive.

4. Accurate and up to date.

5. Not stored for longer than necessary.

6. Stored and processed securely.

Regulation of Investigatory Powers Act (2000)

This act (often shortened to RIPA) was introduced in response to the growth of both criminal and terrorist activity on the internet. It regulates how public bodies such as the police and intelligence services may monitor and access the online communications of suspected criminals. Where an individual is suspected of a crime, and the appropriate warrant or authorisation has been granted, the act allows the following:

  • Internet Service Providers (ISPs) can be required to give access to the suspect's online communications, such as emails or social media messages.

  • Suspects can be required to hand over encryption keys or passwords so that locked or encrypted data, such as online messages, can be read. Refusing to do so is itself an offence.

  • ISPs can be required to install surveillance equipment or software to track the suspect's online activity.

  • Physical surveillance of the suspect may take place, e.g. from unmarked vans or by undercover officers in public spaces.

  • Access can be demanded to the suspect's personal information held by organisations, such as records of who they contacted and when.

The act became controversial as its use widened and local councils began using it for minor matters: a Scottish council used the act to monitor dog barking, and a council in Cumbria gathered video evidence about who was feeding pigeons. The rules were tightened in 2012 so that councils now need a magistrate's approval and can only use these surveillance powers to investigate more serious offences.

Copyright, Designs & Patents Act (1988)

This act gives the creator of an original work the exclusive right to copy and distribute it. Copying work that is not your own without the permission of the creator or the copyright holder is copyright infringement, and infringement on a commercial scale is a criminal offence. The act covers text, images, music, videos and software.

Owning the copyright to an image does not physically prevent others from copying and using it, but the act means that the owner can bring legal proceedings in court against those who have used their work without permission.

However, once work has been uploaded to the internet it is difficult to trace who copied it, and copies spread quickly, especially television shows and films.

The act makes the following actions criminal offences:

  • Making copies of copyrighted material to sell or hire to others.

  • Importing illegally copied material, other than for private and domestic use. Downloading pirated material for personal use is still infringement, but it is dealt with as a civil matter rather than a crime.

  • Distributing copyrighted material to such an extent that it has a noticeable effect on the copyright holder.

  • Making or possessing equipment specifically designed for copying copyrighted material, in the course of a business.

Codes of Conduct

One way that organisations try to ensure that staff meet professional standards and behave appropriately is to create a code of conduct. This is a set of rules or requirements that employees must follow; breaking them can lead to sanctions such as a temporary ban from the network or dismissal. There are two types of code of conduct:

  • Formal codes of conduct are a set of written rules that clearly state expected behaviour, such as what employees can access online at work. Schools may have this too, and you might have to sign a document at the start of the year before you can use the computers. 

  • Informal codes of conduct are used by small organisations where there might not be a written set of rules, but newer employees follow the habits and expectations of senior members of staff. This is harder to monitor but provides a more relaxed working environment.

Computer Misuse Act (1990)

This act was introduced as computers became cheaper and more common at home and at work. It aims to deter and punish those who use computers inappropriately. Breaking any of the three principles can result in fines and a prison sentence, but the prosecution must prove that the access was deliberate and that the person knew it was unauthorised, rather than accidental.

The Computer Misuse Act (1990) includes three main principles:

1. No unauthorised access to data.

Example: Hacking into a computer system.

2. No unauthorised access to data with intent to commit further offences.

Example: Accessing personal data to use for blackmail or identity theft.

3. No unauthorised modification of data.

Example: Spreading a virus that changes or deletes data.

Freedom of Information Act (2000)

This act gives people the right to ask public authorities to release information they hold. Public authorities include local councils, government departments, universities and hospitals.

A freedom of information request must be submitted in writing, by letter or email, and the organisation must normally reply within twenty working days of receiving it.

A simple freedom of information request might ask for the average response times of the local ambulance service over the past year. Certain requests will be refused, for example if processing the request would be too expensive or if it involves personal information protected by the Data Protection Act (2018).

Questo's Questions

10.2 - Legislation:

1a. State the 6 principles of the Data Protection Act (2018). [6]

1b. Explain how the Data Protection Act works. In your answer, you should include definitions of a data subject, the data controller and the Information Commissioner. [6]

2. Describe the 3 principles of the Computer Misuse Act (1990). [3]

3. Describe the purpose of the Freedom of Information Act (2000) and state an example of a freedom of information request. [3]

4a. What is the purpose of RIPA (2000)? [2]

4b. Describe 3 actions that RIPA (2000) allows the government / police to do. [3]

5a. What is the purpose of the Copyright, Designs & Patents Act (1988)? [2]

5b. Describe 3 actions that the CDPA (1988) prohibits. [3]

6a. What is the purpose of a code of conduct? [2]

6b. Describe the difference between formal and informal codes of conduct. [2]