top of page

11.2: Legislation

Exam Board:

Eduqas / WJEC


2020 + 

Data Protection Act (2018)

In 2018 the European Union introduced GDPR (General Data Protection Regulation) to protect the privacy of data for people in the EU. The UK matched this by updating the Data Protection Act introduced in 1998 to become the Data Protection Act (2018).

This act protects the data of individuals that is stored on computers and processed by organisations.

How the Data Protection Act works:

Each person who has their data stored is known as a data subject. An employee within an organisation must be appointed as a data controller and it is they who are responsible for registering with the Information Commissioner.


The Information Commissioner is the person in the UK who is responsible for managing several laws, most significantly the Data Protection Act.


When registering with the Information Commissioner, the organisation's data controller must be clear on exactly:

  • What information they are collecting,

  • Why it is being collected,

  • What the data will be used for.

The six principles of the Data Protection Act state that data must be:

1. Collected lawfully and processed fairly.

2. Only used for the reasons specified.

3. Data must be relevant and not excessive.

4. Data must be accurate and up-to-date.

5. Data must not be stored for longer than necessary,

6. Data must be stored and processed securely.

Computer Misuse Act (1990)

This act was introduced as computers became cheaper and more common at home and work . The act attempts to stop and punish those who use computers inappropriately. Breaking any of the three principles could result in fines and a jail sentence but only if it can be proved it was done on purpose and not by accident.

The Computer Misuse Act (1990) includes three main principles:​

1. No unauthorised access to data.

Example: Hacking a computer system.

2. No unauthorised access to data that could be used for further illegal activities.

Example: Accessing personal data to use as blackmail or identity theft.

3. No unauthorised modification of data.

Example: Spreading a virus to change data.

Freedom of Information Act (2000)

This act allows people to request public authorities to release information. Public authorities include local councils, government departments, universities and hospitals.

A freedom of information request must be formally submitted in a letter or email and a reply from the organisation is required within twenty days of receiving the request.

A simple freedom of information request might be the average response times of the local ambulance service in the past year. Certain requests will not be accepted, such as if processing the request would be too expensive or if it involves sensitive information protected by the Data Protection Act (2018).

Regulation of Investigatory Powers Act (2000)

This act (often shortened to RIPA) was introduced in response to the increase in both criminal and terrorist activities on the internet, it is used to monitor and access online communication of suspected criminals. If criminal activity is suspected by an individual then this act grants the following powers:

  • Internet Service Providers (ISPs) must provide access to the suspect's online communication, such as emails or social media.

  • Locked or encrypted data may be accessed such as online messages.

  • ISPs could install surveillance equipment or software to track the suspect's online activity.

  • Surveillance may take place to physically track the suspect, e.g. in private vans or by undercover officers in public spaces.

  • Access must be granted to personal information.

This act became controversial as its use widened and local councils were using it for minor offences - a Scottish council used the act to monitor dog barking and a council in Cumbria gathered video evidence about who was feeding pigeons. The act has since been changed to only allow the surveillance of crime suspects.

Copyright, Designs & Patents Act (1988)

This act makes it a criminal offence to copy work that is not your own without the permission of the creator or the copyright holder. This can refer to text, images, music, videos or software.


Owning the copyright of an image might not prevent others from copying and using it but this act means that the owner can bring legal proceedings in court to those who have stolen their work.


However, it is difficult to trace who has stolen work once it has been uploaded to the internet and copies can easily spread, especially television shows and movies.

This act specifically prohibits the following actions:

  • Making copies of copyrighted material to sell to others.

  • Importing and downloading illegally copied material (except for personal use).

  • Distributing enough copyrighted material to have a noticeable effect on the copyright holder.

  • Possessing equipment used to copy copyrighted material, as part of a business.

Creative Commons (CC) Licensing

A CC licence allows people to share their copyrighted work while still retaining rights to the material.

There are different types of licence that specify exactly what can and can't be done to the copyrighted material. For example:


  • An attribution licence allows copyrighted material to be edited and distributed but the original owner must be credited.

  • A non-commercial licence allows copyrighted material to be shared and edited but no profit must be gained through its distribution.


CC licences are not automatically given, they must be granted by the copyright owner. To ensure you are not illegally using copyrighted work change the Tools and Licence setting when using Google Images to filter work with CC licenses applied

Telecommunications Regulation Act (2000)

This act allows organisations to lawfully monitor communications made online and on the phone by employees while at work.

All users of the network should be aware that their communication is being monitored when they are using emails, the internet or telephone calls.

The act was introduced to ensure that employees are using the computer systems for the correct purpose, to prevent illegal activity and to monitor staff performance.

Codes of Conduct

One way that organisations try to ensure that staff are held to professional standards and display appropriate behaviour is to create a code of conduct. This is a set of rules or requirements that employees must follow or they may be punished, such as a temporary ban from the network or being fired. There are two types of codes of conduct: 

  • Formal codes of conduct are a set of written rules that clearly state expected behaviour, such as what employees can access online at work. Schools may have this too, and you might have to sign a document at the start of the year before you can use the computers. 

  • Informal codes of conduct are used by small organisations where there might not be a written set of rules, but newer employees follow the habits and expectations of senior members of staff. This is harder to monitor but provides a more relaxed working environment.

Monochrome on Transparent.png

Questo's Questions

11.2 - Legislation:

1a. State the 6 principles of the Data Protection Act (2018)[6]

1b. Explain how the Data Protection Act works. In your answer, you should include definitions of a data subject, the data controller and the Data Commissioner[6]

2. Describe the 4 principles of the Computer Misuse Act (1990). [3]

3. Describe the purpose of the Freedom of Information Act (1990) and state an example of a freedom request. [3]

4a. What is the purpose of RIPA (2000)[2]

4b. Describe 3 actions that RIPA (2000) allows the government / police to do[3]

5a. What is the purpose of the Copyright, Designs & Patents Act (1988)[2]

5b. Describe 3 actions that CDPA (1988) prohibits[3]

6a. What is a Creative Commons (CC) licence? [2]

6b. Describe 2 types of CC licence[4]

7a. What is the purpose of the Telecommunications Regulation Act (2003)[2]

7b. Describe 3 reasons why this act was introduced[3]

8a. What is the purpose of a code of conduct[2]

8b. Describe the difference between formal and informal codes of conduct[2]

bottom of page