Legislation (Edexcel GCSE Computer Science): Revision Notes
Legislation
Introduction to data protection legislation
Legislation plays a crucial role in regulating how personal data is collected and used in our digital world. These laws exist to protect individuals from misuse of their personal information and to ensure organisations handle data responsibly. Understanding these key pieces of legislation is essential for anyone working with technology or personal data.
Data protection laws affect almost every aspect of modern life - from social media accounts and online shopping to healthcare records and banking. Learning about these laws helps you understand your rights and how your information should be protected.
Data Protection Act 2018 (DPA)
The Data Protection Act 2018 is the UK's main data protection law. It affects many organisations you interact with daily, including the government, NHS, social networking sites, and online retailers. Any organisation that stores personal details about people must follow the strict principles set out in this act.
The seven key principles
Organisations must follow seven fundamental principles when handling personal data. Each principle has specific requirements that help protect your privacy:
| Principle | What it means |
|---|---|
| Lawfulness, fairness and transparency | Must have a good reason for using personal data and tell people what you plan to do with it |
| Purpose limitation | Must only collect data for specific reasons and not use it for anything else |
| Data minimisation | Must not collect more data than you need |
| Accuracy | Must make sure personal data is correct and up to date |
| Storage limitation | Must not keep personal data for longer than necessary |
| Security | Must keep personal data safe and secure |
| Accountability | Must be able to prove you are following all the other principles |
These principles work together to create a comprehensive framework for data protection. For example, the lawfulness principle ensures organisations have a valid reason for collecting your data and must tell you what they plan to do with it. The data minimisation principle prevents companies from collecting more information than they actually need, while storage limitation stops them from keeping your data forever.
All seven principles must be followed simultaneously - organisations cannot pick and choose which ones to apply. Breaking any of these principles can result in significant fines and legal consequences.
Your rights as a data subject
When an organisation stores your personal data, you become what's called a data subject. This gives you important rights that help you maintain control over your information:
- Right to be informed - Organisations must tell you how they use your data
- Right of access - You can ask to see what personal data an organisation holds about you
- Right to have inaccurate data corrected - You can ask for wrong information to be fixed
- Right to have data deleted - You can ask for your data to be removed in certain circumstances
- Right to restrict processing - You can ask an organisation to limit how they use your data
- Right to data portability - You can ask for your data in a format that lets you move it elsewhere
- Right to object - You can ask an organisation to stop using your data for certain purposes
- Right to be protected from automated decision-making - You have rights around decisions made by computers about you
These rights are powerful tools that give you control over your personal information. For instance, if you discover a company has incorrect information about you, the right to have inaccurate data corrected ensures they must fix it promptly. The right to be forgotten means you can ask for your data to be deleted if it's no longer needed.
Computer Misuse Act 1990
The Computer Misuse Act 1990 was created to protect against cybercriminals and unauthorised computer access. This law was groundbreaking when it was introduced, as it was one of the first pieces of legislation specifically designed to deal with computer crimes.
Three types of computer misuse offences
The act defines three main categories of unauthorised computer access, each with increasing levels of severity:
- Unauthorised access to computer material - This includes activities like logging into another person's computer without their permission. It covers basic hacking attempts and unauthorised access to files or systems.
- Unauthorised access with intent to commit further offences - This is more serious and involves gaining access to a computer system with the intention of committing additional crimes. Examples include stealing someone's credit card details and using them to make fraudulent purchases.
- Unauthorised access with intent to impair computer operation or damage data - This is the most serious category and includes activities designed to damage or destroy computer systems or data. This covers actions like deliberately installing malware or planting viruses.
Common Mistake to Avoid: Even accessing someone else's computer or online account with their password, if done without proper permission, can still count as unauthorised access under this law. Always ensure you have explicit permission before accessing another person's computer systems.
Evolution of the act
The Computer Misuse Act has been updated several times since 1990 to keep pace with advancing technology and new types of cybercrime. These updates have been necessary because:
- New technologies have created new opportunities for criminals
- Original penalties may have become outdated
- New types of cyberattacks have emerged that weren't anticipated in 1990
- International cooperation on cybercrime has required legal changes
The act has been particularly important in addressing modern threats like ransomware, distributed denial of service (DDoS) attacks, and sophisticated phishing schemes that didn't exist when the original law was written.
Cookies and privacy regulations
Understanding cookies
A cookie is a small text file that gets downloaded onto your computer when you visit a website. Think of it as a digital memory card that helps the website remember your preferences and recognise your device when you return. Cookies enable websites to provide personalised experiences by storing information about your choices and behaviour.
Privacy and Electronic Communications Regulations 2003
The Privacy and Electronic Communications Regulations 2003 specifically govern how websites can use cookies. The key requirements are:
- Transparency requirement: If a website uses cookies, it must clearly display a message informing users about this and explain what the cookies do
- Consent requirement: Users must be given the option to opt out of having data collected about them through cookies
- User control: People have the right to refuse cookies and control how their data is collected
You've probably seen cookie consent banners on websites - these exist because of these regulations. Websites must give you clear information about their cookies and meaningful choice about whether to accept them.
Real-world application
Worked Example: Online Store Cookie Benefits
An online store uses cookies on its website. One key benefit to customers of consenting to the website's use of cookies is that it saves time.
How this works:
- Step 1: Customer visits website and consents to cookies
- Step 2: Cookies store customer preferences, delivery details, and shopping history
- Step 3: On return visits, the website remembers this information
- Step 4: Customer doesn't need to re-enter details every time they shop
Result: The cookies enable the website to store customer information, so customers only need to supply this information once rather than entering it every time they shop.
This example demonstrates how legislation balances user privacy with practical benefits. While the law requires websites to ask permission to use cookies, it also recognises that cookies can improve user experience when used responsibly.
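The online-store scenario above, shown as server-side code: the preference cookie is only issued after the customer consents (the PECR requirement), it stores only the fields the store needs (data minimisation) and it expires after a fixed period (storage limitation). This is an added illustration, not code from the revision notes; the function names, field names and 30-day retention period are assumptions made for the example.

```javascript
// Added example (not part of the revision notes): a consent-gated
// preference cookie for the online-store scenario. Function names,
// field names and the retention period are assumptions for this example.
const ALLOWED_FIELDS = ["deliveryPostcode", "preferredCurrency"];
const MAX_AGE_SECONDS = 30 * 24 * 60 * 60; // keep for 30 days, then let it expire

// Build a Set-Cookie header value, or return null if the customer has not consented.
function buildPreferenceCookie(customerPrefs, consentGiven) {
  if (!consentGiven) return null; // no consent: no cookie is set at all
  const minimal = {};
  for (const field of ALLOWED_FIELDS) {
    // Copy only the fields the store needs; anything else is left out
    if (field in customerPrefs) minimal[field] = customerPrefs[field];
  }
  const value = encodeURIComponent(JSON.stringify(minimal));
  // Secure, HttpOnly and SameSite keep the stored details away from page
  // scripts and cross-site requests; Max-Age enforces the retention limit.
  return `prefs=${value}; Max-Age=${MAX_AGE_SECONDS}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// On a return visit, parse the Cookie request header and recover the saved preferences.
function readPreferenceCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== "prefs") continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join("=")));
      // Trust only the fields the store itself wrote into the cookie
      return Object.fromEntries(
        Object.entries(parsed).filter(([key]) => ALLOWED_FIELDS.includes(key)));
    } catch {
      return null; // malformed or tampered cookie: treat as absent, do not crash
    }
  }
  return null;
}

// Constructed sample: a first visit where the form also captured data the store does not need.
const firstVisit = { deliveryPostcode: "SW1A 1AA", preferredCurrency: "GBP", dateOfBirth: "1990-01-01" };
const setCookieHeader = buildPreferenceCookie(firstVisit, true);
const savedPrefs = setCookieHeader ? readPreferenceCookie(setCookieHeader.split(";")[0]) : null;
```

Running the block with `consentGiven` set to `false` returns `null` from `buildPreferenceCookie`, so nothing is stored and the customer simply re-enters their details on the next visit.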
Key Points to Remember:
- The Data Protection Act 2018 sets seven key principles that organisations must follow when handling personal data, giving individuals important rights over their information
- The Computer Misuse Act 1990 creates three levels of computer crime offences, from basic unauthorised access to serious attempts to damage computer systems
- Cookie regulations require websites to inform users about cookies and get their consent, balancing privacy protection with website functionality
- These laws evolve over time - they get updated regularly to keep pace with new technologies and emerging threats in the digital world
- You have legal rights - understanding these laws helps you know what organisations can and cannot do with your personal data and computer systems