Know and understand the need for personal data to be kept confidential and protected to avoid inappropriate disclosure

Safety and Security – Personal Data Confidentiality

1. What is Personal Data?

  • Any information that can identify a living individual, directly or indirectly.
  • Sensitive personal data – health, ethnicity, religion, sexual orientation, biometric identifiers, or financial details.

2. Legal & Ethical Frameworks (Why They Matter)

These frameworks set the rules that organisations (including schools) must follow when handling personal data.

  • General Data Protection Regulation (GDPR) – EU‑wide regulation; applies to any body that processes data of people in the EU.
  • Data Protection Act 2018 (UK) – National implementation of GDPR; adds provisions for law‑enforcement and intelligence agencies.
  • Children’s Online Privacy Protection Act (COPPA) – US law protecting children under 13 when they use online services.
  • ISO/IEC 27001 – International standard for an Information Security Management System (ISMS).
  • Copyright law (Section 9 of the syllabus) – Protects creators’ rights; unauthorised copying or distribution of software, images, music, etc., is illegal.

3. Data‑Protection Principles (Core of the Data‑Protection Act & GDPR)

These seven principles are the basis for AO1 (recall) questions. An organisation must be able to demonstrate compliance (accountability).

| Principle | What it means |
|---|---|
| Lawful, fair & transparent processing | Collect data for a legitimate reason and inform the data subject. |
| Purpose limitation | Use data only for the purpose stated at collection. |
| Data minimisation | Collect the smallest amount of data necessary. |
| Accuracy | Keep data up‑to‑date and correct any errors. |
| Storage limitation | Delete or anonymise data when it is no longer needed. |
| Integrity & confidentiality (security) | Protect data with appropriate technical and organisational measures. |
| Accountability | Be able to demonstrate that all other principles are being met. |

Example (AO2 – application): A school records pupils’ emergency contact numbers (purpose = safety). It stores the file on a password‑protected server, updates it each term, and permanently deletes it when a pupil leaves the school.

4. Common Types of Personal Data

| Category | Examples |
|---|---|
| Identification | Name, date of birth, National Insurance/ID number, passport number |
| Contact details | Home address, telephone number, email address |
| Financial information | Bank account numbers, credit/debit card details, tax records |
| Health & biometric data | Medical history, DNA profile, fingerprint, facial‑recognition data |
| Online credentials | Usernames, passwords, security questions, 2FA codes |
| Behavioural data | Browsing history, location data, purchase habits, gaming usernames |

5. Threats to Personal Data (Syllabus – Section 8.3)

  • Hacking – unauthorised access to computer systems.
  • Phishing, vishing, smishing, pharming – deceptive attempts to obtain data via email, voice call, SMS, or fake websites.
  • Malware & viruses – software that steals, corrupts or destroys data.
  • Card fraud – unauthorised use of payment‑card details.
  • Shoulder surfing & key‑logging – watching a user enter data or recording keystrokes.
  • Social engineering – manipulation of people to reveal confidential information.
  • Physical loss/theft of devices – laptops, phones or USB drives containing personal data.

6. Risks of Inappropriate Disclosure

  1. Identity theft – criminals impersonate the victim.
  2. Financial loss – unauthorised transactions or fraudulent loans.
  3. Targeted phishing or further social‑engineering attacks.
  4. Reputational damage – to the individual or the organisation.
  5. Legal consequences – fines, sanctions, or civil action.

7. eSafety Behaviours (What Learners Must Do Online)

  • Use only trusted sites (look for HTTPS and the padlock icon).
  • Do not open attachments or click links from unknown senders.
  • Set privacy settings on social‑media to “friends only” or “private”.
  • Never share real names, addresses, or school details in online games or public forums.
  • Report suspicious messages or requests to a trusted adult or teacher.
  • Lock devices with a password, PIN or biometric lock when unattended.
  • Keep reputable antivirus/anti‑malware software up‑to‑date.
  • Respect copyright – only use software, images or music that you have a licence for.

8. Protection Methods (Technical & Organisational)

| Method | How It Works (example) |
|---|---|
| Strong passwords | At least 12 characters, mix of upper/lower case, numbers, symbols. e.g. “G7!kPz$3mQb9”. |
| Two‑factor authentication (2FA) | Password + one‑time code sent to phone or generated by an authenticator app. |
| Encryption | Transforms data into unreadable code; only holders of the decryption key can read it. Used for files (AES), emails (PGP), and whole‑disk (BitLocker, FileVault). |
| Firewalls | Hardware or software that filters incoming/outgoing network traffic according to security rules. |
| SSL/TLS & digital certificates | Secure the link between a web browser and a server; the padlock icon shows the site uses HTTPS. |
| Access controls & role‑based permissions | Only authorised users can view or edit data; rights are set according to job role. |
| Regular software updates & patches | Install updates promptly to close known security vulnerabilities. |
| Secure disposal | Shred paper documents; use data‑wiping tools (e.g., DBAN) for hard drives before recycling. |
| Awareness & training | Regular lessons on phishing, safe password habits, and reporting procedures. |

9. Practical Steps for Individuals (Checklist)

  • Lock computers, tablets and smartphones with passwords, PINs or biometrics.
  • Never post full name, address, or school name on public forums.
  • Review privacy settings on social‑media, gaming and messaging apps every 3–6 months.
  • Install and keep updated reputable antivirus/anti‑malware software.
  • Back up important files to an encrypted external drive or a trusted cloud service.
  • Use a password manager to generate and store unique passwords.
  • Report any suspected data breach or suspicious message to a teacher, IT officer or parent immediately.
  • Only use software, music, images or video that you have a legal licence for (copyright compliance).

10. Case Study – The Cost of a Data Breach (2022)

A small e‑commerce retailer stored customer credit‑card numbers in an unencrypted spreadsheet on a shared server. Hackers accessed the file, exposing 3 200 customers’ details.

  1. Financial loss: £12 000 of fraudulent transactions.
  2. GDPR fine: £75 000 for failing to implement appropriate security measures.
  3. Reputational damage: 15 % drop in repeat customers within three months.
  4. Remediation costs: £8 000 for forensic investigation, system upgrades and staff training.

Key lessons (AO2 – application): encrypt stored data, enforce 2FA for admin accounts, and schedule regular security audits.

11. Summary (Key Points for Exam Revision)

  • Personal and sensitive data must be kept confidential to protect privacy, prevent fraud and satisfy legal obligations.
  • The seven data‑protection principles guide how organisations should handle data (lawful processing, purpose limitation, data minimisation, accuracy, storage limitation, security, accountability).
  • Common threats include hacking, phishing, malware, social engineering, shoulder surfing and physical loss of devices.
  • Effective protection combines technical measures (encryption, firewalls, SSL/TLS, 2FA, access control, updates) with organisational policies (training, secure disposal, regular audits).
  • eSafety behaviours—using trusted sites, managing privacy settings, respecting copyright, and reporting concerns—are essential for every learner.

12. Quick Quiz (Exam‑style Questions)

  1. Which of the following is NOT considered personal data?

    • a) Email address
    • b) Favourite colour
    • c) National Insurance number
    • d) Date of birth

  2. True or False: Using the same password for multiple accounts improves security.
  3. Name two legal frameworks that require organisations to protect personal data.
  4. What is the main purpose of two‑factor authentication?
  5. List three common threats to personal data (choose any three from the syllabus).
  6. Explain why encrypting stored data helps meet the “integrity & confidentiality” principle.

Suggested diagram: Flowchart of the personal‑data life‑cycle – Collection → Storage → Processing → Transfer → Disposal – with security checkpoints (encryption, access control, secure disposal) at each stage.