5. Technical Safeguards – Protecting Data (Section 8.3 – Security of Data – Protection Measures)
Access controls & passwords – role‑based permissions and strong password policies to limit who can view or edit data.
Two‑factor authentication (2FA) – a second code sent to a mobile device adds an extra layer of security.
Biometric verification – fingerprint or facial recognition for high‑security areas.
Encryption – AES for data at rest; TLS/SSL for data in transit, ensuring integrity and confidentiality.
Digital certificates & PKI – verify the identity of websites and email senders.
Firewalls & intrusion‑detection systems – filter unwanted traffic and alert on suspicious activity.
Secure sockets (HTTPS, SFTP) – safe file transfer and web browsing.
Regular software updates & patches – close known security holes.
Backup & recovery – automated daily backups stored off‑site; data are retained only for the period defined in the school’s retention schedule and securely deleted thereafter.
Anti‑malware and ransomware protection – real‑time scanning and behavioural analysis.
Linking safeguards to the seven principles:
Access controls, passwords and role‑based permissions support Lawful, Fair and Transparent Processing and Accountability.
Encryption, firewalls and secure sockets directly address Integrity and Confidentiality (Security).
Backup & recovery together with the retention schedule fulfil Storage Limitation and aid Accountability.
Regular updates and anti‑malware tools help maintain Integrity and Confidentiality by preventing unauthorised alteration.
Biometric verification and 2FA reinforce Integrity and Confidentiality while also demonstrating Accountability through robust access control.
6. Seven Core Principles of a Data‑Protection Act
Principle – Explanation
Lawful, Fair and Transparent Processing – Data must be processed legally, respect individuals’ rights and be clear about how it is used.
Purpose Limitation – Collect data only for specified, explicit and legitimate purposes; do not reuse incompatibly.
Data Minimisation – Gather only the data necessary for the intended purpose.
Accuracy – Keep data accurate and up‑to‑date; correct or delete errors promptly.
Storage Limitation – Retain data no longer than needed for its original purpose.
Integrity and Confidentiality (Security) – Protect data with appropriate technical and organisational measures against unauthorised access, loss or damage.
Accountability – The data controller must demonstrate compliance with all other principles.
6.1 School‑Level Examples for Each Principle
Lawful, fair & transparent: Provide a privacy notice on the school portal explaining why student names and grades are stored.
Purpose limitation: Collect pupil emergency‑contact details only for safeguarding; do not use them for marketing.
Data minimisation: Record only the pupil’s roll number and class, not their home address, unless required for a specific activity.
Accuracy: Update the pupil’s medical information each term and delete outdated allergy notes.
Storage limitation: Delete exam papers and associated personal data after the statutory retention period (e.g., 5 years).
Integrity & confidentiality: Store staff payroll files on an encrypted server and restrict access to HR personnel.
Accountability: The headteacher signs off the school’s data‑protection policy and can produce evidence of staff training.
7. Applying the Principles in Practice
Conduct a Data Audit – list what personal data is held, where it is stored and who can access it.
Produce a clear Privacy Notice for pupils, parents and staff.
Implement Access Controls – role‑based permissions, passwords, lock screens, and 2FA for admin accounts.
Use Encryption for files containing personal data and for data transmitted over the internet.
Set up a Retention Schedule and securely delete data once it is no longer needed.
Provide regular Data‑Protection Training for teachers, support staff and senior students.
Appoint a Data Protection Officer (DPO) (or designate a senior staff member) to oversee compliance and act as the point of contact for data‑subject requests.
Maintain a Record of Processing Activities (ROPA) – a log of what data is processed, why, and how it is protected.
Establish a Data‑Breach Response Plan – steps to contain, assess, report (to the ICO within 72 hours) and communicate any breach.
8. Legal and Organisational Responsibilities
Data Protection Officer (DPO) – monitors compliance, advises on impact assessments, and liaises with the Information Commissioner’s Office (ICO).
Accountability – senior management must ensure policies are in place and that staff can demonstrate compliance.
Data‑subject rights – right to access, rectify, erase, restrict processing, data portability and to object.
Impact assessments – required for high‑risk processing (e.g., new student‑tracking system).
Reporting breaches – notify the ICO and affected individuals when a breach is likely to result in risk to individuals’ rights.
9. Consequences of Non‑Compliance
Financial penalties – up to £17.5 million or 4 % of global turnover under GDPR.
Legal action from affected individuals (compensation claims).
Reputational damage and loss of confidence from pupils, parents and partners.
Enforcement orders – e.g., mandatory cessation of processing, forced data deletion, or audit requirements.
10. Suggested Diagram
Flowchart of the data lifecycle – Collection → Storage → Use → Sharing → Retention → Disposal – with a checkpoint for each of the seven data‑protection principles.
11. Summary Checklist for Students (Command‑Word Style)
Explain why protecting personal data is essential for individuals and organisations.
Recall the seven core principles of a data‑protection act and give a school‑level example for each.
Identify at least eight common ICT threats (phishing, pharming, smishing, vishing, malware, ransomware, card‑fraud, shoulder surfing, hacking) and the appropriate preventive measures.
List technical safeguards (access controls, 2FA, biometrics, encryption, digital certificates, firewalls, secure sockets, updates, backup & recovery, anti‑malware) and describe when they are used.
State the possible penalties for breaching data‑protection legislation.
Describe the role of a Data Protection Officer and why accountability matters.
Apply the e‑Safety checklist when using the internet, email and social media.