Know and understand characteristics of personal and sensitive data including personal name, address, date of birth, a photograph in school uniform, medical history

Topic 8 – Safety and Security

Learning objectives

By the end of this topic students will be able to:

  • Identify the characteristics of personal and sensitive data (e.g. name, address, date of birth, a photograph in school uniform, medical history).
  • Explain why each type of data needs protection and how the law regulates it.
  • Recognise common physical‑safety hazards, e‑safety risks and data‑security threats in a school ICT environment.
  • Apply appropriate technical and organisational measures to protect data, including password hygiene and authentication methods.
  • Understand how data‑security considerations fit into every stage of the Systems Development Life‑Cycle (SDLC).

1. Personal and Sensitive Data

1.1 Definitions

  • Personal data: any information that can identify an individual, either directly (e.g. name, photograph) or indirectly (e.g. address, date of birth).
  • Sensitive data: a subset of personal data that could cause significant harm if disclosed, such as health information, ethnicity, religion, sexual orientation or biometric data.

1.2 Characteristics of the specified data items

| Data item | Category | Why it is sensitive | Potential risks if misused |
|---|---|---|---|
| Personal name | Personal | Direct identifier; can be linked with other records. | Identity theft, phishing, impersonation. |
| Home address | Personal | Reveals physical location; can be combined with other data. | Stalking, burglary, targeted scams. |
| Date of birth | Personal | Often used as a unique identifier and for age verification. | Identity fraud, unauthorised account creation. |
| Photograph in school uniform | Personal (treated as Sensitive in schools) | Visually links a pupil to a specific school and age group. | Bullying, unauthorised media use, impersonation. |
| Medical history (e.g. allergies, conditions) | Sensitive | Contains private health information protected by law. | Discrimination, embarrassment, insurance fraud. |

1.3 Core principles of data‑protection legislation (Data Protection Act / GDPR)

  • Lawful basis – data must be processed only when a legal ground (e.g. consent, contractual necessity, legal obligation) exists.
  • Data minimisation – collect only the data that is necessary for the purpose.
  • Purpose limitation – use data only for the specific purpose for which it was collected.
  • Accuracy – keep personal data up‑to‑date and correct any errors.
  • Retention – store data for no longer than required; dispose of it securely.
  • Right to be forgotten – individuals can request deletion of their personal data.
  • Security – appropriate technical and organisational measures must be in place to protect data.

2. Physical Safety in an ICT Environment

Physical hazards can cause injury to pupils or damage to equipment. The table lists the main risks found in a school ICT setting and the preventive actions required.

| Hazard | Potential consequence | Preventive actions |
|---|---|---|
| Electrical – damaged cables, exposed sockets, overloaded power strips | Electrocution, fire, equipment damage | Never use frayed or damaged cords. Use surge‑protected outlets; avoid plugging more devices than the socket rating allows. Inspect power strips regularly and replace faulty ones. |
| Fire – overheating computers, blocked ventilation, flammable materials nearby | Burns, smoke damage, loss of data | Keep vents clear; clean dust from fans weekly. Never place paper, cloth or liquids on keyboards. Know the location of fire extinguishers and evacuation routes. |
| Tripping and slipping – loose cables, wet floors | Falls, injuries, equipment displacement | Use cable covers, cable trays, or colour‑coded cable management. Secure loose cables with ties and keep walkways clear. Wipe up spills immediately; report wet floors to staff. |
| Heavy or moving equipment – monitors, printers, projectors | Strains, back injuries, equipment damage | Lift with two people or use trolleys. Secure portable devices when not in use (e.g. lock cabinets). |

3. e‑Safety (Online Safety)

3.1 Core areas

  • Safe browsing – check the URL, look for the padlock (HTTPS), avoid pop‑ups and unknown downloads.
  • Email safety – verify sender’s address, never open unexpected attachments, hover over links to see the real URL.
  • Social media & online gaming – keep profiles private, think before posting personal details, use strong, unique passwords.
  • Video‑call etiquette – mute when not speaking, do not share meeting links publicly, use waiting rooms.
  • Parental/teacher controls – enable content‑filtering software, set age‑appropriate privacy settings on platforms.
  • Password hygiene – create passwords of at least 12 characters using a mix of letters, numbers and symbols; change passwords every 3–6 months; never reuse passwords across different services; store them in a reputable password manager.

3.2 Reporting e‑safety incidents

All pupils should know the steps to follow if they encounter a problem online.

  1. Stop the activity immediately.
  2. Take a screenshot or note down the details (URL, message, user name).
  3. Report the incident to a teacher, school ICT coordinator, or designated safeguarding officer.
  4. If the incident involves a third‑party service, use the service’s “report abuse” feature.
  5. Do not engage with the offender or share further personal information.

3.3 Checklist – “What to do if you receive a suspicious email?”

  1. Do not click any links or open attachments.
  2. Check the sender’s address for misspellings or unusual domains.
  3. Hover over links to view the actual URL.
  4. Ask a teacher, parent or trusted adult for advice.
  5. Delete the email or mark it as spam after reporting.
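
Steps 2 and 3 of the checklist can also be automated by a mail filter. The Python sketch below is an added example, not part of the original notes: it flags a sender domain that is unknown or a near-miss of a trusted one, and any link whose visible address differs from the address it really opens. The trusted domains, the 0.85 similarity threshold and the sample message are all assumptions constructed for illustration.

```python
import difflib
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: the domains the school really uses (constructed for this example).
TRUSTED_DOMAINS = {"school.example", "learning.example"}

class LinkCollector(HTMLParser):  # gathers (visible text, real href) pairs
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def sender_warning(from_header):
    """Step 2: flag a sender domain that is unknown or a near-miss of a trusted one."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return f"sender domain '{domain}' imitates '{trusted}'"
    return f"sender domain '{domain}' is not a known school domain"

def link_warnings(html_body):
    """Step 3: compare the address a link displays with the one it really opens."""
    collector = LinkCollector()
    collector.feed(html_body)
    warnings = []
    for text, href in collector.links:
        if " " in text or "." not in text:
            continue  # visible text is a label, not an address
        shown = urlparse(text if "//" in text else "//" + text).hostname
        real = urlparse(href).hostname
        if shown != real:
            warnings.append(f"link shows '{shown}' but opens '{real}'")
    return warnings

# Constructed sample message (not a real email).
SAMPLE_FROM = "IT Support <helpdesk@schoo1.example>"
SAMPLE_BODY = '<a href="http://login.school-example.invalid/reset">https://school.example/reset</a>'
```

A message that produces any warning should be reported rather than opened, as in steps 4 and 5.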

4. Data‑Security Threats

| Threat | Description | Typical mitigation |
|---|---|---|
| Hacking | Unauthorised access to a computer or network. | Strong passwords, regular patches, firewalls, intrusion‑detection systems. |
| Phishing / Smishing / Vishing | Deceptive messages (email, SMS, voice) that aim to obtain personal data. | Never click unknown links, verify sender, report to staff. |
| Pharming | Redirects users to a fake website even when the correct URL is entered. | Keep anti‑malware up‑to‑date, check for HTTPS and valid certificates. |
| Malware (viruses, worms, ransomware) | Software that damages, steals or locks data. | Reputable anti‑virus, avoid unauthorised downloads, regular backups. |
| Password‑related attacks (brute‑force, credential stuffing) | Attackers try large numbers of password combinations or reuse leaked credentials. | Enforce complex passwords, limit login attempts, enable 2‑factor authentication. |
| Card fraud / identity theft | Unauthorised use of payment or identity details. | Never share card numbers or DOB on unverified sites; use secure payment gateways. |

5. Protection Measures – Technical & Organisational

5.1 Technical controls

  • Access control – role‑based permissions, least‑privilege principle, account lock‑out after failed attempts.
  • Encryption – data at rest (full‑disk or file‑level encryption) and data in transit (SSL/TLS).
  • SSL/TLS & digital certificates – encrypt web traffic and verify server identity.
  • Firewalls – hardware or software filters for inbound/outbound traffic.
  • Anti‑malware/anti‑virus – real‑time scanning and regular updates.
  • Regular software updates & patches – close known vulnerabilities.
  • Secure backups – encrypted, off‑site or cloud backups; test restoration quarterly.
  • Authentication methods – passwords, two‑factor authentication (2FA), smart cards, security tokens, and biometric verification (fingerprint, facial recognition, iris scan).
  • Password policies – minimum length, complexity, expiration, prohibition of reuse, and mandatory use of password managers.
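
The password rules in sections 3.1 and 5.1 can be enforced in code when a pupil or member of staff sets a new password. The Python sketch below is an added example, not part of the original notes: it checks length, character mix and reuse, and it detects reuse by comparing salted PBKDF2 hashes so that old passwords are never kept in plain text. The 180‑day limit, the work factor and the sample history are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string
from datetime import date

MIN_LENGTH = 12          # from the notes: at least 12 characters
MAX_AGE_DAYS = 180       # assumption: upper end of "every 3-6 months"
PBKDF2_ROUNDS = 200_000  # assumption: work factor chosen for this example

def hash_password(password, salt=None):
    """Return (salt, digest); only this pair is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def policy_failures(candidate, history):
    """List every rule the candidate breaks; an empty list means it is acceptable."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("shorter than 12 characters")
    if not any(c.isalpha() for c in candidate):
        failures.append("no letters")
    if not any(c.isdigit() for c in candidate):
        failures.append("no numbers")
    if not any(c in string.punctuation for c in candidate):
        failures.append("no symbols")
    for salt, digest in history:  # re-hash with each old salt and compare
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            failures.append("reuses an earlier password")
            break
    return failures

def change_due(last_changed, today):
    """True when the password is older than the maximum age."""
    return (today - last_changed).days > MAX_AGE_DAYS

# Constructed sample: one earlier password, stored only as (salt, digest).
HISTORY = [hash_password("Autumn-Term-2023!")]
```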

5.2 Organisational controls

  • Data‑handling policies – clear rules for collection, storage, processing, retention and secure disposal.
  • Consent procedures – obtain written parental/guardian consent before collecting pupil data, especially sensitive data.
  • Awareness & training – regular lessons on phishing, social engineering, password hygiene, and safe internet use.
  • Incident‑response plan – steps: contain, assess, report (to senior staff, parents and, where required, the Information Commissioner), recover and review.
  • Physical security – lock server rooms, restrict access to ICT equipment, use cable trays and colour‑coded cable management.
  • Reporting procedures – clear form or digital ticket system for pupils and staff to report e‑safety or data‑security incidents.

6. Legal, Ethical & SDLC Considerations

  1. Data‑protection legislation – GDPR (EU) and national Data Protection Acts require lawful processing, data minimisation, purpose limitation, accuracy, retention limits and the right to be forgotten.
  2. Ethical responsibilities – respect privacy, collect only what is needed, keep data accurate, and ensure it is used fairly.
  3. SDLC link – security must be built‑in at every stage:

    • Analysis – identify data‑security requirements and legal obligations.
    • Design – choose encryption, authentication (passwords, 2FA, smart cards, biometrics) and access‑control mechanisms.
    • Implementation – write secure code, use libraries that protect against injection and buffer‑overflow attacks.
    • Testing – perform vulnerability scans, penetration testing and review audit logs.
    • Deployment & Maintenance – monitor systems, apply patches, review policies, and conduct regular backup restores.

7. Practical Classroom Activity – Data Classification Chart

Students work in pairs to classify a fictional pupil’s information.

  1. Provide the following list of data items:

    • Full name
    • Home address
    • Date of birth
    • Favourite colour
    • Photograph in school uniform
    • Allergy to peanuts (medical history)
    • Username for the school’s learning platform

  2. Classify each item as Public, Personal or Sensitive and record the classification in a table.
  3. Class discussion:

    • Why each classification was chosen.
    • Which technical and organisational safeguards are appropriate for each category.
    • How the data would be handled at each SDLC stage (analysis → maintenance).

8. Summary

Understanding the nature of personal and sensitive data, recognising physical and e‑safety hazards, and knowing the common data‑security threats enable students to apply the right safeguards. By embedding password hygiene, robust authentication, and clear reporting procedures throughout the SDLC and complying with data‑protection legislation, schools create a safe, legal and ethical ICT environment for pupils and staff.

9. Audience & Copyright

This material is intended for teachers and students preparing for the Cambridge IGCSE Computer Science (0417) examination. It may be reproduced and adapted for non‑commercial educational use provided that full credit is given to the original author and the Cambridge Assessment International Education syllabus.