AQA GCSE CS · Paper 2 · Unit 8 · Lesson 4

Paper 2 · Unit 8 · CS-L8-04

The Data Protection Act 2018

60 minutes · AQA 8525 · Paper 2 — Ethical, legal & environmental impacts

Spec & Goals 3 min

AQA Spec 3.8.1 — Legislation: the Data Protection Act 2018 (incorporating GDPR)

By the end of this lesson you can:

  1. State what the Data Protection Act 2018 protects and who it covers.
  2. Describe the key data-protection principles.
  3. Apply the Act to a scenario involving personal data.

Warm-Up 5 min

Previous lessons showed how much personal data is collected. The Data Protection Act is the UK law that controls what organisations may do with it.

Quick starter

A shop collects your email to send a receipt, then starts selling it to advertisers. Should that be allowed?

Reveal the idea

No. Data must be used only for the purpose it was collected for. Reusing it like this breaks the Data Protection Act.

Key Concept — controlling personal data 14 min

The Data Protection Act 2018 is the UK law (incorporating the EU's GDPR) that governs how organisations collect, store and use personal data. It protects individuals ("data subjects").

Key principles — data must be…

Principle                     | Meaning
Used fairly & lawfully        | Collected with consent, for a clear reason.
Used for a specified purpose  | Only used for the reason it was collected.
Adequate, not excessive       | Collect only what is needed.
Accurate & up to date         | Errors must be corrected.
Not kept longer than needed   | Delete data once it's no longer required.
Kept secure                   | Protected against loss, theft or unauthorised access.

Rights of the individual (data subject)

  • The right to see the data held about them.
  • The right to have inaccurate data corrected.
  • The right to have their data erased in some cases.

Worked Example — which principle is broken? 12 min

Problem: Identify the data-protection principle each scenario breaks.

Scenario                                                                                  | Principle broken
A gym keeps ex-members' details for 10 years after they leave.                            | Not kept longer than necessary.
A clinic emails patient records that get intercepted because they weren't encrypted.      | Kept secure.
A shop uses emails collected for receipts to send marketing.                              | Used only for the specified purpose.
A school keeps a wrong address and refuses to fix it.                                     | Accurate and up to date.

Try It Yourself 12 min

🟢 Easy

Goal: State what the Data Protection Act 2018 protects.

🟡 Medium

Goal: List three data-protection principles in your own words.

🔴 Stretch

Goal: A company suffers a data breach exposing customer records. Explain which principle it failed and one consequence it could face.

📝 Exam Practice 10 min

State [1 mark]

State the name of the UK law that controls how organisations use personal data.

Mark scheme
  • The Data Protection Act 2018 (accept: incorporating GDPR) (1).

Describe [2 marks]

Describe two principles of the Data Protection Act.

Mark scheme
  • Any two of: used fairly/lawfully; for a specified purpose; adequate not excessive; accurate; not kept longer than needed; kept secure (2).

Explain [3 marks]

A school stores students' personal data. Explain how the Data Protection Act affects how it must handle this data.

Mark scheme
  • Must keep the data secure / protected from unauthorised access (1).
  • Must use it only for the purpose it was collected / not excessive (1).
  • Must keep it accurate and not longer than necessary / let students see it (1).

Recap & Key Terms 3 min

The Data Protection Act 2018 (incorporating GDPR) governs how organisations handle personal data: fairly, for a specified purpose, accurate, secure, and not kept too long. Individuals can see, correct and sometimes erase their data. Malaysia's equivalent is the PDPA 2010, but the exam answer is the UK Act.

Data Protection Act 2018
UK law (incorporating GDPR) controlling how personal data is collected, stored and used.
GDPR
General Data Protection Regulation — the EU rules incorporated into the UK Act.
Data subject
The individual that personal data is about.
Specified purpose
The principle that data is used only for the reason it was collected.

Homework 1 min

Task (≤ 15 min): Write a short "data promise" a tuition centre could give parents, listing four things it will do with students' data to obey the Data Protection Act.

Model answer (example)

"We will: collect only the data we need; use it only to run your child's classes; keep it accurate and let you correct it; store it securely; and delete it when your child leaves."

Award marks for: four valid promises, each matching a principle (purpose, minimal, accurate, secure, retention).