UK GDPR (SQA National 5 Computing Science): Revision Note
Exam code: X816 75
UK GDPR
What is UK GDPR?
UK GDPR is a law that protects personal data and sets rules for how organisations collect, store, and use it
Personal data includes information that can identify a person, such as:
Name
Address
Date of birth
Email address
Contact number
Rules for handling data under UK GDPR
| Rule | Description | Example |
|---|---|---|
Processed lawfully, fairly and transparently | Data must be collected and used legally, and individuals must know how it is used | A company tells users why their personal data is being collected |
Used only for the stated purpose | Data can only be used for the reason it was collected | A shop that collects an email for delivery updates cannot use it to send adverts without permission |
Limited to what is necessary | Only the data required for the task should be collected | A cinema collects a customer’s email to send tickets, not their home address |
Accurate | Personal data must be correct and kept up to date | A school updates contact details when a student moves house |
Not kept longer than necessary | Data must be deleted when it is no longer needed | A company deletes a user’s data when they close their account |
Held securely | Data must be stored safely to prevent unauthorised access or loss | A business encrypts customer data to stop hackers accessing it |
Application of UK GDPR
If customer details are stolen, the company has failed to hold data securely
If a user cancels an account, the company should delete their data
UK GDPR only applies to personal data, not to non-personal information like measurements or prices
Worked Example
A local café, "Bean Scene," runs a digital loyalty scheme where customers provide their full name, mobile phone number, and favourite coffee order to register. This personal information is stored in a database.
(i) State one implication of the UK General Data Protection Regulation (UK GDPR) that the café must follow regarding this customer's data
[1]
(ii) The café manager decides to keep the customer’s record indefinitely in the database, just in case the customer decides to re-join the scheme years later.
State which specific UK GDPR requirement is violated by this action
[1]
(iii) Due to an accidental leak, the customer's mobile phone number is stolen by unauthorised personnel. The customer is informed of the leak.
State the requirement of the UK GDPR that the café has failed to meet
[1]
Answers
(i)
Data must be processed lawfully, fairly, and in a transparent manner [1 mark]
(ii)
Data must not be kept for longer than necessary [1 mark]
(iii)
Data must be held securely to prevent unauthorised access [1 mark]