The Data Protection Act (2018) sets out strict rules that organisations must follow when handling personal data.

State three of the six principles of the Data Protection Act (2018).

An individual has specific rights regarding the data held about them by a company.

Identify two of these rights.

Hospitals hold sensitive personal data about patients (e.g., medical records), whereas a local coffee shop might only hold a customer's email address.

(a) Give one other example of sensitive personal data.
(b) Explain why the security measures for the hospital database need to be stricter than those for the coffee shop.

A youth club stores member details (Name, Address, Date of Birth) on a computer database.

One of the principles of the Data Protection Act (2018) is 'Storage Limitation'.

Explain what this principle means for the youth club and describe one practical step they must take to comply with it.

A school sends an email to parents about a school trip. They accidentally attach a spreadsheet containing every student's home address and phone number.

(a) Identify which specific principle of the Data Protection Act (2018) has been broken.
(b) Describe two consequences for the school of breaking the Data Protection Act.

A mobile app collects users' location data to provide local weather updates. The app developers decide to sell this location data to an advertising company without asking the users.

Explain why this action breaches the principle of 'Purpose Limitation'.

A social media company plans to use Artificial Intelligence (AI) to scan users' private photos to tag their friends automatically.

Discuss the legal and ethical issues the company must consider before doing this.


In your answer, you must refer to:

• Specific principles of the Data Protection Act 2018.
• The privacy of the users.