Three Acts you must know for your GCSE, with the key provisions, penalties, and what the examiners look for in each.
Computer Misuse Act 1990 (CMA)
Created after the R v Gold & Schifreen case — two hackers accessed BT's Prestel network using a stolen password. Courts could not convict them; no law covered it. Parliament acted.
Three Sections to Know
Section 1 (S1)
Logging into any system without permission — guessing passwords, using someone else's account, accessing files you shouldn't see.
Up to 2 years · unlimited fine
Section 2 (S2)
Breaking in with a further criminal goal — hacking a bank to transfer money, accessing emails to blackmail someone.
Up to 5 years · unlimited fine
Section 3 (S3)
Altering, deleting, encrypting or corrupting data or programs — malware, ransomware, DDoS attacks, defacing websites.
Up to 10 years · unlimited fine
Exam tip
S1 = access only · S2 = access + further crime planned · S3 = damage or modification. Examiners love scenarios — practise identifying which section fits before you go in.
Copyright, Designs and Patents Act 1988 (CDPA)
Protects the intellectual property of creators. Copyright is automatic — it applies from the moment a work is created, with no registration needed. Covers software, websites, music, images, film, databases, and written content.
What Is Illegal
Copying or distributing without permission
Reproducing or sharing a protected work without the owner's licence — even if you don't charge for it.
Circumventing copy protection
Cracking DRM, removing licence checks from software, or "ripping" protected DVDs is a separate offence.
Installing software beyond licence terms
A single-user licence installed on 30 machines is a breach — common in schools and businesses.
Protected Works (examples)
Penalties: Up to 10 years imprisonment and/or unlimited fines for criminal copyright infringement. Rights holders can also sue for civil damages.
Exam tip
If a scenario involves piracy, torrenting, cracking software, or using images/music without permission → CDPA. The CMA is about unauthorised access to systems; CDPA is about unauthorised use of creative works. Don't mix them up.
Data Protection Act 2018 (DPA)
Governs how organisations collect, store, use, and share personal data. Enforced by the Information Commissioner's Office (ICO). The 2018 Act brought UK law in line with the EU GDPR (now retained as UK GDPR after Brexit).
The 7 Principles
Lawfulness, fairness and transparency
People must know what you're doing with their data; processing must be legal.
Purpose limitation
Data collected for one purpose cannot be used for a different purpose without consent.
Data minimisation
Only collect data that is actually needed — not extra data "just in case".
Accuracy
Data must be kept up to date; individuals can request corrections.
Storage limitation
Don't keep personal data for longer than necessary.
Integrity and confidentiality
Protect data from loss, theft, or damage — encryption, access controls, backups.
Accountability
Organisations must be able to prove compliance — documented policies, privacy notices.
Key Individual Rights
Enforcement: ICO can fine up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious breaches.
Exam tip
DPA scenarios involve personal data being lost, shared without consent, used for the wrong purpose, or kept too long. The ICO is the enforcement body. For 2-mark questions naming principles, know at least four by name.
At a Glance
| Act | Covers | Enforcer | Max penalty |
|---|---|---|---|
| CMA 1990 | Hacking, unauthorised access, malware, DDoS | Police / CPS | 10 years |
| CDPA 1988 | Piracy, cracked software, using images without permission | Police / rights holders | 10 years |
| DPA 2018 | Personal data misuse, data breaches, unlawful sharing | ICO | £17.5m fine |
J277 Command Words