FoxChild@Learn
KS3 Computing — Study Pack
Topic: Legal & Ethical Issues in Computing
Year 7–9 | Impact of Technology | UK National Curriculum
Overview
Technology raises both legal and ethical questions that affect everyone in society. These are not the same thing:
- A legal issue is something prohibited by law — breaking it can result in prosecution, fines, or imprisonment.
- An ethical issue is a moral question — something that may be legal but that reasonable people might consider wrong, harmful, or unfair.
The two categories overlap: hacking a computer is both illegal (Computer Misuse Act) and widely considered unethical. But they can also be separate: a company that collects huge amounts of personal data for targeted advertising may do so legally (with buried consent in Terms & Conditions) while many people consider it ethically questionable.
Section 1: UK Computing Legislation
The Computer Misuse Act 1990
Passed to make hacking and related activities a criminal offence. The Act defines three offences, each carrying increasing penalties:
Offence 1: Unauthorised access to computer material
- Simply accessing a computer system or data you do not have permission to access
- Does NOT require any damage to be done — just accessing without permission is enough
- Examples: guessing a classmate's password and logging into their account; accessing company files you are not authorised to see; a low-level employee reading the CEO's private emails
Offence 2: Unauthorised access with intent to commit a further offence
- Accessing a system specifically with the intention of committing another crime
- Examples: hacking a bank's servers to commit fraud; accessing a company's database to steal customer credit card details; breaking into a system to plant ransomware
Offence 3: Unauthorised modification of computer material
- Intentionally altering, deleting, or corrupting data or software without authorisation
- Examples: planting a virus; deleting someone else's files; altering exam records; defacing a website; deploying ransomware that encrypts data
Penalties: up to 10 years imprisonment for the most serious offences; unlimited fines.
The Data Protection Act 2018 / UK GDPR
Governs how personal data about individuals must be collected, stored, used, and protected. Based on the UK General Data Protection Regulation (UK GDPR) — the UK version of the EU's GDPR framework, retained after Brexit.
Key principles — personal data must be:
| Principle | What It Means |
|---|---|
| Lawful, fair, and transparent | Data collected only with a valid legal basis; individuals know what is collected and why |
| Purpose limitation | Data used only for the specific, stated reason it was collected; not repurposed without consent |
| Data minimisation | Only the data actually needed is collected — not more |
| Accuracy | Data must be kept accurate and up to date |
| Storage limitation | Data not kept longer than necessary for its purpose |
| Integrity and confidentiality | Stored securely with appropriate technical and organisational measures |
| Accountability | Organisations must be able to demonstrate compliance |
Individual rights under the DPA:
- Right to access: individuals can request a copy of all personal data held about them (Subject Access Request)
- Right to be forgotten: individuals can request their data be deleted (in certain circumstances)
- Right to correction: individuals can request inaccurate data be corrected
- Breach notification: organisations must report significant data breaches to the ICO (Information Commissioner's Office) within 72 hours
ICO: the Information Commissioner's Office is the UK regulator that enforces the DPA. It can issue fines of up to £17.5 million or 4% of global annual turnover.
The Copyright, Designs and Patents Act 1988
Protects the intellectual property of creators — their original creative works are protected from being copied, distributed, or modified without permission.
What it covers:
- Software and code
- Music, films, and videos
- Images, photographs, artwork
- Written text, books, articles
- Databases
What is illegal without permission:
- Copying software and distributing it
- Downloading music or films without paying
- Using someone's image in your project without credit or licence
- Modifying and distributing someone else's code
Creative Commons licences: allow creators to specify exactly what others can do with their work (e.g. free to use but must credit the creator; can modify but only for non-commercial use; must share modifications under the same licence).
Open Source Software: software whose source code is published and freely available. Comes with its own licence terms (e.g. MIT, GNU GPL) which specify whether it can be used commercially, whether modifications must also be open source, etc.
Freedom of Information Act 2000
Public sector organisations (government, councils, NHS, schools, police) must disclose information held about their activities upon request, within 20 working days, unless an exemption applies.
Exemptions include: national security; personal data about third parties; information that would prejudice commercial interests; information still being used in policy development.
Why it matters for computing: members of the public can request data about government IT contracts, algorithms used in public services, or how data is processed.
UK Laws Summary Table
| Law | Year | What It Covers | Example Offence/Application |
|---|---|---|---|
| Computer Misuse Act | 1990 | Criminalises unauthorised access to computer systems and data | Hacking a school's database to change exam grades |
| Data Protection Act / UK GDPR | 2018 | Governs how personal data is collected, stored, used, and protected | Company selling customer data to third parties without consent |
| Copyright, Designs and Patents Act | 1988 | Protects creators' intellectual property from unauthorised copying/use | Distributing cracked software or using music without a licence |
| Freedom of Information Act | 2000 | Public sector must disclose information on request | Requesting details of a council's CCTV data processing |
Section 2: Ethical Issues in Computing
Ethical issues arise where technology creates moral dilemmas — situations where the right course of action is unclear, or where different values (privacy vs security; innovation vs fairness) come into conflict.
AI Bias
The issue: Machine learning algorithms are trained on historical data. If that historical data reflects historical biases (discrimination, inequality), the AI learns and perpetuates those biases.
Example: a recruitment AI trained on historical hiring data from a company that historically promoted mostly men will learn to favour male candidates — not because it is programmed to discriminate, but because it is optimising for "candidates similar to those who succeeded in the past."
Why difficult to fix: the bias is embedded in the training data; even removing explicitly protected characteristics (gender, race) may not help if other data (postcode, school attended) correlates with them.
Ethical concern: AI bias can systematically disadvantage entire groups at massive scale, affecting jobs, loans, bail decisions, and medical diagnoses.
Surveillance and Privacy
The issue: CCTV cameras, facial recognition systems, smartphone location tracking, government data collection — the technology exists to monitor people's movements and behaviour extensively.
Arguments for surveillance: prevents and solves crime; finds missing persons; deters terrorism; improves public safety.
Arguments against: significant invasion of privacy; chilling effect on freedom of expression and assembly; facial recognition has higher error rates for people of colour (an AI bias issue); collected data can be misused; "who watches the watchers?"
Automation and Job Displacement
The issue: Robots and AI are capable of performing an increasing range of tasks previously done by humans — manufacturing (car assembly robots), logistics (automated warehouses), transport (autonomous vehicles), and customer service (chatbots).
Arguments for automation: increases efficiency and reduces costs; removes humans from dangerous jobs; frees people from repetitive tasks; creates new jobs in technology.
Arguments against: widespread job displacement, particularly for low-skilled workers who cannot easily retrain; new tech jobs may not be accessible to displaced workers; increasing wealth inequality if profits go to technology owners rather than workers.
Digital Divide
The issue: Not everyone has equal access to technology. This creates a two-tier society — those with technology and the skills to use it (the digitally included) and those without (the digitally excluded).
Who is affected: elderly people; those on low incomes; people in rural areas with poor broadband infrastructure; people with disabilities who need assistive technology they cannot afford.
Consequences: educational disadvantage; inability to access government services, job applications, banking, and healthcare that have moved online; social isolation.
Exposed by COVID-19: when schools moved to remote learning, students without home computers or internet connections were severely disadvantaged.
Data Ethics
The issue: large technology companies collect vast amounts of personal data — browsing history, location, purchases, social connections, health data. This data is used to target advertising, train AI models, and make inferences about individuals.
Ethical questions:
- Is "implied consent" (clicking "I Agree" on Terms & Conditions without reading them) genuinely informed consent?
- Should companies be able to profit from personal data without meaningfully sharing that profit with the people who generated it?
- Who owns your data — you or the company?
Algorithmic Accountability
The issue: when an AI system makes a harmful decision — an autonomous vehicle kills a pedestrian, a medical AI misdiagnoses cancer, a credit scoring algorithm unfairly denies loans to a demographic — who is responsible?
Options: the developer who wrote the algorithm; the company that deployed it; the user who relied on it without questioning it; the person whose data trained it.
Why difficult: AI decisions are often opaque ("black box" — not even the developers fully understand why the model made a specific decision).
Ethical Issues Table
| Ethical Issue | Description | Argument For Technology | Argument Against / Concern |
|---|---|---|---|
| AI bias | Algorithms perpetuate historical biases | AI can make faster, more consistent decisions than biased humans | Systematically disadvantages groups at scale; hard to detect and fix |
| Surveillance | CCTV, facial recognition, data collection | Deters crime; helps find missing people | Invasion of privacy; chilling effect on freedom; facial recognition errors |
| Automation | Robots/AI replacing human workers | Efficiency gains; removes humans from danger | Job displacement; growing inequality; retraining barriers |
| Digital divide | Unequal access to technology | Technology has made services more accessible overall | Excludes those who cannot access technology from education, employment, services |
| Data ethics | Companies collecting and profiting from personal data | Enables personalised services; drives innovation | Uninformed consent; exploitation; loss of privacy and autonomy |
| Algorithmic accountability | Who is responsible when AI causes harm | AI can supplement human judgement | Opacity ("black box"); unclear liability; potential for undetected bias |
Case Study: TechCorp Ltd
Scenario: TechCorp Ltd is a software company. They operate a free app that stores users' contact details, location history, and browsing habits. Without telling users, TechCorp sells this data to advertisers. A disgruntled employee hacks into the rival company's server and modifies their pricing data.
Legal issues:
- TechCorp selling personal data without explicit consent → Data Protection Act 2018 / UK GDPR violation (purpose limitation: data used for something other than the stated purpose)
- The employee accessing and modifying the rival's server → Computer Misuse Act 1990 (Offence 1: unauthorised access + Offence 3: unauthorised modification)
Ethical issues:
- Even if TechCorp buried consent in Terms & Conditions (making it technically legal), selling users' data without genuine informed consent is ethically questionable
- The employee's hacking is both illegal and widely considered unethical
Key Vocabulary
| Term | Definition |
|---|---|
| Legal issue | Something prohibited by law — breaking it can lead to prosecution |
| Ethical issue | A moral question about whether an action is right or wrong, regardless of legality |
| Computer Misuse Act | UK law (1990) criminalising unauthorised access to computer systems |
| Data Protection Act | UK law (2018/UK GDPR) governing the collection, storage, and use of personal data |
| Copyright | Legal protection for creators of original works |
| ICO | Information Commissioner's Office — UK regulator for data protection |
| Subject Access Request | A formal request by an individual to see all personal data held about them |
| Creative Commons | Licences that allow creators to specify permitted uses of their work |
| Open source | Software with publicly available source code and specific licence terms |
| AI bias | Discrimination embedded in AI systems because of biased training data |
| Digital divide | The gap between those with and without access to technology |
| Algorithmic accountability | The question of who is responsible when an AI system causes harm |
| Automation | Using technology to perform tasks previously done by humans |
| Surveillance | Monitoring of people's activities, movements, and communications |
| Intellectual property | Creative works or inventions protected by copyright, patents, or trademarks |
| Breach notification | Legal requirement to report data breaches to the ICO within 72 hours |
Common Misconceptions
| Misconception | Correction |
|---|---|
| "Legal and ethical are the same thing" | Something can be legal but unethical (selling customer data with buried consent) or illegal but some might consider ethical (whistleblowing). They are separate categories that sometimes overlap. |
| "The Computer Misuse Act only applies to professional hackers" | The CMA applies to anyone who accesses a system without authorisation — including a student who guesses a classmate's password or a curious employee who reads files they are not supposed to see. |
| "If you remove names, data is anonymous" | Removing names often does not make data truly anonymous. If age, postcode, medical condition, and employer are all known, an individual can often be re-identified — a process called de-anonymisation. |
| "Copyright only covers music and films" | Copyright covers any original creative work — including software code, images, text, databases, and web content. |
| "AI is unbiased because it is a machine" | AI systems reflect the data they are trained on. If training data contains biases, the AI learns and amplifies those biases. Machines can be more consistently biased than humans. |
Exam-Style Questions
Q1 [1 mark] Describe one offence under the Computer Misuse Act 1990.
Q2 [3 marks] Explain how the Data Protection Act 2018 protects individuals from the misuse of their personal data. Refer to at least two principles in your answer.
Q3 [4 marks] A company collects customer email addresses and sells them to advertising companies without the customers' knowledge or explicit consent.
(a) State which UK law has been broken. [1 mark] (b) Explain how the company has broken this law. [3 marks]
Q4 [6 marks] A city council is planning to install facial recognition cameras in its town centre.
Evaluate this proposal by discussing:
- the relevant law(s) that apply
- the potential benefits
- the ethical concerns raised
- a reasoned conclusion
Q5 [6 marks] Discuss how automation is changing employment. In your answer, consider:
- which types of jobs are most affected
- arguments in favour of automation
- arguments against automation
- the ethical responsibilities of companies that automate
MCQ Which law protects an individual's right to know what personal data a company holds about them?
A) Computer Misuse Act 1990 B) Copyright, Designs and Patents Act 1988 C) Data Protection Act 2018 D) Freedom of Information Act 2000
Fill in the blanks The __________ Act 1990 makes it illegal to access a computer system without __________. The Data Protection Act states that personal data must only be used for the __________ for which it was collected. An issue that is morally questionable but not illegal is an __________ issue. When AI systems are trained on biased historical data, they may produce __________ outcomes that discriminate against certain groups.
Model Answers
Q1: Any one of: unauthorised access to computer material (e.g. accessing another person's account or files without permission); unauthorised access with intent to commit a further offence (e.g. hacking a system to commit fraud); unauthorised modification of computer material (e.g. planting a virus, deleting files, altering records). [1 mark]
Q2: Any two principles with explanation, for example:
- Purpose limitation: the DPA requires that personal data is only used for the specific purpose for which it was collected (1). If a company collects emails for order confirmations but then uses them for marketing, this violates the DPA (1).
- Storage limitation: the DPA requires that personal data is not kept longer than is necessary for its stated purpose (1). A company that retains customer data indefinitely after they have closed their account is in breach (1). [3 marks: up to 2 per principle, but cap at 3 total]
Q3: (a) Data Protection Act 2018 / UK GDPR [1 mark] (b) The Data Protection Act requires that personal data is used only for the specific, stated purpose for which it was collected (1). Selling email addresses to advertisers is a different purpose from that for which they were collected (1). Additionally, the DPA requires that data processing is done lawfully and transparently — the customers were not told their data would be sold, so there was no lawful basis for this processing (1). [3 marks]
Q4: Award marks for: identifying relevant laws (surveillance law, GDPR for biometric data) (1); benefit: prevents crime, deters criminals, helps identify suspects (1–2); ethical concern: invasion of privacy, facial recognition has higher error rates for darker skin tones (AI bias), chilling effect on freedom of movement (1–2); reasoned conclusion: must be balanced against proportionality, transparency, and safeguards (1). [6 marks total]
Q5: Award 1 mark per developed point, up to 6 marks:
- Jobs most affected: routine, repetitive manual work (factory assembly), transport (lorry/taxi drivers), customer service (call centres), some administrative roles.
- Arguments for: efficiency and productivity gains; humans freed from dangerous or monotonous work; lower costs leading to cheaper goods; new technology jobs created.
- Arguments against: job displacement particularly affects low-skilled workers; new jobs in technology may require high skills displaced workers do not have; increases income inequality.
- Ethical responsibilities: companies have a duty to consider the impact on workers, invest in retraining programmes, and not purely prioritise profit over people; governments may need to intervene with regulation or taxation of automation.
MCQ: C — Data Protection Act 2018
Fill in the blanks: Computer Misuse / authorisation (permission) / purpose / ethical / biased (discriminatory)
Revision Checklist
- I can distinguish between a legal issue and an ethical issue with examples
- I can describe three offences under the Computer Misuse Act 1990
- I can state five principles from the Data Protection Act 2018 / UK GDPR
- I can explain what a Subject Access Request is
- I can explain what the ICO is and what it does
- I can describe what the Copyright, Designs and Patents Act protects
- I can explain what Creative Commons and open source licences are
- I can explain what AI bias is and give an example
- I can describe the digital divide and identify who is most affected
- I can explain what algorithmic accountability means
- I can construct a balanced argument about a computing ethical issue (surveillance, automation)
- I can identify which law applies to a given computing scenario
- I can evaluate a computing proposal by discussing legal, ethical, and social dimensions