What ethical and legal issues are raised by collecting and using personal data?
Understand ethical and legal issues associated with the collection and use of personal data (privacy, ownership, consent, misuse, data protection).
A focused answer to Edexcel GCSE Computer Science 5.2.1, covering the ethical and legal issues of collecting and using personal data: privacy, ownership, consent, misuse and data protection.
Reviewed by: AI editorial process; not yet individually human-reviewed
What this dot point is asking
Edexcel wants you to explain the ethical and legal issues raised when organisations collect and use personal data, covering privacy, ownership, consent, misuse and data protection (the legal framework).
Privacy
Privacy is the core ethical concern. Modern services can gather a detailed picture of someone's life, often invisibly, and that information can reveal sensitive things (health, beliefs, relationships). The ethical issue is that this collection can happen without people's awareness or meaningful control, intruding on a part of life they would expect to keep private.
Consent
Consent is where ethics and law meet. The issue is whether consent is genuine and informed: agreeing to long, complex terms that few people read, or being forced to agree in order to use a service, is questionable consent. Good practice gives people a clear, understandable choice and the ability to refuse or withdraw, so they genuinely control their own data.
Ownership
Ownership matters because it decides who controls the data and what can be done with it. If an organisation treats user-generated data as its own to use and sell, users may lose control over information about themselves. Data protection law addresses this by giving individuals rights (such as to access and delete their data), but the ethical question of who "owns" personal information remains a live issue.
Misuse
The risk of misuse is what makes the other issues serious. Data collected for one purpose might be used for another, sold on, or leaked in a breach, exposing people to fraud or manipulation. This is why limiting use to the stated purpose, and keeping data secure, are central to both ethics and the law.
Data protection (the legal framework)
Data protection law turns the ethical principles into legal duties. An organisation cannot lawfully collect personal data without a proper basis, use it for unrelated purposes, keep it insecurely, or deny people their rights. This legal framework is what an exam answer should cite as the "legal" side, alongside the ethical issues of privacy, consent, ownership and misuse.
Try this
Q1. State what is meant by informed consent. [1 mark]
- Cue. The person has agreed to their data being collected and used, having been told clearly what is collected and why.
Q2. State one requirement of data protection law on organisations handling personal data. [1 mark]
- Cue. Any one of: collect it fairly and lawfully; use it only for the stated purpose; keep it secure; keep it accurate; keep it no longer than necessary; respect individuals' rights over it.
Exam-style practice questions
Practice questions written in the style of Pearson Edexcel exam questions on this dot point, with worked answer explainers. The year tag is the paper they imitate, not the source.
Edexcel 2022, 6 marks
A social media company collects large amounts of personal data about its users. Discuss the ethical and legal issues raised by the company's collection and use of this personal data.
A "Discuss" answer should explore several issues and weigh them.
Privacy: collecting detailed personal data (location, messages, interests) intrudes on users' privacy, and people may not realise how much is gathered or how it is used.
Consent: there are questions over whether users have given genuine, informed consent, especially when terms are long and complex or when agreeing is required to use the service.
Ownership: it is unclear who owns the data, the user who generated it or the company that stores it, and what rights users have to see or delete it.
Misuse: the data could be misused, for example sold to third parties, used for manipulative targeted advertising, or exposed in a breach, harming users.
Data protection (legal): data protection law requires the company to collect data fairly, keep it secure, use it only for stated purposes and give users rights over their data; failing to do so is illegal and can bring large fines.
A balanced conclusion weighs the benefits (a free, personalised service) against the privacy intrusion and risks, concluding that collection must be lawful, transparent and consented to.
Markers reward exploring several issues (privacy, consent, ownership, misuse, data protection law), developed points and a balanced judgement.
Edexcel 2021, 3 marks
Explain why obtaining consent is important when an organisation collects personal data.
Consent means the person has agreed to their data being collected and used, ideally having been told clearly what data is collected and why (informed consent).
It is important because individuals have a right to control their own personal data, and collecting or using it without consent intrudes on their privacy and is generally against data protection law. Genuine consent makes the collection lawful and fair and lets people make an informed choice.
Markers reward defining consent (informed agreement), and the reasons: respecting the individual's control over their data, and that it is a legal and ethical requirement (lawful, fair processing).
Related dot points
- Understand environmental issues associated with the use of digital devices (energy consumption, manufacture, replacement cycle, disposal).
A focused answer to Edexcel GCSE Computer Science 5.1.1, covering the environmental issues of digital devices: energy consumption, manufacture, the replacement cycle and disposal (e-waste).
- Understand ethical and legal issues associated with artificial intelligence, machine learning and robotics (accountability, safety, algorithmic bias, legal liability), and methods of intellectual property protection (copyright, patents, trademarks, licensing).
A focused answer to Edexcel GCSE Computer Science 5.2.2 and 5.2.3, covering the ethical and legal issues of AI, machine learning and robotics (accountability, safety, algorithmic bias, legal liability) and intellectual property protection (copyright, patents, trademarks, licensing).
- Understand the threat to digital systems posed by malware (viruses, worms, Trojans, ransomware, key loggers), how hackers exploit technical vulnerabilities and use social engineering, and methods of protecting digital systems and data (anti-malware, encryption, acceptable use policies, backup and recovery).
A focused answer to Edexcel GCSE Computer Science 5.3.1 and 5.3.2, covering malware (viruses, worms, Trojans, ransomware, key loggers), how hackers exploit vulnerabilities and use social engineering, and protection methods (anti-malware, encryption, acceptable use policies, backup and recovery).
- Understand the importance of network security, ways of identifying network vulnerabilities (penetration testing, ethical hacking) and methods of protecting networks (access control, physical security, firewalls).
A focused answer to Edexcel GCSE Computer Science 4.2.1, covering the importance of network security, identifying vulnerabilities by penetration testing and ethical hacking, and protecting networks with access control, physical security and firewalls.
- Understand how the internet is structured, including IP addressing and routers.
A focused answer to Edexcel GCSE Computer Science 4.1.3, covering how the internet is structured as a global network of networks, the role of IP addresses in identifying devices, and how routers direct data.
Sources & how we know this
- Pearson Edexcel GCSE (9-1) Computer Science (1CP2) specification — Pearson (2020)