Pearson BTEC Digital Information Technology · Component 3 · 90 Minutes · 60 Marks

Effective Digital Working Practices. The Complete Encyclopaedia — All Four Learning Aims · Every Keyword · Every Exam Technique

One document. Four learning aims. Every concept explained in full, every exam technique mastered, every keyword defined — built to take you from knowing nothing to knowing everything.

90 min exam
📋 60 marks
🧠 AO1–AO4
📝 BLT method
🎯 4 Learning Aims
Learning Aim A · Modern Technologies

Modern Technologies & Their Impact

"Technology has obliterated geography — the question is no longer where you work, but whether you work well."

Ad Hoc Networks · Cloud Storage · Cloud Computing · Synchronisation · Scalability · World Teams · Flexible Working · Accessibility · CapEx vs OpEx
A1
Understand modern communication technologies including wireless networks, cloud storage, and cloud computing
A2
Understand the impact of modern technologies on working practices, teams, stakeholders, and individual wellbeing
AO
Apply knowledge to vocational scenarios — selecting appropriate platforms and justifying choices with evidence
Topic A1 · Section 1
Wireless Networks & Connectivity
Ad Hoc Networks
Connecting Without Infrastructure

An ad hoc network is a temporary wireless connection created directly between devices, without needing a central router or fixed infrastructure. Three main types are examined:

📶
Tethering / Personal Hotspot: A smartphone shares its mobile data connection with other devices (laptop, tablet). The phone acts as a portable router. Quick to set up, uses mobile data allowance.
🔵
Bluetooth PAN: Personal Area Network connecting devices within ~10 metres. Used for peripherals (headphones, keyboard, mouse). Low power but limited range and speed.
⚠️
Open Wi-Fi: Public networks (cafés, airports) requiring no password. Convenient but highly insecure — data can be intercepted by anyone on the same network. Never use for sensitive data without a VPN.
🔒
WPA2 encryption secures Wi-Fi by scrambling data in transit. A VPN adds a further layer — encrypting ALL traffic from your device, making public Wi-Fi significantly safer.
Network Issues
When Networks Fail
Blackspots
Areas with no signal at all — caused by physical barriers (tunnels, hills, thick walls), distance from masts, or insufficient infrastructure in rural areas. A real business problem for field workers.
Network Congestion
Speed drops when too many users share a network simultaneously. Common in office blocks, public spaces, or during peak hours. Bandwidth is split between all users.
Infrastructure
Requires investment in transmitters, cables, and masts. Rural areas often lack this investment — creating the "digital divide" between urban and rural connectivity.
Pairing
Bluetooth authentication process — devices exchange a PIN or passkey before connecting, ensuring only authorised devices can pair. Prevents unauthorised connections.
Downtime
Period when a network or service is unavailable. Costs businesses through lost productivity, missed orders, and reputational damage. Disaster recovery plans must address this.
Topic A1 · Section 2
Cloud Storage & Computing
Cloud Storage
Files Beyond Your Device

Storing data on remote servers accessed via the internet, rather than local hard drives. Key features:

🔄
Synchronisation: Files update automatically across all linked devices — edit on your phone, see changes instantly on your laptop.
📈
Scalability: Storage capacity increases or decreases automatically to match demand — no need to buy new hardware.
🌐
24/7 Availability: Access files from anywhere, at any time, on any device with internet access.
💾
Redundancy: Data stored in multiple physical locations — if one server fails, copies in other data centres ensure no data is lost.
🔐
Access Rights: Permissions control who can view, edit, or delete specific files — essential for protecting confidential data.
Cloud Computing
Software Without Installation

Online applications run on remote servers and are accessed through a web browser — no installation required. Examples: Google Docs, Microsoft 365, Salesforce.

Key advantages over traditional software:

📄
Single shared instance: All users edit the SAME version of a file — no emailing attachments, no version conflicts.
🤝
Collaboration tools: Multiple users work simultaneously. Google Docs shows each person's cursor in real time with colour coding.
🔁
Version control: Cloud systems automatically log every change with timestamps and user names. Any previous version can be restored.
💻
Platform independent: Works on Windows, Mac, iOS, Android — any device with a browser can access the same tools.
CapEx vs OpEx
The Cost Comparison
Model | Description | Example
CapEx (Capital Expenditure) | Large one-off upfront costs for physical hardware | Buying servers, cables, routers for an on-site data centre
OpEx (Operational Expenditure) | Ongoing day-to-day running costs — predictable monthly bills | Monthly cloud subscription (Google Workspace: £5.20/user/month)
📊
Exam tip: Cloud = OpEx (pay monthly, scale up/down). Own servers = CapEx (big upfront cost, fixed capacity). Small businesses often prefer OpEx — lower risk, no huge initial investment.
Cloud Implications
🔒
Disaster recovery: Must have a plan for when the cloud provider has downtime — backup systems, offline working capability.
⚖️
Data security: Where is your data physically stored? Which country's laws apply? The provider's security procedures must meet DPA 2018 requirements.
Topic A2 · Impact of Modern Technologies
World Teams & Working Practices
Modern Teams
Geography Is No Longer a Barrier

Technology enables "world teams" — groups of employees in different countries, time zones, and cultures working together on shared projects 24/7/365.

🌍
Multicultural environments: Diverse teams bring different perspectives, languages, and approaches — improving creativity and problem-solving.
24/7 operations: A Tokyo team finishes and a London team picks up — the business never stops. Handover documents and version control become critical.
🏠
Flexible working: Employees can work from home, coffee shops, or co-working spaces. Reduces commuting time, lowers office costs, and improves work-life balance.
Inclusivity: Remote working enables employees who cannot travel (disability, childcare, health conditions) to contribute fully. Technology removes physical barriers.
Managing Teams
Tools for Distributed Leadership
📊
Gantt charts: Visual timeline showing tasks, responsible team members, and deadlines. Allows managers to track progress and identify delays across distributed teams.
💬
Instant messaging: Quick questions without email formality. Slack, Microsoft Teams, Google Chat — replaces the office corridor conversation.
📹
Video conferencing: Zoom, Teams, Google Meet — face-to-face meetings without travel costs. Screen sharing enables real-time collaboration on documents.
📋
Project management software: Trello, Asana, Jira — task boards showing who owns each task, its status, and deadline. Accessible by the whole team from anywhere.
Stakeholder Communication
📣
Public channels (website, social media): For general news, product launches, marketing. Anyone can see it.
📧
Private channels (email, DM): For sensitive information, financial data, personal matters. Restricted audience.
Inclusivity & Accessibility
Making Digital Workspaces Fair
👁
Screen readers: Software that reads content aloud for visually impaired users. Websites must use semantic HTML so screen readers navigate correctly.
🖼
ALT Text: Alternative text descriptions added to images — read aloud by screen readers. "Photo of a cat" tells a visually impaired user what sighted users see.
🔤
Text-to-speech: Converts written text to audio. Useful for dyslexic users or those who prefer auditory learning.
🎨
Font/colour choices: High-contrast colour schemes, dyslexia-friendly fonts (e.g. OpenDyslexic), adjustable text sizes improve readability for all users.
📍
Geo-data / Location awareness: Tells the system where users are to provide relevant local content, nearest services, or region-specific interfaces.
Individual Impact
The Human Cost of Always-On Working
✓ Benefits to Individual
Flexible hours — work when most productive, not just 9–5
🚗
No commute — saves time, money, reduces stress and carbon footprint
🏠
Family-friendly — easier to manage childcare and personal commitments
✗ Risks to Individual
😔
Isolation & loneliness: No water-cooler chat, no spontaneous collaboration — remote workers can feel disconnected from colleagues.
🔀
Blurred boundaries: When home IS the office, it's hard to switch off. Work emails at 10pm become normal — leading to burnout.
📱
Always-on culture: Technology expectations mean staff feel pressured to respond outside hours — damaging mental health.
Quick Reference
Learning Aim A Keywords
Ad hoc Network
Temporary wireless connection between devices without a central router or access point.
Tethering
Sharing a phone's mobile internet connection with other devices.
Blackspot
Area with no mobile or wireless signal — caused by terrain, buildings, or lack of masts.
Synchronisation
Automatically updating files across multiple devices so all copies are identical.
Scalability
Ability to increase or decrease computing resources automatically to match demand.
Redundancy
Copies of data stored in multiple locations to prevent loss if one server fails.
Downtime
Period when a system is unavailable — causes lost productivity and revenue.
CapEx
Capital Expenditure — large one-off costs for physical hardware (servers, cables).
OpEx
Operational Expenditure — ongoing day-to-day costs (monthly cloud subscriptions).
Version Control
System recording all changes to a document so any previous version can be restored.
Stakeholder
Individual or group with a financial interest in a business (customers, employees, owners).
Inclusivity
Involving employees with useful skills who cannot work in traditional ways.
💻 Tasks — Learning Aim A
  1. Cloud vs Local: A small business currently stores all files on a local server. Give TWO benefits and TWO drawbacks of switching to cloud storage. Use the BLT method for each point.
  2. Ad hoc decision: A salesperson is at a client's office with no Wi-Fi. Identify TWO ways they could connect their laptop to the internet. For each, describe one security risk.
  3. Team impact: A company moves from an office to fully remote working. Evaluate the impact on employees — consider both positive and negative effects on wellbeing.
  4. CapEx vs OpEx: A startup has limited budget. Explain whether they should invest in their own servers (CapEx) or subscribe to a cloud service (OpEx). Justify your recommendation.
🔥 6-Mark Challenge: "Evaluate the benefits of using cloud computing for a growing e-commerce business." Use 2 BLT strands + a Therefore conclusion that links back to the business context.
Exam Sharpener · 4 Marks
"Explain two benefits of using cloud storage for a company whose employees work across three different countries." (4 Marks)
Benefit 1 — Point (1)
Cloud storage offers 24/7 availability — employees in any country can access the same files at any time without needing to be in the same office.
Explain (1)
This means a Tokyo employee finishing a report at 9pm hands it to a London colleague who starts at 8am — no delays, no emailing files back and forth, and always the latest version.
Benefit 2 — Point (1)
Synchronisation ensures all employees always work on an identical, up-to-date version of every file.
Explain (1)
This eliminates the risk of two employees editing different versions of the same document simultaneously — preventing conflicts, lost work, and version confusion that would cost the company time and money.
Learning Aim B · Cyber Security

Threats, Prevention & Security Policy

"The question is not whether you will be attacked, but whether you will be prepared when you are."

Malware · Phishing · Encryption · Firewalls · Penetration Testing · AUP · Disaster Recovery · Biometrics · 2FA
B1
Understand threats to data — external attacks, malware types, social engineering, and internal vulnerabilities
B2
Know the technical and procedural controls that prevent and manage cyber threats
B3
Understand security policies including AUPs, backup processes, and disaster recovery plans
Topic B1 · Threats
Threats to Data

Malware (malicious software) is deliberately created to damage, disrupt, or gain unauthorised access to systems. Each type operates differently — you must know the distinction.

🦠
Virus
Attaches to legitimate files. Spreads when infected files are shared or executed. Requires human action to spread. Can delete files, slow systems, or corrupt data. Like a biological virus — needs a host to survive.
🐛
Worm
Self-replicating — spreads automatically across networks without user action. Exploits network vulnerabilities. Causes severe congestion. WannaCry was a worm that hit 230,000 computers in 150 countries.
🎠
Trojan Horse
Disguised as useful software — appears legitimate but contains a hidden payload. Once run, secretly installs malware or creates backdoors. Named after the Trojan Horse myth.
💰
Ransomware
Encrypts the victim's files, making them unreadable. Demands payment (often cryptocurrency) for the decryption key. A form of unauthorised modification. NHS paid £92m recovering from WannaCry.
👁
Spyware
Secretly monitors user activity — keystrokes, browsing history, webcam, microphone. Sends data to attacker. Skygofree (2015) read WhatsApp messages and recorded audio without the user knowing.
🥷
Rootkit
Installs deep in the OS, hiding itself and other malware. Gives attacker administrator-level access. Extremely hard to detect — often requires complete OS reinstall to remove. Persistent, hidden threat.
🤖
Botnet
Network of infected "zombie" devices controlled remotely by an attacker. Used for DDoS attacks, spam, crypto-mining — all without device owners knowing. Mirai botnet took down major websites using IoT devices.
🔒
Denial of Service
Overwhelms a server with traffic until it crashes, making it unavailable to legitimate users. DDoS uses a botnet to amplify the attack from many sources simultaneously. Expensive downtime for businesses.
🔑
Man-in-the-Middle
Attacker intercepts communications between two parties. Neither party knows their conversation is being monitored or altered. Common on open Wi-Fi networks. Prevented by HTTPS encryption and VPNs.
Topic B1 · Human-Targeted Attacks
Social Engineering
Phishing
The Art of Deception

Fake emails, messages, or websites that impersonate trusted organisations (banks, HMRC, Amazon, your employer) to trick users into revealing passwords, card details, or personal information.

Attackers spoof sender addresses so the email appears legitimate. Urgency is weaponised: "Your account will be closed in 24 hours — click here."

🎣
Spear phishing targets specific individuals with personalised details (your name, manager's name, recent project) — far more convincing than mass phishing. Often used in corporate espionage.
Pharming
When the Right URL Goes Wrong

Redirects users from a legitimate website to a fake one even when they type the correct address. Achieved by corrupting DNS records (the internet's "phone book") so the real site name points to a fraudulent IP address.

The fake site looks identical to the real one — victims have no visible warning they've been redirected.

⚠️
Key distinction: Phishing uses fake links in messages. Pharming corrupts the DNS — you can be a victim even if you type the address correctly and don't click any links.
Other Social Engineering
Exploiting Human Nature
👀
Shoulder surfing: Watching someone enter a PIN or password from a nearby position. Low-tech but highly effective in busy public places or open-plan offices.
🗑
Dumpster diving: Searching through discarded rubbish (paper, old hard drives) for confidential data. Prevented by shredding documents and properly wiping storage devices.
📞
Vishing: Voice phishing — phone calls impersonating bank fraud teams, IT support, or HMRC. Creates urgency to manipulate victims into revealing information.
💾
Baiting: Leaving infected USB drives in car parks or reception areas. Curious employees plug them in — malware auto-runs. Simple, devastatingly effective.
Internal Threats
The Enemy Within

Not all threats come from outside. Employees represent a significant security risk — either accidentally or deliberately.

😇
Unintentional disclosure: Emailing sensitive data to the wrong recipient, losing a USB drive, leaving a laptop on a train, misconfiguring a cloud folder as "public". Human error is the #1 cause of data breaches.
😡
Disgruntled employees: A dismissed or unhappy employee deliberately leaks data, sabotages systems, or steals customer lists to sell to competitors. Access rights must be revoked immediately on departure.
🔓
Default passwords: Equipment (routers, printers, servers) ships with well-known default passwords. If not changed immediately, attackers can trivially access the system — these are publicly listed online.
💀
Vulnerability exploitation: Unpatched software contains known security flaws. WannaCry exploited an unpatched Windows vulnerability that Microsoft had already released a fix for.
Breach Impacts
What a Successful Attack Costs
💸
Financial loss: Direct costs of breach remediation, ransom payments, regulatory fines (up to €20m or 4% of global turnover under GDPR), and lost revenue during downtime.
📰
Reputational damage: News of a breach destroys customer trust. Customers switch to competitors — long-term revenue loss may dwarf the immediate costs. Brand recovery takes years.
Downtime: Systems taken offline during investigation and recovery. Every hour offline = lost orders, productivity, and staff unable to work. Industry average: 21 days to recover from ransomware.
⚖️
Legal action: GDPR requires notification of breaches to the ICO within 72 hours. Failure = additional fines. Individuals whose data was breached may seek compensation.
Topic B2 · Prevention
Technical & Physical Controls
Access Controls
Verifying Identity
🔑
Passwords: First line of defence. Must be complex (upper/lowercase + numbers + symbols), unique per account, and not shared. Regular forced changes reduce risk.
🧬
Biometrics: Fingerprints, iris scans, facial recognition — unique physical identifiers that cannot be shared, forgotten, or easily replicated. More secure than passwords.
📱
Two-Factor Authentication (2FA): Requires TWO different verification methods — password + one-time SMS code. Even if the password is stolen, the attacker cannot log in without the second factor.
📊
Access levels: Read / Write / Full Control. Employees only have access to data needed for their role (principle of least privilege). Limits damage from both insider and external threats.
Technical Protections
Hardware & Software Defences
🛡
Firewalls: Hardware or software that monitors all incoming and outgoing network traffic against defined security rules. Blocks unauthorised access attempts and suspicious traffic patterns.
🦠
Anti-virus software: Scans files and processes for known malware signatures. Modern solutions use behavioural analysis to detect unknown threats by what they DO rather than matching signatures.
🔐
Encryption: Scrambles data so only the intended recipient with the correct key can read it. Protects data both in transit (HTTPS, TLS) and at rest (encrypted hard drive).
🔧
Device hardening: Reducing the "attack surface" — disabling unused network ports, removing unnecessary software, applying security patches immediately. Less software = fewer vulnerabilities.
Ethical Hacking
Fighting Fire With Fire

Penetration testing — authorised simulation of a cyberattack to find weaknesses before malicious hackers do. The five stages:

1. Authorise: Get written permission from the organisation. Define scope — which systems can be tested.
2. Discover: Scan for open ports, services, software versions, and potential entry points.
3. Exploit: Attempt to use discovered vulnerabilities — safely, without causing real damage.
4. Document: Record every vulnerability found, its severity, and evidence of exploitation.
5. Recommend: Provide a detailed report with specific remediation steps for each vulnerability found.
🎩
Hat colours: White Hat = ethical hacker (legal, authorised). Black Hat = malicious hacker (illegal). Grey Hat = finds vulnerabilities without permission but reports them (legally ambiguous).
Topic B3 · Policy
Security Policy & Disaster Recovery
Security Policy
Rules That Protect Everyone
📋
AUP (Acceptable Use Policy): Formal document defining what employees CAN and CANNOT do with IT systems. Includes scope, behaviours, monitoring methods, and sanctions for violations.
🔑
Password parameters: Minimum length (e.g. 12 characters), complexity requirements, maximum age before forced change, no reuse of recent passwords. Enforced by the system, not just requested.
📱
BYOD policy: Rules governing personal devices used for work — what apps may be installed, whether the company can remote-wipe the device if lost, security requirements before accessing corporate systems.
🔍
Software audit: Regular inventory of all software installed on company devices. Identifies unauthorised software (potential malware or licence violations) and ensures security patches are current.
⚠️
Sanctions: Graduated consequences for policy violations — from informal warning to dismissal and legal action. Must be clearly defined before incidents occur to be enforceable.
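The following is an added example, not part of the original guide, of what "enforced by the system, not just requested" can look like for the password parameters listed above. The 90-day maximum age, the five-password history and every function name are assumptions chosen for illustration; only the 12-character minimum comes from the guide's own example.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Assumed policy values for illustration. Only the 12-character minimum
# appears in the guide (as an example); the others are placeholders.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
HISTORY_SIZE = 5


def hash_password(password, salt=None):
    """Return (salt, digest). Passwords are kept only as salted hashes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def complexity_failures(password):
    """List every complexity rule the candidate password breaks."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    return failures


def is_reused(password, history):
    """True if the password matches any remembered (salt, digest) pair."""
    for salt, digest in history[-HISTORY_SIZE:]:
        _, candidate = hash_password(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def must_change(last_changed, now):
    """True once the password is older than the maximum age."""
    return now - last_changed > MAX_AGE


def change_password(new_password, history):
    """Apply the policy; return (accepted, reasons, updated_history)."""
    reasons = complexity_failures(new_password)
    if is_reused(new_password, history):
        reasons.append("matches a recent password")
    if reasons:
        return False, reasons, history
    updated = (history + [hash_password(new_password)])[-HISTORY_SIZE:]
    return True, [], updated
```
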
Backup & Disaster Recovery
Planning for When Things Go Wrong
💾
Full backup: Complete copy of ALL data. Takes longest but restores everything. Typically done weekly during low-traffic periods (nights/weekends).
📈
Incremental backup: Only backs up data that has changed since the LAST backup. Faster and smaller — done daily. Restoring requires the last full backup + all incrementals since.
🏦
RAID: Redundant Array of Independent Disks — identical data written to multiple physical drives simultaneously. If one fails, the system keeps running from the others. Hardware-level resilience.
📍
Offsite storage: Backups kept in a physically separate location. If the building burns down, the backup survives. Cloud backup is the modern equivalent.
🚨
Incident response: Investigate → Respond → Manage → Recover → Analyse. A documented process for handling attacks that everyone knows before an incident occurs.
📅
RTO vs RPO: Recovery Time Objective (how quickly systems must be back) and Recovery Point Objective (how much data loss is acceptable). These determine backup frequency and recovery infrastructure investment.
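The following is an added example, not part of the original guide, that works through the rule "last full backup + all incrementals since" and checks the resulting data loss against an RPO. The backup catalogue is constructed sample data and the function names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample catalogue: a full backup on Sunday night,
# incremental backups on the nights that follow.
CATALOGUE = [
    {"id": "full-01", "type": "full", "taken": datetime(2024, 3, 3, 23, 0)},
    {"id": "inc-01", "type": "incremental", "taken": datetime(2024, 3, 4, 23, 0)},
    {"id": "inc-02", "type": "incremental", "taken": datetime(2024, 3, 5, 23, 0)},
    {"id": "inc-03", "type": "incremental", "taken": datetime(2024, 3, 6, 23, 0)},
    {"id": "full-02", "type": "full", "taken": datetime(2024, 3, 10, 23, 0)},
    {"id": "inc-04", "type": "incremental", "taken": datetime(2024, 3, 11, 23, 0)},
]


def restore_chain(catalogue, incident_time, unusable=()):
    """Backups to restore, in order, to get as close as possible to the incident.

    An incremental holds only the changes since the previous backup, so the
    chain is the latest usable full backup plus every incremental after it,
    stopping at the first backup that is missing or corrupt.
    """
    candidates = sorted(
        (b for b in catalogue if b["taken"] <= incident_time),
        key=lambda b: b["taken"],
    )
    fulls = [b for b in candidates
             if b["type"] == "full" and b["id"] not in unusable]
    if not fulls:
        return []  # nothing to restore from
    base = fulls[-1]
    chain = [base]
    for backup in candidates:
        if backup["taken"] <= base["taken"]:
            continue
        # A later full can only appear here if it is unusable; either way the
        # chain is broken, because later incrementals depend on this backup.
        if backup["type"] == "full" or backup["id"] in unusable:
            break
        chain.append(backup)
    return chain


def data_loss_window(chain, incident_time):
    """Time between the last restorable backup and the incident."""
    if not chain:
        return None
    return incident_time - chain[-1]["taken"]


def meets_rpo(chain, incident_time, rpo):
    """True if the data lost is within the Recovery Point Objective."""
    window = data_loss_window(chain, incident_time)
    return window is not None and window <= rpo
```
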
Quick Reference
Learning Aim B Keywords
Malware
Any malicious software designed to damage, disrupt, or gain unauthorised access.
Phishing
Fake messages impersonating trusted organisations to steal credentials or personal data.
Pharming
Corrupting DNS to redirect users to fake sites even when they type the correct URL.
Encryption
Scrambling data so only the holder of the correct key can read it.
Biometrics
Using unique physical characteristics (fingerprint, iris, face) to verify identity.
Two-Factor Authentication
Requiring two separate verification methods — password + one-time code.
Firewall
Hardware/software monitoring network traffic and blocking unauthorised access.
Penetration Testing
Authorised simulation of a cyberattack to identify and fix system weaknesses.
Ransomware
Encrypts victim's files and demands payment for the decryption key.
RAID
Redundant Array of Independent Disks — identical data on multiple drives for resilience.
White Hat Hacker
Ethical hacker hired by organisations to find vulnerabilities with full authorisation.
AUP
Acceptable Use Policy — rules defining how employees must use organisational IT systems.
🔐 Tasks — Learning Aim B
  1. Threat classification: For each scenario, identify the threat type AND suggest a specific prevention: (a) An employee opens an attachment and all files become encrypted; (b) A manager receives an email apparently from the CEO asking for a bank transfer; (c) A hacker floods the company website until it crashes.
  2. Backup strategy: A law firm stores 200GB of client files updated daily. Design a backup strategy specifying: type (full/incremental), frequency, location, and justification for each choice.
  3. AUP sections: Identify which AUP section is violated in each case: (a) An employee installs a game on their work laptop; (b) A manager shares their password with their assistant; (c) A developer accesses a client database outside their authorised role.
🔥 6-Mark Challenge: "Evaluate the effectiveness of biometric security compared to password-based authentication for a bank with 5,000 employees." Use 2 BLT strands + Therefore conclusion referencing the banking context.
Exam Sharpener · 6 Marks
"Discuss the security measures a hospital should put in place to protect patient data on its computer systems." (6 Marks)
Strand 1 — Encryption (P+B+L)
The hospital should encrypt all patient records at rest and in transit, because patient data is extremely sensitive medical information. This means that even if a device is lost or the network is intercepted, unauthorised parties cannot read the data — protecting patient privacy and maintaining DPA 2018 compliance.
Strand 2 — Access Control (P+B+L)
Implementing role-based access with biometric authentication ensures only the correct clinician can access a specific patient's records, because each person's fingerprint or iris is unique and cannot be shared or guessed. This prevents both internal access violations and external attacks using stolen passwords.
Therefore — Conclusion
Therefore, the combination of encryption and biometric access control provides layered defence — technical controls protecting the data itself, and access controls ensuring only authorised medical staff can reach it. In a hospital, a breach could endanger lives, making robust multi-layered security not just legal compliance but an ethical imperative.
Learning Aim C · Wider Implications

The Wider Implications of Digital Systems

"Every digital action has consequences — legal, ethical, environmental, and social. Understanding them separates good practice from recklessness."

Shared Data · Cookies · E-waste · Equal Access · Net Neutrality · DPA 2018 · GDPR · CMA 1990 · AUP · IP Rights
C1
Understand responsible use of data including shared data, cookies, geo-data, and the environmental impact of technology
C2
Know the legal and ethical frameworks — Equality Act, Net Neutrality, AUPs, DPA 2018/GDPR, CMA 1990, and intellectual property
AO
Apply legislation and ethical principles to vocational scenarios — distinguishing legal from ethical, identifying violations
Topic C1 · Responsible Use
Shared Data & Privacy
Types of Shared Data
What Gets Collected About You
📍
Location-based / Geo-data (GPS): Real-time geographical coordinates from your device's GPS. Accurate to a few metres when 4+ satellites are detected. Used for navigation, tracking, geofencing, and targeted advertising based on location.
💳
Transactional data: Information generated when you make purchases, bookings, or sign-ups — items bought, customer details, payment information, time and location. Shared between payment processors, card networks, and banks.
🍪
Cookies: Small text files stored on your device by websites. Track browsing activity, remember login details, and enable personalised advertising. Third-party cookies track you across multiple sites.
👣
Digital footprint: The trail of all data you leave online — browsing history, social media posts, purchases, and any interaction with digital services. Permanent and often difficult to erase completely.
⚖️
Right to be Forgotten (GDPR): Individuals can request permanent deletion of their personal data. The organisation has 30 days to comply unless there is a legal obligation to retain it (e.g. financial records for HMRC).
Environmental Impact
The Hidden Cost of Technology
1. Mining Raw Materials: Gold, copper, lithium, cobalt extracted from the earth. Non-renewable resources — once consumed, they cannot be replaced. Mining destroys ecosystems and pollutes water.
2. Manufacturing: Factories consume enormous energy (gas, coal). Cooling systems use millions of litres of water. Shipping components globally adds carbon footprint.
3. Use Phase: Continuous electricity consumption. Data centres globally consume ~1% of all electricity. Battery charging cycles degrade lithium — leading to replacement.
4. E-waste Disposal: 62 million tonnes globally per year. Contains toxic chemicals: lead, mercury, arsenic, cadmium. WEEE regulations require proper recycling.
5. Reprocessing: Recovery of valuable metals (gold, silver, copper) from e-waste. UK generates 1.6M tonnes annually. 23% of discarded electronics still work.
Reducing Environmental Impact
What Organisations Can Do
🌙
Auto power-off / Auto-sleep: Configure devices to power down after inactivity. Reduces electricity consumption during the 16+ hours devices would otherwise idle overnight.
📧
Electronic distribution: Sending documents by email or cloud link instead of printing. Reduces paper use (trees), toner (chemicals), and physical delivery (fuel).
♻️
WEEE compliance: Waste Electrical and Electronic Equipment directive requires proper recycling of old devices. Prevents toxic chemicals entering landfill or water supply.
🔋
Energy-efficient hardware: Modern devices with better energy ratings consume less power. Server virtualisation reduces physical hardware needed, cutting energy use significantly.
☁️
Cloud migration: Hyperscale data centres (AWS, Google, Azure) achieve efficiency levels (PUE) far superior to on-premise servers — better per-computation energy use.
Topic C2 · Legal & Ethical
Legislation & Equal Access

The Data Protection Act 2018 incorporates the EU GDPR into UK law. It governs how personal data must be collected, stored, processed, and protected. Eight principles bind every organisation handling personal data:

1. Processed Fairly & Lawfully: Organisations must have legitimate grounds for collecting data and not use it in ways people wouldn't reasonably expect.
2. Obtained for Specified Purposes: Data collected for one purpose cannot be repurposed. The purpose must be clear from the start.
3. Adequate, Relevant, Not Excessive: Only collect the minimum data necessary for the stated purpose — nothing more.
4. Accurate & Up to Date: Take reasonable steps to ensure accuracy. Outdated data must be corrected or deleted.
5. Not Kept Longer Than Necessary: Review retention periods. Securely delete data that is no longer needed for its purpose.
6. Processed Per Rights: Individuals can access their data, request corrections, and claim compensation for mishandling.
7. Appropriate Security: Technical and organisational measures must protect data. Breaches must be reported to ICO within 72 hours.
8. No Transfer Outside EEA Without Protection: Data cannot be sent to countries lacking adequate protection laws.
Equality Act 2010
Equal Access to Digital Services

Consolidates 116 pieces of legislation. Protects 9 protected characteristics: age, disability, gender, race, religion, sex, sexual orientation, pregnancy, gender reassignment.

In digital contexts, organisations must ensure websites, apps, and IT services are accessible to everyone. Professional guidelines: WCAG (Web Content Accessibility Guidelines) — four principles: Perceivable, Operable, Understandable, Robust (POUR).

Net Neutrality: The principle that all internet data should be treated equally by ISPs — no "fast lanes" for companies that pay more. Protects startups from being throttled by larger competitors. UK ISPs signed the Open Internet Code of Practice.
AUP — 6 Sections
Acceptable Use Policy Contents
🗺
Scope: Who is covered, which systems, which devices (including BYOD), effective dates.
💎
Assets: Tangible (hardware) and intangible (intellectual property, data) assets to be protected.
⚖️
Behaviours: What is acceptable (polite communication, strong passwords) and unacceptable (installing unauthorised software, sharing passwords).
👁
Monitoring: How employees are monitored — login times, websites visited, email content, keylogging. Must be disclosed in advance.
Sanctions: Graduated consequences — informal warning → formal warning → dismissal → legal action.
✍️
Agreement: Signed and dated by employee (and guardian if under 18) to make it legally binding.
Intellectual Property & CMA
Laws Protecting Ideas & Systems
Copyright
Automatically protects creative works (music, writing, images, software code) from unauthorised copying or distribution.
Patent
Exclusive rights for a specific invention or process. Prevents others from using or copying the invention for a set period.
Trademark
Legally registered brand identity (logo, name, symbol) preventing others from using confusingly similar marks.
CMA 1990
Computer Misuse Act 1990 — illegal to gain unauthorised access, make unauthorised modifications, or spread malware. Up to 10 years imprisonment.
Police & Justice Act 2006
Extended CMA — criminalises creating or possessing hacking tools, even if not yet used in an attack.
Quick Reference
Learning Aim C Keywords
Cookies
Small text files stored on devices to track activity, remember logins, and enable targeted ads.
Digital Footprint
Trail of data left behind when interacting with digital services — largely permanent.
Right to be Forgotten
GDPR right to request permanent deletion of personal data from an organisation's systems.
E-waste
Discarded electronics containing toxic materials — requires WEEE-compliant recycling.
WEEE
Waste Electrical and Electronic Equipment — regulations governing safe disposal of electronics.
Net Neutrality
Principle that all internet traffic must be treated equally — no paid fast lanes by ISPs.
WCAG
Web Content Accessibility Guidelines — Perceivable, Operable, Understandable, Robust (POUR).
DPA 2018 / GDPR
UK/EU data protection law — 8 principles, fines up to €20m or 4% of global turnover.
Copyright
Automatic protection of creative works from unauthorised copying or distribution.
Geo-data
Real-time geographical information from GPS showing a device's current location.
Equal Access
Everyone has equal ability to access digital services regardless of disability or background.
Plagiarism
Using someone else's intellectual property without proper acknowledgement or permission.
⚖️ Tasks — Learning Aim C
  1. Data ethics: A hospital shares anonymised patient data with a pharmaceutical company for drug research — without telling patients. (a) Is this legal under DPA 2018? (b) Is it ethical? Explain the difference between legal and ethical in this context.
  2. IP identification: For each situation, state which IP right applies: (a) A music app uses a band's song without permission; (b) A company copies a competitor's patented drug formula; (c) Another café uses the same logo as a famous coffee chain.
  3. Environment: A school buys 200 new laptops and discards the old ones in general waste bins. Identify TWO environmental issues and explain what the school should have done instead.
  4. AUP violation: An employee is caught accessing a competitor's database using credentials stolen via phishing. Identify which laws have been broken (be specific with act and year) and what sanctions the employee might face.
🔥 9-Mark Challenge: "Evaluate the importance of the Data Protection Act 2018 for individuals and organisations in an increasingly digital society." Write 3 BLT strands (individual rights, organisational responsibility, wider society) + a Therefore conclusion.
Exam Sharpener · 4 Marks
"Explain two ways an organisation can reduce the environmental impact of its use of digital technology." · 4 Marks
Action 1 (1)
Configure all devices with auto power-off schedules so systems shut down at the end of the working day automatically.
Explain (1)
This reduces electricity consumption during the 16+ hours devices would otherwise remain on idle — directly lowering the organisation's carbon footprint and energy bills.
Action 2 (1)
Send all old or broken hardware to a WEEE-certified recycling facility rather than general waste when replacing equipment.
Explain (1)
This prevents toxic chemicals (lead, mercury, arsenic) in circuit boards from entering landfill and contaminating groundwater, while allowing valuable metals like gold and copper to be recovered and reused.
PLAN
Learning Aim D · Planning & Communication

Forms of Notation &
Professional Communication

"A diagram is a language that everyone, regardless of spoken language, can read — if you follow the standard symbols."

Flowcharts · Data Flow Diagrams · Information Flow Diagrams · System Diagrams · Tables · Emails CC/BCC
D1
Use and interpret standard flowchart symbols — Terminator, Process, Decision, Input/Output
D2
Draw and read Data Flow Diagrams (DFD) and Information Flow Diagrams (IFD) using correct notation
D3
Communicate professionally through written documents, emails (CC/BCC), and well-structured tables
Topic D1 · Flowcharts
Standard Flowchart Symbols

Flowcharts use standard symbols so that anyone — regardless of language — can understand a process. Using the wrong shape loses marks in the exam. Each symbol has one specific purpose.

Terminator
Oval shape — marks the Start and End of a process. Every flowchart must have exactly one Start and one End terminator.
Process
Rectangle — represents an instruction, calculation, or task being performed. "Calculate total", "Update database", "Send email".
Decision
Diamond — represents a Yes/No or True/False choice. Two paths leave the diamond — one for each answer. Used for IF statements and loops.
Input / Output
Parallelogram — represents data entry by a user (input) or display of results (output). "Enter password", "Display total cost".
💡
Exam rule — arrows always have a direction. Draw arrows showing the flow direction. Lines without arrowheads lose marks. All paths from a Decision diamond must be labelled "Yes"/"No" or "True"/"False". Flowcharts flow TOP to BOTTOM normally — loops go back UP.
Topic D1 · DFD vs IFD
Data Flow & Information Flow Diagrams
Data Flow Diagram (DFD)
How Data Moves Through a System

Shows how data moves between entities, processes, and data stores within a specific digital system. Uses short data labels on arrows.

Entity (rectangle/square): External users, departments, or organisations that interact with the system — e.g. "Customer", "Supplier", "HMRC".
Process (circle/oval): The central system or process that receives, transforms, and outputs data — e.g. "Order Processing System".
Data Store (open rectangle labelled D or M): Where data is stored within the system. D = Digital, M = Manual. E.g. "D1 Customer Records".
Data Flow (arrow with label): Shows data moving between components. Labels are SHORT — "Order details", "Payment confirmation", "Stock level".
Information Flow Diagram (IFD)
How Information Moves Between People

Shows the exchange of detailed information between entities, people, or departments. Labels are more descriptive than a DFD.

👤
Entities shown as boxes or figures — individuals, departments, or external organisations. E.g. "Sales Manager", "Accounts Department", "Bank".
📄
Information flows shown as arrows with detailed labels — "Monthly sales report", "Invoice with payment terms", "Bank transfer confirmation".
🔄
Two-way flows — arrows in both directions show information going and responses returning. E.g. "Purchase order" → "Delivery confirmation" ←.
📊
Key difference from DFD: IFD focuses on PEOPLE and INFORMATION between them. DFD focuses on the SYSTEM and how DATA moves through it technically.
⚠️
Exam trap: In a DFD, entities CANNOT communicate directly with each other — all data must flow through a Process or Data Store. Entities connected directly = automatic mark loss.
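The DFD notation rules above (labelled data flows, data stores numbered with D or M, no arrow drawn directly between two entities) can be checked mechanically. The checker below is an added example, not part of the original guide; `Flow`, `check_dfd` and the sample diagram are hypothetical names and constructed data.

```python
import re
from dataclasses import dataclass

# Data store names start with D (digital) or M (manual) and a number: "D1 Customer Records".
STORE_ID = re.compile(r"^[DM]\d+\b")
KINDS = {"entity", "process", "store"}


@dataclass(frozen=True)
class Flow:
    source: str
    target: str
    label: str


def check_dfd(nodes, flows):
    """nodes maps component name -> kind; flows is a list of Flow.
    Returns one message per broken notation rule (empty list = clean)."""
    problems = []
    for name, kind in nodes.items():
        if kind not in KINDS:
            problems.append(f"{name}: unknown component type {kind!r}")
        elif kind == "store" and not STORE_ID.match(name):
            problems.append(f"{name}: data store needs a D/M number, e.g. 'D1 ...'")
    for f in flows:
        arrow = f"{f.source} -> {f.target}"
        unknown = [n for n in (f.source, f.target) if n not in nodes]
        if unknown:
            problems.append(f"{arrow}: flow touches undeclared component {unknown[0]!r}")
            continue
        if not f.label.strip():
            problems.append(f"{arrow}: data flow has no label")
        if nodes[f.source] == "entity" and nodes[f.target] == "entity":
            problems.append(f"{arrow}: entities connected directly")
    return problems


# Constructed sample diagram containing three deliberate mistakes.
SAMPLE_NODES = {
    "Customer": "entity",
    "Supplier": "entity",
    "Order Processing System": "process",
    "D1 Customer Records": "store",
    "Stock File": "store",  # mistake: no D/M number
}
SAMPLE_FLOWS = [
    Flow("Customer", "Order Processing System", "Order details"),
    Flow("Order Processing System", "D1 Customer Records", "Order details"),
    Flow("Order Processing System", "Customer", "Payment confirmation"),
    Flow("Customer", "Supplier", "Order"),  # mistake: entity to entity
    Flow("Stock File", "Order Processing System", ""),  # mistake: no label
]

if __name__ == "__main__":
    for line in check_dfd(SAMPLE_NODES, SAMPLE_FLOWS):
        print(line)
```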
Topic D1 · Written Communication
Professional Communication Standards
Email Features
CC, BCC & Professional Standards
CC (Carbon Copy)
Sends a copy to additional recipients — they can all see who else received it. Use to keep stakeholders informed on a project. All recipients can see each other's addresses.
BCC (Blind Carbon Copy)
Sends a copy but hides the recipient's address from everyone else. Use when emailing multiple clients — protects each client's email address (DPA 2018 compliance). The primary recipient cannot see who is BCC'd.
Subject line
Must clearly describe the email content — allows recipients to prioritise and locate emails later. Vague subjects ("Re: Re: Re:") are unprofessional and waste time.
Attachments
Reference in the body text. Consider file size — large attachments may be blocked. Use cloud links instead for large files.
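Why BCC protects client addresses while CC exposes them, shown as an added example that is not part of the original guide: the same newsletter is built once with clients in Cc and once in Bcc, then the delivered headers are audited for client addresses. The function names and all addresses are hypothetical, constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_mailing(sender, clients, team, subject, body, client_field="Bcc"):
    """Return (wire_bytes, envelope): the delivered bytes and the delivery list."""
    if client_field not in ("Bcc", "Cc"):
        raise ValueError("client_field must be 'Bcc' or 'Cc'")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the visible "To" is the sender's own address
    cc = list(team) + (list(clients) if client_field == "Cc" else [])
    if cc:
        msg["Cc"] = ", ".join(cc)
    if client_field == "Bcc" and clients:
        msg["Bcc"] = ", ".join(clients)
    msg["Subject"] = subject
    msg.set_content(body)

    envelope = [sender, *team, *clients]  # everyone still gets a copy
    # The Bcc header is dropped before the message is serialised, so the
    # client list exists only in the envelope given to the mail server.
    # smtplib's send_message() does the same thing.
    del msg["Bcc"]
    return msg.as_bytes(policy=policy.SMTP), envelope


def visible_addresses(wire_bytes):
    """Every address a recipient can read in the delivered headers."""
    msg = message_from_bytes(wire_bytes, policy=policy.default)
    seen = set()
    for name in ("From", "To", "Cc", "Bcc"):
        for header in msg.get_all(name, []):
            seen.update(a.addr_spec.lower() for a in header.addresses)
    return seen


def leaked_clients(wire_bytes, clients):
    """Client addresses exposed to other recipients (empty list = safe)."""
    return sorted(visible_addresses(wire_bytes) & {c.lower() for c in clients})


# Constructed sample data: three clients and one internal sales address.
CLIENTS = ["ana@client-a.example", "bo@client-b.example", "cy@client-c.example"]
TEAM = ["sales@shop.example"]

if __name__ == "__main__":
    for field in ("Cc", "Bcc"):
        wire, _ = build_mailing("manager@shop.example", CLIENTS, TEAM,
                                "Price changes", "Details inside.", field)
        print(field, "->", leaked_clients(wire, CLIENTS) or "no client address visible")
```

Running `leaked_clients` on the outgoing bytes before sending gives a simple pre-send check that no client address has slipped into a visible header.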
Tables
Presenting Data Clearly

Tables organise information for clear comparison and reference. Exam questions often ask you to create or interpret tables — follow these rules for full marks:

📌
Title: Clear, descriptive title above the table explaining what it shows.
🔤
Bold headings: Column and row headers in bold — identifies what each cell represents.
📏
Units: Include measurement units in column headers (e.g. "Price (£)", "Weight (kg)", "Speed (Mbps)").
↕️
Consistent formatting: All data in same format, proper alignment, borders for clarity. Numbers right-aligned, text left-aligned.
🚫
No merged cells in exam answers — keep simple. Aim for clarity over style in an exam context.
Written Reports & Policies
Professional Text Standards
✂️
Concise writing: Brief and to the point. Use short sentences. Avoid padding — every sentence should add value. Technical documents are not essays.
🎯
Audience-appropriate language: Technical jargon for IT professionals, plain English for non-technical stakeholders. Always know who you're writing for.
📑
Structure: Headings, sub-headings, numbered sections, bullet points for lists. Easy to navigate and reference.
📊
System diagrams: High-level maps showing hardware components, software systems, network connections, and how they interact. Used to plan and communicate IT infrastructure.
🔗
Synoptic link: LAD connects directly to Component 1 planning tools — Gantt charts, task lists, and work breakdown structures. The exam may ask you to draw a diagram AND explain how it fits into a project plan.
Quick Reference
Learning Aim D Keywords
Flowchart
Step-by-step process diagram using standard symbols — Terminator, Process, Decision, Input/Output.
DFD
Data Flow Diagram — shows how data moves between entities, processes, and data stores in a system.
IFD
Information Flow Diagram — shows detailed information exchanged between people and departments.
Entity
External user, department, or organisation that interacts with a system in a DFD.
Data Store
Where data is stored within a system — D for digital, M for manual, labelled with D1, D2 etc.
Terminator
Oval symbol marking the Start or End of a flowchart process.
Decision
Diamond symbol representing a Yes/No or True/False choice — splits into two paths.
CC
Carbon Copy — email feature sending a visible copy to additional recipients.
BCC
Blind Carbon Copy — hidden recipients, protects email addresses (DPA compliant).
Gantt Chart
Visual planning tool showing tasks, responsibilities, and deadlines on a timeline.
Standard Notation
Using prescribed, universally understood symbols so diagrams are technically accurate.
System Diagram
High-level map of hardware, software, and network connections in an IT infrastructure.
📐 Tasks — Learning Aim D
  1. Symbol test: Draw the correct flowchart symbol for each: (a) The start of a login process; (b) Checking if a password is correct; (c) Displaying "Access Granted" on screen; (d) Storing the login attempt in a log file.
  2. DFD creation: A school library has students, a librarian, a book database, and a reservation system. Draw a Level 0 DFD (Context Diagram) showing the system and its entities. Then draw a Level 1 DFD showing the internal processes.
  3. Email decision: A manager needs to email 50 clients about a price increase AND copy the sales team. Which feature is used for clients and which for the sales team? Explain your reasoning with specific reference to DPA 2018.
  4. DFD rules: A student's DFD has two entities (Customer and Supplier) with an arrow directly between them labelled "Order". Identify the error and draw the corrected version.
🔥 6-Mark Diagram Challenge: An online shop takes orders from customers, processes payments via a bank, updates a stock database, and sends delivery instructions to a courier. Draw a fully labelled DFD showing all entities, processes, data stores, and data flows with correct notation.
Exam Sharpener · 2 Marks
"A manager needs to email all 200 of the company's clients with a newsletter. Explain which email feature they should use and why." · 2 Marks
Feature (1)
The manager should use BCC (Blind Carbon Copy) to send the newsletter to all 200 clients simultaneously.
Why (1)
BCC hides each recipient's email address from all other recipients — meaning the 200 clients' addresses are not visible to each other, protecting their personal data in accordance with DPA 2018 (data should not be disclosed without consent).
Master the exam technique

Exam Mastery.

The BLT method — your secret weapon for 4–9 mark questions

The BLT Method — Point · Because · Leads To · Therefore
P
Point
State a clear, specific fact, feature, or benefit. One idea only — don't combine.
B
Because
Explain WHY this point is true or relevant. Use "because", "so that", "as it".
L
Leads To
Describe the IMPACT or outcome — what happens as a result. The business consequence.
T
Therefore
Final conclusion linking back to the specific organisation or scenario in the question.
WAGOLL example (6 marks): "One benefit is scalability (P), because the company only pays for the cloud storage it actually uses (B), which means storage capacity can increase automatically during busy periods without buying new hardware (L). Therefore, for a fast-growing e-commerce business, cloud scalability eliminates the risk of the system crashing during peak sales periods like Black Friday (T)."
1. State / Give (1–2 marks)
Recall specific facts. Keep it short — one precise sentence per mark. No paragraphs. "Encryption" is enough for the point mark. "Encryption scrambles data so unauthorised users cannot read it" secures the second.
2. Explain (2–4 marks)
One or two DISTINCT P+B pairs. Always use "so that" or "because" to connect the point to the reason. If two points are the same idea rephrased, you'll only score 2.
3. Discuss (6 marks)
Two BLT strands + a Therefore. Always name the organisation from the scenario in your conclusion. Generic answers cap at 4/6. Contextualised answers reach 6/6.
4. Evaluate (9 marks)
Three BLT strands + a Therefore that judges which factor is most important and why. Be the judge — "While X is important, Y is more critical for this organisation because..." Never sit on the fence.
Five Golden Rules.
Rule 1
Legal ≠ Ethical ≠ Acceptable. The exam loves to blur these. Always distinguish: something can be technically legal under DPA but still ethically wrong if users didn't genuinely understand what they consented to.
Rule 2
Name the act and the year. "DPA 2018", "CMA 1990", "Equality Act 2010", "Police & Justice Act 2006". A wrong year or vague reference like "the data law" loses marks instantly.
Rule 3
Link to the scenario. Every Discuss and Evaluate answer must reference the specific organisation named in the question. Replace generic examples with the given context.
Rule 4
Diagrams: use standard symbols. Wrong shape = mark lost. No arrowheads = mark lost. Decision diamond without Yes/No labels = mark lost. Entities connected directly in a DFD = mark lost.
Rule 5
AO4 questions need connections. The highest-mark questions test whether you can LINK ideas from across all four Learning Aims. A data breach involves LAB (security), LAC (DPA), and LAA (downtime/cloud implications).
AO Overview
AO1 — Know facts and terms · AO2 — Understand concepts · AO3 — Apply to scenarios · AO4 — Connect across the whole component. Higher marks always require AO3 and AO4.