Week 1 T&L Activities:

 

4.1 Legislation

4.1.1 Understand the key points and implications to employers of the relevant health and safety legislation:

Health and Safety at Work Act:

The health and safety at work regulations currently in place within the UK are held in high regard globally, to the point that other countries use this legislation as a benchmark for their own.

The regulation was created in 1974 as a result of a significant amount of harm and death suffered by employees while undertaking their work roles and responsibilities. The government established a group of people, chaired by Lord Robens, to create a report on safety and health at work. Lord Robens was tasked with creating legislation that fit all business types regardless of size, from the self-employed to large organisations.

 

o key points:

– provide a safe working environment

– ensure staff are properly trained

– adequate welfare provision

– provide relevant information, instruction and supervision

You have been tasked with creating an engaging activity for 16-18 year olds on the Health and Safety at Work etc Act 1974, specifically linked to the digital support services sector. This activity should last 10-15 minutes and involve both a learning element and interactive participation.
Your activity can be created in any type of application that enables interactivity; this could be Scratch, Construct 3, Wayfinder, Kahoot, GimKit or any other. It needs to be fun and entertaining for the target audience. Examples of previous student work can be seen using the link below.
The Health Inspector on Scratch

You have been tasked with creating an informative presentation that includes examples and case studies of the Health and Safety at Work Act.

Activity Title: Ensuring Safety in the Digital Support Workspace

Objective:
By the end of the activity, you will understand key aspects of the Health and Safety at Work etc Act 1974 and how they apply to the digital support services sector. You will explore real-world examples from a well-known organisation and propose solutions to common safety challenges.

Materials Needed:
    •    Access to a computer or tablet with internet for research
    •    Whiteboard or flipchart for note-taking (optional for classroom setting)
    •    Handouts summarising the Health and Safety at Work etc Act 1974 (optional)

Step-by-Step Activity Plan:
 
   1.    Introduction (5 minutes)
Briefly explain the key points of the Health and Safety at Work etc Act 1974, focusing on its relevance to the digital support services sector. Highlight the importance of both physical safety (e.g., ergonomic workspaces) and mental health (e.g., managing stress in a high-demand environment).
Example:
“The Act is designed to ensure that employers provide a safe working environment for their employees. In digital support services, this can include everything from making sure workers have the right equipment to prevent injuries, to ensuring their mental health is supported during busy periods.”

    2.    Group Research (10 minutes)
Split into small groups and research how a well-known organisation, such as Google, applies health and safety measures within its digital support teams. Focus on aspects such as:
    •    Ergonomics (adjustable desks, chairs, screen positioning)
    •    Mental health support (stress management, mental health days)
    •    Work-from-home health policies (safe home office setup, guidance on screen time)
    •    Emergency procedures (fire drills, reporting unsafe working conditions)
Each group should use available resources (e.g., company blogs, news articles, or health and safety documentation) to identify 2-3 safety measures that Google has implemented.
   
3.    Group Presentations (5-10 minutes)
After the research phase, each group will present their findings, focusing on how these health and safety measures align with the Health and Safety at Work etc Act 1974.
Example Presentation:
“Google has implemented several health and safety measures that align with the 1974 Act. They provide adjustable workstations to prevent physical strain, offer counselling services to employees, and ensure that staff working remotely are supported with proper ergonomic advice.”

    4.    Interactive Discussion (5-10 minutes)
As a group, discuss what additional ways digital support teams can improve health and safety practices. Focus your conversation on areas like managing prolonged screen time, dealing with high-stress situations, and ensuring safety for remote workers.
Example Question:
“If you were managing a digital support team at Google, what other safety measures would you put in place to ensure your team’s well-being?”

    5.    Conclusion (2-5 minutes)
Summarise the key points discussed, emphasising how the Health and Safety at Work etc Act 1974 protects employees in the digital support services sector. Reinforce the importance of both physical and mental health in the workplace, and think about these issues as you enter your future career.

By engaging in this activity, you will have applied theoretical knowledge of the Health and Safety at Work etc Act 1974 to real-world examples from a major organisation, thinking critically about health and safety in a sector you may enter in the future.

Manual handling operations:

o key points:

– avoid hazardous manual handling operations as far as possible

– assess any hazardous manual handling operations

– provide information on load and centre of gravity

– reduce the risk of injury so far as is reasonably practicable

Work at height regulations:

The Work at Height Regulations 2005 play a very important part in the installation of network infrastructure, such as placing network access points (APs), Wi-Fi hubs and physical network cabling. These elements of a network can be located in ceilings and overhead gantries that must be accessed using ladders and, in some situations, scissor lifts called cherry pickers. As a result, the legislation is designed to ensure that employees are protected when undertaking any activities associated with accessing this equipment. The legislation requires every employer to ensure appropriate precautions are in place to reduce any possible injury, such as falling from height.

The legislation and regulations ensure that the employer understands their duty to protect employees by:

Ensuring that the equipment they are using or provided with is suitable for the job being undertaken, that it is strong enough for the task in hand, and that it is regularly checked for integrity and maintenance.

Appropriate training has been provided to ensure that the employees don't act in a way that could lead to harm to them or others, such as overreaching.

Providing employees and members of the public with protection that reduces the risk of their being hit by falling materials.

Identifying Work at Height Risks in a Digital Support Environment

Objective:
You will develop an understanding of the Work at Height Regulations 2005 and apply them in the context of digital support services, specifically in identifying risks when dealing with cabling, server racks, and other equipment maintenance that may involve working at height.

Duration: 10-15 minutes

Materials Needed:
    •    Notepad or digital device for note-taking
    •    Floor plan or basic map of the educational environment (optional)

Instructions:
    1.    Introduction (2 minutes):
You will be briefly introduced to the Work at Height Regulations 2005, which are laws designed to prevent injuries and accidents when working at height. Examples could include accessing high server racks, cable installations, or fixing projectors.
    2.    Task Explanation (3 minutes):
You will be tasked with identifying potential risks associated with working at height within your current educational environment (e.g., IT support office, classroom, or server room). You will leave the classroom and observe locations where digital equipment maintenance may require working at height.
    3.    Activity (5 minutes):
You will walk around the educational environment and find at least two locations where work at height might occur. Consider:
    •    Where a ladder or steps would be needed (e.g., adjusting a ceiling-mounted projector, accessing cabling on high walls or ceiling panels).
    •    Whether there are secure, safe means to access the area.
    •    Any hazards like unstable surfaces, improper equipment, or inadequate protective measures.
    4.    Example Scenario:
You might observe the server room, where the top shelf of a rack is used for critical hardware. You should note that reaching this level requires the use of steps or a ladder, and you should evaluate whether proper equipment is in place to access the height safely (e.g., if the ladder is sturdy, if there are railings, and if the space is clear of obstructions).
    5.    Reflection & Discussion (5 minutes):
Once you return, you will share your observations. You will describe one risk you identified and suggest how it could be mitigated in line with the Work at Height Regulations 2005 (e.g., use of secure ladders, ensuring no tripping hazards below the workspace, using harnesses if necessary).

Expected Output Example:
You might report:
“In the server room, the top shelf of the rack requires a ladder to reach. The ladder present was sturdy but positioned on uneven flooring, which could cause instability. To comply with the Work at Height Regulations 2005, the ladder should be moved to a flat surface or a platform should be used to ensure stability before accessing the top shelf.”

This activity should encourage you to recognise the importance of safety when working at height in digital support roles and to think critically about how to mitigate risks in your surroundings.

o key points:

– make sure the work is properly planned, supervised and carried out by competent people

– do as much work as possible from the ground

– ensure workers can get safely to and from where they work at height

– ensure equipment is suitable, stable and strong enough for the job

– provide protection from falling objects

– consider emergency evacuation rescue procedures

 

Display screen equipment:

o implications to employers:

– conduct a display screen equipment workstation assessment

– reduce risks including making sure workers take breaks from display screen equipment work

– provide an eye test if an employee asks for one

– provide training and information for employees.

Have you ever had neck pain after a long gaming session or after doing work on a computer, or found that your eyes have become tired and sore after looking at screens all day? This is where the Health and Safety (Display Screen Equipment) Regulations 1992 come in. This regulation is designed to protect users who continually use display screens for a long period.
 

Some of the key principles of the regulations to keep you safe when using computers, laptops, and tablets for extended periods are:

  • Adequate Training: Just like learning the controls in a game, employers need to train staff on using screens safely. This could involve learning proper posture, taking breaks, and adjusting screen settings to avoid eye strain.

  • Adequate Welfare Provision: Imagine getting a health boost after defeating a boss! Employers need to provide breaks for staff to move around, stretch, and rest their eyes. This could be short breaks every hour or longer breaks throughout the day.

  • Safe Working Environment: Wouldn't it be annoying to fight enemies in a dark, cramped cave? Similarly, the regulations ensure a safe working environment for screen users. This includes proper lighting, comfortable seating, and avoiding glare on the screen. Imagine a well-lit gaming setup with an ergonomic chair – that's what they're aiming for!
     

     

  • Suitable Information, Instruction & Supervision: Every good game has a handy guide, right? Employers need to provide staff with clear information on how to use screens safely. This could be posters, online resources, or even talks from health and safety experts. IT support can also play a role by helping set up screens and suggesting ergonomic adjustments.

5-Minute Challenge: In pairs, assess your computer setup for 5 minutes. Here's what to check:
Posture: Are you sitting up straight with your back supported?  
Screen Distance: Is the screen an arm's length away? 
Lighting: Is there any glare on the screen? 
Breaks: Do you take breaks to move around and rest your eyes?

Discuss any improvements you can make and how you can work with your tutor to create a screen-safe environment.

Now that you have reflected on your own work areas, use the government checklist (provided using the button below) to see what is expected of an employer for their employees.
Display screen equipment (DSE) workstation checklist

Create a poster that uses terminology and images that a 16 year old might use to inform them of the DSE legislation of 1992. Using images in your poster will support your information and explanations; ensure that any images are referenced and attributed.

4.1.2 Understand the health and safety risks and preventative measures of working with digital systems:

Possible risks

Using display screen equipment

Musculoskeletal Disorders (MSDs): Poor posture and a poorly designed workstation can cause pain and disorders in the neck, shoulders, back, arms, wrists, and hands. This includes conditions such as repetitive strain injury (RSI).

Eye Strain and Visual Problems: Extended screen use can cause tired eyes, discomfort, temporary blurred vision, dry eyes, and headaches, a condition known as Computer Vision Syndrome (CVS). It does not cause permanent eye damage but can highlight pre-existing vision problems.

Fatigue and Stress: Long periods of static work, intense concentration, or poorly designed software/work organisation can lead to general physical and mental fatigue, and stress.

 

Working at heights

Falls from height: Distraction caused by looking at a screen or interacting with a digital device (tablet, phone, laptop) can lead to a loss of balance, misstep, or a failure to notice an edge or opening, resulting in a fall.

Falling objects: Digital devices and their accessories (batteries, styluses) can be dropped, posing a serious injury risk to people and damage to equipment below.

Manual handling issues: Carrying digital devices, especially with accessories (stands, spare batteries, etc.), to and from elevated work areas can increase manual handling strain, particularly if safe access is limited.

 

Cable installation (ground level, onto walls)

Electric Shock and Burns: The primary hazard from contact with live wires or damaged cables, which can cause severe injury or death.

Arc Flash and Explosions: Damage to underground or in-wall cables can cause an explosion and intense flash, leading to severe burns.

Slips, Trips, and Falls: Trailing cables at ground level are a significant tripping hazard in the workplace, leading to potential injuries, in addition to the risks of working at any height on a ladder.

Mechanical Damage: Cables are vulnerable to damage from sharp objects, crushing, or excessive pulling/bending during installation, which can compromise their integrity and create electrical or fire hazards.

Fire Hazards: Faulty wiring, overloaded circuits, or damaged equipment can lead to fires.

Ergonomic Risks: Improper manual handling of heavy cable spools can lead to musculoskeletal injuries.

Eye Injuries: Fiber optic cables pose a risk of eye injury from the light they carry, requiring appropriate eye protection. 

 

Manual handling

Musculoskeletal Disorders (MSDs): The primary risk is developing MSDs, which include pain and disorders in the neck, shoulders, back, arms, wrists, and hands.

Work-Related Upper Limb Disorders (WRULDs) / Repetitive Strain Injury (RSI): Prolonged, uninterrupted work with a keyboard and mouse, or use of handheld devices (like PDAs and smartphones) with poor posture, can lead to these overuse injuries.

Back Pain: Incorrect seating, inadequate back support, and improper lifting techniques are major causes of chronic back pain.

Fatigue: Maintaining the same position for extended periods, or working with excessive workloads, can cause muscle fatigue and strain.

Injuries from Transporting Equipment: Carrying heavy or unbalanced loads (e.g., a laptop in a single-shoulder bag) can strain muscles and joints.

Accidents: Obstructions in the work area, poor lighting, or unstable flooring when moving equipment can lead to trips, slips, and falls. 

Health and safety requirements

 

Methods of mitigating risk:

Adequate training

For any organisation, it is vital to ensure that the workforce has the appropriate training, skills, and knowledge to carry out their duties and responsibilities effectively, competently, and most importantly, safely. Adequate training helps to reduce the risk of human error, ensures compliance with organisational policies and legal requirements, and supports a consistent standard of working practice across the organisation.

Many organisations now utilise e-learning platforms as a primary method of delivering training and sharing essential knowledge with employees. E-learning enables staff to access training materials at a time and pace that suits their individual learning needs, promoting flexibility and inclusivity within the workforce. In addition, digital training platforms allow organisations to deliver consistent, up-to-date content, track learner progress, and maintain accurate records of completed training for audit and compliance purposes. This approach not only supports ongoing professional development but also contributes to improved efficiency, reduced training costs, and a safer working environment.

Safe working environment

 

Suitable provision of relevant safety equipment

 

Safe working practices

 

Suitable provision of relevant information, instruction and supervision.

 

4.1.3 Understand Data Security and Protection legislation, including their effect on organisations and individuals:

Data Protection Act/General Data Protection Regulations:

Purpose of legislation

Data protection legislation sets out clear rules that govern how organisations collect, use, store, share, and dispose of personal information. This applies to a wide range of organisations, including private businesses, public sector bodies, and government departments. The legislation is designed to ensure that personal data is handled lawfully, fairly, and securely, protecting individuals from misuse, unauthorised access, and excessive data collection, while also giving people greater control over how their information is processed and shared.

Eight principles.

1. Lawfulness, Fairness and Transparency

Personal data must be processed:

  • Lawfully – there must be a valid legal basis (e.g. consent, contract, legal obligation)

  • Fairly – data must not be used in ways that would surprise or disadvantage the individual

  • Transparently – individuals must be informed about how their data is used (usually via a privacy notice)

Example (Digital Support):
A college must clearly explain to students why it collects attendance data and how long it will be kept.

 

2. Purpose Limitation

Personal data must be:

  • Collected for specific, explicit, and legitimate purposes

  • Not reused for unrelated purposes without further consent or legal justification

Example:
Customer contact details collected for IT support tickets must not later be used for marketing unless permission is given.

 

3. Data Minimisation

Only data that is:

  • Adequate

  • Relevant

  • Limited to what is necessary

should be collected.

Example:
A helpdesk form should not ask for a user’s home address if email support is sufficient.

 

4. Accuracy

Personal data must be:

  • Accurate

  • Kept up to date

  • Corrected or deleted promptly if incorrect

Example:
An asset register must be updated when devices are reassigned to different users.

 

5. Storage Limitation

Data must:

  • Not be kept longer than necessary

  • Have defined retention periods

Example:
Old support tickets containing personal data should be securely deleted after the organisation’s retention period expires.

 

6. Integrity and Confidentiality (Security)

Personal data must be processed securely, protecting it from:

  • Unauthorised access

  • Accidental loss

  • Destruction or damage

This includes technical and organisational security measures.

Examples:

  • Strong passwords and multi-factor authentication

  • Encryption of laptops and backups

  • Role-based access control (RBAC)

 

7. Accountability

Organisations must:

  • Take responsibility for complying with the principles

  • Demonstrate compliance through documentation and policies

Examples:

  • Staff training records

  • Data protection policies

  • Incident response procedures

 

8. Rights of the Data Subject

Individuals have rights over their personal data, including:

  • Right to access

  • Right to rectification

  • Right to erasure (“right to be forgotten”)

  • Right to restrict processing

  • Right to data portability

  • Right to object

Example:
A user can request a copy of all personal data held about them by an IT service provider.

4.1.4 Understand Computer Misuse legislation:

The Computer Misuse Act was introduced in 1990; however, it was partially introduced in 1988 in response to a legal case titled "R v Gold & Schifreen (1988)", where a journalist hacker broke into the then Duke of Edinburgh’s (Prince Philip) email account. Once the general public became aware of the situation, there was an outcry that uncovered the fact that no law existed against computer hacking. As a result, the legislation was partially created and released in 1988, followed 2 years later by the full release.

 

How easy is it to get caught out? 

Reflect on your own use of digital devices. Have you experienced this?

 

Section 1
Description: Unauthorized access to computer material
Maximum Prison Term: Up to 2 years
Maximum Fine: Unlimited fine
Example: Hacking into someone’s email account
Hyperlink to Section: https://www.legislation.gov.uk/ukpga/1990/18/section/1

Section 2
Description: Unauthorized access with intent to commit or facilitate commission of further offenses
Maximum Prison Term: Up to 10 years
Maximum Fine: Unlimited fine
Example: Breaking into a computer system to steal data
Hyperlink to Section: https://www.legislation.gov.uk/ukpga/1990/18/section/2

Section 3
Description: Unauthorized acts with intent to impair the operation of a computer
Maximum Prison Term: Up to 14 years
Maximum Fine: Unlimited fine
Example: Launching a cyberattack to disrupt a network
Hyperlink to Section: https://www.legislation.gov.uk/ukpga/1990/18/section/3

 

The principles of the Computer Misuse Act (CMA) 1990

Key aspects of the Act governing unauthorised access include:

Prohibition of Unauthorised Access: The Act clearly defines unauthorised access as accessing computer systems, programs, or data without proper authorisation. This includes bypassing security measures or accessing areas of a computer system beyond one's authorised privileges.

 

Protection of Data: The legislation aims to protect the confidentiality, integrity, and availability of data by preventing unauthorised access. This helps safeguard sensitive information from being accessed, modified, or deleted without proper authorisation.

Scope: The legislation applies to unauthorised access to any computer system, whether it's owned by individuals, businesses, or the government. It covers a wide range of devices and networks, including computers, servers, and online platforms.

• consequences for company and employee

Penalties: The Act establishes penalties for unauthorized access, including fines and imprisonment, depending on the severity of the offense. For example, accessing a computer system without authorisation with the intent to commit further offenses carries a maximum penalty of up to 2 years in prison and/or a fine.

• employee awareness

• types of crimes covered by legislation.

Secure Your Digital Vault

Objective: Understand the importance of authorization and security in compliance with the Computer Misuse Act 1990.

Materials Needed:
    •    Personal computer or laptop
    •    Internet connection
    •    Basic understanding of computer operations

Steps:
1 - Introduction to the Act: Explain what the Computer Misuse Act 1990 is and why it's important for protecting digital information.

2 - Create a Digital Vault: Create a digital vault on a computer using encryption software. This could be a folder where you store sensitive files such as passwords, personal documents, or financial records.
3 - Set Authorization Levels: Set up authorisation levels for accessing the digital vault. This could involve creating a strong password or using biometric authentication if available.
4 - Test Authorisation: Demonstrate the importance of proper authorisation by attempting to access the digital vault without permission. Discuss why this would be illegal under the Computer Misuse Act 1990.
5 - Implement Security Measures: Implement additional security measures such as firewall protection, antivirus software, and regular software updates to further protect the digital vault from unauthorised access.
6 - Discuss Legal Implications: Discuss the potential legal implications of unauthorised access under the Computer Misuse Act 1990. Emphasize the importance of staying within the bounds of the law and respecting others' digital privacy.
7 - Reflection: Reflect on what has been learnt. Think about how you can apply these principles to safeguard your digital information and promote ethical behavior in your IT practices.

This activity provides a practical, hands-on approach for you to understand the concept of unauthorised access and the importance of authorisation and security measures in compliance with the Computer Misuse Act 1990. It also encourages you to think critically about digital ethics and responsible behavior in handling sensitive information.
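
Steps 3 and 4 of the activity (set authorisation levels, then test them) can be tried out with the added example below, which is not part of the original course material. It models the vault's access check only, not the encryption software: the names Vault, LEVELS and MAX_FAILURES, the two access levels and the sample users and passwords are all assumptions made up for the exercise.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000   # assumed work factor for this example
MAX_FAILURES = 3          # assumed lockout threshold

# Assumed authorisation levels: the actions each level may perform.
LEVELS = {"owner": {"read", "write"}, "viewer": {"read"}}
_DUMMY_SALT = os.urandom(16)


def derive(password: str, salt: bytes) -> bytes:
    """Turn a password into a slow, salted verifier (never store the password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ROUNDS)


@dataclass
class Account:
    level: str
    salt: bytes
    verifier: bytes
    failures: int = 0


@dataclass
class Vault:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _decide(self, user, action, allowed, reason):
        # Every decision is recorded, so denied attempts can be reviewed later.
        self.audit_log.append({"user": user, "action": action,
                               "allowed": allowed, "reason": reason})
        return allowed, reason

    def enrol(self, user: str, password: str, level: str) -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown level: {level}")
        salt = os.urandom(16)
        self.accounts[user] = Account(level, salt, derive(password, salt))

    def request(self, user: str, password: str, action: str):
        """Return (allowed, reason) for one attempt to use the vault."""
        account = self.accounts.get(user)
        if account is None:
            derive(password, _DUMMY_SALT)  # same work as for a real user
            return self._decide(user, action, False, "unknown user")
        if account.failures >= MAX_FAILURES:
            return self._decide(user, action, False, "locked out")
        candidate = derive(password, account.salt)
        if not hmac.compare_digest(candidate, account.verifier):
            account.failures += 1
            return self._decide(user, action, False, "bad password")
        account.failures = 0
        if action not in LEVELS[account.level]:
            # Authenticated, but acting beyond the authorised privileges.
            return self._decide(user, action, False,
                                "level does not permit action")
        return self._decide(user, action, True, "ok")


if __name__ == "__main__":
    vault = Vault()
    # Constructed sample users and passwords.
    vault.enrol("alice", "correct horse battery staple", "owner")
    vault.enrol("bob", "viewer-pass-123", "viewer")
    print(vault.request("alice", "correct horse battery staple", "write"))
    print(vault.request("bob", "viewer-pass-123", "write"))
    for guess in ("123456", "password", "letmein", "qwerty"):
        print(vault.request("alice", guess, "read"))
    for entry in vault.audit_log:
        print(entry)
```

The audit log is the part to discuss in step 6: it shows which attempts were made without permission and why each was refused.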


Week 2 T&L Activities:

 

4.1.5 Understand Equality legislation:

The nine protected characteristics

The Equality Act of 2010 was brought about by the amalgamation of a number of anti-discrimination laws and legislation in 2010. The Act identifies nine principles and characteristics that are protected. These are:

1. Age

Protection against discrimination based on a person’s age or age group (young or old) means that individuals must be treated fairly and equally regardless of how old they are, whether they are younger or older than the average person in a particular setting. Under UK equality legislation, it is unlawful to disadvantage someone simply because of assumptions, stereotypes, or generalisations linked to their age.

This protection applies across employment, education, training, and the provision of goods and services. Decisions such as recruitment, promotion, access to training, pay, redundancy selection, and dismissal must be based on ability, competence, experience, and performance, not age.

Age discrimination can take several forms:

  • Direct discrimination - treating someone less favourably because of their age (e.g. refusing to hire someone because they are “too young” or “too old”).

  • Indirect discrimination - applying policies that disadvantage a particular age group without a valid justification (e.g. requiring a set number of years’ experience that is unnecessary for the role).

  • Harassment - age-related jokes, comments, or behaviour that create an intimidating or offensive environment.

  • Victimisation - treating someone unfairly because they have complained about age discrimination or supported someone else’s complaint.

In practice, this means employers and organisations must:

  • Use age-neutral language in job advertisements and policies.

  • Offer equal access to training and development, regardless of age.

  • Avoid assumptions such as younger people being unreliable or older people being resistant to change.

  • Ensure performance management and redundancy decisions are objective and evidence-based.

Failure to uphold age protection can lead to employment tribunal claims, compensation awards, reputational damage, and loss of skilled or experienced individuals, all of which can negatively affect organisational performance and workplace culture.

In practice (compliant)

  • A company advertises roles using skills and experience, not age-related language.

  • Training opportunities are offered equally to apprentices, early-career staff, and older employees.

Not followed (non-compliant)

  • A job advert states “ideal for a young, energetic graduate”.

  • Older workers are excluded from training because they are “nearing retirement”.

Consequences for organisations

  • Employment tribunal claims

  • Compensation awards

  • Reputational damage and negative publicity

  • Loss of experienced staff

 

2. Disability

The legal definition of a disability under UK equality legislation is a physical or mental impairment that has a substantial and long-term negative effect on day-to-day activities. This protection ensures that individuals are not treated less favourably because of a disability and are supported to participate fully in work, education, and society.

A condition is considered a disability when:

  • Physical or mental - it may affect the body (e.g. mobility, sight, hearing) or mental health (e.g. anxiety disorders, depression).

  • Substantial - the effect is more than minor or trivial.

  • Long-term - the condition has lasted, or is expected to last, 12 months or more.

  • Day-to-day activities - it impacts normal activities such as walking, concentrating, reading, communicating, or using IT systems.

This protection covers both visible and non-visible (hidden) disabilities, including conditions such as dyslexia, autism, diabetes, epilepsy, and long-term mental health conditions.

Disability discrimination can occur in several ways:

  • Direct discrimination - treating someone unfairly because of their disability.

  • Indirect discrimination - applying policies that disadvantage disabled people (e.g. rigid working hours).

  • Discrimination arising from disability - treating someone unfairly because of something connected to their disability (e.g. disability-related absence).

  • Harassment and victimisation - creating a hostile environment or penalising someone for raising concerns.

In practice, organisations have a legal duty to make reasonable adjustments to remove barriers that disadvantage disabled individuals. This may include:

  • Providing specialist equipment or assistive technology.

  • Adjusting working hours or duties.

  • Offering alternative assessment or communication methods.

  • Making physical changes to buildings or workspaces.

Failure to support disabled individuals or make reasonable adjustments can result in employment tribunal claims, significant financial compensation, enforcement action by regulators, and serious reputational damage. Organisations that proactively support disability inclusion benefit from improved staff wellbeing, higher retention, and a more diverse and effective workforce.

 

In practice (compliant)

  • Providing reasonable adjustments, such as:

    • Screen readers for visually impaired staff

    • Flexible working hours

    • Modified duties or equipment

Not followed (non-compliant)

  • Refusing to adjust a workstation for an employee with chronic pain.

  • Dismissing performance issues without considering disability-related needs.

Consequences for organisations

  • Legal action for failure to make reasonable adjustments

  • Costly settlements

  • Enforcement action by the Equality and Human Rights Commission (EHRC)

 

3. Gender Reassignment

Protection for people who are transitioning, have transitioned, or identify as transgender means that individuals must not be discriminated against because of their gender reassignment status. Under UK equality legislation, a person is protected if they are proposing to undergo, are undergoing, or have undergone a process to reassign their sex, and this protection applies regardless of whether medical treatment or surgery is involved.

This protection recognises that gender reassignment is a deeply personal process and that individuals have the right to be treated with dignity, respect, and privacy in all areas of life, including employment, education, and access to services.

Discrimination related to gender reassignment can take several forms:

  • Direct discrimination - treating someone less favourably because they are transgender (e.g. refusing promotion due to their transition).

  • Indirect discrimination - policies or practices that disadvantage trans people without justification (e.g. inflexible dress codes).

  • Harassment - unwanted conduct such as jokes, intrusive questions, or deliberate misuse of names or pronouns.

  • Victimisation - treating someone unfairly because they have raised concerns or supported others regarding trans rights.

In practice, organisations are expected to:

  • Respect an individual’s chosen name, title, and pronouns.

  • Update records confidentially and accurately.

  • Ensure access to appropriate facilities, such as toilets or changing areas.

  • Maintain strict confidentiality about a person’s gender history.

Failure to uphold protections for transgender individuals can result in legal claims, compensation awards, and significant reputational damage. It can also lead to a toxic workplace culture, reduced staff wellbeing, and higher turnover. Organisations that actively support gender identity inclusion benefit from stronger trust, improved morale, and a more inclusive and respectful environment for all.

In practice (compliant)

  • Respecting chosen names and pronouns.

  • Updating HR records confidentially and appropriately.

  • Allowing access to correct toilets and facilities.

Not followed (non-compliant)

  • Deliberate misgendering by managers.

  • Excluding a trans employee from customer-facing roles.

Consequences for organisations

  • Discrimination and harassment claims

  • Severe reputational harm

  • Loss of trust among staff and customers

 

 

4. Marriage and Civil Partnership

Protection for people who are married or in a civil partnership (employment-related only) means that employees and job applicants must not be treated less favourably because they are legally married or in a civil partnership. Under UK equality legislation, this protection applies specifically within employment and workplace contexts, such as recruitment, promotion, pay, training, and dismissal.

This characteristic recognises that an individual’s legal relationship status should have no bearing on their ability to perform a role or access workplace opportunities. It applies equally to opposite-sex marriages and same-sex civil partnerships.

Discrimination related to marriage or civil partnership may include:

  • Direct discrimination - treating someone unfairly because they are married or in a civil partnership (e.g. overlooking them for promotion due to assumptions about family commitments).

  • Indirect discrimination - applying workplace policies that disadvantage married or civil-partnered employees without objective justification.

  • Victimisation - treating someone unfavourably because they have raised concerns or supported a complaint related to this protection.

In practice, employers must:

  • Ensure recruitment and promotion decisions are based on merit, skills, and performance, not marital status.

  • Provide equal access to workplace benefits, training, and development opportunities.

  • Avoid assumptions that married employees are less flexible or more distracted by personal responsibilities.

  • Treat civil partnerships with the same respect and recognition as marriage.

Failure to comply with this protection can result in employment tribunal claims, financial compensation, and damage to organisational reputation. It can also negatively affect staff morale and trust. Organisations that apply fair and inclusive practices create a more respectful working environment and benefit from higher employee engagement and retention.

In practice (compliant)

  • Equal access to benefits, promotions, and training regardless of marital status.

Not followed (non-compliant)

  • Assuming married employees are less flexible.

  • Denying opportunities to staff in civil partnerships.

Consequences for organisations

  • Tribunal claims

  • Breach of employment law

  • Damage to workplace morale

 

5. Pregnancy and Maternity

Protection during pregnancy and maternity leave means that individuals must not be treated unfairly because they are pregnant, have recently given birth, or are on maternity leave. Under UK equality legislation, pregnancy and maternity is a protected characteristic that ensures individuals are supported during this period and are able to return to work without disadvantage.

This protection applies from the start of pregnancy through to the end of statutory maternity leave and covers all aspects of employment, including recruitment, pay, promotion, training, redundancy, and dismissal.

Discrimination related to pregnancy and maternity can include:

  • Direct discrimination - treating someone less favourably because they are pregnant or on maternity leave (e.g. refusing promotion or dismissing them due to pregnancy).

  • Unfair dismissal - terminating employment for reasons connected to pregnancy or maternity.

  • Detriment - placing someone at a disadvantage, such as removing responsibilities or excluding them from opportunities.

In practice, employers are required to:

  • Carry out pregnancy risk assessments to protect health and safety.

  • Allow time off for antenatal appointments.

  • Provide statutory maternity leave and pay in line with the law.

  • Ensure employees can return to the same job, or a suitable alternative, after maternity leave.

  • Support flexible working requests where appropriate.

Failure to uphold pregnancy and maternity protections can lead to automatic unfair dismissal claims, significant financial compensation, and serious reputational damage. It can also undermine workplace trust and staff wellbeing. Organisations that actively support pregnant employees and new parents benefit from higher staff retention, improved morale, and a positive organisational culture.

In practice (compliant)

  • Conducting pregnancy risk assessments.

  • Allowing maternity leave and flexible return-to-work arrangements.

Not followed (non-compliant)

  • Dismissing an employee due to pregnancy.

  • Penalising absence related to maternity.

Consequences for organisations

  • Automatic unfair dismissal claims

  • High compensation payouts

  • Regulatory scrutiny

 

6. Race

Race, which includes colour, nationality, and ethnic or national origin, is a protected characteristic under UK equality legislation. This protection ensures that individuals are not discriminated against, harassed, or victimised because of their racial background or heritage, and that everyone is treated fairly and with respect.

Race protection covers a wide range of characteristics, including:

  • Colour - skin colour or complexion.

  • Nationality - citizenship or legal national status.

  • Ethnic origin - shared cultural traditions, language, or ancestry.

  • National origin - country or region where a person was born or has family roots.

This protection applies across employment, education, housing, healthcare, and access to goods and services.

Race discrimination can take several forms:

  • Direct discrimination - treating someone less favourably because of their race (e.g. refusing to hire someone due to their accent or skin colour).

  • Indirect discrimination - policies that disadvantage certain racial groups without objective justification (e.g. recruitment practices that favour only local qualifications when equivalents exist).

  • Harassment - racist language, jokes, stereotyping, or exclusion.

  • Victimisation - penalising someone for reporting or supporting a complaint about racial discrimination.

In practice, organisations are expected to:

  • Implement fair and transparent recruitment and promotion processes.

  • Provide equality and diversity training to staff.

  • Challenge racist behaviour immediately and effectively.

  • Monitor policies and outcomes to identify and address racial inequality.

Failure to comply with race protection can result in serious legal consequences, including employment tribunal claims, large compensation awards, and intervention by regulatory bodies. It can also cause significant reputational damage, loss of public confidence, and reduced staff morale. Organisations that actively promote racial equality benefit from a more inclusive culture, improved decision-making, and stronger relationships with employees and service users.

In practice (compliant)

  • Fair recruitment processes with anonymised applications.

  • Zero-tolerance policies for racist language or behaviour.

Not followed (non-compliant)

  • Racial harassment ignored by management.

  • Promotion decisions influenced by ethnicity.

Consequences for organisations

  • Serious reputational damage

  • Legal penalties and compensation

  • Loss of public contracts or funding

 

7. Religion or Belief

Religion or belief, which includes religious beliefs, philosophical beliefs, and lack of belief, is a protected characteristic under UK equality legislation. This protection ensures that individuals are not treated unfairly because of what they believe, how they practise their beliefs, or because they do not hold any religious or philosophical belief.

This protection covers:

  • Religious beliefs - such as Christianity, Islam, Hinduism, Judaism, Sikhism, Buddhism, and other recognised religions.

  • Philosophical beliefs - beliefs that are genuinely held, serious, and affect how a person lives their life (e.g. ethical veganism).

  • Lack of belief - protection for people who do not follow a religion or belief system.

Religion or belief discrimination can take several forms:

  • Direct discrimination - treating someone less favourably because of their religion or belief (e.g. refusing employment because of religious dress).

  • Indirect discrimination - policies that disadvantage people of certain beliefs without justification (e.g. mandatory work times that conflict with religious observance).

  • Harassment - offensive comments, jokes, or behaviour relating to religion or belief.

  • Victimisation - treating someone unfairly because they have raised or supported a complaint.

In practice, organisations should:

  • Accommodate reasonable requests related to religious observance, such as prayer breaks or flexible working hours.

  • Allow religious dress or symbols unless there is a genuine and proportionate reason (such as health and safety).

  • Foster a culture of mutual respect and understanding.

  • Ensure policies are inclusive and do not disadvantage particular belief groups.

Failure to respect religion or belief protections can lead to employment tribunal claims, financial compensation, and reputational harm. It may also create a divisive or hostile environment, reducing staff engagement and wellbeing. Organisations that actively respect religious diversity benefit from a more inclusive workplace and stronger relationships with employees and service users.

In practice (compliant)

  • Allowing prayer space or flexible breaks.

  • Respecting religious dress unless a genuine safety reason exists.

Not followed (non-compliant)

  • Mocking religious practices.

  • Refusing reasonable requests for religious observance.

Consequences for organisations

  • Discrimination and harassment claims

  • Loss of workforce diversity

  • Negative press coverage

 

8. Sex

Protection against discrimination based on being male or female refers to the protected characteristic of sex under UK equality legislation. This protection ensures that individuals are treated fairly and equally regardless of whether they are male or female, and that decisions are based on ability, merit, and performance rather than gender-based assumptions or stereotypes.

This protection applies across employment, education, training, and the provision of goods and services.

Sex discrimination can take several forms:

  • Direct discrimination - treating someone less favourably because of their sex (e.g. refusing promotion because someone is female or male).

  • Indirect discrimination - policies or practices that disadvantage one sex more than the other without objective justification (e.g. work patterns that disproportionately affect women).

  • Harassment - unwanted behaviour related to sex that violates dignity or creates a hostile or offensive environment.

  • Victimisation - treating someone unfairly because they have raised or supported a complaint about sex discrimination.

In practice, organisations must:

  • Ensure equal pay for equal work, in line with equal pay legislation.

  • Provide fair access to recruitment, promotion, training, and development opportunities.

  • Prevent and address sexual harassment through clear policies and training.

  • Avoid gender stereotypes, such as assumptions about leadership ability or technical competence.

Failure to comply with sex discrimination protections can result in employment tribunal claims, equal pay disputes, substantial financial penalties, and serious reputational damage. It can also negatively affect organisational culture, leading to reduced morale and trust. Organisations that promote gender equality benefit from improved staff engagement, better decision-making, and a more inclusive and productive workplace.

In practice (compliant)

  • Equal pay for equal work.

  • Fair promotion and development opportunities.

Not followed (non-compliant)

  • Gender pay inequality.

  • Excluding women from senior roles or technical teams.

Consequences for organisations

  • Gender pay gap reporting failures

  • Tribunal claims

  • Loss of public trust and brand credibility

 

9. Sexual Orientation

Protection for lesbian, gay, bisexual, and heterosexual individuals refers to the protected characteristic of sexual orientation under UK equality legislation. This protection ensures that individuals are not treated unfairly, harassed, or excluded because of who they are attracted to, who they form relationships with, or how they identify their sexual orientation.

Sexual orientation protection applies equally to:

  • Lesbian individuals

  • Gay individuals

  • Bisexual individuals

  • Heterosexual individuals

It covers all stages of employment and service provision, including recruitment, promotion, training, dismissal, education, and access to goods and services.

Discrimination related to sexual orientation can take several forms:

  • Direct discrimination - treating someone less favourably because of their sexual orientation (e.g. refusing promotion because someone is gay).

  • Indirect discrimination - policies that disadvantage people of a particular sexual orientation without justification.

  • Harassment - homophobic, biphobic, or derogatory language, jokes, or behaviour.

  • Victimisation - treating someone unfairly because they have reported discrimination or supported another complaint.

In practice, organisations are expected to:

  • Maintain inclusive policies that clearly prohibit discrimination and harassment.

  • Challenge inappropriate language or behaviour immediately.

  • Ensure equal access to benefits, training, and career progression.

  • Create an environment where individuals feel safe to be open about their identity without fear of negative consequences.

Failure to uphold sexual orientation protections can result in employment tribunal claims, financial compensation, and serious reputational damage. It can also lead to a hostile workplace culture, reduced staff wellbeing, and higher staff turnover. Organisations that actively promote inclusion and equality benefit from increased trust, stronger teamwork, and a more positive organisational reputation.

 

 

 

 

In practice (compliant)

  • Inclusive policies and staff training.

  • Challenging homophobic language immediately.

Not followed (non-compliant)

  • Harassment ignored or dismissed as “banter”.

  • Denying promotion due to sexual orientation.

Consequences for organisations

  • Legal claims and compensation

  • Workplace culture breakdown

  • High staff turnover

 

Further guidance is provided to organisations through a number of governmental webpages.
The Equality Act and protected characteristics | Local Government Association

 

Equality in the Workplace – Protected Characteristics Presentation

You will focus on one of the protected characteristics covered by the Equality Act 2010 and explain how it must be protected at work.

How You Will Work
You will work in a small team of 2–3 students
Each team will be given one protected characteristic
No two teams will work on the same characteristic
You will create and deliver a short presentation (5–7 minutes)

The 9 Protected Characteristics
Your teacher will assign your group one of the following:
 - Age
 - Disability
 - Gender reassignment
 - Marriage and civil partnership
 - Pregnancy and maternity
 - Race
 - Religion or belief
 - Sex
 - Sexual orientation

What Your Presentation MUST Include
Your presentation must contain all of the sections below. Missing sections may mean you do not meet the learning outcome.

1. Explain the Protected Characteristic
You must:
 - Clearly explain what your assigned protected characteristic means
 - Describe how it applies in a workplace setting
 - Give at least one example (e.g. recruitment, promotion, training, working conditions)

2. Explain Employer Responsibilities
You must explain:
 - What employers are legally required to do to protect this characteristic
 - How employers should treat staff fairly
 - Any adjustments or policies employers must have in place
Examples may include:
 - Equality and diversity policies
 - Fair recruitment practices
 - Reasonable adjustments for staff

3. Case Study of Failure
You must include a real or realistic case study where an employer failed to meet their legal responsibilities.
You must explain:
 - What the employer did wrong
 - Which protected characteristic was affected
 - How this affected the employee or individual
 - What happened to the employer as a result

4. Consequences for Employers
You must explain what can happen if an employer does not follow equality legislation, such as:
 - Legal action or employment tribunals
 - Financial penalties
 - Damage to reputation
 - Loss of staff trust and morale

5. How Employers Can Do Better
You must suggest practical ways employers can prevent discrimination, for example:
 - Staff training
 - Clear reporting procedures
 - Fair workplace policies
 - Inclusive working practices

Presentation Rules
Every group member must speak
Use clear and professional language
Slides should support what you say, not be full of text
Include at least one image, diagram, or visual

 

Types of discrimination:

 

Direct Discrimination

Definition
Direct discrimination occurs when someone is treated less favourably than another person because of a protected characteristic (such as age, disability, gender reassignment, race, religion, sex, or sexual orientation).

This type of discrimination is intentional and often easy to identify because the unfair treatment is clearly linked to who the person is.

Workplace Example
An employer refuses to promote a qualified female employee because they believe “men are better suited to leadership roles”.

Case Study: Pregnancy Discrimination
A UK tribunal case involved a woman being dismissed shortly after informing her employer she was pregnant. Her employer claimed the dismissal was due to “performance issues”, but evidence showed her performance had been rated positively before the pregnancy announcement.

Indirect Discrimination

Definition
Indirect discrimination happens when a policy, rule, or working practice applies to everyone but disadvantages a particular group with a protected characteristic.

Importantly, this discrimination is often unintentional.

Workplace Example
A company introduces a rule that all staff must work late on Friday evenings. This disadvantages Muslim employees who attend Friday prayers.

Case Study: Working Hours Policy
In a UK case, a retail employer required all managers to work full-time hours, including weekends. A female employee returning from maternity leave requested flexible working, which was refused.

Harassment

Definition
Harassment is unwanted behaviour related to a protected characteristic that violates someone’s dignity or creates an intimidating, hostile, degrading, humiliating, or offensive environment.

It can be:

  • Verbal (comments, jokes)

  • Physical

  • Written or digital (emails, messages)

Workplace Example
An employee repeatedly makes jokes about a colleague’s disability, despite being asked to stop.

Case Study: Racial Harassment at Work
In a UK tribunal case, an employee was subjected to repeated racial slurs and “banter” by colleagues. Management failed to take action when complaints were raised.

Victimisation

Definition
Victimisation occurs when someone is treated unfairly because they have made, supported, or are believed to have made a complaint about discrimination or harassment.

This includes:

  • Being disciplined

  • Being denied promotion

  • Being excluded or dismissed

Workplace Example
An employee raises a formal grievance about racial discrimination and is later excluded from training opportunities as a result.

Case Study: Retaliation After Complaint
In a UK case, an employee who supported a colleague’s discrimination claim was later passed over for promotion and given negative appraisals.

Create an infographic on the different types of discrimination that occur. Provide examples of where this has happened and the consequences for organisations and individuals. Your infographic should be as informative as possible, including images that capture the attention of others.

 

• where individuals are protected

 

• when to take action against discrimination

o time limits for claims.

 

4.1.6 Understand Intellectual Property legislation:

 

• unregistered designs

• registered designs

• patents.

US vs China over IP

 

“Who Owns It?”

Learning focus: Understanding Intellectual Property, ownership, and misuse in the UK

Scenario (Read this first)
You work for a small digital company that creates:
 - Websites
 - Apps
 - Logos
 - Training videos
 - Social media content

Your manager has discovered that some content may have been copied, reused, or shared incorrectly.
Your job is to decide who owns the work, what type of Intellectual Property applies, and whether the use is legal or illegal.

Task 1 - IP Decision Cards (8 minutes)
Your teacher will give you (or display) 4 short scenarios.
For each scenario, discuss and decide:
 - What type of Intellectual Property is involved?
    - Copyright
    - Trademark
    - Patent
    - Design right
 - Is this use allowed or not?
    - Allowed
    - Not allowed
 - Why? (Give one clear reason)

Example Scenarios
Scenario A
A student copies code from GitHub and submits it as their own coursework.
Scenario B
A business uses a competitor’s logo on their website “by mistake”.
Scenario C
A developer creates a new mobile app using an original idea and original code.
Scenario D
Someone downloads an image from Google and uses it on a business website without permission.


Task 2 - Quick Share & Challenge (3 minutes)
Each group:
 - Chooses one scenario
 - Explains their decision in 30 seconds
Other groups can:
 - Agree
 - Challenge the decision
 - Ask “What law protects that?”


Task 3 - Rapid-Fire Quiz (2 minutes)
Quick questions.
Put thumbs up for legal or thumbs down for illegal.
Examples:
“Using music in a YouTube video without permission”
“Creating your own logo for a new brand”
“Sharing paid software with friends”

What You Should Now Understand
By the end of this activity, you should be able to:
 - Explain what Intellectual Property is
 - Identify different types of IP
 - Recognise legal vs illegal use
 - Understand why IP law exists in the UK
 - Apply IP rules to real digital and workplace scenarios


Stretch (If Time Allows)
Answer this question verbally or in writing:
Why is Intellectual Property especially important in digital industries like IT, media, and software development?

 

4.1.7 Understand Electrical Waste legislation:

 

The WEEE regulations are a set of environmental regulations designed to ensure that electrical equipment is recycled, reused, or disposed of in an ethical way that does not harm the environment. Within companies, electrical materials and devices are, in most situations, disposed of in specialist bins that external contractors take away to recycle the materials if they cannot be reused. However, in some situations, electrical devices may store personal and sensitive information, and these must be destroyed beyond any repair or reuse.

In small groups of 2-3, reflect on the disposal of electrical equipment, then research and discuss the main minerals found in most electrical devices and the current issue of e-waste in the UK.

o key features:

governs the safe and environmentally responsible disposal of electrical equipment

 

• Waste Electrical and Electronic Equipment Regulations

• safe disposal

• environmentally responsible disposal.

 

4.1.8 Understand the interrelationships between digital support and security and digital legislation, and make judgements about the impact on organisations, society and individuals.

 

4.1.9 Know that international law applies to some offences:

• international law in cyberspace

• international law and surveillance.


Files that support this week

English:

Assessment:


Learning Outcomes:
Awarding Organisation Criteria:
Maths:
Stretch and Challenge:
E&D / BV
Homework / Extension:
ILT
  →  →  →  →  →  →
Week 3 T&L Activities:

4.2 Guidelines

4.2.1 Know the sources of codes of conduct:

Organisations

 

Professional

British Computer Society (BCS)

The BCS code of conduct has four key principles:

  • Make IT for Everyone
  • What you know, learn what you don't
  • Respect the organisation or individual you work with
  • Keep IT real. Keep IT Professional. Pass IT on

These codes act as powerful endorsements of an individual's integrity and ethics whilst working as an IT professional.

"Know IT yourself"
Using the link below, look further into the 4 principles/codes that are used by the BCS. Create a PowerPoint that explains these in more detail.

BCS Code of Conduct for members - Ethics for IT professionals | BCS

 

The Institution of Analysts and Programmers (IAP)

The Institution of Analysts and Programmers (IAP) is a professional body that supports both the public and its members by helping individuals enter the IT profession, providing technical expertise, and promoting high standards in software development. The IAP offers guidance on IT careers, particularly in systems analysis and programming, and advises on relevant training courses and qualifications, including recommending approved courses delivered by partner universities and private training providers, many of which contribute towards IAP membership or allow direct entry as a Graduate member (GradIAP).

In addition, the IAP provides technical assistance through its members, who work across all areas of business and industry and may be available for consultancy, with verified credentials listed in the Register of Consultants. The organisation also supports employers, clients, and the public by confirming members’ qualifications and membership grades. Alongside this, the IAP fosters Communities of Practice (COPs) focused on improving software for society, bringing together professionals with shared interests in areas such as cyber security, health, transport, cloud computing, artificial intelligence, robotics, IoT, defence, telecoms, and software development, helping to encourage collaboration, knowledge sharing, and professional development across the IT sector.

The IAP Code of Conduct covers 4 areas. These are:

 - Duty to the Public

 - Duty to the Profession

 - Duties to the Institution of Analysts and Programmers

 - Duties to Clients and Employers

"Investigate And Present (IAP)"
Using the link below, look further into the 4 principles/codes that are used by the IAP. Create a PowerPoint that explains these in more detail.

iap.org.uk/code-of-conduct

 

Chartered Institute of Information Security (CIISec)

The Chartered Institute of Information Security (CIISec) is the world’s first cyber and information security body to receive Royal Charter status, highlighting its leadership in raising professional standards across the sector. It operates as an independent, not-for-profit organisation governed by its members and provides a trusted, central voice for the cyber and information security profession. Representing over 35,000 professionals at all stages of their careers, CIISec supports its community through programmes focused on professional development, recognition and career success. Its core objectives include promoting the advancement and sharing of knowledge for the public benefit, establishing and upholding high ethical and professional standards in the UK and internationally, and acting as an authoritative body for consultation and research on education and issues of public interest within cyber and information security.

The CIISec has 3 areas of conduct:

 - Maintain Professionalism

 - Act in an Ethical Manner

 - Promote Best Practice

"Investigate And Present (IAP)"
Using the link below, look further into the 3 principles/codes that are used by the CIISec. Create a PowerPoint that explains these in more detail.

Code of Conduct & Ethics - CIISec

 

Governmental.

 

4.2.2 Understand how guidelines in codes of conduct influence professional behaviour:

• ensure individuals follow policies, procedures and legislation

• ensure quality of work:

o minimising risk to the public

o acting with competence and integrity

• meeting deadlines

• effective communication

• maintaining confidentiality and trust.


Week 4 T&L Activities:

4.2.3 Know the sources of digital industry standards:

• International Organization for Standardization (ISO)

• Web Content Accessibility Guidelines (WCAG)

• World Wide Web Consortium (W3C®)

• Internet Engineering Task Force (IETF)

• Electronic Industries Alliance/Telecommunications Industry Association (EIA/TIA)

• British Standard (BS)

• Institute of Electrical and Electronics Engineers (IEEE)

• Payment Card Industry Security Standards Council (PCI SSC).

 

4.2.4 Understand the purpose of acceptable use policies (AUP):

• purpose of AUP

• typical content:

o permitted activities

o prohibited activities

o working practices including confidentiality

o communication etiquette including projecting correct organisation image

o sanctions/penalties.


Week 5 T&L Activities:

4.2.5 Understand the importance of whistleblowing procedures.

Whistleblowing procedures matter in Digital Support and Security because the work is high-trust, high-impact and often invisible until it goes wrong. Support teams routinely handle privileged access (admin accounts, remote tools, service desks, logs, backups, identity systems) and sensitive data. If someone spots a serious weakness (poor access controls, an unsafe “workaround”, pressure to hide an incident, or non-compliant data handling), a clear, trusted whistleblowing route can be the difference between early containment and a major breach.

Why it’s important in the UK (and in cyber/digital support specifically)

1) Early warning for hidden risks

  • Cyber and IT support risks often sit in configuration, process and governance (e.g., shared admin accounts, unmanaged endpoints, unsupported systems, weak change control). A whistleblowing route helps staff raise concerns before an incident occurs or escalates.

2) Legal protection encourages speaking up

  • In the UK, workers are protected when they make a “protected disclosure” in the public interest under whistleblowing law (linked to the Public Interest Disclosure Act 1998 / Employment Rights Act framework). Protection covers unfair dismissal and “detriment” (being treated worse for speaking up).

  • ACAS guidance also clarifies what people can whistleblow about and how to make a disclosure properly.

3) Supports compliance and good governance

  • Security teams are often balancing “keep services running” with “do it safely”. Whistleblowing supports a culture where staff can challenge decisions that increase risk (e.g., bypassing MFA, delaying patching, ignoring audit findings) without fear.

  • It also supports regulatory expectations around responsible handling of data and security incidents, e.g. the ICO’s breach guidance and routes for protected disclosures to the ICO where relevant.

4) Protects customers, citizens and critical services

  • In Digital Support and Security, the “public interest” angle is often strong: insecure identity systems, mishandled personal data, or ignored vulnerabilities can affect thousands/millions of users.

5) Improves professional standards

  • A good speak-up culture reduces the chance of “normalised deviance” (unsafe practices becoming routine) and strengthens learning after incidents (root cause fixes, not blame).

What a strong whistleblowing procedure looks like (practical, sector-relevant)

In a Digital Support/Security context, a policy should be explicit about:

  • What to raise: security vulnerabilities, unsafe configurations, data mishandling, falsified audit evidence, suppression of incidents, risky supplier practices, credential sharing, unauthorised monitoring, etc.

  • How to raise it safely: multiple routes (line manager, security lead, HR, independent hotline), option to raise concerns confidentially, clear separation from personal grievances.

  • Triage and response: acknowledge receipt, risk-rank (e.g., “critical vulnerability affecting identity/auth”), assign an investigator independent of the allegation, preserve evidence, and document actions.

  • Escalation paths: to senior leadership / audit committee and (where appropriate) external bodies (e.g., regulator). The ICO explicitly provides routes for whistleblowers making protected disclosures relating to information rights/data protection.

  • No retaliation: clear statement and enforcement, because fear of detriment is the main reason people stay silent.

  • Learning loop: feed outcomes into security controls (patching, access management, training, supplier assurance).

 

Real-world case study (Digital Support & Security): UK One Login allegations

Context: The UK government’s “One Login” digital identity programme (used to access online public services) faced allegations raised by a cybersecurity professional acting as a whistleblower. Reporting in 2025 described concerns raised internally shortly after the service went live, including claims about governance and cyber security weaknesses, and that the whistleblower had advised senior leaders of serious security problems as part of their role.

Why this case illustrates whistleblowing’s importance in the sector

Identity systems are high-value targets: weaknesses in authentication, admin practices, or device compliance can create systemic risk (account takeover, fraud, and large-scale data exposure).

Concerns can be organisational, not just technical: the allegations described issues around governance/risk management as well as security controls, exactly the kind of “process and leadership” risk that frontline cyber professionals may spot early.

Public interest is clear: identity services underpin access to government services; failures can affect large numbers of people and trust in digital public services.


Digital Support & Security learning points

Whistleblowing routes should be credible and independent enough that security staff believe concerns will be acted on.

Programmes should demonstrate evidence-based closure (documented remediation, independent assurance, clear risk ownership); otherwise whistleblowing may escalate externally, often after trust breaks down.

Building “speak up” into security governance (audit committees, independent security assurance, red-team reporting lines) reduces the likelihood that concerns get stuck at middle-management level.

 

4.2.6 Understand the interrelationships between digital support and security and guidelines, and make judgements about the impact on organisations, society and individuals

 

