4.1 Legislation

4.1.1 Understand the key points and implications to employers of the relevant health and safety legislation:

Health and Safety at Work Act:

The health and safety at work regulations that are currently in place within the UK is held in high regard globally as legislation, to the point that other countries use this legislation as a benchmark for their own.

Created in 1974 the regulation was created as a result of a significant amount of harm and death related to employees undertaking their work roles and responsibilities. The government established a group of people chaired by Lord Robens to create a report on safety and health at work.  Lord Robens was tasked to create legislation that fit all business types regardless of size, from self-employed to large organisations. 

o key points:

– provide a safe working environment

– ensure staff are properly trained

– adequate welfare provision

– provide relevant information, instruction and supervision

You have been tasked with creating an engaging activity for 16-18 year olds on the Health and Safety at Work etc Act 1974, specifically linked to the digital support services sector. This activity should last 10-15 minutes and involve both a learning element and interactive participation. 
Your activity can be create in any type of application to enable the interactivity, this could be in scratch, Contruct 3, Wayfinder, Kahoot, GimKit or any other. This needs to be fun and entertaining for the targeted audiences. Examples of previous student work can be seen using the link below.
The Health Inspector on Scratch

You have been tasked with creating an informative presentation that includes examples and casestudies of the Health and Safety at work Act.

Activity Title: Ensuring Safety in the Digital Support Workspace

Objective:
By the end of the activity, you will understand key aspects of the Health and Safety at Work etc Act 1974 and how they apply to the digital support services sector. You will explore real-world examples from a well-known organisation and propose solutions to common safety challenges.

Materials Needed:
    •    Access to a computer or tablet with internet for research
    •    Whiteboard or flipchart for note-taking (optional for classroom setting)
    •    Handouts summarising the Health and Safety at Work etc Act 1974 (optional)

Step-by-Step Activity Plan:
 
   1.    Introduction (5 minutes)
Briefly explain the key points of the Health and Safety at Work etc Act 1974, focusing on its relevance to the digital support services sector. Highlight the importance of both physical safety (e.g., ergonomic workspaces) and mental health (e.g., managing stress in a high-demand environment).
Example:
“The Act is designed to ensure that employers provide a safe working environment for their employees. In digital support services, this can include everything from making sure workers have the right equipment to prevent injuries, to ensuring their mental health is supported during busy periods.”

    2.    Group Research (10 minutes)
Split into small groups and research how a well-known organisation, such as Google, applies health and safety measures within its digital support teams. Focus on aspects such as:
    •    Ergonomics (adjustable desks, chairs, screen positioning)
    •    Mental health support (stress management, mental health days)
    •    Work-from-home health policies (safe home office setup, guidance on screen time)
    •    Emergency procedures (fire drills, reporting unsafe working conditions)
Each group should use available resources (e.g., company blogs, news articles, or health and safety documentation) to identify 2-3 safety measures that Google has implemented.
   
3.    Group Presentations (5-10 minutes)
After the research phase, each group will present their findings, focusing on how these health and safety measures align with the Health and Safety at Work etc Act 1974.
Example Presentation:
“Google has implemented several health and safety measures that align with the 1974 Act. They provide adjustable workstations to prevent physical strain, offer counselling services to employees, and ensure that staff working remotely are supported with proper ergonomic advice.”

    4.    Interactive Discussion (5-10 minutes)
Group discussion what additional ways digital support teams can improve health and safety practices. Focus your conversation on areas like managing prolonged screen time, dealing with high-stress situations, and ensuring safety for remote workers.
Example Question:
“If you were managing a digital support team at Google, what other safety measures would you put in place to ensure your team’s well-being?”

    5.    Conclusion (2-5 minutes)
Summarise the key points discussed, emphasising how the Health and Safety at Work etc Act 1974 protects employees in the digital support services sector. Reinforce the importance of both physical and mental health in the workplace and think about these issues as you enter your future careers.

By engaging in this activity, you will have applied theoretical knowledge of the Health and Safety at Work etc Act 1974 to real-world examples from a major organisation, thinking critically about health and safety in a sector you may enter in the future.

Manual handling operations:

o key points:

– avoid hazardous manual handling operations as far as possible

– assess any hazardous manual handling operations

– provide information on load and centre of gravity

– reduce the risk of injury so far as is reasonably practicable

Work at height regulations:

The regulations around "working at height 2005" play a very important part when linked to the installation of possible network infrastructure as placing equipment such as network access points (APs), Wi-Fi hubs and physical network cabling. These elements of a network can be located in ceilings and overhead gantries that require access to be done using ladders and in some situations scissor lifts called cherry pickers. As a result, the legislation is designed to ensure that employees are protected when undertaking any activities associated to accessing this equipment. The legislation requires that any employer ensure appropriate precautions are in place to reduce any possible injury, such as falling from height.

The Legislation and regulation ensure that the employee understands their duty to protect its employees by;

Ensuring that the equipment they are using or provided with is suitable for the job being undertaken, that it is strong enough for the task in hand, and that it is regularly checked for integrity and maintenance.

Appropriate training has been provided to ensure that the employees don't act in a way that could lead to harm to them or others, such as overreaching.

Provide the employees and potential members of the public with protection that reduces their being hit by falling materials.

Identifying Work at Height Risks in a Digital Support Environment

Objective:
You will develop an understanding of the Work at Height Regulations 2005 and apply them in the context of digital support services, specifically in identifying risks when dealing with cabling, server racks, and other equipment maintenance that may involve working at height.

Duration: 10-15 minutes

Materials Needed:
    •    Notepad or digital device for note-taking
    •    Floor plan or basic map of the educational environment (optional)

Instructions:
    1.    Introduction (2 minutes):
You will be briefly introduced to the Work at Height Regulations 2005, which are laws designed to prevent injuries and accidents when working at height. Examples could include accessing high server racks, cable installations, or fixing projectors.
    2.    Task Explanation (3 minutes):
You will be tasked with identifying potential risks associated with working at height within your current educational environment (e.g., IT support office, classroom, or server room). You will leave the classroom and observe locations where digital equipment maintenance may require working at height.
    3.    Activity (5 minutes):
You will walk around the educational environment and find at least two locations where work at height might occur. Consider:
    •    Where a ladder or steps would be needed (e.g., adjusting a ceiling-mounted projector, accessing cabling on high walls or ceiling panels).
    •    Whether there are secure, safe means to access the area.
    •    Any hazards like unstable surfaces, improper equipment, or inadequate protective measures.
    4.    Example Scenario:
You might observe the server room, where the top shelf of a rack is used for critical hardware. You should note that reaching this level requires the use of steps or a ladder, and you should evaluate whether proper equipment is in place to access the height safely (e.g., if the ladder is sturdy, if there are railings, and if the space is clear of obstructions).
    5.    Reflection & Discussion (5 minutes):
Once you return, you will share your observations. You will describe one risk you identified and suggest how it could be mitigated in line with the Work at Height Regulations 2005 (e.g., use of secure ladders, ensuring no tripping hazards below the workspace, using harnesses if necessary).

Expected Output Example:
You might report:
“In the server room, the top shelf of the rack requires a ladder to reach. The ladder present was sturdy but positioned on uneven flooring, which could cause instability. To comply with the Work at Height Regulations 2005, the ladder should be moved to a flat surface or a platform should be used to ensure stability before accessing the top shelf.”

This activity should encourage you to recognise the importance of safety when working at height in digital support roles and to think critically about how to mitigate risks in your surroundings.

o key points:

– make sure the work is properly planned, supervised and carried out by competent people

– do as much work as possible from the ground

– ensure workers can get safely to and from where they work at height

– ensure equipment is suitable, stable and strong enough for the job

– provide protection from falling objects

– consider emergency evacuation rescue procedures

Display screen equipment:

o implications to employers:

– conduct a display screen equipment workstation assessment

– reduce risks including making sure workers take breaks from display screen equipment work

– provide an eye test if an employee asks for one

– provide training and information for employees.

Have you ever had neck pain after a long gaming session or after doing work on a computer, or, found that your eyes have gotten tired and sore after looking at screens all day? This is where the Health and Safety (Display Screen Equipment) Regulations 1992 come in. This regulation is designed to protect users who continually use display screens for a long period.
 

Some of the key principles of the regulations to keep you safe when using computers, laptops, and tablets for extended periods are:

• Adequate Training: Just like learning the controls in a game, employers need to train staff on using screens safely. This could involve learning proper posture, taking breaks, and adjusting screen settings to avoid eye strain.

• Adequate Welfare Provision: Imagine getting a health boost after defeating a boss! Employers need to provide breaks for staff to move around, stretch, and rest their eyes. This could be short breaks every hour or longer breaks throughout the day.

• Safe Working Environment: Wouldn't it be annoying to fight enemies in a dark, cramped cave? Similarly, the regulations ensure a safe working environment for screen users. This includes proper lighting, comfortable seating, and avoiding glare on the screen. Imagine a well-lit gaming setup with an ergonomic chair – that's what they're aiming for!
   

   

• Suitable Information, Instruction & Supervision: Every good game has a handy guide, right? Employers need to provide staff with clear information on how to use screens safely. This could be posters, online resources, or even talks from health and safety experts. IT support can also play a role by helping set up screens and suggesting ergonomic adjustments.

5-Minute Challenge: In Pairs assess your computer setup for 5 minutes. Here's what to check: 
Posture: Are you sitting up straight with your back supported?  
Screen Distance: Is the screen an arm's length away? 
Lighting: Is there any glare on the screen? 
Breaks: Do you take breaks to move around and rest your eyes?

Discuss any improvements you can make and how you can work with your tutor to create a screen-safe environment.

Now that you have reflected on your own work areas use the government checklist (provided using the button below) to see what is expected of an employer for thier employees.
Display screen equipment (DSE) workstation checklist

Create a poster that uses terminology and images that a 16 year old might use to inform them of the DSE legislation of 1992. Using images in your poster will support your information and explainations, ensure that any images are referenced and attributed.

4.1.2 Understand the health and safety risks and preventative measures of working with digital systems:

Possible risks

Using display screen equipment

Musculoskeletal Disorders (MSDs): Poor posture and a poorly designed workstation can cause pain and disorders in the neck, shoulders, back, arms, wrists, and hands. This includes conditions such as repetitive strain injury (RSI).

Eye Strain and Visual Problems: Extended screen use can cause tired eyes, discomfort, temporary blurred vision, dry eyes, and headaches, a condition known as Computer Vision Syndrome (CVS). It does not cause permanent eye damage but can highlight pre-existing vision problems.

Fatigue and Stress: Long periods of static work, intense concentration, or poorly designed software/work organisation can lead to general physical and mental fatigue, and stress.

Working at heights

Falls from height: Distraction caused by looking at a screen or interacting with a digital device (tablet, phone, laptop) can lead to a loss of balance, misstep, or a failure to notice an edge or opening, resulting in a fall.

Falling objects: Digital devices and their accessories (batteries, styluses) can be dropped, posing a serious injury risk to people and damage to equipment below.

Manual handling issues: Carrying digital devices, especially with accessories (stands, spare batteries, etc.), to and from elevated work areas can increase manual handling strain, particularly if safe access is limited

Cable installation (ground level, onto walls)

Electric Shock and Burns: The primary hazard from contact with live wires or damaged cables, which can cause severe injury or death.

Arc Flash and Explosions: Damage to underground or in-wall cables can cause an explosion and intense flash, leading to severe burns.

Slips, Trips, and Falls: Trailing cables at ground level are a significant tripping hazard in the workplace, leading to potential injuries, additional to working at any height on a ladder.

Mechanical Damage: Cables are vulnerable to damage from sharp objects, crushing, or excessive pulling/bending during installation, which can compromise their integrity and create electrical or fire hazards.

Fire Hazards: Faulty wiring, overloaded circuits, or damaged equipment can lead to fires.

Ergonomic Risks: Improper manual handling of heavy cable spools can lead to musculoskeletal injuries.

Eye Injuries: Fiber optic cables pose a risk of eye injury from the light they carry, requiring appropriate eye protection. 

Manual handling

Musculoskeletal Disorders (MSDs): The primary risk is developing MSDs, which include pain and disorders in the neck, shoulders, back, arms, wrists, and hands.

Work-Related Upper Limb Disorders (WRULDs) / Repetitive Strain Injury (RSI): Prolonged, uninterrupted work with a keyboard and mouse, or use of handheld devices (like PDAs and smartphones) with poor posture, can lead to these overuse injuries.

Back Pain: Incorrect seating, inadequate back support, and improper lifting techniques are major causes of chronic back pain.

Fatigue: Maintaining the same position for extended periods, or working with excessive workloads, can cause muscle fatigue and strain.

Injuries from Transporting Equipment: Carrying heavy or unbalanced loads (e.g., a laptop in a single-shoulder bag) can strain muscles and joints.

Accidents: Obstructions in the work area, poor lighting, or unstable flooring when moving equipment can lead to trips, slips, and falls. 

Health and safety requirements

Methods of mitigating risk:

Adequate training

For any organisation, it is vital to ensure that the workforce has the appropriate training, skills, and knowledge to carry out their duties and responsibilities effectively, competently, and most importantly, safely. Adequate training helps to reduce the risk of human error, ensures compliance with organisational policies and legal requirements, and supports a consistent standard of working practice across the organisation.

Many organisations now utilise e-learning platforms as a primary method of delivering training and sharing essential knowledge with employees. E-learning enables staff to access training materials at a time and pace that suits their individual learning needs, promoting flexibility and inclusivity within the workforce. In addition, digital training platforms allow organisations to deliver consistent, up-to-date content, track learner progress, and maintain accurate records of completed training for audit and compliance purposes. This approach not only supports ongoing professional development but also contributes to improved efficiency, reduced training costs, and a safer working environment.

Safe working environment

Suitable provision of relevant safety equipment

Safe working practices

Suitable provision of relevant information, instruction and supervision.

4.1.3 Understand Data Security and Protection legislation, including their effect on organisations and individuals:

Data Protection Act/General Data Protection Regulations:

Purpose of legislation

Data protection legislation sets out clear rules that govern how organisations collect, use, store, share, and dispose of personal information. This applies to a wide range of organisations, including private businesses, public sector bodies, and government departments. The legislation is designed to ensure that personal data is handled lawfully, fairly, and securely, protecting individuals from misuse, unauthorised access, and excessive data collection, while also giving people greater control over how their information is processed and shared.

Eight principles.

1. Lawfulness, Fairness and Transparency

Personal data must be processed:

• Lawfully – there must be a valid legal basis (e.g. consent, contract, legal obligation)

• Fairly – data must not be used in ways that would surprise or disadvantage the individual

• Transparently – individuals must be informed about how their data is used (usually via a privacy notice)

Example (Digital Support):
A college must clearly explain to students why it collects attendance data and how long it will be kept.

2. Purpose Limitation

Personal data must be:

• Collected for specific, explicit, and legitimate purposes

• Not reused for unrelated purposes without further consent or legal justification

Example:
Customer contact details collected for IT support tickets must not later be used for marketing unless permission is given.

3. Data Minimisation

Only data that is:

• Adequate

• Relevant

• Limited to what is necessary

should be collected.

Example:
A helpdesk form should not ask for a user’s home address if email support is sufficient.

4. Accuracy

Personal data must be:

• Accurate

• Kept up to date

• Corrected or deleted promptly if incorrect

Example:
An asset register must be updated when devices are reassigned to different users.

5. Storage Limitation

Data must:

• Not be kept longer than necessary

• Have defined retention periods

Example:
Old support tickets containing personal data should be securely deleted after the organisation’s retention period expires.

6. Integrity and Confidentiality (Security)

Personal data must be processed securely, protecting it from:

• Unauthorised access

• Accidental loss

• Destruction or damage

This includes technical and organisational security measures.

Examples:

• Strong passwords and multi-factor authentication

• Encryption of laptops and backups

• Role-based access control (RBAC)

7. Accountability

Organisations must:

• Take responsibility for complying with the principles

• Demonstrate compliance through documentation and policies

Examples:

• Staff training records

• Data protection policies

• Incident response procedures

8. Rights of the Data Subject

Individuals have rights over their personal data, including:

• Right to access

• Right to rectification

• Right to erasure (“right to be forgotten”)

• Right to restrict processing

• Right to data portability

• Right to object

Example:
A user can request a copy of all personal data held about them by an IT service provider.

4.1.4 Understand Computer Misuse legislation:

The computer Misuse act was introduced in 1990, however it was partially introduced in 1988 in response to a legal case titled "R v Gold & Schifreen (1988) where a journalist hacker broke into the then Duke of Edinburgh’s (Prince Phillip) email account. Once the general public were aware of the situation there was outcry that uncovered the fact that no law existed against computer hacking. As a result of this the legislation was created partially and released in 1988 followed 2 years later with the full release.

How easy is it to get caught out? 

Refelect on your own use of digital devices, have you experienced this?

The principles of the Computer Misuse Act (CMA) 1990

Key aspects of the feature governing unauthorized access include:

Prohibition of Unauthorised Access: The Act clearly defines unauthorised access as accessing computer systems, programs, or data without proper authorisation. This includes bypassing security measures or accessing areas of a computer system beyond one's authorised privileges.

Protection of Data: The legislation aims to protect the confidentiality, integrity, and availability of data by preventing unauthorised access. This helps safeguard sensitive information from being accessed, modified, or deleted without proper authorisation.Scope: The legislation applies to unauthorised access to any computer system, whether it's owned by individuals, businesses, or the government. It covers a wide range of devices and networks, including computers, servers, and online platforms.

• consequences for company and employee

Penalties: The Act establishes penalties for unauthorized access, including fines and imprisonment, depending on the severity of the offense. For example, accessing a computer system without authorisation with the intent to commit further offenses carries a maximum penalty of up to 2 years in prison and/or a fine.

• employee awareness

• types of crimes covered by legislation.

Secure Your Digital Vault

Objective: Understand the importance of authorization and security in compliance with the Computer Misuse Act 1990.

Materials Needed: Personal computer or laptop Internet connection Basic understanding of computer operations

Steps:
1 - Introduction to the Act: Explain what the Computer Misuse Act 1990 is and why it's important for protecting digital information.

2 - Create a Digital Vault: Create a digital vault on a computer using encryption software. This could be a folder where you store sensitive files such as passwords, personal documents, or financial records.
3 - Set Authorization Levels: Set up authorisation levels for accessing the digital vault. This could involve creating a strong password or using biometric authentication if available.
4 - Test Authorisation: Demonstrate the importance of proper authorisation by attempting to access the digital vault without permission. Discuss why this would be illegal under the Computer Misuse Act 1990.
5 - Implement Security Measures: Implement additional security measures such as firewall protection, antivirus software, and regular software updates to further protect the digital vault from unauthorised access.
6 - Discuss Legal Implications: Discuss the potential legal implications of unauthorised access under the Computer Misuse Act 1990. Emphasize the importance of staying within the bounds of the law and respecting others' digital privacy.
7 - Reflection: Reflect on what has be learnt. Think about how you can apply these principles to safeguard your digital information and promote ethical behavior in your IT practices.

This activity provides a practical and hands-on approach for the you to understand the concept of unauthorised access and the importance of authorisation and security measures in compliance with the Computer Misuse Act 1990. It also encourages you to have critical thinking about digital ethics and responsible behavior in handling sensitive information.

4.1.5 Understand Equality legislation:

The nine protected characteristics

The Equality act of 2010 was bought about by the imalgimation of a number of anti-discrimination laws and legislations in 2010. The act identifies nine principles and chararcters that are protected, these are.

1. Age

Protection against discrimination based on a person’s age or age group (young or old) means that individuals must be treated fairly and equally regardless of how old they are, whether they are younger or older than the average person in a particular setting. Under UK equality legislation, it is unlawful to disadvantage someone simply because of assumptions, stereotypes, or generalisations linked to their age.

This protection applies across employment, education, training, and the provision of goods and services. Decisions such as recruitment, promotion, access to training, pay, redundancy selection, and dismissal must be based on ability, competence, experience, and performance, not age.

Age discrimination can take several forms:

• Direct discrimination - treating someone less favourably because of their age (e.g. refusing to hire someone because they are “too young” or “too old”).

• Indirect discrimination - applying policies that disadvantage a particular age group without a valid justification (e.g. requiring a set number of years’ experience that is unnecessary for the role).

• Harassment - age-related jokes, comments, or behaviour that create an intimidating or offensive environment.

• Victimisation - treating someone unfairly because they have complained about age discrimination or supported someone else’s complaint.

In practice, this means employers and organisations must:

• Use age-neutral language in job advertisements and policies.

• Offer equal access to training and development, regardless of age.

• Avoid assumptions such as younger people being unreliable or older people being resistant to change.

• Ensure performance management and redundancy decisions are objective and evidence-based.

Failure to uphold age protection can lead to employment tribunal claims, compensation awards, reputational damage, and loss of skilled or experienced individuals, all of which can negatively affect organisational performance and workplace culture.

In practice (compliant)

• A company advertises roles using skills and experience, not age-related language.

• Training opportunities are offered equally to apprentices, early-career staff, and older employees.

Not followed (non-compliant)

• A job advert states “ideal for a young, energetic graduate”.

• Older workers are excluded from training because they are “nearing retirement”.

Consequences for organisations

• Employment tribunal claims

• Compensation awards

• Reputational damage and negative publicity

• Loss of experienced staff

2. Disability

A physical or mental impairment that has a substantial and long-term negative effect on day-to-day activities refers to the legal definition of a disability under UK equality legislation. This protection ensures that individuals are not treated less favourably because of a disability and are supported to participate fully in work, education, and society.

A condition is considered a disability when:

• Physical or mental - it may affect the body (e.g. mobility, sight, hearing) or mental health (e.g. anxiety disorders, depression).

• Substantial - the effect is more than minor or trivial.

• Long-term - the condition has lasted, or is expected to last, 12 months or more.

• Day-to-day activities - it impacts normal activities such as walking, concentrating, reading, communicating, or using IT systems.

This protection covers both visible and non-visible (hidden) disabilities, including conditions such as dyslexia, autism, diabetes, epilepsy, and long-term mental health conditions.

Disability discrimination can occur in several ways:

• Direct discrimination - treating someone unfairly because of their disability.

• Indirect discrimination - applying policies that disadvantage disabled people (e.g. rigid working hours).

• Discrimination arising from disability - treating someone unfairly because of something connected to their disability (e.g. disability-related absence).

• Harassment and victimisation - creating a hostile environment or penalising someone for raising concerns.

In practice, organisations have a legal duty to make reasonable adjustments to remove barriers that disadvantage disabled individuals. This may include:

• Providing specialist equipment or assistive technology.

• Adjusting working hours or duties.

• Offering alternative assessment or communication methods.

• Making physical changes to buildings or workspaces.

Failure to support disabled individuals or make reasonable adjustments can result in employment tribunal claims, significant financial compensation, enforcement action by regulators, and serious reputational damage. Organisations that proactively support disability inclusion benefit from improved staff wellbeing, higher retention, and a more diverse and effective workforce.

In practice (compliant)

• Providing reasonable adjustments, such as:

  • Screen readers for visually impaired staff

  • Flexible working hours

  • Modified duties or equipment

Not followed (non-compliant)

• Refusing to adjust a workstation for an employee with chronic pain.

• Dismissing performance issues without considering disability-related needs.

Consequences for organisations

• Legal action for failure to make reasonable adjustments

• Costly settlements

• Enforcement action by the Equality and Human Rights Commission (EHRC)

3. Gender Reassignment

Protection for people who are transitioning, have transitioned, or identify as transgender means that individuals must not be discriminated against because of their gender reassignment status. Under UK equality legislation, a person is protected if they are proposing to undergo, are undergoing, or have undergone a process to reassign their sex, and this protection applies regardless of whether medical treatment or surgery is involved.

This protection recognises that gender reassignment is a deeply personal process and that individuals have the right to be treated with dignity, respect, and privacy in all areas of life, including employment, education, and access to services.

Discrimination related to gender reassignment can take several forms:

• Direct discrimination - treating someone less favourably because they are transgender (e.g. refusing promotion due to their transition).

• Indirect discrimination - policies or practices that disadvantage trans people without justification (e.g. inflexible dress codes).

• Harassment - unwanted conduct such as jokes, intrusive questions, or deliberate misuse of names or pronouns.

• Victimisation - treating someone unfairly because they have raised concerns or supported others regarding trans rights.

In practice, organisations are expected to:

• Respect an individual’s chosen name, title, and pronouns.

• Update records confidentially and accurately.

• Ensure access to appropriate facilities, such as toilets or changing areas.

• Maintain strict confidentiality about a person’s gender history.

Failure to uphold protections for transgender individuals can result in legal claims, compensation awards, and significant reputational damage. It can also lead to a toxic workplace culture, reduced staff wellbeing, and higher turnover. Organisations that actively support gender identity inclusion benefit from stronger trust, improved morale, and a more inclusive and respectful environment for all.

In practice (compliant)

• Respecting chosen names and pronouns.

• Updating HR records confidentially and appropriately.

• Allowing access to correct toilets and facilities.

Not followed (non-compliant)

• Deliberate misgendering by managers.

• Excluding a trans employee from customer-facing roles.

Consequences for organisations

• Discrimination and harassment claims

• Severe reputational harm

• Loss of trust among staff and customers

4. Marriage and Civil Partnership

Protection for people who are married or in a civil partnership (employment-related only) means that employees and job applicants must not be treated less favourably because they are legally married or in a civil partnership. Under UK equality legislation, this protection applies specifically within employment and workplace contexts, such as recruitment, promotion, pay, training, and dismissal.

This characteristic recognises that an individual’s legal relationship status should have no bearing on their ability to perform a role or access workplace opportunities. It applies equally to opposite-sex marriages and same-sex civil partnerships.

Discrimination related to marriage or civil partnership may include:

• Direct discrimination - treating someone unfairly because they are married or in a civil partnership (e.g. overlooking them for promotion due to assumptions about family commitments).

• Indirect discrimination - applying workplace policies that disadvantage married or civil-partnered employees without objective justification.

• Victimisation - treating someone unfavourably because they have raised concerns or supported a complaint related to this protection.

In practice, employers must:

• Ensure recruitment and promotion decisions are based on merit, skills, and performance, not marital status.

• Provide equal access to workplace benefits, training, and development opportunities.

• Avoid assumptions that married employees are less flexible or more distracted by personal responsibilities.

• Treat civil partnerships with the same respect and recognition as marriage.

Failure to comply with this protection can result in employment tribunal claims, financial compensation, and damage to organisational reputation. It can also negatively affect staff morale and trust. Organisations that apply fair and inclusive practices create a more respectful working environment and benefit from higher employee engagement and retention.

In practice (compliant)

• Equal access to benefits, promotions, and training regardless of marital status.

Not followed (non-compliant)

• Assuming married employees are less flexible.

• Denying opportunities to staff in civil partnerships.

Consequences for organisations

• Tribunal claims

• Breach of employment law

• Damage to workplace morale

5. Pregnancy and Maternity

Protection during pregnancy and maternity leave means that individuals must not be treated unfairly because they are pregnant, have recently given birth, or are on maternity leave. Under UK equality legislation, pregnancy and maternity is a protected characteristic that ensures individuals are supported during this period and are able to return to work without disadvantage.

This protection applies from the start of pregnancy through to the end of statutory maternity leave and covers all aspects of employment, including recruitment, pay, promotion, training, redundancy, and dismissal.

Discrimination related to pregnancy and maternity can include:

• Direct discrimination - treating someone less favourably because they are pregnant or on maternity leave (e.g. refusing promotion or dismissing them due to pregnancy).

• Unfair dismissal - terminating employment for reasons connected to pregnancy or maternity.

• Detriment - placing someone at a disadvantage, such as removing responsibilities or excluding them from opportunities.

In practice, employers are required to:

• Carry out pregnancy risk assessments to protect health and safety.

• Allow time off for antenatal appointments.

• Provide statutory maternity leave and pay in line with the law.

• Ensure employees can return to the same job, or a suitable alternative, after maternity leave.

• Support flexible working requests where appropriate.

Failure to uphold pregnancy and maternity protections can lead to automatic unfair dismissal claims, significant financial compensation, and serious reputational damage. It can also undermine workplace trust and staff wellbeing. Organisations that actively support pregnant employees and new parents benefit from higher staff retention, improved morale, and a positive organisational culture.

In practice (compliant)

• Conducting pregnancy risk assessments.

• Allowing maternity leave and flexible return-to-work arrangements.

Not followed (non-compliant)

• Dismissing an employee due to pregnancy.

• Penalising absence related to maternity.

Consequences for organisations

• Automatic unfair dismissal claims

• High compensation payouts

• Regulatory scrutiny

6. Race

Includes colour, nationality, ethnic or national origin refers to the protected characteristic of race under UK equality legislation. This protection ensures that individuals are not discriminated against, harassed, or victimised because of their racial background or heritage, and that everyone is treated fairly and with respect.

Race protection covers a wide range of characteristics, including:

• Colour - skin colour or complexion.

• Nationality - citizenship or legal national status.

• Ethnic origin - shared cultural traditions, language, or ancestry.

• National origin - country or region where a person was born or has family roots.

This protection applies across employment, education, housing, healthcare, and access to goods and services.

Race discrimination can take several forms:

• Direct discrimination - treating someone less favourably because of their race (e.g. refusing to hire someone due to their accent or skin colour).

• Indirect discrimination - policies that disadvantage certain racial groups without objective justification (e.g. recruitment practices that favour only local qualifications when equivalents exist).

• Harassment - racist language, jokes, stereotyping, or exclusion.

• Victimisation - penalising someone for reporting or supporting a complaint about racial discrimination.

In practice, organisations are expected to:

• Implement fair and transparent recruitment and promotion processes.

• Provide equality and diversity training to staff.

• Challenge racist behaviour immediately and effectively.

• Monitor policies and outcomes to identify and address racial inequality.

Failure to comply with race protection can result in serious legal consequences, including employment tribunal claims, large compensation awards, and intervention by regulatory bodies. It can also cause significant reputational damage, loss of public confidence, and reduced staff morale. Organisations that actively promote racial equality benefit from a more inclusive culture, improved decision-making, and stronger relationships with employees and service users.

In practice (compliant)

• Fair recruitment processes with anonymised applications.

• Zero-tolerance policies for racist language or behaviour.

Not followed (non-compliant)

• Racial harassment ignored by management.

• Promotion decisions influenced by ethnicity.

Consequences for organisations

• Serious reputational damage

• Legal penalties and compensation

• Loss of public contracts or funding

7. Religion or Belief

Includes religious beliefs, philosophical beliefs, or lack of belief refers to the protected characteristic of religion or belief under UK equality legislation. This protection ensures that individuals are not treated unfairly because of what they believe, how they practise their beliefs, or because they do not hold any religious or philosophical belief.

This protection covers:

• Religious beliefs - such as Christianity, Islam, Hinduism, Judaism, Sikhism, Buddhism, and other recognised religions.

• Philosophical beliefs - beliefs that are genuinely held, serious, and affect how a person lives their life (e.g. ethical veganism).

• Lack of belief - protection for people who do not follow a religion or belief system.

Religion or belief discrimination can take several forms:

• Direct discrimination - treating someone less favourably because of their religion or belief (e.g. refusing employment because of religious dress).

• Indirect discrimination - policies that disadvantage people of certain beliefs without justification (e.g. mandatory work times that conflict with religious observance).

• Harassment - offensive comments, jokes, or behaviour relating to religion or belief.

• Victimisation - treating someone unfairly because they have raised or supported a complaint.

In practice, organisations should:

• Accommodate reasonable requests related to religious observance, such as prayer breaks or flexible working hours.

• Allow religious dress or symbols unless there is a genuine and proportionate reason (such as health and safety).

• Foster a culture of mutual respect and understanding.

• Ensure policies are inclusive and do not disadvantage particular belief groups.

Failure to respect religion or belief protections can lead to employment tribunal claims, financial compensation, and reputational harm. It may also create a divisive or hostile environment, reducing staff engagement and wellbeing. Organisations that actively respect religious diversity benefit from a more inclusive workplace and stronger relationships with employees and service users.

In practice (compliant)

• Allowing prayer space or flexible breaks.

• Respecting religious dress unless a genuine safety reason exists.

Not followed (non-compliant)

• Mocking religious practices.

• Refusing reasonable requests for religious observance.

Consequences for organisations

• Discrimination and harassment claims

• Loss of workforce diversity

• Negative press coverage

8. Sex

Protection against discrimination based on being male or female refers to the protected characteristic of sex under UK equality legislation. This protection ensures that individuals are treated fairly and equally regardless of whether they are male or female, and that decisions are based on ability, merit, and performance rather than gender-based assumptions or stereotypes.

This protection applies across employment, education, training, and the provision of goods and services.

Sex discrimination can take several forms:

• Direct discrimination - treating someone less favourably because of their sex (e.g. refusing promotion because someone is female or male).

• Indirect discrimination - policies or practices that disadvantage one sex more than the other without objective justification (e.g. work patterns that disproportionately affect women).

• Harassment - unwanted behaviour related to sex that violates dignity or creates a hostile or offensive environment.

• Victimisation - treating someone unfairly because they have raised or supported a complaint about sex discrimination.

In practice, organisations must:

• Ensure equal pay for equal work, in line with equal pay legislation.

• Provide fair access to recruitment, promotion, training, and development opportunities.

• Prevent and address sexual harassment through clear policies and training.

• Avoid gender stereotypes, such as assumptions about leadership ability or technical competence.

Failure to comply with sex discrimination protections can result in employment tribunal claims, equal pay disputes, substantial financial penalties, and serious reputational damage. It can also negatively affect organisational culture, leading to reduced morale and trust. Organisations that promote gender equality benefit from improved staff engagement, better decision-making, and a more inclusive and productive workplace.

In practice (compliant)

• Equal pay for equal work.

• Fair promotion and development opportunities.

Not followed (non-compliant)

• Gender pay inequality.

• Excluding women from senior roles or technical teams.

Consequences for organisations

• Gender pay gap reporting failures

• Tribunal claims

• Loss of public trust and brand credibility

9. Sexual Orientation

Protection for lesbian, gay, bisexual, and heterosexual individuals refers to the protected characteristic of sexual orientation under UK equality legislation. This protection ensures that individuals are not treated unfairly, harassed, or excluded because of who they are attracted to, who they form relationships with, or how they identify their sexual orientation.

Sexual orientation protection applies equally to:

• Lesbian individuals

• Gay individuals

• Bisexual individuals

• Heterosexual individuals

It covers all stages of employment and service provision, including recruitment, promotion, training, dismissal, education, and access to goods and services.

Discrimination related to sexual orientation can take several forms:

• Direct discrimination - treating someone less favourably because of their sexual orientation (e.g. refusing promotion because someone is gay).

• Indirect discrimination - policies that disadvantage people of a particular sexual orientation without justification.

• Harassment – homophobic, biphobic, or derogatory language, jokes, or behaviour.

• Victimisation - treating someone unfairly because they have reported discrimination or supported another complaint.

In practice, organisations are expected to:

• Maintain inclusive policies that clearly prohibit discrimination and harassment.

• Challenge inappropriate language or behaviour immediately.

• Ensure equal access to benefits, training, and career progression.

• Create an environment where individuals feel safe to be open about their identity without fear of negative consequences.

Failure to uphold sexual orientation protections can result in employment tribunal claims, financial compensation, and serious reputational damage. It can also lead to a hostile workplace culture, reduced staff wellbeing, and higher staff turnover. Organisations that actively promote inclusionand equality benefit from increased trust, stronger teamwork, and a more positive organisational reputation.

In practice (compliant)

• Inclusive policies and staff training.

• Challenging homophobic language immediately.

Not followed (non-compliant)

• Harassment ignored or dismissed as “banter”.

• Denying promotion due to sexual orientation.

Consequences for organisations

• Legal claims and compensation

• Workplace culture breakdown

• High staff turnover

Further guidance is provided to organisations through a number of governmental webpages.
The Equality Act and protected characteristics | Local Government Association

Equality in the Workplace – Protected Characteristics Presentation

You will focus on one of the protected characteristics covered by the Equality Act 2010 and explain how it must be protected at work.

How You Will Work
You will work in a small team of 2–3 students
Each team will be given one protected characteristic
No two teams will work on the same characteristic
You will create and deliver a short presentation (5–7 minutes)

The 9 Protected Characteristics
Your teacher will assign your group one of the following:
 - Age
 - Disability
 - Gender reassignment
 - Marriage and civil partnership
 - Pregnancy and maternity
 - Race
 - Religion or belief
 - Sex
 - Sexual orientation

What Your Presentation MUST Include
Your presentation must contain all of the sections below. Missing sections may mean you do not meet the learning outcome.

1. Explain the Protected Characteristic
You must:
 - Clearly explain what your assigned protected characteristic means
 - Describe how it applies in a workplace setting
 - Give at least one example (e.g. recruitment, promotion, training, working conditions)

2. Explain Employer Responsibilities
You must explain:
 - What employers are legally required to do to protect this characteristic
 - How employers should treat staff fairly
 - Any adjustments or policies employers must have in place
Examples may include:
 - Equality and diversity policies
 - Fair recruitment practices
 - Reasonable adjustments for staff

3. Case Study of Failure
You must include a real or realistic case study where an employer failed to meet their legal responsibilities.
You must explain:
 - What the employer did wrong
 - Which protected characteristic was affected
 - How this affected the employee or individual
 - What happened to the employer as a result

4. Consequences for Employers
You must explain what can happen if an employer does not follow equality legislation, such as:
 - Legal action or employment tribunals
 - Financial penalties
 - Damage to reputation
 - Loss of staff trust and morale

5. How Employers Can Do Better
You must suggest practical ways employers can prevent discrimination, for example:
 - Staff training
 - Clear reporting procedures
 - Fair workplace policies
 - Inclusive working practices

Presentation Rules
Every group member must speak
Use clear and professional language
Slides should support what you say, not be full of text
Include at least one image, diagram, or visual

Types of discrimination:

Direct Discrimination

Definition
Direct discrimination occurs when someone is treated less favourably than another person because of a protected characteristic (such as age, disability, gender reassignment, race, religion, sex, or sexual orientation).

This type of discrimination is intentional and often easy to identify because the unfair treatment is clearly linked to who the person is.

Workplace Example
An employer refuses to promote a qualified female employee because they believe “men are better suited to leadership roles”.

Case Study: Pregnancy Discrimination
A UK tribunal case involved a woman being dismissed shortly after informing her employer she was pregnant. Her employer claimed the dismissal was due to “performance issues”, but evidence showed her performance had been rated positively before the pregnancy announcement.

Indirect Discrimination

Definition
Indirect discrimination happens when a policy, rule, or working practice applies to everyone but disadvantages a particular group with a protected characteristic.

Importantly, this discrimination is often unintentional.

Workplace Example
A company introduces a rule that all staff must work late on Friday evenings. This disadvantages Muslim employees who attend Friday prayers.

Case Study: Working Hours Policy
In a UK case, a retail employer required all managers to work full-time hours, including weekends. A female employee returning from maternity leave requested flexible working, which was refused.

Harassment

Definition
Harassment is unwanted behaviour related to a protected characteristic that violates someone’s dignity or creates an intimidating, hostile, degrading, humiliating, or offensive environment.

It can be:

• Verbal (comments, jokes)

• Physical

• Written or digital (emails, messages)

Workplace Example
An employee repeatedly makes jokes about a colleague’s disability, despite being asked to stop.

Case Study: Racial Harassment at Work
In a UK tribunal case, an employee was subjected to repeated racial slurs and “banter” by colleagues. Management failed to take action when complaints were raised.

Victimisation

Definition
Victimisation occurs when someone is treated unfairly because they have made, supported, or are believed to have made a complaint about discrimination or harassment.

This includes:

• Being disciplined

• Being denied promotion

• Being excluded or dismissed

Workplace Example
An employee raises a formal grievance about racial discrimination and is later excluded from training opportunities as a result.

Case Study: Retaliation After Complaint
In a UK case, an employee who supported a colleague’s discrimination claim was later passed over for promotion and given negative appraisals.

Create an infographic on the different types of descrimination that occur, Provide examples of where this has happened and the consiquences to orgnisations and individuals. Your inforgraphic should be as informative as is possible including images that capture the attention of others.

• where individuals are protected

• when to take action against discrimination

o time limits for claims.

4.1.6 Understand Intellectual Property legislation:

"Its all Mine, or is it?

Create a infomative presentation to discuss and explain the priniples of Interlectual Property or IP. Discuss, what it protects, who it protects, the ownership of it. Explain the protection that is given and what protection areas that there are. Where you are able to provide examples of breaches, or agreements with employees and organisations that have happened. 

• unregistered designs

• registered designs

• patents.

US vs China over IP

“Who Owns It?”

Learning focus: Understanding Intellectual Property, ownership, and misuse in the UK

Scenario (Read this first)
You work for a small digital company that creates:
 - Websites
 - Apps
 - Logos
 - Training videos
 - Social media content

Your manager has discovered that some content may have been copied, reused, or shared incorrectly.
Your job is to decide who owns the work, what type of Intellectual Property applies, and whether the use is legal or illegal.

Task 1 - IP Decision Cards (8 minutes)
Your teacher will give you (or display) 4 short scenarios.
For each scenario, discuss and decide:
 - What type of Intellectual Property is involved?
 - Copyright
 - Trademark
 - Patent
 - Design right
 - Is this use allowed or not?
 - Allowed
 - Not allowed
 - Why? (Give one clear reason)

Example Scenarios
Scenario A
A student copies code from GitHub and submits it as their own coursework.
Scenario B
A business uses a competitor’s logo on their website “by mistake”.
Scenario C
A developer creates a new mobile app using an original idea and original code.
Scenario D
Someone downloads an image from Google and uses it on a business website without permission.


Task 2 - Quick Share & Challenge (3 minutes)
Each group:
Chooses one scenario
Explains their decision in 30 seconds
Other groups can:
Agree
Challenge the decision
Ask “What law protects that?”


Task 3 - Rapid-Fire Quiz (2 minutes)
Quick questions.
Put thumbs up for legal or thumbs down for illegal.
Examples:
“Using music in a YouTube video without permission”
“Creating your own logo for a new brand”
“Sharing paid software with friends”

What You Should Now Understand by the end of this activity, you should be able to:
Explain what Intellectual Property is
Identify different types of IP
Recognise legal vs illegal use
Understand why IP law exists in the UK
Apply IP rules to real digital and workplace scenarios


Stretch (If Time Allows)
Answer this question verbally or in writing:
Why is Intellectual Property especially important in digital industries like IT, media, and software development?

4.1.7 Understand Electrical Waste legislation:

The WEEE regulations are a set of environmental regulations that are designed to ensure that any electrical equipment is recycled, reused, or disposed of in an ethical and non-environmentally impacting way. Within companies, any electrical material or devices are in most situations, disposed of in specialist bins that external contractors will take away and do the recycling of the materials if they cannot be reused again, however, in some situations, some of the electrical devices may need to be destroyed beyond any repair or reuse as these may store personal and sensitive information, and must be disposed of destructively.

WEEE legislation is necessary because electrical equipment contains toxic materials, such as lead and mercury, which can cause environmental damage if disposed of incorrectly. In addition, most IT equipment stores personal or organisational data, meaning unsafe disposal can lead to data breaches and security incidents. Under WEEE, organisations are required to use authorised disposal routes and ensure equipment is recycled or treated safely.

Consider what mineral resources are used in most electronic devices, how are these found/collected/created? what environmental impact does the gathering of these resources have on the globe? 

The following video shows, the poppular TV show Gold Rush and the efforts of miners to get as much gold as they can mine. Reflect on the images in the video and the equipment that is used and the materials that these use to get to the gold. Now we should think, what electronics we have in our cupboards and draws that we no longer use. What would be done with these?

In small groups of 2-3 reflect on the disposal of electrical equipment, research and discuss the main minerals found in most electrical devices and the current issue of e-waste in the UK.

o key features:

governs the safe and environmentally responsible disposal of electrical equipment

What the Legislation says
Review and discuss with others the WEEE legislation that is applied in the UK. Using the following link explore the principles, what organisations can do to ensure that they meet these expectations and obide by the prinicples in thier practices

Regulations: Waste Electrical and Electronic Equipment (WEEE)  GOV.UK

Waste Electrical and Electronic Equipment Regulations

A medium-sized UK financial services company undertook a routine IT refresh, replacing over 120 desktop PCs, laptops, and network switches. Due to time pressure and a lack of clear internal procedures, the organisation instructed facilities staff to remove the old equipment. The devices were collected by a general waste contractor, not a licensed WEEE disposal provider.
Several of the machines still contained hard drives with customer data, including names, addresses, and partial financial records.

What Went Wrong
The organisation failed in several key areas:
WEEE non-compliance: Electrical equipment was not disposed of through an authorised WEEE scheme
Poor data handling: Hard drives were not wiped, removed, or destroyed
Lack of staff training: Facilities staff were unaware of legal responsibilities
No audit trail: There was no waste transfer documentation
Weeks later, some of the equipment was discovered at an unregulated recycling site, with data still accessible on the drives.

What Should Have Happened
If WEEE legislation and safe disposal procedures had been followed:
All devices would have been logged as end-of-life assets

Storage media would have been:
Securely wiped using certified software
Or physically destroyed (e.g. shredding)
Equipment would have been collected by a licensed WEEE contractor
Disposal would be documented using waste transfer notes
Staff roles and responsibilities would be clearly defined

Safe disposal

Environmentally responsible disposal.

Environmentally responsible disposal is the process of getting rid of waste, particularly electrical and electronic equipment (WEEE), in a way that minimises harm to the environment and protects human health while fully complying with UK environmental legislation. Electrical equipment often contains hazardous substances such as heavy metals and chemicals, which can cause serious environmental damage if released into soil or water. Environmentally responsible disposal ensures these materials are handled safely and prevents pollution and long-term ecological harm.

Rather than disposing of electrical items in landfill, environmentally responsible disposal focuses on reuse, recycling, and safe treatment of waste through approved methods. Equipment that is still functional may be refurbished and reused, extending its lifespan and reducing the demand for new raw materials. Where reuse is not possible, devices are dismantled so that valuable materials such as copper, aluminium, and plastics can be recovered and recycled. Any hazardous components are removed and treated in specialist facilities.

This process is carried out by licensed and authorised waste contractors who follow strict regulations and provide documentation such as waste transfer notes to demonstrate compliance. By using approved disposal routes, organisations reduce their legal risk, support sustainability objectives, and demonstrate ethical and professional practice. Overall, environmentally responsible disposal plays a vital role in protecting the environment, supporting the circular economy, and ensuring organisations meet their legal and social responsibilities.

UK Organisations That Provide Environmentally Responsible Disposal

Veolia

Veolia is one of the UK’s largest waste management companies and provides WEEE-compliant recycling services for businesses and public sector organisations.

Services include:

• Collection and recycling of IT equipment

• Separation of hazardous materials

• Resource recovery and reuse

Biffa

Biffa offers environmentally responsible WEEE disposal and works closely with organisations to reduce landfill waste.

Services include:

• WEEE recycling collections

• Environmental compliance reporting

• Sustainable waste management solutions

Recycling Lives

Recycling Lives focuses on ethical recycling and reuse, particularly for IT and electronic equipment.

Services include:

• IT refurbishment and reuse

• Responsible recycling of non-reusable equipment

• Strong environmental and social responsibility focus

Computer Disposals Ltd

A specialist IT asset disposal (ITAD) provider that combines secure data destruction with environmentally responsible recycling.

Services include:

• Secure hard drive destruction

• WEEE-compliant recycling

• Certification and audit trails

Benefits of Using Environmentally Responsible Disposal Organisations

Environmental benefits

Reduces landfill waste and pollution
Prevents release of hazardous substances
Supports recycling and circular economy principles

Legal and compliance benefits

Ensures compliance with WEEE Regulations
Provides waste transfer notes and audit evidence
Reduces risk of fines or enforcement action

Professional and reputational benefits

Demonstrates corporate social responsibility
Builds trust with customers and stakeholders
Supports sustainability policies and ESG targets

Operational benefits

Clear processes and expert handling
Reduced burden on internal staff
Professional handling of hazardous materials

Drawbacks of Using Specialist Disposal Organisations

Cost

Specialist WEEE and IT disposal services can be more expensive than general waste collection
Secure data destruction often carries additional charges

Administrative overhead

Requires contracts, scheduling, and record-keeping
May involve audits or compliance checks

Logistics

Collection times may need to be booked in advance
Organisations may need secure storage for equipment before collection

Limited control

Disposal is handled externally, meaning organisations must trust third-party providers
Due diligence is required to ensure contractors are genuinely compliant

Although environmentally responsible disposal organisations can involve higher costs and increased administration, these drawbacks are outweighed by the legal protection, environmental benefits, and reduced security risk they provide. Using licensed WEEE providers ensures compliance with legislation, protects sensitive data, and supports sustainability objectives.

For organisations handling IT equipment, environmentally responsible disposal should be viewed not as an optional expense, but as a necessary part of professional and ethical practice.

To Dispose or not Dispose That is the question
Using the following worksheet, and working pairs work through the tasks and questions, you will reflect back to the group on your findings and suggestions. 
WEEE worksheet

4.1.8 Understand the interrelationships between digital support and security

and digital legislation, and make judgements about the impact on

organisations, society and individuals.

4.1.9 Know that international law applies to some offences:

• international law in cyberspace

• international law and surveillance.

4.2 Guidelines

4.2.1 Know the sources of codes of conduct:

Organisations

Professional

British Computer Society (BCS)

The BCS code of conduct has four key principles, 

• Make IT for Everyone
• What you know, learn what you dont
• Respect the organisation or individual you work with
• Keep IT real. Keep IT Professional. Pass IT on

These condes act as powerfull endorsements of individuals integrity and ethics whilst working as IT professionals. 

"Know IT yourself"
Using the link below, look further in to the 4 priniciples/codes that are used by the BCS. Create a powerpoint that explains these in more detail.

BCS Code of Conduct for members - Ethics for IT professionals | BCS

The Institution of Analysts and Programmers (IAP)

The Institution of Analysts and Programmers (IAP) is a professional body that supports both the public and its members by helping individuals enter the IT profession, providing technical expertise, and promoting high standards in software development. The IAP offers guidance on IT careers, particularly in systems analysis and programming, and advises on relevant training courses and qualifications, including recommending approved courses delivered by partner universities and private training providers, many of which contribute towards IAP membership or allow direct entry as a Graduate member (GradIAP).

In addition, the IAP provides technical assistance through its members, who work across all areas of business and industry and may be available for consultancy, with verified credentials listed in the Register of Consultants. The organisation also supports employers, clients, and the public by confirming members’ qualifications and membership grades. Alongside this, the IAP fosters Communities of Practice (COPs) focused on improving software for society, bringing together professionals with shared interests in areas such as cyber security, health, transport, cloud computing, artificial intelligence, robotics, IoT, defence, telecoms, and software development, helping to encourage collaboration, knowledge sharing, and professional development across the IT sector.

The IAP Code of Conduct covers 4 areas these are;

 - Duty to the Public

 - Duty to the Profession

 - Duties to the Institution of Analysts and Programmers

 - Duties to Clients and Employers

"Investigate And Present (IAP)"
Using the link below, look further in to the 4 priniciples/codes that are used by the IAP. Create a powerpoint that explains these in more detail.

iap.org.uk/code-of-conduct

Chartered Institute of Information Security (CIISec)

The Chartered Institute of Information Security (CIISec) is the world’s first cyber and information security body to receive Royal Charter status, highlighting its leadership in raising professional standards across the sector. It operates as an independent, not-for-profit organisation governed by its members and provides a trusted, central voice for the cyber and information security profession. Representing over 35,000 professionals at all stages of their careers, CIISec supports its community through programmes focused on professional development, recognition and career success. Its core objectives include promoting the advancement and sharing of knowledge for the public benefit, establishing and upholding high ethical and professional standards in the UK and internationally, and acting as an authoritative body for consultation and research on education and issues of public interest within cyber and information security.

THe CIISec has 3 areas of conduct,

 -  Maintain Professionalism

 - Act in an Ethical Manner

 - Promote Best Practice

"Investigate And Present (IAP)"
Using the link below, look further in to the 3 priniciples/codes that are used by the CIISec. Create a powerpoint that explains these in more detail.

Code of Conduct & Ethics - CIISec

Governmental.

Governmental codes of conduct and professional behaviour standards originate from:

1. Primary legislation (Acts of Parliament).

2. Government departments issuing policy and statutory guidance.

3. Regulatory authorities (e.g. ICO, HSE).

4. Official statutory codes of practice.

5. Public sector conduct frameworks (e.g. Civil Service Code).

In digital support and IT roles, aligning codes of conduct with these governmental sources ensures lawful, ethical and high-quality professional practice.

 The focus in these bodies is to minimises risk to the public, to protect rights and freedoms of those linked to practices and contact with services that are offered by organisation ensuring that competence and accountability is kept so that organisations maintain integrity and trust.

4.2.2 Understand how guidelines in codes of conduct influence professional

Professional codes of conduct provide structured guidelines that shape behaviour in the workplace. They act as a bridge between organisational policies, legal requirements and day-to-day professional practice. By setting clear expectations, codes of conduct ensure individuals operate within defined standards, protecting both the public and the organisation.

In sectors such as IT, cybersecurity and digital support services, professional conduct is often guided by organisations such as Chartered Institute for IT and Chartered Institute of Information Security, whose codes emphasise lawful practice, competence, integrity and responsibility.

This ensures quality of work by:

• Minimising risk to the public - reducing data breaches, system failures, and misuse of information.

• Acting with competence and integrity - ensuring decisions are based on skill, ethical judgement and compliance with the law.

Behaviour

Meeting Deadlines

Codes of conduct often require professionals to act diligently and responsibly. This includes managing time effectively and delivering work within agreed timescales.

How Guidelines Influence Behaviour

• Professionals are expected to plan workloads realistically.

• They must communicate early if delays are likely.

• They must not compromise quality or legal compliance simply to meet a deadline.

Linked Example

An IT support technician is tasked with deploying a software security patch across a school network. The organisation’s policy requires testing before full rollout.

If the technician rushes the process to meet a deadline without testing, it could:

• Cause system instability.

• Disrupt teaching and learning.

• Create new vulnerabilities.

By following procedures properly:

• The patch is tested in a controlled environment.

• Risks are assessed.

• Documentation is completed.

This approach minimises risk to users and ensures the technician demonstrates competence and integrity. Meeting deadlines is important, but meeting them professionally without bypassing safeguards is what ensures quality.

Acting with Competence and Integrity

Codes of conduct require individuals to:

• Work within the limits of their expertise.

• Seek support when necessary.

• Undertake continuing professional development.

• Avoid conflicts of interest.

Example

If an IT professional is asked to configure a firewall but lacks sufficient knowledge, acting with integrity means:

• Acknowledging the limitation.

• Requesting training or specialist support.

• Not guessing or implementing unsafe configurations.

This ensures:

• Systems remain secure.

• The public is protected.

• Professional standards are upheld.

Competence ensures quality; integrity ensures ethical decision-making.

• meeting deadlines

• effective communication

Maintaining Confidentiality and Trust

Confidentiality is central to most professional codes of conduct, particularly in digital and data-driven environments.

How Guidelines Influence Behaviour, Professionals must:

• Protect sensitive information.

• Access data only when authorised.

• Avoid sharing information without lawful basis.

• Follow secure data handling procedures.

Linked Example

A digital support technician has access to staff and student personal data stored on a management system. The code of conduct requires:

• Logging out of systems when not in use.

• Not discussing personal data in public spaces.

• Encrypting devices containing sensitive information.

If confidentiality is breached:

• Individuals may suffer harm (identity theft, reputational damage).

• The organisation could face legal penalties.

• Public trust may be lost.

By adhering to professional standards and legislation such as the Data Protection Act, the technician ensures:

• Risk to the public is minimised.

• Work is carried out lawfully.

• Trust between service provider and user is maintained.

Trust is fundamental in professional relationships. Without it, systems cannot function effectively.

4.2.3 Know the sources of digital industry standards:

International Organization for Standardization (ISO)

The International Organization for Standardization (ISO) is an independent, non-governmental international organisation that develops and publishes global standards.

It was founded in 1947 and is made up of national standards bodies from over 160 countries. In the UK, the national member body representing ISO is the British Standards Institution (BSI).

ISO creates agreed standards to ensure that products, services, and systems are:

• Safe

• Reliable

• Efficient

• Consistent

• Compatible internationally

The main purposes of ISO are:

To Ensure Quality and Consistency

ISO standards provide agreed frameworks so that organisations can deliver products and services that meet customer and regulatory requirements.

To Improve Safety

Standards help reduce risk, protect consumers, and ensure safe working practices.

To Support International Trade

By using globally recognised standards, companies can trade internationally without needing to meet different technical requirements for each country.

To Promote Best Practice

ISO standards are built using expert knowledge from industry professionals, ensuring organisations follow proven and effective methods.

Some widely recognised ISO standards include:

ISO 27001

ISO 27001 is an internationally recognised standard for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Its purpose is to help organisations systematically protect sensitive information, including customer data, financial records and intellectual property. The standard is built around risk management: organisations must identify information assets, assess threats and vulnerabilities, evaluate risk levels, and apply appropriate security controls from Annex A (such as access control, encryption, incident response and supplier security). It follows a continual improvement model (Plan-Do-Check-Act), requiring regular monitoring, internal audits and management reviews. Certification demonstrates that an organisation has structured, documented and independently verified information security processes, which is particularly important in digital support, cybersecurity and data protection environments where confidentiality, integrity and availability must be maintained.

• Focus: Information Security Management Systems (ISMS)

• Used to protect data and manage cybersecurity risks

• Highly relevant in digital support and IT roles

ISO 9001

ISO 9001 is the world’s most widely adopted Quality Management System (QMS) standard. It focuses on ensuring that organisations consistently meet customer and regulatory requirements while continually improving their processes. The standard emphasises customer satisfaction, leadership commitment, process control, evidence-based decision-making and risk-based thinking. Organisations must document procedures, monitor performance, address non-conformities, and implement corrective actions where issues arise. ISO 9001 does not specify how a product or service must be delivered; instead, it ensures that systems are in place to maintain consistency, reliability and quality. Certification to ISO 9001 can enhance reputation, increase customer confidence and improve operational efficiency by reducing waste, duplication and errors.

• Focus: Quality Management Systems

• Ensures consistent service and product quality

• Common across all industries

ISO 14001

ISO 14001 provides a framework for an Environmental Management System (EMS), helping organisations manage their environmental responsibilities in a systematic and sustainable way. The standard requires organisations to identify environmental aspects and impacts (such as waste generation, energy use, emissions and resource consumption), comply with legal obligations, and set measurable environmental objectives. Like other ISO management standards, it follows the Plan-Do-Check-Act cycle and promotes continual improvement. ISO 14001 supports organisations in reducing their environmental footprint, improving resource efficiency and demonstrating corporate social responsibility. Certification signals to customers, regulators and stakeholders that the organisation actively manages environmental risks and is committed to sustainable practices.

• Focus: Environmental management

• Helps organisations reduce environmental impact

Web Content Accessibility guidelines (WCAG)

The Web Content Accessibility Guidelines (WCAG) are internationally recognised guidelines developed by the World Wide Web Consortium (W3C) to make web content more accessible to people with disabilities. WCAG provides a framework to ensure websites, applications and digital services can be used by individuals with visual, auditory, physical, speech, cognitive and neurological impairments. The purpose of WCAG is to remove digital barriers and promote inclusive design, ensuring that everyone can perceive, understand, navigate and interact with online content. In the UK, WCAG is particularly important because public sector websites must meet WCAG standards under accessibility regulations linked to the Equality Act 2010.

WCAG is structured around four core principles known as POUR: content must be Perceivable (e.g., providing alternative text for images and captions for videos), Operable (e.g., ensuring full keyboard navigation and avoiding content that causes seizures), Understandable (e.g., clear language, predictable navigation and helpful error messages), and Robust (e.g., compatibility with assistive technologies such as screen readers). The guidelines are organised into testable success criteria across three levels of compliance: A (minimum), AA (standard requirement for most organisations), and AAA (highest level). Together, these criteria provide practical standards that developers and organisations use to design and evaluate accessible digital content.

World Wide Web Consortium (W3C)

The World Wide Web Consortium (W3C) is the main international organisation responsible for developing standards that ensure the long-term growth, stability and interoperability of the World Wide Web. Founded in 1994 by Tim Berners-Lee (the creator of the URL, HTML and HTTP protocols that enabled the creation of the internet), the W3C brings together member organisations, industry experts and the public to create open standards that allow websites, browsers and web technologies to work consistently across different devices and platforms. Its purpose is to ensure that the web remains accessible, secure, compatible and usable for everyone worldwide.

The W3C develops and maintains key web standards such as HTML, CSS, and accessibility frameworks like WCAG. It produces technical specifications, design principles and validation tools to guide developers in building compliant and interoperable websites. The organisation also promotes areas such as web security, privacy, internationalisation and mobile responsiveness. By creating universal technical standards rather than proprietary systems, the W3C ensures that the web remains open, consistent and accessible across different browsers, operating systems and technologies.

Internet Engineering Task Force (IETF)

The Internet Engineering Task Force (IETF) is an open international community of network designers, engineers, researchers and vendors who develop and promote voluntary technical standards that ensure the smooth operation of the internet. Formed in 1986, the IETF’s primary purpose is to improve the way the internet works by creating standards that support interoperability, reliability and security across global networks. Unlike regulatory bodies, the IETF operates through collaboration and consensus, allowing experts worldwide to contribute to the development of internet technologies.

The IETF produces standards known as Request for Comments (RFCs), which define how internet protocols function. These include foundational technologies such as Transmission Control Protocol (TCP), Internet Protocol (IP), and Hypertext Transfer Protocol (HTTP). The organisation works through specialised working groups focusing on areas such as routing, security, transport, and application protocols. By developing open, publicly available standards, the IETF ensures that devices, networks and services across the world can communicate effectively and securely.

Electronic Industries Alliance/Telecommunications Industry Association (EIA/TIA)

The Telecommunications Industry Association (TIA), formerly associated with the Electronic Industries Alliance (EIA), is a standards organisation that develops technical standards for telecommunications infrastructure and electronic systems. Historically known as EIA/TIA, the partnership produced widely adopted standards to ensure compatibility, safety and performance within networking and telecommunications systems. Their purpose is to create structured and consistent specifications so that cabling, connectors and network components function reliably together across different manufacturers and installations.

EIA/TIA standards focus heavily on structured cabling systems, data transmission performance and telecommunications infrastructure design. One of the most recognised standards is TIA-568, which defines wiring standards for commercial buildings, including cable categories (such as Cat5e, Cat6 and Cat6a), pin configurations (e.g., T568A and T568B), performance requirements and installation guidelines. These standards ensure that network installations support required data speeds, reduce interference, and maintain reliability. By following EIA/TIA standards, organisations can ensure consistent network performance, easier maintenance, future scalability and interoperability between equipment from different vendors.

British Standard (BS)

The British Standards Institution (BSI) is the United Kingdom’s national standards body, responsible for developing and publishing British Standards (often referred to as BS standards). Founded in 1901, BSI works with industry experts, government departments and consumer groups to create standards that ensure products, services and systems are safe, reliable and of high quality. British Standards support best practice across a wide range of sectors, including construction, engineering, information technology, cybersecurity and environmental management. BSI also represents the UK in international standardisation bodies such as ISO and the European standards organisations.

British Standards include both purely national standards (e.g., BS 7671 for electrical installations) and those adopted from European or international standards, often labelled as BS EN or BS ISO. They cover areas such as quality management, health and safety, environmental protection, information security and product testing. BSI also operates certification schemes such as the well-known Kitemark, which demonstrates that a product or service meets specific safety and performance requirements. By adhering to British Standards, organisations can demonstrate compliance with legal requirements, improve operational consistency and build customer confidence through recognised quality assurance.

Institute of Electrical and Electronics Engineers (IEEE)

The Institute of Electrical and Electronics Engineers (IEEE) is a global professional association dedicated to advancing technology in electrical engineering, electronics, computing and telecommunications. Founded in 1963, IEEE brings together engineers, researchers and industry professionals to develop technical standards, publish research, and promote innovation. One of its key purposes is to create internationally recognised standards that ensure technology systems are compatible, safe and interoperable across manufacturers and countries.

IEEE develops widely used technical standards, particularly in networking and communications. For example, the IEEE 802.3 standard defines Ethernet networking, while IEEE 802.11 defines Wi-Fi communication protocols. The IEEE 802 family of standards outlines how devices connect, transmit data and maintain reliable communication over wired and wireless networks. By following IEEE standards, manufacturers and organisations ensure devices such as routers, switches and network cards can communicate effectively, supporting consistent performance and global connectivity.

Payment Card Industry Security Standards Council (PCI SSC).

The Payment Card Industry Security Standards Council (PCI SSC) is an international standards body founded in 2006 by major payment card brands to improve the security of card payment transactions worldwide. Its primary purpose is to develop and maintain security standards that protect cardholder data and reduce payment fraud. The PCI SSC does not enforce laws itself; instead, it sets mandatory security requirements that organisations must follow if they store, process or transmit payment card information. Compliance is required by card issuers and acquiring banks, making adherence essential for businesses that accept card payments.

The PCI SSC is best known for developing the Payment Card Industry Data Security Standard (PCI DSS), which outlines technical and operational controls for safeguarding cardholder data. PCI DSS includes requirements such as maintaining secure networks and firewalls, encrypting transmitted data, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. The council also provides additional standards covering point-of-sale security and payment application security. By complying with PCI standards, organisations reduce the risk of data breaches, financial penalties and reputational damage while demonstrating a commitment to secure payment processing.

Stand up for Standards

The Digital Support and Security sector encompasses a wide range of areas that directly and indirectly influence how organisations operate, how devices function, and the processes and procedures that must be adhered to in order to maintain security, reliability and compliance.

The organisations and governing bodies referenced above play a significant role within this sector, helping to shape standards, best practice, legislation, and professional conduct.

Task:
Working in groups of no more than three, create a clear and simple presentation that summarises:
 - The organisation’s name and purpose
 - What the organisation does
 - The standards, guidance, or regulations it provides
 - Your understanding of its overall impact on the Digital Support and Security sector

Your presentation should demonstrate not only factual knowledge, but also your ability to explain why the organisation is important and how it influences professional practice within the industry.

4.2.4 Understand the purpose of acceptable use policies (AUP):

• purpose of AUP

• typical content:

o permitted activities

o prohibited activities

o working practices including confidentiality

o communication etiquette including projecting correct

organisation image

o sanctions/penalties.

4.2.5 Understand the importance of whistleblowing procedures.

Whistleblowing procedures matter in Digital Support and Security because the work is high-trust, high-impact and often invisible until it goes wrong. Support teams routinely handle privileged access (admin accounts, remote tools, service desks, logs, backups, identity systems) and sensitive data. If someone spots a serious weakness poor access controls, an unsafe “workaround”, pressure to hide an incident, or non-compliant data handling a clear, trusted whistleblowing route can be the difference between early containment and a major breach.

Why it’s important in the UK (and in cyber/digital support specifically)

1) Early warning for hidden risks

• Cyber and IT support risks often sit in configuration, process and governance (e.g., shared admin accounts, unmanaged endpoints, unsupported systems, weak change control). A whistleblowing route helps staff raise concerns before an incident occurs or escalates.

2) Legal protection encourages speaking up

• In the UK, workers are protected when they make a “protected disclosure” in the public interest under whistleblowing law (linked to the Public Interest Disclosure Act 1998 / Employment Rights Act framework). Protection covers unfair dismissal and “detriment” (being treated worse for speaking up).

• ACAS guidance also clarifies what people can whistleblow about and how to make a disclosure properly.

3) Supports compliance and good governance

• Security teams are often balancing “keep services running” with “do it safely”. Whistleblowing supports a culture where staff can challenge decisions that increase risk (e.g., bypassing MFA, delaying patching, ignoring audit findings) without fear.

• It also supports regulatory expectations around responsible handling of data and security incidents e.g., the ICO’s breach guidance and routes for protected disclosures to the ICO where relevant.

4) Protects customers, citizens and critical services

• In Digital Support and Security, the “public interest” angle is often strong: insecure identity systems, mishandled personal data, or ignored vulnerabilities can affect thousands/millions of users.

5) Improves professional standards

• A good speak-up culture reduces the chance of “normalised deviance” (unsafe practices becoming routine) and strengthens learning after incidents (root cause fixes, not blame).

What a strong whistleblowing procedure looks like (practical, sector-relevant)

In a Digital Support/Security context, a policy should be explicit about:

• What to raise: security vulnerabilities, unsafe configurations, data mishandling, falsified audit evidence, suppression of incidents, risky supplier practices, credential sharing, unauthorised monitoring, etc.

• How to raise it safely: multiple routes (line manager, security lead, HR, independent hotline), option to raise concerns confidentially, clear separation from personal grievances.

• Triage and response: acknowledge receipt, risk-rank (e.g., “critical vulnerability affecting identity/auth”), assign an investigator independent of the allegation, preserve evidence, and document actions.

• Escalation paths: to senior leadership / audit committee and (where appropriate) external bodies (e.g., regulator). The ICO explicitly provides routes for whistleblowers making protected disclosures relating to information rights/data protection.

• No retaliation: clear statement and enforcement because fear of detriment is the main reason people stay silent.

• Learning loop: feed outcomes into security controls (patching, access management, training, supplier assurance).

Real-world case study (Digital Support & Security): UK One Login allegations

Context: The UK government’s “One Login” digital identity programme (used to access online public services) faced allegations raised by a cybersecurity professional acting as a whistleblower. Reporting in 2025 described concerns raised internally shortly after the service went live, including claims about governance and cyber security weaknesses, and that the whistleblower had advised senior leaders of serious security problems as part of their role.

Why this case illustrates whistleblowing’s importance in the sector

Identity systems are high-value targets: weaknesses in authentication, admin practices, or device compliance can create systemic risk (account takeover, fraud, and large-scale data exposure).

Concerns can be organisational, not just technical: the allegations described issues around governance/risk management as well as security controls exactly the kind of “process and leadership” risk that frontline cyber professionals may spot early.

Public interest is clear: identity services underpin access to government services; failures can affect large numbers of people and trust in digital public services.


Digital Support & Security learning points

Whistleblowing routes should be credible and independent enough that security staff believe concerns will be acted on.

Programmes should demonstrate evidence-based closure (documented remediation, independent assurance, clear risk ownership), otherwise whistleblowing may escalate externally often after trust breaks down.

Building “speak up” into security governance (audit committees, independent security assurance, red-team reporting lines) reduces the likelihood that concerns get stuck at middle-management level.

4.2.6 Understand the interrelationships between digital support and security and guidelines, and make judgements about the impact on organisations, society and individuals