The A to Z of data protection and privacy law for employees on the front line or in a position of responsibility.

What's included

  • Public
  • Onsite class
  • Foundation
  • Pre-course
  • Day
  • Classroom
  • End of course
    BCS examination

Course Overview

The BCS Foundation Certificate in Data Protection will benefit anyone who's role encompasses the protection of an individual's personal information or their privacy.

The Certificate gives confidence and knowledge to those with data protection responsibilities, which form part of their role. It is ideally suited for businesses preparing for the implementation of the General Data Protection Regulation (GDPR). It also benefits new starters embarking on a career in Information Rights, acting as a stepping stone towards the Practitioner Certificate.

The aim is to impart a general understanding of UK data protection law. It includes the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). It also examines changes to UK law with the introduction of the General Data Protection Regulation (2016).

Delivered over 3 days. The course follows the latest BCS Syllabus and prepares participants for the BCS Foundation Exam. The BCS one-hour multiple-choice examination concludes the course.

Who should attend

This course is intended for:

  • Data Protection Officers in small and medium size businesses
  • Information Governance (IG) and Information Assurance (IA) teams
  • Marketing professions and heads of customer facing departments
  • It also benefits corporate IT and HR teams along with project managers

By obtaining the Foundation Certificate, individuals will:

  • Hold a recognised accredited qualification in data protection
  • Have an understanding of individual and organisational responsibilities under DPA
  • Be better placed to support their organisation in managing and handling customer/staff data in compliance with the DPA

The BCS Foundation Certificate in Data Protection aligns with the vocational qualification QCF Level 2. Note, this link is advisory and for comparison purposes only. Ofqual does not regulate BCS qualifications.


The BCS Foundation Certificate in Data Protection course is conducted over 3 consecutive days.

The following schedule is intended as a guide:

Day 1 9:00 Introduction & Housekeeping
9:10 Course Aims - Examination details and technique
9:30 How to read an Act of Parliament
9:45 Historical overview and background
10:15 Introducing the Information Commissioner
10:30 Morning refreshments
10:45 Data Protection Act - Definitions
12:45 Lunch
13:30 Multiple-choice exercise
12:45 Data Protection Act - Principle 1, inc. Schedules 2 and 3
15:00 Afternoon tea
15:30 Data Protection Act - Principle 2 - 5
Homework Revision reading and multi-choice sample questions
Day 2 9:00 Review and questions
9:10 Data Protection Act - Principle 6
10:30 Morning refreshments
10:45 Data Protection Act - Principles 7 and 8
11:30 Awareness and Notification
12:00 Main Exemptions & Subject Access Modifications
12:30 Lunch
13:15 Disclosures & Confidentiality
14:30 The ICO - Codes of Practice & Good Practice
15:00 Afternoon tea
15:15 Good Practice cont.
Homework Revision reading and multi-choice sample questions
Day 3 9:00 Review and questions
9:10 Enforcement
10:30 Morning refreshments
10:45 Enforcement cont.
11:30 Privacy & Electronic Communications Regulations 2003
12:30 Lunch
13:00 Revision Exercises
15:30 BCS 1 hour multiple-choice examination

Course contents

The topics covered in this course include:

  • Preliminary
    • Course Aims
    • Exam Technique and format
  • Introduction
    • Context of DP Law and reading the Act
  • Historical Overview
    • The EU Directive
    • The Human Rights Act 1998
  • Introduction to the Information Commissioner
    • The Office of the Information Commissioner
    • The Roles of the ICO
    • Awareness of The General Data Protection Regulations (GDPR)
  • Definitions
    • Types of processing data under the Act
    • Personal and Sensitive personal data
    • Relevant filing and processing
    • Data Protection Act’98 characters
      • Data Subject
      • Data Controller
      • Data Processor
      • Recipient
      • 3rd Parties
  • Data Protection Principles
    1. Processing Fairly and Lawfully
      • Schedules 2 and 3
    2. Specified and lawful processing
    3. Adequate, relevant and not excessive
    4. Accurate and where necessary up-to-date
    5. Retention – not held for longer than necessary
    6. The rights of the Data Subject
      • Including further qualified rights
    7. Security
    8. Overseas transfers
      • Including Schedule 4
  • Notification
    • Introduction
      • Who should notify
      • Fees
      • Required information
    • Exemptions to notification
  • Exemptions
    • Exemption Provisions
      • Subject Assess provision
      • Subject Information Provision
      • Non-disclosure Provision
    • Understanding where disclosure of personal data is withheld
      • Domestic Purposes
      • Crime and taxation
      • Confidential References, Management Forecasts, and Negotiations
      • Special purposes – Journalism, Literature and Artistic
      • Research, History, and Statistics
      • Vulnerable Persons
    • Understanding where disclosures are permitted
      • Crime and taxation section 29(3)
      • Disclosures required by law to be made public
      • Disclosures required by law and in connection with legal proceedings
      • Common law of confidentiality
  • Role of the Information Commissioner
    • The office of the ICO
      • Functions of the Commissioner
      • Role of the ICO
      • The Codes of Practice
    • Enforcement
      • Undertakings
      • Notices
      • Powers of Entry and inspection
  • The offence of Unlawful obtaining or disclosure of personal data
    • The defences in law
    • The Privacy and Electronic Communication Regulations 2003 (PECR)
  • Further regulations affecting marketing 2009
  • Direct Marketing by Electronic Means
    • Solicited and unsolicited marketing
    • Individual and corporate subscribers
    • Market research, sugging and lead generation
  • Consent
    • Implied
    • Indirect
    • Proof of consent
  • Direct marketing by telephone
    • Preference Services
  • Direct marketing by electronic mail
    • Soft-opt-in

BCS Foundation Certificate in Data Protection (FCDP) Syllabus

Knowledge of UK data protection law, and an understanding of how it is applied in practice, is important for any organisation holding personal information. The BCS Foundation Certificate in Data Protection is designed for those who wish to get a sound grounding in the key elements of the law and its practical application.

1. Introduction (3% - 0.5 hours of course work)

The objective is to ensure a basic appreciation of the context of data protection law, and a basic understanding of the role of the role of the Information Commissioner.

1.1 Context of Data Protection law

  • EU Data Protection Directive 1995/46/EC
  • Privacy and Electronic Communications Directive 2002/58/EC
  • UK Human Rights Act 1998
  • EU Charter of fundamental rights and freedoms (Article 8)

Candidates are expected to have a basic understanding of the aims of these four key legal instruments. Candidates are not expected to have a detailed knowledge of their provisions.

1.2 The role of the Information Commissioner

  • Provision of guidance
  • Codes of practice
  • Enforcement role

NB details of enforcement provisions and specific codes are covered elsewhere in the syllabus

2. Identification of processing subject to the Act (13% - 2 hours of course work)

The objective is to ensure that candidates know the key definitions in the Act and how to apply them in order to identify which information and processing activities are subject to the Act.

  • Definition of ‘Data’ (1(1) a, b and c)
  • Definition of Relevant Filing System
  • Definition of Personal Data (including Sensitive Personal Data)
  • Definition of Data Controller · Definition of Data Processor
  • Definition of Processing
  • Definition of Data Subject
  • Domestic purposes exemption (Section 36)
3. Understanding the principles (31% - 5 hours of course work)

The objective is to ensure an understanding of how the principles regulate the processing of personal data, as well as an understanding of the application of individual principles in the light of the interpretation provisions in Part II of Schedule 1. Candidates will be required to show an understanding of the need to interpret and apply the principles in context.

  • First and Second Principles, including transparency, Schedules 2 and 3 and purpose limitation
  • Third Principle
  • Fourth Principle
  • Fifth Principle
  • Sixth Principle
  • Seventh Principle – including data processing contracts
  • Eighth Principle – including:
    • What constitutes a transfer
    • The implications of transferring personal data outside of the EEA
    • A broad appreciation of the different ways of achieving adequacy
    • An understanding of Schedule 4

NB Candidates are not expected to have an in-depth understanding of the detail of the different options for ensuring adequacy.

4. The rights (13% - 2 hours of course work)

The objective is to ensure an awareness of all the rights conferred by the Act and a more detailed understanding of the application of key rights

Awareness of:

  • Rights in relation to automated decision taking
  • Right to rectification, blocking, erasure and destruction

A more detailed understanding of:

  • Right to attempt to prevent processing likely to cause damage or distress
  • Right to prevent processing for the purpose of direct marketing
  • Right to compensation
  • Right of subject access - including:
    • Process, timescale and fee
    • Approach to third-party data
    • An awareness of the existence of the main exemptions

Candidates are only expected to know the standard fee not to know, for example, the fee regime in respect of educational records.

Candidates are not expected to have a detailed knowledge of the subject information exemptions but are expected to understand the main areas in which exemptions are likely to be applicable and have a basic understanding of the effect of these provisions:

  • Crime and Taxation - Section 29(1)
  • Serious harm in connection with certain types of records - Data Protection (Subject Access Modification) (Social work) Order 2000 and Data Protection (Subject Access Modification) (Health) Order 2000
  • Negotiations - Schedule 7
5. Privacy and Electronic Communications (EC Directive) Regulations 2003 – rules relating to direct marketing (6% - 1.0 hours of course work)

The objective is to ensure an awareness of the relationship between the Regulations and the Act, and an awareness of the main provisions relating to marketing:

  • Objective and broad scope
  • Provisions relating to marketing calls (automated and live)
  • Provisions relating to marketing emails and SMS

NB Candidates are not expected to know the conditions for marketing by fax

The only preference service candidates are expected to know about is the Telephone Preference Service (TPS)/ Corporate Telephone Preference (CTPS)

6. Notification (3% - 0.5 hours of course work)

The objective is to ensure a broad awareness of notification including:

The requirement for data controllers to notify unless they are exempt (including a broad understanding of the ‘core business purposes’ exemption, not for profit exemption, and the fact that processing of manual data does not require notification)

The requirement for data controllers to comply with the DPA even if they are exempt from notification

NB Candidates are expected to be aware that there are fees for notification but are not expected to have knowledge of the fee structure or to know the registrable particulars.

7. Enforcement (13% - 2 hours of course work)

The objective is to ensure an awareness of the ways in which the Information Commissioner and the Courts enforce the provisions of the Act.

The candidates will be expected to have an awareness of:

  • Information Notices
  • Undertakings
  • Enforcement Notices
  • Civil Monetary Penalties
  • Power to conduct a compulsory audit (Section 41A Assessment Notices)
  • Section 55

Candidates should understand where enforcement powers apply to the DPA and to PECR

8. Understanding when disclosures are permitted (9% - 1.5 hours of course work)

Objectives include a basic knowledge of:

  • Fairness and compatibility in the context of making disclosures of personal data
  • Disclosures that may be permitted, including use of exemptions Section 29 (3), Section 35 (1) and (2)
  • Powers and constraints other than data protection (e.g. confidentiality, a basic awareness of the fact that there may be other considerations for public sector organisations making disclosures)
  • Considerations when sharing data (the Information Commissioner’s Data Sharing Code of Practice)
9. Good practice (9% - 1.5 hours of course work)

Objectives include a basic knowledge of;

9.1 Codes of practice

  • The status and use of codes of practice
  • An awareness of ICO codes in key areas - Privacy Notices, Subject Access, Employment Practices, CCTV – but not the content of those codes

9.2 Making compliance happen in practice

A basic understanding of:

  • The reasons for and broad approach to making Privacy Impact Assessments
  • Role of a Data Protection Officer
  • Training of staff

The full BCS FC-DP Syllabus can be viewed syllabus on the BCS website.

BCS Exam

Duration and Format of the Examination

The format for the examination is a one-hour multiple-choice examination. The examination is closed book i.e. no materials can be taken into the examination room.

The BCS Examination is held on the last afternoon of the course.

Pass Mark

The pass mark is 26/40.

This equates to 65%

Format of the Examination

Type Multiple-choice, 40 Questions.
Duration 1 Hour. An additional 15 minutes will be allowed for candidates sitting the examination in a language that is not their native language
Supervised Yes
Open Book No
Pass Mark 26/40 (65%)
Distinction Mark None
Calculators Calculators cannot be used during this examination
Delivery Paper based examination

Additional time for candidates requiring Reasonable Adjustments

Candidates may request additional time if they require reasonable adjustments. Please refer to the reasonable adjustments policy for detailed information on how and when to apply.

Additional time for candidates whose language is not the language of the exam

An additional 25% (15 minutes) will be allowed for candidates sitting the examination in a language that is not their mother tongue. If the examination is taken in a language that is not the candidate’s native/official language, then they are entitled to use their own paper language dictionary (whose purpose is translation between the examination language and another national language) during the examination. Electronic versions of dictionaries will not be allowed into the examination room.

Course dates

Code Course Start Duration Location Booking
FC-DP BCS Foundation Certificate in Data Protection 12 Feb 18 3 days Bedford Book now
3 Apr 18 3 days Bedford Book now
29 May 18 3 days Bedford Book now
5 Sep 18 3 days Bedford Book now
3 Dec 18 3 days Bedford Book now

Onsite option

If you have a team of 3 or more, we can deliver the training at your location.

Let us know when you have in mind and the size of your group.

Ask about an Onsite Course

What our customers have to say

  • Good overall structure, well paced and easy going and personable tutor.

    Thoroughly enjoyable

    Prakash Mistry
  • Joyce is a fantastic tutor who thoroughly knows her subject and made a very dry course incredibly enjoyable. The delivery and materials are excellent and I will be recommending Freevacy for future use.

    Caroline Higton
  • Joyce made the course very interesting and will help me a lot with my job.

    Diane Ahearn
  • Joyce is very knowledgeable and patient when dealing with all our queries and questions. Very good course.

    Christine Elliott
  • The tutor made the course very interesting.

    Lorna Geach
  • Thank you Joyce @ Freevacy - Excellent knowledge and delivery.

    Pete Cokell
  • We needed in-house DP and FOI training for the whole team – both the “old hands” and the new learners. Freevacy offered us sessions on-site, plus supported revision up to the exam. The trainer directed learning at the right level for each person, with 100% success.

    Robert Beane, Veritau Ltd