Mark Schemes BTEC Level 3 National Extended Certificate in IT
Mark Scheme — Predicted Paper 2
Unit 1: Information Technology Systems
BTEC Level 3 National Extended Certificate in Information Technology
Paper Reference
RA10/IT/U1/PP2
Total marks
90
For levels-based questions, use the Level Descriptors holistically alongside the indicative content. Indicative content is not a checklist — reward any well-developed, contextualised response.
For revision purposes only. Not an official Pearson qualification document.
Question 1 — Thornton's Furniture (22 marks)
(a) Identify the type of network used by Thornton's Furniture within a single store. (1 mark)
Local Area Network / LAN (1)
Do not accept: WAN / PAN / VPN
(b) Explain one reason why the online shop must use HTTPS when customers enter payment details. (2 marks)
Award one mark for identification, one mark for linked justification.
HTTPS encrypts data transmitted between the customer's browser and the website (1) so that payment card details cannot be intercepted and read by a third party (1)
HTTPS verifies the identity of the website (1) so customers can be certain they are connecting to the genuine Thornton's shop and not a fraudulent imitation (1)
(c) Describe three validation methods that could be used in the customer account registration form. (3 marks)
Award one mark per correct method, up to three marks. Method name alone is sufficient.
Format check (1) — ensures email address matches expected format, e.g. name@domain.com (1)
Presence check (1) — ensures required fields such as email and password are not left empty (1)
Range check (1) — ensures postcode or date of birth is within an acceptable range (1)
Type check (1) — ensures only correct data type entered in each field (1)
Accept any appropriate/alternative validation method
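The four validation methods listed above, as an added worked example that is not part of the mark scheme: each check is a separate function, and a wrapper reports which fields fail which check. The field set, the age limits and the simplified UK postcode pattern are assumptions made for this example.

```python
import re
from datetime import date

# Assumed field set and rules for a customer registration form (not from the mark scheme).
REQUIRED_FIELDS = ("email", "password", "postcode", "date_of_birth")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
# Simplified UK postcode shape, e.g. "B1 1AA" or "CV4 7AL" (assumption for this example).
POSTCODE_RE = re.compile(r"^[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$")
MIN_AGE, MAX_AGE = 18, 120  # assumed acceptable age range for an account holder


def presence_check(form):
    """Presence check: every required field must be supplied and non-blank."""
    return [f for f in REQUIRED_FIELDS if not str(form.get(f, "")).strip()]


def format_check(form):
    """Format check: email and postcode must match the expected pattern."""
    errors = []
    if not EMAIL_RE.match(form.get("email", "")):
        errors.append("email")
    if not POSTCODE_RE.match(form.get("postcode", "").upper()):
        errors.append("postcode")
    return errors


def type_check(form):
    """Type check: date_of_birth must be a real ISO date, not arbitrary text."""
    try:
        date.fromisoformat(form.get("date_of_birth", ""))
        return []
    except ValueError:
        return ["date_of_birth"]


def range_check(form, today):
    """Range check: the date of birth must give an age between MIN_AGE and MAX_AGE."""
    try:
        dob = date.fromisoformat(form.get("date_of_birth", ""))
    except ValueError:
        return []  # a malformed date is already reported by the type check
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return [] if MIN_AGE <= age <= MAX_AGE else ["date_of_birth"]


def validate_registration(form, today=None):
    """Run every check; returns {check_name: [failing fields]} containing only failures."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    results = {
        "presence": presence_check(form),
        "format": format_check(form),
        "type": type_check(form),
        "range": range_check(form, today),
    }
    return {name: fields for name, fields in results.items() if fields}


# Constructed sample submissions.
GOOD = {"email": "jo@example.com", "password": "correct-horse-battery",
        "postcode": "B1 1AA", "date_of_birth": "1990-05-17"}
BAD = {"email": "jo@example", "password": "", "postcode": "12345",
       "date_of_birth": "2020-13-40"}

if __name__ == "__main__":
    print(validate_registration(GOOD, today="2025-01-01"))  # {}
    print(validate_registration(BAD, today="2025-01-01"))
```

Validation is a usability and data-quality control, not an authentication control: the checks reject malformed input before it reaches the database, but the form still needs HTTPS and server-side enforcement because a client can bypass anything that runs only in the browser.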
(d) Explain two benefits to Thornton's Furniture of selling products through an online shop. (4 marks)
Award one mark for identification and one mark for linked justification, up to four marks.
Available 24/7 (1) — customers can browse and purchase outside of store opening hours, increasing potential revenue (1)
Wider customer reach (1) — the company can reach customers across the UK rather than only shoppers near the two Midlands stores (1)
Lower overhead costs (1) — no additional retail premises are needed to reach a larger customer base online (1)
Customer data collection (1) — purchase history and browsing data can be used to personalise future marketing (1)
(e) Discuss the implications for Thornton's Furniture of using social media for marketing. (6 marks — Levels)
Indicative Content
Wider audience — social media platforms reach large audiences, including demographics who may not have discovered the physical stores
Cost-effective — organic posting is free; targeted advertising is cheaper than print or TV advertising
Two-way engagement — customers can ask questions, share reviews, and Thornton's can respond directly
Direct sales link — posts can include links driving customers directly to the online shop
Negative reviews — dissatisfied customers can post complaints publicly, which could damage the brand
Time investment — managing accounts and creating engaging content requires significant ongoing staff effort
Legal/data: running targeted paid ads requires compliance with GDPR regarding use of customer data
Staff posting risks — employees may inadvertently share inappropriate content
Platform dependency — if a platform changes its algorithm or terms, reach can be significantly reduced
Level | Marks | Descriptor
0 | 0 | No rewardable material.
1 | 1–2 | Basic application. Considers only benefits or only drawbacks. Limited development. (AO2)
2 | 3–4 | Good application covering both benefits and drawbacks in the retail context. Implications are developed with some reference to Thornton's situation. (AO2/AO3a)
3 | 5–6 | Comprehensive application. Covers a range of marketing benefits, reputational risks, legal considerations (GDPR), and practical implications such as time and platform dependence, clearly applied to a small furniture retailer. (AO2/AO3a)
(f) Discuss the implications of data protection legislation for Thornton's Furniture as an online retailer. (6 marks — Levels)
Indicative Content
UK GDPR applies to all personal data collected from customers (names, addresses, payment data)
Thornton's must have a lawful basis to collect and process customer data — typically consent or contract
Customers must be informed how their data is used through a clear privacy policy
Data minimisation — only data necessary for processing orders should be collected
Payment card data must be stored securely or not stored at all (PCI DSS compliance)
Customers have the right to access, correct, or request deletion of their data
In the event of a data breach, Thornton's must notify the ICO within 72 hours
Marketing emails require explicit consent from customers (email marketing rules)
Third-party services used (e.g. payment processors) must have data processing agreements in place
Non-compliance could result in ICO fines up to £17.5 million or 4% of global turnover
Level | Marks | Descriptor
0 | 0 | No rewardable material.
1 | 1–2 | Basic knowledge of data protection. Limited application to an online retail context. (AO2)
2 | 3–4 | Good application of UK GDPR principles to Thornton's situation. Considers obligations and consequences. (AO2/AO3a)
3 | 5–6 | Comprehensive application of multiple UK GDPR obligations (consent, rights, breach notification, data minimisation, marketing rules), clearly applied to an online retailer collecting customer payment and personal data. (AO2/AO3a)
Question 1 Total: 22 marks
Question 2 — Goldstone Solicitors (22 marks)
(a) State one function of the network OS that ensures staff can only access files relevant to their role. (1 mark)
File permissions / access control (1)
User accounts / user account management (1)
Accept any appropriate response describing file/role-based access control
(b) Give two reasons why client documents should be encrypted when stored on the firm's server. (2 marks)
Award one mark for each correct reason, up to two marks.
If the server is accessed by an unauthorised person or stolen, encrypted files cannot be read without the encryption key (1)
If a cyber attack results in files being copied, encrypted data remains unreadable to the attacker (1)
Encryption demonstrates compliance with GDPR requirements for securing special category / sensitive personal data (1)
(c) Describe three measures Goldstone Solicitors could implement to prevent unauthorised access to client data. (3 marks)
Award one mark per measure, up to three marks.
Strong passwords and MFA on all staff accounts (1)
File permissions limiting access to client files to the relevant solicitor only (1)
Physical access control (key card / PIN) on the server room (1)
Firewall to prevent external intrusion attempts (1)
Antivirus software to prevent malware gaining access to stored files (1)
Accept any other appropriate response
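The role-based file permissions named in parts (a) and (c) (only the solicitor assigned to a client may open that client's files, MFA on every account, and an audit trail of staff activity), as an added worked example that is not part of the mark scheme. The roles, the staff accounts and the client file are constructed for this example; the decision is deny-by-default and every attempt, allowed or refused, is written to an audit log that can later be reviewed for accounts reaching beyond their role.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical roles and the actions each may perform on an assigned client's files.
ROLE_ACTIONS = {
    "solicitor": {"read", "write"},  # may read and edit files for their own clients
    "paralegal": {"read"},           # read-only on files for clients they assist with
    "it_admin": set(),               # manages the server but has no access to file contents
}


@dataclass(frozen=True)
class User:
    username: str
    role: str
    mfa_verified: bool  # True only after a second factor was checked for this session


@dataclass(frozen=True)
class ClientFile:
    path: str
    client: str
    assigned_staff: frozenset  # usernames allowed to work on this client's matter


AUDIT_LOG = []  # one dict per access decision, allowed or denied


def check_access(user, client_file, action, now=None):
    """Deny-by-default access decision; returns (allowed, reason) and audits every attempt."""
    if not user.mfa_verified:
        allowed, reason = False, "mfa_not_verified"
    elif user.username not in client_file.assigned_staff:
        allowed, reason = False, "not_assigned_to_client"
    elif action not in ROLE_ACTIONS.get(user.role, set()):
        allowed, reason = False, f"role_{user.role}_cannot_{action}"
    else:
        allowed, reason = True, "assigned_and_role_permits"
    AUDIT_LOG.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user.username,
        "path": client_file.path,
        "action": action,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason


def users_with_denied_attempts(log=None):
    """Audit review: which accounts tried to reach files they were not entitled to?"""
    log = AUDIT_LOG if log is None else log
    return sorted({entry["user"] for entry in log if not entry["allowed"]})


# Constructed sample data: four staff accounts and one client file.
ALICE = User("alice", "solicitor", mfa_verified=True)
BOB = User("bob", "paralegal", mfa_verified=True)
CAROL = User("carol", "solicitor", mfa_verified=False)
DAVE = User("dave", "it_admin", mfa_verified=True)
SMITH_WILL = ClientFile("/clients/smith/will.docx", "Smith", frozenset({"alice", "bob"}))

if __name__ == "__main__":
    for user, action in [(ALICE, "write"), (BOB, "write"), (CAROL, "read"), (DAVE, "read")]:
        print(user.username, action, check_access(user, SMITH_WILL, action))
    print("accounts with denied attempts:", users_with_denied_attempts())
```

Ordering the checks so that the MFA test comes first means an unverified session is refused before the system reveals whether the account is even assigned to the client; logging denied attempts as well as successes is what makes the Computer Misuse Act point in part (d) workable, since unauthorised access can only be audited if it is recorded.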
(d) Explain two implications of the Computer Misuse Act for Goldstone Solicitors. (4 marks)
Award one mark for identification and one mark for linked justification, up to four marks.
A member of staff accessing client files or accounts without authorisation commits an offence under the Computer Misuse Act (1) so the firm must enforce strict access controls and audit staff account activity (1)
A hacker gaining access to the firm's network commits an offence under the Act (1) which means the firm must have security measures to prevent and detect intrusions, and report breaches to authorities (1)
Using another staff member's login credentials without permission (1) is an offence, requiring the firm to prohibit credential sharing in its acceptable use policy (1)
(e) Discuss the implications for Goldstone Solicitors of choosing open-source office software rather than proprietary, with reference to security. (6 marks — Levels)
Indicative Content
Open-source: publicly visible source code — researchers can find and report vulnerabilities quickly
Open-source: same visibility means malicious actors can study code; risk of targeted exploits
Open-source: patch frequency depends on community; may be slower than proprietary vendor
Proprietary: vendor security team issues regular patches included in the £15,000 licence
Proprietary: vendor accountability — if a known vulnerability leads to a client data breach, recourse available
Proprietary: professional support including security guidance; more suited to a regulated legal environment
Open-source: no vendor lock-in but may lack enterprise security features (audit trails, DLP)
Both require additional layers: firewall, staff training, encryption, MFA
For a law firm, client confidentiality obligations and regulatory expectations make vendor accountability critical
Level | Marks | Descriptor
0 | 0 | No rewardable material.
1 | 1–2 | Basic application about open-source or proprietary software. Limited reference to security or legal context. (AO2)
2 | 3–4 | Good application covering security aspects of both software types applied to a solicitors' firm. (AO2/AO3a)
3 | 5–6 | Comprehensive application. Detailed discussion of patch management, vendor accountability, community support vs professional support, and specific obligations of a law firm handling client data. (AO2/AO3a)
(f) Draw a flowchart to show the process for secure handling of client data from login to deletion. (6 marks)
Award one mark for each appropriate stage shown, up to a maximum of six marks.
Marking Guidance:
Access to client data shown — 1 mark
Transmission of client data shown — 1 mark
Storage of client data shown — 1 mark
Security methods at stages shown, for example MFA, encryption or file permissions — 1 mark
Secure deletion shown — 1 mark
Logical sequence with clear labels / annotations — 1 mark
Accept any other appropriate flowchart showing the client-data process with clear sequence and annotations.
Question 2 Total: 22 marks
Question 3 — Pinnacle Pension Fund (22 marks)
(a) Identify the cloud model in which infrastructure is dedicated exclusively to one organisation. (1 mark)
Private cloud (1)
Do not accept: public cloud / hybrid cloud
(b) Give two features of a hybrid cloud model. (2 marks)
Combines both private and public cloud components (1)
Sensitive data can be kept on the private cloud while less sensitive tasks use the public cloud (1)
Allows an organisation to scale using public cloud during periods of high demand (1)
(c) Describe three factors the pension fund should consider when selecting a cloud system for its member portal. (3 marks)
Award one mark per factor, up to three marks.
Security (1) — the provider must protect member financial data with encryption and access controls appropriate for financial services
Scalability (1) — the system must handle increased traffic at quarter-end and annual statement periods
Regulatory compliance (1) — the provider must meet FCA, PRA and UK GDPR requirements for financial data
Cost (1) — subscription costs must be weighed against in-house infrastructure costs
Uptime / reliability (1) — members must be able to access their pension information without service outages
(d) Explain two security risks of storing pension fund data on a public cloud. (4 marks)
Data sovereignty (1) — data may be stored on servers outside the UK, creating compliance issues under UK GDPR regarding cross-border data transfers (1)
Third-party access risk (1) — the cloud provider's staff may have access to pension data, increasing insider threat risk (1)
Shared infrastructure (1) — public cloud uses multi-tenant infrastructure, raising the risk that a vulnerability affecting another tenant could expose pension data (1)
Internet-facing systems (1) — public cloud components accessible via the internet are at greater risk of attack than on-premise servers (1)
(e) Discuss the implications for Pinnacle Pension Fund of enabling staff to work remotely and access central financial systems. (6 marks — Levels)
Indicative Content
Productivity benefit — staff can work from satellite offices or home without travelling to head office
Talent retention — flexible working is valued by employees and aids recruitment and retention
Security risk — accessing highly sensitive pension data from remote locations over public networks creates interception risk
VPN essential — all remote access must use VPN to encrypt connections between satellite offices and central systems
MFA required — staff must use MFA given the sensitivity of pension data
Device security — remote devices must have encryption, antivirus, and remote wipe capability
FCA / regulatory implications — regulators require financial firms to control data access regardless of location
Audit logging required — all remote access must be logged to detect unauthorised activity
Staff training on security when working remotely
Level | Marks | Descriptor
0 | 0 | No rewardable material.
1 | 1–2 | Basic application about remote working. Limited reference to financial services context. (AO2)
2 | 3–4 | Good application covering both benefits and risks of remote working at a financial services organisation. (AO2/AO3a)
3 | 5–6 | Comprehensive application. Covers productivity benefits, security risks (VPN, MFA, device security), regulatory obligations, and audit requirements, clearly contextualised to a pension fund handling sensitive member financial data. (AO2/AO3a)
(f) Discuss the implications for Pinnacle Pension Fund of migrating its IT operations to a hybrid cloud infrastructure. (6 marks — Levels)
Indicative Content
Sensitive member and financial data can remain on the private cloud, meeting FCA/GDPR requirements
Less sensitive analytics and reporting tasks can move to public cloud, reducing costs
Scalability: public cloud component can scale at quarter-end reporting periods without capital investment
Complexity: managing two cloud environments requires specialist IT skills and governance
Security: data moving between private and public elements must be encrypted
Data sovereignty: any data stored in public cloud must remain within UK/EU to meet GDPR
Disaster recovery: public cloud provides additional resilience if private infrastructure fails
Vendor management: contracts with private host and public provider both require careful management
Migration risk: transitioning existing systems to cloud involves downtime and data migration challenges
Level | Marks | Descriptor
0 | 0 | No rewardable material.
1 | 1–2 | Basic knowledge of hybrid cloud. Limited application to the pension fund context. (AO2)
2 | 3–4 | Good application covering multiple implications for a financial services organisation migrating to hybrid cloud. (AO2/AO3a)
3 | 5–6 | Comprehensive application. Discusses data segregation, scalability, complexity, security, regulatory compliance (FCA/GDPR), and migration risk explicitly in the context of a £2bn pension fund. (AO2/AO3a)
Question 3 Total: 22 marks
Question 4 — Evergreen Recruitment Agency (24 marks)
(a) State the name of the UK data protection legislation that regulates how organisations process personal data. (1 mark)
UK GDPR / UK General Data Protection Regulation (1)
Data Protection Act 2018 (1)
Accept either
(b) Give two rights that data subjects have under UK GDPR. (2 marks)
Right of access / subject access request (1)
Right to erasure / right to be forgotten (1)
Right to rectification (1)
Right to restrict processing (1)
Right to data portability (1)
Right to object (to processing) (1)
(c) Describe how Evergreen Recruitment Agency should respond if it suffers a personal data breach. (3 marks)
Award one mark per correct action, up to three marks.
Assess the breach to determine what data was affected and the risk to data subjects (1)
Report the breach to the ICO within 72 hours if likely to result in risk to individuals' rights and freedoms (1)
Notify affected data subjects directly if the breach poses a high risk to their rights and freedoms (1)
Document the breach in the organisation's internal breach register (1)
Take steps to contain and prevent further exposure of personal data (1)
(d) Explain two ethical implications for Evergreen Recruitment Agency of retaining candidate data indefinitely. (4 marks)
Privacy violation (1) — candidates are unaware their personal data is still being held long after their job search ended, violating their reasonable expectation of privacy (1)
Unequal power relationship (1) — the agency has detailed personal information about candidates without their knowledge, creating an imbalance of power candidates cannot challenge (1)
Risk of data misuse (1) — indefinitely retained data could be used for purposes beyond recruitment, such as marketing, without candidates' consent (1)
Harm to vulnerable candidates (1) — health information retained beyond its purpose could be accessed and used in ways that damage candidates' interests (1)
(e) Discuss the implications of the Computer Misuse Act and data protection legislation for Evergreen Recruitment Agency. (6 marks — Levels)
Indicative Content
Computer Misuse Act: if an employee accesses candidate records beyond their role, this is an offence
Computer Misuse Act: if a third party hacks the agency's systems to access candidate data, they commit an offence — agency must have measures to detect and report this
Computer Misuse Act: the agency must have an acceptable use policy preventing staff from misusing computer systems
UK GDPR: health data is special category data requiring explicit consent or specific legal basis to process
UK GDPR: storing data indefinitely breaches the storage limitation principle
UK GDPR: sharing candidate data with employers requires a lawful basis and data processing agreements
UK GDPR: ICO investigation could result in a formal enforcement notice or significant financial penalty
ICO can fine up to £17.5 million or 4% of global turnover for serious GDPR breaches
Reputational harm — exposure of the agency's practices could deter candidates from registering
Level | Marks | Descriptor
0 | 0 | No rewardable material.
1 | 1–2 | Basic knowledge of Computer Misuse Act or GDPR. Limited application to the recruitment agency context. (AO2)
2 | 3–4 | Good application covering implications of both pieces of legislation to the agency's situation. (AO2/AO3a)
3 | 5–6 | Comprehensive application covering Computer Misuse Act obligations, multiple GDPR obligations (special category data, storage limitation, lawful basis, ICO penalties), and the specific risks for a recruitment agency holding sensitive candidate data. (AO2/AO3a)
(f) Discuss the extent to which Evergreen Recruitment Agency is complying with UK GDPR, with reference to the data it holds and shares. (Principles; data subject rights; special category data) (8 marks — Levels)
Indicative Content
Health information is special category data — requires explicit consent or specific condition; the agency appears to lack this
Data minimisation principle breached — retaining all data for all candidates indefinitely, far beyond what is needed
Storage limitation principle breached — data must not be held longer than necessary; indefinite retention is a clear breach
Sharing data with employers requires a lawful basis — candidates should consent or this should be clearly communicated at collection
Transparency principle: candidates were unaware data was being retained and shared — information obligation not met
Candidates have the right to access their data (the complaint was raised this way) and the right to erasure
With 50,000+ records, agency likely required to appoint a Data Protection Officer (DPO)
ICO could issue enforcement notice, require data deletion, and impose a significant fine
A Data Protection Impact Assessment (DPIA) should be conducted for high-risk processing of health data
Corrective actions: implement a clear retention policy, obtain explicit consent for health data, issue updated privacy notice
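The corrective actions listed above (a retention policy enforcing storage limitation, explicit consent for health data, and disclosure of sharing with employers) as an added worked example that is not part of the mark scheme: a review function that scans a candidate register and reports, per record, which of those obligations is not met. The two-year retention period, the record layout and the three sample candidates are assumptions constructed for this example.

```python
from datetime import date, timedelta

# Assumed rules for this example (not from the mark scheme): records are kept for
# RETENTION_DAYS after the candidate's last activity, and any special category field
# needs explicit, field-specific consent before it may be held at all.
RETENTION_DAYS = 2 * 365
SPECIAL_CATEGORY_FIELDS = ("health_info",)


def review_candidate(record, today):
    """Return the compliance findings for one candidate record (empty list = no issue)."""
    findings = []
    last_activity = date.fromisoformat(record["last_activity"])
    # Storage limitation: data held beyond the retention period should be deleted.
    if today - last_activity > timedelta(days=RETENTION_DAYS):
        findings.append("retention_exceeded")
    # Special category data: must not be held without explicit consent (other lawful
    # conditions exist but are not modelled here).
    consents = record.get("explicit_consent", {})
    for field_name in SPECIAL_CATEGORY_FIELDS:
        if record.get(field_name) and not consents.get(field_name, False):
            findings.append(f"special_category_without_consent:{field_name}")
    # Transparency: sharing with employers must have been disclosed at collection.
    if record.get("shared_with_employers") and not record.get("sharing_disclosed", False):
        findings.append("sharing_not_disclosed")
    return findings


def review_register(records, today):
    """Map candidate_id -> findings for every record that has at least one finding."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    report = {}
    for record in records:
        findings = review_candidate(record, today)
        if findings:
            report[record["candidate_id"]] = findings
    return report


# Constructed sample register: three hypothetical candidates.
CANDIDATES = [
    {"candidate_id": "C001", "last_activity": "2019-03-10", "health_info": "asthma",
     "explicit_consent": {}, "shared_with_employers": True, "sharing_disclosed": False},
    {"candidate_id": "C002", "last_activity": "2024-11-02", "health_info": "",
     "explicit_consent": {}, "shared_with_employers": True, "sharing_disclosed": True},
    {"candidate_id": "C003", "last_activity": "2024-06-15", "health_info": "dyslexia",
     "explicit_consent": {"health_info": True}, "shared_with_employers": False,
     "sharing_disclosed": False},
]

if __name__ == "__main__":
    for candidate_id, findings in review_register(CANDIDATES, "2025-01-01").items():
        print(candidate_id, ", ".join(findings))
```

Running a review like this on a schedule turns the retention policy from a document into an enforced control: records flagged with retention_exceeded are the ones the storage limitation principle requires the agency to delete, and the consent findings identify the health data that should never have been held without an explicit basis.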
Level | Marks | Descriptor
0 | 0 | No rewardable material.
1 | 1–3 | Basic GDPR knowledge. Identifies that data should be kept securely or that sharing requires permission. Limited analysis of compliance failures. (AO2)
2 | 4–6 | Good application analysing several GDPR failures including storage limitation, special category data, and/or data subject rights, applied to the agency's practices. Some analysis of implications. (AO2/AO3a/AO3b)
3 | 7–8 | Comprehensive application thoroughly analysing compliance failures across multiple UK GDPR principles and rights (storage limitation, data minimisation, transparency, special category data, right of access), implications of ICO enforcement, and required corrective actions, with a clear evaluative judgement. (AO2/AO3a/AO3b)
Question 4 Total: 24 marks