Internet Safety for IT users
City & Guilds Limited End-Point Assessment Digital Skills & IT Revision

    Topic Synopsis

    This element empowers IT users to identify and mitigate the diverse risks encountered when using the internet, including malware, phishing, and identity theft. Learners will develop practical strategies to safeguard personal and organisational data, implement security measures, and adhere to relevant legislation such as GDPR and the Computer Misuse Act. Mastery of these concepts ensures responsible and secure online practices in professional environments.

    CITY & GUILDS LIMITED
    vocational

    This element equips learners with essential knowledge and skills to navigate the internet safely, covering threat identification, personal and data protection, and adherence to legal frameworks. By understanding online risks such as malware, phishing, and identity theft, learners can apply proactive measures to safeguard themselves and others, while maintaining data security and complying with relevant legislation like GDPR and the Computer Misuse Act.

    • 19 Learning Outcomes
    • 41 Assessment Guidance
    • 43 Key Skills
    • 19 Key Terms
    • 43 Assessment Criteria

    Assessment criteria

    City & Guilds Level 2 Diploma in IT User Skills
    City & Guilds Level 3 Award for IT Users (ITQ)
    City & Guilds Level 2 Award for IT Users (ITQ)
    City & Guilds Level 2 Certificate for IT Users (ITQ)
    City & Guilds Level 3 Certificate for IT Users (ITQ)
    City & Guilds Level 2 Diploma for IT Users (ITQ)
    City & Guilds Level 3 Diploma for IT Users (ITQ)
    City & Guilds Level 3 Diploma in IT User Skills
    City & Guilds Level 1 Award for IT Users - (ITQ)
    City & Guilds Level 1 Diploma for IT Users (ITQ)

    Topic Overview

    The City & Guilds Level 3 Diploma in IT User Skills is a comprehensive vocational qualification designed to equip students with advanced digital competencies essential for modern workplaces. This diploma covers a wide range of IT user skills, including word processing, spreadsheets, databases, presentation software, and digital communication tools. It goes beyond basic IT literacy, focusing on practical application, problem-solving, and efficiency in using software to achieve professional outcomes. Students learn to customise applications, automate tasks, and manage data securely, preparing them for roles such as IT support technician, digital administrator, or project coordinator.

    This qualification matters because digital skills are now a baseline requirement across almost all industries. Employers value candidates who can demonstrate proficiency in using IT tools to increase productivity, analyse data, and communicate effectively. The diploma aligns with the UK's National Occupational Standards for IT users, ensuring that what you learn is directly relevant to real-world job demands. By completing this course, you not only gain a recognised qualification but also build a portfolio of practical skills that can be applied immediately in any office environment.

    Within the broader subject of Digital Skills & IT, this diploma serves as a bridge between basic computer literacy and specialised IT certifications. It covers essential software applications like Microsoft Office (Word, Excel, PowerPoint, Access) and Google Workspace, as well as principles of information security and data management. The course is structured into mandatory and optional units, allowing you to tailor your learning to your career goals. Whether you aim to become a digital marketing assistant, a data entry specialist, or an IT trainer, this diploma provides the foundational skills needed to succeed.

    Key Concepts

    Core ideas you must understand for this topic

    • Advanced formatting and automation in word processing, including mail merge, macros, and collaborative editing.
    • Complex spreadsheet functions such as VLOOKUP, pivot tables, conditional formatting, and what-if analysis.
    • Database design principles: creating tables, establishing relationships, writing queries using SQL, and generating reports.
    • Effective presentation techniques: using master slides, embedding multimedia, and applying animation/transition effects for professional impact.
    • Digital communication and collaboration tools: managing emails, calendars, and shared workspaces (e.g., SharePoint, Teams).

    Learning Objectives

    What you need to know and understand

    • Identify common internet-based threats and assess their potential impact.
    • Evaluate strategies for safeguarding personal information and protecting others online.
    • Apply data security measures to prevent unauthorized access and breaches.
    • Analyze legal requirements and organizational guidelines for online activity.
    • Demonstrate safe practices for password management and authentication.
    • Recognize and respond appropriately to suspicious online content and communications.
    • Understand the risks that can exist when using the Internet.
    • Know how to safeguard self and others when working online.
    • Take precautions to maintain data security.
    • Follow legal constraints, guidelines and procedures which apply when working online.
    • Evaluate the range of internet risks, including phishing, ransomware, and identity theft, and their consequences for individuals and businesses.
    • Implement robust authentication methods and secure communication protocols to safeguard personal and professional data.
    • Apply data encryption, backup, and access control measures to maintain data integrity and confidentiality.
    • Analyze legal obligations under data protection legislation and organizational policies when processing personal information online.
    • Develop a comprehensive internet safety plan that integrates threat awareness, preventive actions, and reporting procedures.

    Assessment Criteria

    Key criteria assessors look for in your portfolio

    • Award credit for identifying at least three specific online threats with examples of their consequences.
    • Credit given for explaining safeguarding measures such as using antivirus software, VPNs, and secure browsing habits.
    • Evidence must include reference to relevant legislation (e.g., GDPR, Computer Misuse Act) and how it applies to online behaviour.
    • In practical tasks, demonstrate ability to configure privacy settings and recognize phishing attempts.
    • Award credit for demonstrating the ability to conduct a thorough risk assessment of internet activities, identifying specific threats such as phishing emails, social engineering, and unsecured Wi-Fi networks.
    • Award credit for showing clear evidence of implementing protective measures, including the configuration of firewalls, use of VPNs, and application of two-factor authentication, with documented rationale.
    • Award credit for correctly categorising and applying relevant UK legislation (e.g., Data Protection Act 2018, Computer Misuse Act 1990) and organisational IT security policies in scenario-based tasks.
    • Award credit for effectively communicating internet safety guidelines to others, such as creating a user awareness poster or delivering a short presentation tailored to a non-technical audience.
    • Award credit for accurately identifying at least three distinct types of internet risks (e.g., malware, phishing, identity theft) with clear explanations of each.
    • Credit demonstration of safeguarding measures such as setting strong passwords, recognising secure websites (HTTPS), and avoiding suspicious links or attachments.
    • Credit evidence of procedures to maintain data security, including regular backups, use of antivirus software, and understanding of encryption for sensitive data.
    • Credit clear explanation of relevant legal constraints (e.g., Data Protection Act, Computer Misuse Act) and how they apply to online activities, along with adherence to organisational guidelines.
    • Award credit for demonstrating the ability to identify and explain at least three distinct types of internet risk (e.g., phishing, viruses, identity theft) with relevant workplace examples.
    • Expect evidence of correctly configuring browser security settings (e.g., pop-up blockers, cookie controls) and explaining their purpose.
    • Require description of procedures for safeguarding personal information when using social media, email, or cloud services, including password management and privacy settings.
    • Credit should be given for outlining key legal requirements from the Data Protection Act 2018 and Computer Misuse Act 1990, and how they apply to online activities, with reference to specific sections or principles.
    • Assess the use of appropriate terminology such as 'encryption', 'two-factor authentication', and 'social engineering' in context.
    • Award credit for identifying and explaining at least three distinct internet threats (e.g., ransomware, social engineering, unsecured Wi-Fi risks) with real-world examples.
    • Demonstrate the ability to configure browser security settings, enable two-factor authentication, and advise others on safe browsing practices, with supporting evidence.
    • Evidence of implementing data encryption, regular backups, and secure password management systems to protect sensitive information.
    • Show compliance with GDPR, Computer Misuse Act, and organisational IT policies through documented risk assessments and incident reporting procedures.
    • Award credit for clearly identifying and categorising common internet risks such as malware, phishing, identity theft, and social engineering attacks.
    • Credit should be given for demonstrating effective safeguarding practices, including configuring privacy settings, using strong authentication, and recognising secure websites.
    • Assessors should look for evidence that the learner can apply data protection measures, like encryption, secure backups, and safe data disposal, in a given scenario.
    • Marks should be allocated for accurately referencing relevant legislation (e.g., Data Protection Act, Computer Misuse Act) and explaining its implications for online behaviour.
    • Award credit for correctly identifying and categorizing a given online threat scenario.
    • Expect evidence of configuring browser security settings and explaining the rationale behind chosen safeguards.
    • Look for accurate application of encryption methods in practical tasks, such as encrypting emails or files.
    • Credit demonstration of understanding how GDPR principles apply to everyday online activities.
    • Assess the ability to produce a clear incident response checklist for a specified security breach.
    • Award credit for demonstrating a clear understanding of common internet threats (e.g., viruses, trojans, ransomware, social engineering) and their potential impact.
    • Evidence must show the learner can apply appropriate safeguarding measures, such as configuring firewalls, using strong authentication, and recognising secure websites (HTTPS, padlock icon).
    • Credit for correctly explaining procedures for maintaining data security, including encryption, regular backups, and secure file sharing practices.
    • The learner must reference relevant legislation (e.g., Data Protection Act 2018, GDPR, Computer Misuse Act 1990) and organisational policies when describing online conduct.
    • Accurately identify at least four distinct internet risks (e.g., malware, phishing, identity theft, social engineering) with relevant examples.
    • Clearly explain appropriate safeguards for different scenarios, such as using strong passwords, avoiding suspicious links, and configuring privacy settings.
    • Demonstrate practical data security precautions, including regular software updates, secure file storage, and safe use of removable media.
    • Outline the principles of the General Data Protection Regulation (GDPR) and describe how they apply when handling personal data online.
    • Provide evidence of following organisational procedures, such as reporting a security incident or adhering to an acceptable use policy.
    • Award credit for identifying at least three types of online risks (e.g., phishing, malware, identity theft, social engineering) and providing clear, distinct examples.
    • Award credit for demonstrating practical safeguarding measures, such as configuring browser security settings, using strong passwords, and enabling two-factor authentication, with evidence of application.
    • Award credit for explaining data security procedures, including the use of encryption for sensitive files, regular backups to external or cloud storage, and physical device security (e.g., locking screens, not leaving devices unattended).
    • Award credit for accurately referencing relevant legal constraints, such as the Data Protection Act, Computer Misuse Act, or copyright law, and explaining how they impact online behaviour (e.g., not sharing personal data without consent, avoiding illegal downloads).

    Assessment Guidance

    Guidance for achieving higher grades

    • In written assessments, always link practical actions to specific risks or legal requirements to demonstrate full understanding.
    • When answering scenario-based questions, explicitly reference relevant legislation and organizational procedures.
    • For practical tasks, ensure evidence shows step-by-step application of security measures, not just final outcomes.
    • Use correct terminology (e.g., 'phishing', 'two-factor authentication', 'encryption') to convey technical competence.
    • In portfolio-based assessments, provide concrete screenshots and logs demonstrating security configurations you have personally applied, not just theoretical descriptions.
    • When responding to scenario questions, explicitly state the legal or organisational policy framework you are referencing, and explain how it applies to the specific situation.
    • For practical tasks, adopt a layered security approach and document why each layer (physical, network, application, user) is necessary, showing understanding of defence in depth.
    • Use real-world case studies of security incidents to illustrate your points; assessors value the ability to learn from actual breaches and recommend preventive measures.
    • When describing risks, always link the threat to a potential consequence (e.g., phishing can lead to financial loss) to show depth of understanding.
    • For safeguarding questions, structure answers around the individual, the data, and the organisation, demonstrating a layered approach to security.
    • In data security scenarios, mention both preventative (firewalls, updates) and reactive (incident response, reporting) measures to gain full marks.
    • When discussing legal constraints, reference specific legislation by name and give a brief example of its application, such as how the Data Protection Act requires consent for data processing.
    • When describing risks, always provide a clear example relevant to a typical workplace scenario to demonstrate applied understanding and context.
    • For safeguarding questions, structure answers around the 'CIA triad' (Confidentiality, Integrity, Availability) to show systematic thinking and comprehensive coverage.
    • In assignments, reference specific legislation clauses (e.g., Data Protection Act principles, Computer Misuse Act Section 1) for higher marks; avoid generic statements like 'it's against the law'.
    • Use real-world case studies or recent news stories about data breaches to illustrate points and show wider awareness.
    • For the assignment, ensure you provide specific, contextualised examples from your own work or a simulated environment rather than generic descriptions.
    • When discussing legislation, reference the specific acts and explain their impact on everyday online activities, not just name them.
    • Include screenshots or logs as evidence of implementing security measures, ensuring they are prominently annotated to demonstrate understanding.
    • Structure your response to systematically address each learning outcome, using headings to guide the assessor through your evidence.
    • When producing portfolio evidence, use real-life scenarios or case studies to show practical application of safeguards, such as screenshots of privacy settings configured or examples of phishing email identification.
    • Always cross-reference your answers to the specific assessment criteria; for example, if asked about legal constraints, explicitly name the relevant law and cite how it applies.
    • For evidence of safeguarding others, include examples of how you would educate or advise colleagues, such as creating a simple guide on password security or spotting scams.
    • In written assignments, use technical terms accurately (e.g., 'encryption', 'two-factor authentication') to demonstrate depth of understanding and meet grading criteria.
    • In written responses, always link practical actions to specific legal requirements (e.g., mention 'Data Protection Act principle of accountability' when describing audit trails).
    • Use real-world examples to illustrate threats and safeguards; reference recent high-profile data breaches to show currency.
    • For practical assessments, provide step-by-step evidence of your security configurations, including screenshots where allowed.
    • When answering safeguarding questions, explicitly state whether you are protecting yourself, colleagues, or clients, and tailor the measures accordingly.
    • Stay updated with the latest cybersecurity trends and legislation, as assessors may value awareness of current developments.
    • When answering assignment questions, always relate technical solutions to real-world scenarios, showing how they mitigate specific risks.
    • Ensure responses clearly link to the legal frameworks provided in the learning materials; avoid vague statements about 'the law' without naming specific acts.
    • For practical assessments, demonstrate systematic checks—such as verifying URL legitimacy and inspecting security certificates—rather than relying on intuition.
    • Always link your answers to real-world scenarios or case studies to demonstrate practical understanding.
    • Use correct technical terminology (e.g., ‘encryption’, ‘two-factor authentication’) to show depth of knowledge.
    • When completing portfolio work, annotate screenshots or records clearly to evidence how you have met each learning outcome.
    • Stay informed about current online threats and legal updates, as these may feature in assessment scenarios.
    • Read assignment briefs carefully to ensure you address every aspect of the criteria, especially the distinction between safeguarding self and safeguarding data.
    • When describing safeguarding measures, always link them to specific risks – for example, explain how a firewall helps block unauthorised access attempts by hackers.
    • For data security questions, mention the CIA triad (Confidentiality, Integrity, Availability) as a framework, and give concrete examples like using encryption for confidentiality and backups for availability.
    • In any task on legal constraints, name the legislation explicitly and apply it to a realistic online scenario, such as stating that the Data Protection Act requires you to keep customer information secure when storing it on a cloud service.
    • If asked to produce a guide or presentation, structure it clearly with sections on risks, safeguards, data security, and legal aspects, and include practical screenshots or step-by-step instructions to demonstrate competence.
    • When answering questions about software features, always mention the specific menu or tab where the feature is found (e.g., 'On the Insert tab, in the Illustrations group'). This shows you know the interface, not just the concept.
    • For practical assessments, demonstrate efficiency by using keyboard shortcuts and quick access toolbar commands. Examiners look for speed and accuracy, not just correct results.
    • In database tasks, always normalise your tables to at least third normal form (3NF) to avoid data redundancy. Show your reasoning for table relationships and primary/foreign keys.

    Common Mistakes

    Common errors to avoid in your coursework

    • Assuming antivirus alone provides complete protection without safe browsing practices.
    • Confusing data security with physical device security.
    • Failing to update software regularly, leading to vulnerabilities.
    • Not recognizing that legal constraints apply to personal as well as professional online activity.
    • Confusing data security with data privacy; for instance, focusing solely on encryption without considering lawful bases for data processing under GDPR.
    • Assuming that antivirus software alone provides complete protection, neglecting other critical practices like regular software updates and user education.
    • Misapplying legislation, such as citing the Computer Misuse Act for data breaches that should fall under the Data Protection Act, or failing to recognise the distinction between civil and criminal liability.
    • Overlooking the human factor in internet safety, such as not addressing social engineering tactics like tailgating or pretexting in risk evaluations.
    • Confusing data security with data privacy; learners often use these terms interchangeably without recognising that security involves protective measures while privacy concerns lawful handling and consent.
    • Assuming that a website with HTTPS is automatically trustworthy; they may overlook other signs of phishing or fake sites that use SSL certificates.
    • Failing to specify practical steps for safeguarding others, such as not sharing personal information online or reporting suspicious behaviour, instead focusing only on self-protection.
    • Misinterpreting legal guidelines as optional rather than mandatory, leading to insufficient detail on consequences of non-compliance like fines or legal action.
    • Confusing viruses with phishing attacks, or not distinguishing between malware types (e.g., spyware vs. ransomware).
    • Assuming that a single security measure (like antivirus) provides complete protection, without layering security controls or recognising human factors.
    • Misunderstanding the legal implications of sharing copyrighted material or personal data without consent, overlooking the conditions of implied consent under GDPR/DPA.
    • Failing to recognise that public Wi-Fi networks pose additional risks, and that VPNs or secure connections are necessary.
    • Overlooking the importance of regular software updates as a security practice.
    • Assuming antivirus software alone provides complete protection against all online threats.
    • Overlooking the importance of regular software updates and patch management in preventing exploits.
    • Failing to distinguish between personal and professional legal obligations, leading to non-compliance with workplace data handling procedures.
    • Using the same password across multiple accounts, increasing vulnerability to credential stuffing attacks.
    • Assuming that using antivirus software alone provides complete protection against all online threats, neglecting other layers like firewalls or user awareness.
    • Believing that private or incognito browsing mode guarantees anonymity and full data security, without understanding its limitations.
    • Failing to differentiate between organisational and personal legal responsibilities, often overlooking employer-specific IT policies.
    • Overlooking the importance of regular software updates and patches as a key defense against evolving security vulnerabilities.
    • Conflating data security with data privacy, leading to incorrect measures being proposed.
    • Relying solely on technical solutions like firewalls without addressing human factors such as social engineering.
    • Underestimating the importance of software updates, leaving systems exposed to known vulnerabilities.
    • Failing to distinguish between personal and organizational responsibilities when safeguarding data online.
    • Misinterpreting legal consent requirements, especially for cookies and marketing communications.
    • Confusing different types of malware (e.g., treating a virus and a worm as identical) or underestimating social engineering tactics.
    • Failing to distinguish between security measures for personal versus organisational contexts, leading to inadequate protection strategies.
    • Overlooking the importance of regular software updates and patch management in maintaining internet safety.
    • Incorrectly assuming that HTTPS alone guarantees a website's legitimacy without checking for other indicators like domain authenticity.
    • Assuming antivirus software alone is sufficient for complete protection, neglecting other layers like firewalls and user awareness.
    • Using the same password across multiple accounts or choosing easily guessable passwords, compromising account security.
    • Believing that public Wi-Fi networks are inherently secure, leading to data interception risks.
    • Failing to recognise phishing attempts, especially those that appear to come from trusted sources but contain subtle red flags.
    • Ignoring the importance of software updates, leaving systems vulnerable to known exploits.
    • Confusing types of malware (e.g., equating a virus with a worm) or failing to recognise phishing attempts as distinct from spam.
    • Believing that antivirus software alone provides complete protection, neglecting other measures like software updates, firewalls, or user vigilance.
    • Assuming that personal data is only financial information, overlooking that names, addresses, and photos also require protection under data security.
    • Misunderstanding copyright, thinking that any online material is free to use regardless of licensing, or not recognising that sharing copyrighted files without permission is illegal.
    • Misconception: 'Knowing how to use Word and Excel is enough to pass.' Correction: The diploma requires you to demonstrate advanced features like macros, pivot tables, and database queries. Basic proficiency won't suffice; you need to show you can automate tasks and analyse data efficiently.
    • Misconception: 'Database skills are only for IT specialists.' Correction: Databases are used in many roles, from customer relationship management to inventory tracking. Understanding how to design and query databases is a valuable skill for administrative and managerial positions.
    • Misconception: 'Security is just about having strong passwords.' Correction: Information security in this diploma covers data encryption, backup strategies, access controls, and compliance with GDPR. You must understand policies and procedures, not just technical measures.

    Before You Start

    Prior knowledge that will help with this topic

    • Basic computer literacy: ability to use a keyboard, mouse, and navigate the operating system.
    • Foundational knowledge of Microsoft Office or similar productivity suite (e.g., creating documents, simple spreadsheets, basic presentations).
    • Understanding of file management: saving, organising, and retrieving files in different formats.

    Key Terminology

    Essential terms to know

    • Threat identification and risk analysis
    • Personal and collective online safety
    • Data protection and security measures
    • Legal and ethical online conduct
    • Security software and safe browsing
    • Online threat landscape
    • Personal safeguarding techniques
    • Data security measures
    • Legal and regulatory compliance
    • Ethical online conduct
    • Incident prevention and response
