AQA GCSE·💻 Computer Science

AQA GCSE Computer Science — Paper 1 (Computational thinking and programming)

⏱ 90 minutes📊 90 marks📄 Paper 1 (Computational thinking and programming)

📚 Subject revision notes ↩ All exam papers

ℹ️ About this paper: This is an exam-board-aligned practice paper written in the style of AQA GCSE — not an official past paper. Use it for timed practice, then check against the mark scheme included below. For official past papers, see the exam board's website.

00:00of 90:00

AQA GCSE Computer Science — Paper 1 (Computational thinking and programming)

Total marks: 90 · Duration: 90 minutes

Instructions to candidates

• Answer all questions in both Section A and Section B. • Write your answers in black ink or black ball-point pen. • You may use an AQA approved calculator. • For Section B extended response questions, you should write your answers in continuous prose where appropriate, ensuring your spelling, punctuation and grammar are accurate. • The marks for questions are shown in brackets. • The maximum mark for this paper is 90.

Paper

Section A — Structured Questions (54 marks)

Question 1

A school library uses a database to store information about books and members.

(a) State what is meant by the term primary key.

(2 marks)

(b) The library database contains the following two tables:

Books table:

BookID	Title	Author	Genre	OnLoan
B001	To Kill a Mockingbird	Harper Lee	Fiction	TRUE
B002	A Brief History of Time	Stephen Hawking	Science	FALSE
B003	1984	George Orwell	Fiction	TRUE

Members table:

MemberID	FirstName	Surname	YearGroup
M101	Sarah	Johnson	11
M102	James	Smith	10
M103	Amira	Khan	11

Write an SQL query to display the Title and Author of all books where the Genre is 'Fiction' and the book is currently on loan.

(3 marks)

(c) The library wants to track which member has borrowed which book.

Explain why a third table would be needed to implement this relationship properly.

(3 marks)

Question 2

A programmer is developing a game where players must guess a secret number between 1 and 100.

The following algorithm shows part of the game logic:

01  secret = random(1, 100)
02  attempts = 0
03  maxAttempts = 7
04  guessed = False
05  
06  WHILE guessed == False AND attempts < maxAttempts
07      guess = input("Enter your guess: ")
08      attempts = attempts + 1
09      
10      IF guess == secret THEN
11          OUTPUT "Correct! You win!"
12          guessed = True
13      ELSE
14          IF guess < secret THEN
15              OUTPUT "Too low"
16          ELSE
17              OUTPUT "Too high"
18          ENDIF
19      ENDIF
20  ENDWHILE
21  
22  IF guessed == False THEN
23      OUTPUT "Game over. The number was " + secret
24  ENDIF

(a) Identify the data structure used on line 01 to generate the secret number.

(1 mark)

(b) State the purpose of the variable attempts in this algorithm.

(1 mark)

(c) Explain why a WHILE loop is more appropriate than a FOR loop in this algorithm.

(2 marks)

(d) The programmer wants to add a feature that stores the player's name and their best score (fewest attempts) in a text file called "highscores.txt".

Write pseudocode to:

Ask the user for their name
Open the file in append mode
Write the name and number of attempts to the file
Close the file

(4 marks)

Question 3

A smartphone app tracks daily step counts for users.

(a) The app stores each day's step count in a one-dimensional array called steps. The array has 7 elements, representing Monday to Sunday.

The following pseudocode calculates the total steps for the week:

total = 0
FOR i = 0 TO 6
    total = total + steps[i]
ENDFOR
OUTPUT total

A programmer suggests using a two-dimensional array to store step data for multiple weeks.

Describe how a two-dimensional array could be used to store 4 weeks of daily step data.

(3 marks)

(b) The app uses the following function to determine if a user has met their daily target:

def checkTarget(steps, target):
    if steps >= target:
        return True
    else:
        return False

(i) State the data type that this function returns.

(1 mark)

(ii) Explain one advantage of using a function to perform this check rather than writing the code repeatedly throughout the program.

(2 marks)

(c) The app developer wants to implement a linear search algorithm to find the first day in the week where the user exceeded 10,000 steps.

Complete the pseudocode below to implement this linear search:

steps = [8500, 9200, 12000, 11500, 7800, 13000, 9500]
target = 10000
found = False
position = -1

FOR i = 0 TO 6
    IF ______________ THEN
        position = ______________
        ______________
    ENDIF
ENDFOR

IF position == -1 THEN
    OUTPUT "Target not reached any day"
ELSE
    OUTPUT "Target first reached on day " + ______________
ENDIF

(4 marks)

Question 4

Binary and hexadecimal are number systems used in computing.

(a) Convert the binary number 1011 0110 to:

(i) Denary (decimal)

(2 marks)

(ii) Hexadecimal

(2 marks)

(b) A computer uses an 8-bit two's complement system to represent signed integers.

(i) State the range of denary values that can be represented using 8-bit two's complement.

(2 marks)

(ii) Show how the denary number -23 would be represented in 8-bit two's complement binary.

(3 marks)

(c) Explain why hexadecimal is often used by programmers instead of binary when representing memory addresses or colour codes.

(2 marks)

Question 5

A software company is developing a new application. The development team must choose between different programming paradigms.

(a) Name two programming paradigms.

(2 marks)

(b) The team decides to use object-oriented programming (OOP).

(i) State what is meant by the term encapsulation in object-oriented programming.

(2 marks)

(ii) The program includes a class called BankAccount with the following attributes:

accountNumber
balance
accountHolder

The class includes a method called withdraw(amount) that reduces the balance.

Write a class definition in a programming language of your choice (Python, Java, C# or VB.NET) that includes:

The three attributes listed above
A constructor method that initialises all three attributes
The withdraw(amount) method

(6 marks)

(c) Explain one advantage of using inheritance when developing the bank account system if the company needs to create both 'Savings Account' and 'Current Account' classes.

(2 marks)

Question 6

Computer systems must be protected against various security threats.

(a) Describe what is meant by a brute force attack.

(2 marks)

(b) A company requires employees to create passwords that meet the following criteria:

At least 12 characters long
Contains uppercase and lowercase letters
Contains at least one number
Contains at least one special character (!, @, #, etc.)

(i) Explain how these requirements help protect against brute force attacks.

(3 marks)

(ii) The company also implements two-factor authentication.

Explain how two-factor authentication provides additional security beyond just using a strong password.

(2 marks)

(c) Describe the purpose of penetration testing in maintaining system security.

(2 marks)

Section B — Extended Response (36 marks)

Question 7

A national retail company is considering whether to develop a new customer loyalty mobile app. The app would:

Track customer purchases in-store and online
Store customer personal data including name, address, email, and purchase history
Use customer location data to send notifications about nearby store offers
Store payment card details for quick checkout
Share anonymised shopping data with third-party marketing companies

The company believes the app will increase sales and customer engagement. However, there are concerns about data protection, customer privacy, and potential security vulnerabilities.

Discuss the ethical, legal and security issues the company should consider when developing and operating this customer loyalty app.

You should consider:

Data protection legislation and customer rights
Security measures needed to protect customer data
Ethical concerns about data collection and use
The balance between business benefits and customer privacy

(15 marks)

Question 8

Algorithms can be designed using different approaches to solve the same problem. Two important algorithm design approaches are divide and conquer (such as merge sort) and simple iterative approaches (such as bubble sort).

The table below shows the time taken (in milliseconds) for bubble sort and merge sort to sort different-sized lists of numbers:

Number of items	Bubble Sort (ms)	Merge Sort (ms)
100	5	2
1,000	450	18
10,000	45,000	180
100,000	4,500,000	2,000

A developer needs to create a system that frequently sorts large datasets containing between 50,000 and 200,000 items. The system must provide results quickly to maintain good user experience.

Evaluate which sorting algorithm would be most suitable for this system. Justify your recommendation by referring to:

Computational complexity and efficiency
The performance data provided
The specific requirements of the system
Any practical considerations for implementation

(12 marks)

The developer also needs to search through sorted datasets to find specific items.

Compare linear search and binary search algorithms for this purpose, recommending which would be most appropriate for searching sorted datasets.

(9 marks)

📋 Mark Scheme & Sample Answers

Hidden by default — attempt the paper first, then check your work against the examiner-style mark scheme.

⚡ Unlock with Pro

Mark Scheme

Section A — Structured Questions (54 marks)

Question 1

(a) State what is meant by the term primary key. (2 marks)

Award 1 mark for each point, up to maximum of 2:

A field/attribute that uniquely identifies each record/row in a table
No two records can have the same value for the primary key
Cannot be null/empty

Accept: unique identifier, cannot be duplicated Reject: "special field" without explanation of uniqueness

(b) SQL query (3 marks)

Award marks as follows:

1 mark: SELECT Title, Author
1 mark: FROM Books
1 mark: WHERE Genre = 'Fiction' AND OnLoan = TRUE

Accept:

Alternative syntax: OnLoan = 1, OnLoan = 'TRUE'
Different order of WHERE conditions
Use of single or double quotes consistently

Full acceptable answer:

SELECT Title, Author
FROM Books
WHERE Genre = 'Fiction' AND OnLoan = TRUE

(c) Explain why a third table would be needed. (3 marks)

Award 1 mark for each point, up to maximum of 3:

The relationship between Books and Members is many-to-many
One member can borrow many books / one book can be borrowed by many members (over time)
A linking/junction table is needed to implement a many-to-many relationship
This table would contain foreign keys from both the Books and Members tables
Could also store additional information such as date borrowed/date due

Accept: join table, associative entity, bridge table Typical creditable answers include any three relevant points about many-to-many relationships and linking tables

Question 2

(a) Identify the data structure (1 mark)

Function / built-in function / random function / procedure

Accept: method, subroutine Reject: "random" alone, "random number generator" without mentioning it's a function

(b) State the purpose of attempts (1 mark)

To count/track how many guesses the player has made
To count the number of times the loop has executed

Accept: keeps track of the number of attempts/guesses Reject: vague answers like "stores a number"

(c) Explain why WHILE loop is more appropriate (2 marks)

Award 1 mark for each point, up to maximum of 2:

The loop may terminate early if the player guesses correctly
A FOR loop runs a fixed/predetermined number of times
WHILE loop has two exit conditions (correct guess OR max attempts reached)
The number of iterations is not known in advance

Accept: condition-controlled loop more suitable than count-controlled loop

(d) Write pseudocode (4 marks)

Award marks as follows:

1 mark: Input/get player name and store in variable
1 mark: Open file "highscores.txt" in append/write mode
1 mark: Write name and attempts to file (both pieces of data)
1 mark: Close file

Example acceptable answer:

name = INPUT "Enter your name: "
myFile = OPENWRITE("highscores.txt")
myFile.WRITELINE(name + " " + attempts)
myFile.CLOSE()

Accept: various syntaxes for file operations (append, write mode specification) Accept: concatenation or comma-separated values Partial credit: Award marks even if minor syntax errors, provided intent is clear

Question 3

(a) Describe how 2D array could store 4 weeks of data (3 marks)

Award 1 mark for each point, up to maximum of 3:

Array would have 4 rows and 7 columns (or 7 rows and 4 columns)
Each row represents one week (or each column represents one week)
Each column represents one day (or each row represents one day)
Each element/cell stores the step count for that specific day in that specific week
Can be accessed using two indices, e.g., steps[week][day]

Accept: steps[0][0] to steps[3][6] or similar index ranges Minimum for full marks: Clear identification of dimensions, what rows/columns represent, and reference to accessing elements

(b)(i) State the data type returned (1 mark)

Boolean / Bool

Accept: True/False, logical Reject: "True or False" as a data type name (must use Boolean)

(b)(ii) Explain one advantage of using a function (2 marks)

Award 1 mark for identifying an advantage, 1 mark for explanation:

Possible answers include:

Reusability: The code can be called multiple times without rewriting it / reduces code duplication
Maintainability: If logic needs changing, only needs to change in one place / easier to debug
Readability: Makes code clearer / more understandable / self-documenting through function name
Testing: Can test the function independently / easier to find errors

Must have both identification AND explanation for full marks

(c) Complete the pseudocode (4 marks)

Award 1 mark for each correct completion:

IF steps[i] > target THEN or IF steps[i] >= 10000 THEN
position = i
found = True or break/exit loop statement
position or position + 1 (if they want to show day 1-7 rather than 0-6)

Example acceptable answer:

IF steps[i] > target THEN
    position = i
    found = True
ENDIF

Output line: position or position + 1

Accept: various loop exit strategies (BREAK, setting i = 7, etc.)

Question 4

(a)(i) Convert 1011 0110 to denary (2 marks)

Working: 128 + 32 + 16 + 4 + 2 = 182

Award marks:

1 mark: Correct method shown (e.g., binary place values or partial calculation)
1 mark: Correct answer (182)

Accept: answer only for both marks if correct If incorrect answer: Award 1 mark for correct method shown

(a)(ii) Convert to hexadecimal (2 marks)

Working: 1011 = B 0110 = 6 Answer: B6

Award marks:

1 mark: Splitting into nibbles / showing conversion of each 4-bit group
1 mark: Correct answer (B6)

Accept: 0xB6, B6h (with notation) Accept: answer only if correct

(b)(i) State the range of values (2 marks)

-128 to +127 or -128 to 127

Award marks:

1 mark: Correct lower bound (-128)
1 mark: Correct upper bound (+127)

Accept: -128 ≤ x ≤ 127 or equivalent notation Reject: -127 to +128 (incorrect)

(b)(ii) Show -23 in 8-bit two's complement (3 marks)

Method:

+23 in binary: 0001 0111
Invert bits: 1110 1000
Add 1: 1110 1001

Answer: 1110 1001

Award marks:

1 mark: Positive binary representation shown (0001 0111)
1 mark: Bits inverted correctly (1110 1000)
1 mark: Add 1 to get final answer (1110 1001)

Accept: Answer only if correct (for full marks) Partial credit: Award marks for steps shown even if final answer incorrect

(c) Explain why hexadecimal is used instead of binary (2 marks)

Award 1 mark for each point, up to maximum of 2:

Hexadecimal is more compact / shorter to write / fewer digits needed
Easier for humans to read / less prone to errors / easier to remember
Each hex digit represents exactly 4 bits / one byte = two hex digits
Reduces likelihood of transcription errors

Accept: Any two valid reasons with sufficient explanation Example full answer: "Hexadecimal is shorter and easier to read than binary. A single hex digit represents 4 bits, making it more compact."

Question 5

(a) Name two programming paradigms (2 marks)

Award 1 mark for each correct paradigm:

Procedural / imperative
Object-oriented
Functional
Declarative
Event-driven
Logic programming

Reject: "high-level" and "low-level" (these are not paradigms)

(b)(i) State what is meant by encapsulation (2 marks)

Award 1 mark for each point, up to maximum of 2:

Bundling/combining data (attributes) and methods together in a class
Hiding the internal workings/data from outside the class
Restricting direct access to some of an object's components
Data can only be accessed/modified through defined methods
Use of private/public access modifiers

Accept: Information hiding, data protection Typical full answer requires mention of both data/methods together AND restricted access

(b)(ii) Write class definition (6 marks)

Award marks as follows:

1 mark: Correct class declaration with appropriate name
1 mark: Three attributes declared (accountNumber, balance, accountHolder)
1 mark: Constructor/init method declared correctly
1 mark: Constructor initialises all three attributes
1 mark: withdraw method declared with parameter
1 mark: withdraw method correctly reduces balance

Example acceptable answer (Python):

class BankAccount:
    def __init__(self, accountNumber, balance, accountHolder):
        self.accountNumber = accountNumber
        self.balance = balance
        self.accountHolder = accountHolder
    
    def withdraw(self, amount):
        self.balance = self.balance - amount

Example acceptable answer (Java):

public class BankAccount {
    private String accountNumber;
    private double balance;
    private String accountHolder;
    
    public BankAccount(String accountNumber, double balance, String accountHolder) {
        this.accountNumber = accountNumber;
        this.balance = balance;
        this.accountHolder = accountHolder;
    }
    
    public void withdraw(double amount) {
        balance = balance - amount;
    }
}

Accept: Various syntaxes appropriate to chosen language Accept: Minor syntax errors if logic is clear Note: Do not penalise for missing data validation, access modifiers, or return statements unless they fundamentally break the code structure

(c) Explain one advantage of inheritance (2 marks)

Award 1 mark for identifying advantage, 1 mark for context/explanation:

Possible answers:

Code reuse: Common attributes/methods (accountNumber, balance, accountHolder, withdraw) can be defined once in parent class / SavingsAccount and CurrentAccount inherit these automatically
Easier maintenance: Changes to common functionality only need to be made in parent class / automatically applies to both child classes
Extensibility: Each account type can have specific additional methods (e.g., interest calculation for savings) while keeping shared functionality

Must relate answer to the context of bank accounts for full marks

Question 6

(a) Describe brute force attack (2 marks)

Award 1 mark for each point, up to maximum of 2:

Systematically trying every possible combination/password
Until the correct one is found
Automated/uses software to try combinations rapidly
Tries all combinations from a defined character set

Accept: "trial and error method", "trying all possible passwords" Typical full answer: "A method where all possible password combinations are tried systematically until the correct one is found."

(b)(i) Explain how requirements help protect against brute force (3 marks)

Award 1 mark for each point, up to maximum of 3:

Increases the number of possible password combinations / increases the password space
Makes it take longer to try all combinations / more time-consuming for attackers
12 character minimum increases the number of possible passwords significantly
Requiring different character types (upper, lower, number, special) increases complexity
Larger character set means exponentially more combinations to try

Accept: Mathematical explanations (e.g., "with 26 lowercase, 26 uppercase, 10 digits, and 10 special characters = 72^12 combinations") Look for understanding that more complex requirements = more possible combinations = harder to crack

(b)(ii) Explain how two-factor authentication provides additional security (2 marks)

Award 1 mark for each point, up to maximum of 2:

Requires two different types of verification / something you know (password) and something you have (phone/token)
Even if password is compromised/stolen, attacker cannot access system without second factor
Second factor is time-limited / expires quickly
Typically sent to a device only the legitimate user has access to

Accept: Explanation of "two-factor" or "multi-factor" authentication Typical full answer: "Two-factor authentication requires both a password and a second verification method, such as a code sent to a mobile phone, so even if the password is stolen the attacker cannot access the account."

(c) Describe purpose of penetration testing (2 marks)

Award 1 mark for each point, up to maximum of 2:

Simulates real attacks to identify vulnerabilities/weaknesses
Tests security measures before attackers exploit them
Performed by security professionals/ethical hackers
Helps organisation fix security issues before they cause harm
Identifies weaknesses in system security

Accept: "ethical hacking", "security testing" Typical full answer: "Penetration testing simulates attacks on a system to identify security vulnerabilities so they can be fixed before malicious attackers exploit them."

Section B — Extended Response (36 marks)

Question 7 — Discuss ethical, legal and security issues (15 marks)

Level-based marking:

Level 4 (13-15 marks): Comprehensive discussion

Detailed analysis of multiple ethical, legal AND security issues
Specific reference to relevant legislation (Data Protection Act 2018, GDPR, Computer Misuse Act)
Thorough consideration of data protection principles (lawfulness, transparency, purpose limitation, data minimisation, etc.)
Evaluates competing interests (business benefits vs customer privacy)
Provides specific, relevant security measures (encryption, secure authentication, regular security audits)
Well-structured response with clear reasoning
Uses technical terminology accurately throughout

Level 3 (9-12 marks): Clear discussion

Sound discussion of several ethical, legal OR security issues with some depth
References data protection legislation, possibly with some specific detail
Discusses some data protection principles
Considers both business and customer perspectives but may be unbalanced
Suggests some appropriate security measures
Reasonably well-structured response
Generally accurate use of technical terminology

Level 2 (5-8 marks): Basic discussion

Basic coverage of ethical, legal or security issues
Awareness of data protection requirements but may be vague or general
Limited consideration of competing interests
Mentions some security measures but may lack detail
Response may lack clear structure
Some technical terminology used but may be imprecise

Level 1 (1-4 marks): Limited response

Limited or superficial discussion
May list issues without development
Little or no reference to legislation
Minimal consideration of implications
Few relevant technical terms used
Lack of structure

0 marks: No creditable content

Indicative content (not exhaustive):

Legal issues:

Data Protection Act 2018 / GDPR compliance requirements
Need for lawful basis for processing (likely legitimate interest or consent)
Customer rights (right to access, right to erasure, right to data portability)
Privacy notices must be clear about data collection and use
Sharing data with third parties requires transparency and possibly consent
Location tracking particularly sensitive personal data
Storing payment details regulated by PCI DSS standards
Accountability and demonstrating compliance
Data Protection Impact Assessment (DPIA) required for high-risk processing
Must have Data Protection Officer
Potential fines for non-compliance (up to 4% of global turnover)

Ethical issues:

Informed consent - customers must understand what they agree to
Transparency about how data is used
Location tracking raises surveillance concerns
Profiling customers based on shopping habits
Sharing data with third parties - customers may not expect this
Balancing business benefit against customer privacy
'Anonymised' data can often be re-identified
Targeted marketing can be manipulative
Potential for discrimination based on shopping patterns
Children's data requires extra protection

Security issues:

Payment card data is highly valuable target for attackers
Need for encryption of data in transit and at rest
Secure authentication (strong passwords, 2FA)
Regular security testing / penetration testing
Employee access controls / least privilege
Protection against SQL injection, brute force attacks
Secure API connections with third parties
Regular security patches and updates
Incident response plan for data breaches
Backup and disaster recovery
Physical security of servers
Vetting of third-party partners

Balance / evaluation:

App provides business benefits (increased sales, customer insight)
Customers may value convenience and personalised offers
However, data breach could cause significant harm and reputational damage
Must weigh benefit against risk
Minimise data collection to only what's necessary
Give customers genuine choice and control

Question 8 — Evaluate sorting algorithms (12 marks) and Compare search algorithms (9 marks)

Part A: Evaluate sorting algorithms (12 marks)

Level-based marking:

Level 4 (10-12 marks): Comprehensive evaluation

Detailed analysis of both algorithms using the data provided
Clear understanding of computational complexity (O(n²) vs O(n log n))
Specific calculations or comparisons using the data table
Thorough justification of recommendation for the specific scenario (50k-200k items)
Considers multiple practical factors (memory usage, implementation complexity, stability)
Evaluates trade-offs between different factors
Reaches clear, well-justified conclusion
Accurate technical terminology throughout

Level 3 (7-9 marks): Sound evaluation

Good comparison of both algorithms with reference to data
Understanding of efficiency differences shown
Uses data table to support arguments
Reasonable justification for recommendation
Considers some practical factors
Clear conclusion reached
Generally accurate terminology

Level 2 (4-6 marks): Basic evaluation

Basic comparison of algorithms
Some reference to data or efficiency
Limited justification of recommendation
May focus on one algorithm more than comparing
Conclusion may be present but weakly justified
Some technical terms used

Level 1 (1-3 marks): Limited response

Limited or superficial comparison
Little use of data provided
Weak or no justification
May just describe rather than evaluate
Few technical terms used

0 marks: No creditable content

Indicative content for sorting evaluation:

Computational complexity:

Bubble sort has O(n²) time complexity / quadratic growth
Merge sort has O(n log n) time complexity / log-linear growth
As dataset size increases, difference becomes dramatic
At 100k items: bubble sort takes 4,500,000ms (4500 seconds / 75 minutes) vs merge sort 2000ms (2 seconds)

Analysis of data:

When items increase from 100 to 1,000 (10×), bubble sort time increases by 90× but merge sort only 9×
When items increase from 1,000 to 10,000 (10×), bubble sort increases 100× but merge sort only 10×
Pattern shows bubble sort scales very poorly
For 50k-200k items (the requirement), merge sort would remain under a few seconds while bubble sort would take hours

Specific recommendation:

Merge sort clearly more suitable for this system
Meets requirement for quick results / good user experience
Bubble sort would be completely impractical at these sizes
50k items: bubble sort would take approximately 1,125 seconds (nearly 19 minutes) vs merge sort ~1 second

Practical considerations:

Merge sort requires more memory (creates copies of arrays)
Merge sort more complex to implement
However, performance benefit far outweighs these drawbacks
Merge sort is stable (maintains relative order of equal elements)
Modern systems have sufficient memory for merge sort
Implementation complexity is one-off cost; performance matters every execution

Conclusion:

Strong recommendation for merge sort
Performance difference is critical for user experience
Only practical choice for datasets of this size

Part B: Compare search algorithms (9 marks)

Level-based marking:

Level 3 (7-9 marks): Comprehensive comparison

Detailed comparison of both algorithms
Clear understanding that binary search requires sorted data / specification states data is sorted
Explains how each algorithm works
Quantifies efficiency difference (linear O(n) vs logarithmic O(log n))
Clear, justified recommendation
Accurate technical terminology

Level 2 (4-6 marks): Sound comparison

Reasonable comparison of both algorithms
Awareness that binary search more efficient for sorted data
Some explanation of operation
Basic recommendation made
Generally accurate terminology

Level 1 (1-3 marks): Limited comparison

Basic or superficial comparison
Limited technical understanding shown
Weak or no recommendation
Few technical terms used

0 marks: No creditable content

Indicative content for search comparison:

Linear search:

Checks each element sequentially from start to end
Time complexity O(n) - worst case checks every element
Works on unsorted or sorted data
Simple to implement
For 100,000 items, might need to check all 100,000 elements
Average case: checks n/2 elements

Binary search:

Repeatedly divides sorted dataset in half
Compares target with middle element
Eliminates half of remaining data each step
Time complexity O(log n) - logarithmic
Requires data to be sorted (which it is in this scenario)
More complex to implement (recursive or iterative)
For 100,000 items, maximum ~17 comparisons (log₂ 100,000)

Comparison:

Binary search vastly more efficient for large sorted datasets
100,000 items: linear search up to 100,000 checks vs binary search maximum 17 checks
Difference becomes more dramatic as dataset grows
200,000 items: linear up to 200,000 vs binary ~18 comparisons

Recommendation:

Binary search strongly recommended
Question states datasets are sorted - meets binary search prerequisite
Performance crucial for user experience / quick results
Efficiency gain from logarithmic vs linear is enormous at these data sizes
Example: finding item in 100k dataset - binary search up to 6,000× faster than linear search in worst case

Sample Answers with Examiner Commentary

Question 7 — Sample Answers

Grade 9 (top of Higher) answer

The company must consider several interconnected legal, ethical, and security issues when developing this app.

Legal considerations are primarily governed by the Data Protection Act 2018 and GDPR. The company must establish a lawful basis for processing personal data - most likely legitimate interest for business purposes, though location tracking and sharing with third parties may require explicit consent. The company must conduct a Data Protection Impact Assessment (DPIA) because the app processes sensitive location data and payment details, representing high-risk processing. Customers have specific rights under GDPR including the right to access their data, right to erasure ("right to be forgotten"), and right to data portability. The company must provide clear privacy notices explaining exactly what data is collected, how it's used, and with whom it's shared. Sharing anonymised data with third parties is particularly problematic as anonymisation is often reversible through data matching, and this must be transparent to customers. Payment card storage is regulated by PCI DSS standards requiring specific security controls. Non-compliance with GDPR can result in fines up to 4% of global turnover or €20 million.

Ethical issues go beyond legal compliance. The app collects extensive personal data including shopping habits, locations, and financial information, creating a detailed profile of customers. While the business benefits from increased sales and customer insights, customers may not fully understand the implications when they consent, especially regarding third-party data sharing. Location tracking is particularly intrusive - customers may not realise their movements are constantly monitored, raising surveillance concerns. The company has an ethical duty to practice data minimisation, collecting only essential data, but the app specification suggests collecting more data than strictly necessary. There's also potential for discriminatory practices if shopping patterns are used to make decisions about offers or services. The company must balance legitimate business interests against customer privacy rights, considering whether customers would reasonably expect their data to be used in these ways.

Security issues are critical given the sensitive data involved. Payment card details are high-value targets for cybercriminals, requiring encryption both in transit (using TLS) and at rest (database encryption). The company must implement robust authentication including strong password policies and two-factor authentication. Regular penetration testing should identify vulnerabilities before attackers exploit them. Security measures must protect against common attacks including SQL injection, brute force attacks, and man-in-the-middle attacks. Access controls should follow the principle of least privilege, ensuring employees only access data necessary for their role. Third-party marketing companies represent additional risk - data must be shared securely via encrypted APIs, and partner vetting is essential. The company needs an incident response plan for potential data breaches, including notification procedures required by law (within 72 hours of becoming aware). Regular security audits, patching, and staff security training are essential ongoing measures.

In conclusion, while the app offers business benefits, the risks are substantial. The company must implement comprehensive security measures, ensure full legal compliance including GDPR, and make genuine ethical commitments to transparency and customer control. The reputational damage from a data breach could far outweigh the business benefits, and customer trust depends on responsible data handling. The company should minimize data collection, give customers meaningful control including easy opt-out, and be completely transparent about third-party data sharing.

Mark: 15/15

Examiner commentary: This is an exemplary response demonstrating comprehensive understanding across all three areas. The candidate provides specific legal references (GDPR, DPIA, PCI DSS) with accurate details about requirements and penalties. Ethical analysis goes beyond simple statements to evaluate competing interests and consider implications customers might not understand. Security recommendations are specific and technical (TLS encryption, SQL injection, least privilege) rather than generic. The response is well-structured, uses precise terminology throughout, and reaches a balanced, justified conclusion. This demonstrates the analytical depth and technical accuracy expected at Grade 9.

Grade 6 (solid pass) answer

The company needs to think about data protection laws, ethical issues about privacy, and keeping data secure.

Legal issues: The company must follow the Data Protection Act and GDPR. This means they need permission from customers to collect their data and they have to protect it properly. Customers have rights to see what data is stored about them and can ask for it to be deleted. The company has to tell customers what data they collect and what they do with it. They could get big fines if they break the rules. Payment card details have special rules about how they must be stored safely.

Ethical issues: It might not be ethical to track customers' locations because this is invading their privacy. People might not realise how much data is being collected about them. Shopping data tells the company a lot about people's lives and habits. Sharing data with other companies is questionable because customers might not want this even if they agreed to terms and conditions without reading them properly. The company is making money from customer data which some people might think is unfair. However, customers do get benefits like special offers based on what they like.

Security issues: The app stores sensitive information including payment cards, addresses, and shopping history so it must be kept secure. Hackers might try to steal this data so the company needs encryption to protect it. They should use firewalls and antivirus software. Passwords should be strong and the company could use two-factor authentication. The data should be backed up in case something goes wrong. Staff should be trained about security so they don't accidentally cause problems. Third-party companies the data is shared with might not be as secure, creating additional risks.

Overall, the company can develop the app but must take data protection seriously. They need good security measures and should be honest with customers about what data is collected. Following the law is essential to avoid fines and losing customer trust.

Mark: 10/15

Examiner commentary: This response demonstrates sound understanding of the main issues and covers legal, ethical, and security aspects as required. The candidate correctly identifies relevant legislation (GDPR) and customer rights, though without the specific detail of the Grade 9 answer (no mention of DPIA, specific fine levels, or PCI DSS). Ethical discussion is reasonable but somewhat superficial - it identifies privacy concerns but doesn't deeply analyze the competing interests or specific implications. Security recommendations are generally appropriate but more generic (firewalls, antivirus, backups) rather than the specific technical measures of a top answer. The response is adequately structured and reaches a conclusion, but lacks the analytical depth and precise terminology for higher marks. This is a solid mid-grade response.

Grade 3 (near miss) answer

The company has to be careful about personal data because of privacy laws. There are also security risks with having an app that stores information.

Legal: The Data Protection Act says companies can't just take people's data without asking. They have to get permission first and tell people what they're going to do with it. If the company breaks the law they might get in trouble. People are allowed to see their data if they want to.

Ethical: It's not right to spy on customers by tracking where they go. People should have privacy and not be followed around. The company is only doing this to make more money which is putting profit before people. Customers might not know all their information is being stored. Shopping data is personal and shouldn't be shared with other companies because that's private information.

Security: Hackers could steal the payment card numbers and use them to take money from customers. This would be bad for customers and for the company. The company should use passwords to protect the data. They should also have security software to stop viruses. If someone hacks the database they could get all the customer information. The company needs to make sure their WiFi is secure and that staff don't give away passwords.

Conclusion: The company should only make the app if they can definitely keep it secure and follow all the privacy laws. Otherwise customers won't trust them and might not use it.

Mark: 5/15

Examiner commentary: This response shows basic awareness of relevant issues but lacks the depth and technical accuracy needed for higher grades. The legal section mentions the Data Protection Act but doesn't demonstrate real understanding of what compliance involves - "get permission" is oversimplified (doesn't distinguish between consent and other lawful bases). The ethical discussion identifies privacy concerns but treats the issue in black-and-white terms without acknowledging the balance between legitimate business interests and privacy. The security section includes a common misconception - WiFi security and viruses are largely irrelevant to this scenario; the candidate has listed generic "security things" rather than analyzing the specific risks of this app. Missing are specific requirements like encryption, what type of attacks are realistic threats, or technical controls needed. The response lacks structure and precise terminology. To improve, the candidate needs to develop points with specific examples, use accurate technical language, and demonstrate deeper understanding of requirements rather than making general statements.

Question 8 (Part A - Sorting) — Sample Answers

Grade 9 (top of Higher) answer

Merge sort is significantly more suitable than bubble sort for this system, and the performance data clearly demonstrates why.

Computational complexity analysis: Bubble sort has O(n²) time complexity, meaning the time grows quadratically as the dataset size increases. Merge sort has O(n log n) complexity, which grows much more slowly. We can see this pattern in the data provided. When dataset size increases from 1,000 to 10,000 items (a 10× increase), bubble sort time increases from 450ms to 45,000ms (100× increase), while merge sort only increases from 18ms to 180ms (10× increase). This demonstrates the quadratic nature of bubble sort versus the logarithmic-linear nature of merge sort.

Analysis for the specific requirement: The system needs to sort datasets between 50,000 and 200,000 items. Using the data, we can extrapolate approximate performance. For 100,000 items, bubble sort takes 4,500,000ms which is 4,500 seconds or 75 minutes - completely impractical for a system requiring quick results for good user experience. Merge sort takes only 2,000ms (2 seconds) for the same dataset. For 50,000 items, bubble sort would take approximately 1,125,000ms (over 18 minutes) while merge sort would take roughly 1,000ms (1 second). At 200,000 items, bubble sort would take astronomical time (approximately 18,000 seconds or 5 hours) while merge sort would remain under 5 seconds. This dramatic difference makes merge sort the only viable option.

Practical considerations: While merge sort does have some disadvantages - it requires additional memory space as it creates temporary arrays during the merge process, and it's more complex to implement correctly - these are far outweighed by the performance benefits. Modern computer systems have sufficient memory to handle the space requirements of merge sort, even for datasets of 200,000 items. Implementation complexity is a one-time cost during development, whereas the performance impact affects every single sort operation. Additionally, merge sort is a stable sort, meaning it preserves the relative order of equal elements, which can be important if the system needs to sort by multiple criteria.

Bubble sort's only advantage is simplicity of implementation and that it sorts in-place without requiring additional memory. However, these advantages are irrelevant when the algorithm takes hours to complete - no amount of simplicity compensates for that poor performance in a production system requiring good user experience.

Recommendation: Merge sort must be used for this system. The performance difference is not marginal but categorical - the difference between a 2-second response and a 75-minute wait at 100,000 items. For a system that "frequently" sorts large datasets, bubble sort would render the application completely unusable. Merge sort meets the user experience requirements and scales appropriately as dataset sizes vary within the 50,000-200,000 range. The investment in implementing the more complex algorithm will pay off with every execution.

Mark: 12/12

Examiner commentary: This is an outstanding response demonstrating deep understanding of algorithmic complexity and the ability to apply theoretical knowledge to a practical scenario. The candidate provides specific calculations using the data table, showing exactly why bubble sort is unsuitable (18 minutes to 5 hours for the required range). The response correctly identifies the O(n²) vs O(n log n) complexity and demonstrates understanding of what this means in practice. Practical considerations are evaluated objectively - acknowledging merge sort's disadvantages but correctly assessing their relative importance. The conclusion is clear, well-justified, and addresses the specific requirement ("frequently sorts," "good user experience"). This demonstrates the analytical rigor and technical precision expected at Grade 9.

Grade 6 (solid pass) answer

For this system, merge sort would be better than bubble sort because it is much faster for large datasets.

Looking at the table, bubble sort gets much slower as the dataset gets bigger. At 100 items it takes 5ms but at 100,000 items it takes 4,500,000ms which is about 75 minutes. Merge sort is much faster - only 2 seconds for 100,000 items. The system needs to sort between 50,000 and 200,000 items and needs to be quick, so bubble sort would be too slow. Users would not want to wait over an hour for results.

Bubble sort is O(n²) which means the time increases squared when the data gets bigger. Merge sort is O(n log n) which is much more efficient. This explains why the difference between them gets bigger as the dataset size increases. At small datasets like 100 items, there's not much difference (5ms vs 2ms) but at large sizes the difference is massive.

Merge sort does need more memory because it creates copies of parts of the array while it's sorting. This could be a problem if the computer doesn't have much memory. Merge sort is also harder to program because it uses recursion and is more complicated than bubble sort. Bubble sort is simpler - it just compares adjacent items and swaps them if they're in the wrong order, repeating until sorted.

However, for this system the speed is more important than memory usage or how easy it is to program. Modern computers have plenty of memory so that shouldn't be a problem. The difficult programming is only done once but the program will run many times, so having a fast algorithm is more important.

I would definitely recommend merge sort for this system because bubble sort is way too slow for datasets of 50,000 to 200,000 items. Merge sort will give users quick results which is what the system needs.

Mark: 8/12

Examiner commentary: This response demonstrates good understanding and makes appropriate use of the data provided. The candidate correctly identifies that bubble sort is impractical for the dataset sizes required and provides some specific evidence (75 minutes for 100,000 items). The response correctly states the computational complexity (O(n²) vs O(n log n)) and shows understanding of what this means. Practical factors are considered (memory usage, implementation complexity) and appropriately weighed against performance requirements. The conclusion is clear and appropriate. However, the analysis lacks the depth of the Grade 9 answer - no extrapolation for 50,000 or 200,000 items, less detailed explanation of why the complexity difference matters, and briefer consideration of practical factors (no mention of stability, less detailed cost-benefit analysis). The response is well-structured and reaches the correct conclusion with reasonable justification, making it a solid middle-grade answer.

Grade 3 (near miss) answer

Merge sort is faster than bubble sort so it should be used for this system.

The table shows that bubble sort takes longer than merge sort. At 10,000 items bubble sort takes 45,000ms but merge sort only takes 180ms. This shows merge sort is quicker. For 100,000 items bubble sort takes 4,500,000ms which is really slow but merge sort takes 2,000ms which is fast. The system needs to be quick so merge sort is better.

Bubble sort works by comparing two numbers next to each other and swapping them if they're in the wrong order. It keeps doing this until everything is sorted. Merge sort is more complicated and splits the list up then puts it back together in order.

Merge sort is better for big lists because it's faster. Bubble sort might be okay for small lists but not for big ones. The system uses big lists (50,000 to 200,000 items) so needs the faster algorithm.

One problem with merge sort is it's harder to understand and program. Bubble sort is easier because it's simpler. But speed is more important than being easy to program.

My recommendation is merge sort because it's faster and the system needs speed.

Mark: 4/12

Examiner commentary: This response identifies the correct recommendation and shows basic awareness that merge sort is faster,

Mark schemes are a Pro feature

Unlock full examiner-style mark schemes and grade-tiered sample answers across every paper.

See Pro pricing →

Finished the paper?

Reveal the mark scheme above, then dive into the topic notes to firm up anything you missed.

📚 Open subject revision notes →