A-Level Computer Science — Thematic Project

Legal & Ethical Research
for MovieCrew

An investigation into the data protection and online safety laws that apply to MovieCrew — a movie database and social platform where users can review films, follow other users, and get personalised recommendations.

UK GDPR & Data Protection Act 2018 · Online Safety Act 2023 · ICO & Ofcom Guidance · May 2026

Introduction

Why legal research matters for MovieCrew

MovieCrew is a web application that lets users create accounts, write film reviews, follow other users, and receive personalised movie recommendations. Because the platform collects personal data — including names, email addresses, passwords, and viewing preferences — it has to comply with UK data protection law. On top of that, since the platform could potentially be accessed by people under 18, the Online Safety Act 2023 is also relevant.

This document looks at four key legal areas: what lawful basis MovieCrew uses to process personal data, how the data minimisation principle applies, what security measures are needed, and what age verification requirements exist under the Online Safety Act. Each section includes a screenshot from the relevant regulator's website (the ICO for data protection, and Ofcom for online safety) as evidence of the source material.


1. Lawful Basis for Processing Personal Data

ICO — UK GDPR Guidance: A Guide to Lawful Basis

Under the UK GDPR, you can't just collect and use people's personal data whenever you feel like it — you need a valid legal reason, called a "lawful basis." The ICO lists six possible lawful bases, and you have to pick the most appropriate one for each thing you're doing with the data before you start processing it.

Screenshot — ico.org.uk: A Guide to Lawful Basis
ICO website showing the guide to lawful basis for processing personal data under UK GDPR

For MovieCrew, the most relevant lawful basis is contract — when a user signs up and creates an account, they're entering into an agreement with the platform. Processing their name, email, and password is necessary to actually provide the service they've signed up for. Without that data, you can't create their account or let them log in, so the processing is genuinely necessary for the contract.

For things like sending optional marketing emails or using analytics to improve the site, the lawful basis would shift to consent — the user would need to actively opt in, and they should be able to withdraw that consent at any time. The ICO is clear that you can't just swap between lawful bases once you've started — you need to get it right from the beginning and document your decision.

Key point from the ICO: You must determine your lawful basis before you start processing personal data, document it, and include it in your privacy notice. You cannot swap to a different basis later without good reason.

2. Data Minimisation

ICO — Principle (c): Data Minimisation

Data minimisation is one of the core principles of the UK GDPR. The basic idea is simple: only collect the personal data you actually need, and nothing more. The ICO breaks this down into three requirements — the data must be adequate (enough to do the job), relevant (actually connected to your purpose), and limited to what is necessary (you're not holding more than you need).

Screenshot — ico.org.uk: Principle (c) Data Minimisation
ICO website showing the data minimisation principle under UK GDPR

For MovieCrew, this means thinking carefully about what data is actually needed at each stage. To create an account, you need a username, email address, and password — that's it. You don't need a phone number, date of birth, or home address just to let someone write a film review. Asking for extra information "just in case" would be a breach of this principle.

The recommendation engine is an interesting case. It uses data about which films a user has rated and what genres they seem to like. That data is directly relevant to the purpose (generating recommendations), so it's fine to use. But if the system were to also track things like what time of day someone logs in or how long they spend on each page, that would go beyond what's necessary for recommendations and would need a separate justification.

Practical implication for MovieCrew: The sign-up form should only ask for username, email, and password. Any additional fields (e.g. profile picture, bio) should be clearly optional and not required to use the core service.

3. Security of Processing

ICO — A Guide to Data Security

The UK GDPR requires organisations to put in place "appropriate technical and organisational measures" to keep personal data secure. This is sometimes called the security principle, and it applies to both the organisation itself and any third-party processors it uses. The ICO's guidance makes clear that what counts as "appropriate" depends on the nature of the data and the risks involved.

Screenshot — ico.org.uk: A Guide to Data Security
ICO website showing the guide to data security under UK GDPR

For MovieCrew, the most sensitive data is user passwords and email addresses. Passwords must never be stored in plain text — they should be hashed using a strong algorithm like bcrypt or Argon2. The platform already uses JWT tokens for authentication, which is a reasonable approach, but those tokens need to be stored securely (e.g. in httpOnly cookies rather than localStorage) to prevent cross-site scripting attacks from stealing them.

The ICO also mentions the need to ensure "confidentiality, integrity and availability" of systems. For MovieCrew, this means making sure the database is not publicly accessible, that SQL injection is prevented through parameterised queries, and that the application is kept up to date with security patches. If there were ever a data breach, the ICO would expect the organisation to be able to detect it and respond quickly.

Security measures already in MovieCrew: The backend uses FastAPI with JWT authentication, email verification on sign-up, and a structured database. These are good foundations, but passwords must be hashed and API endpoints must validate user permissions before returning data.
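Two of the measures this section calls for, as an added example that is not MovieCrew's own code: passwords stored only as salted hashes, and every database query built with parameter placeholders. It uses the standard library's hashlib.scrypt in place of the bcrypt or Argon2 the text recommends (those need third-party packages), and an in-memory SQLite table whose schema is constructed for the example.

```python
# Added example (not MovieCrew's code): minimal user store for sign-up/login.
# Assumption: hashlib.scrypt stands in for bcrypt/Argon2 so it runs offline.
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database; MovieCrew's real schema is not on the page.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, salt BLOB, pw_hash BLOB)"
)


def hash_password(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF with a per-user random salt; the plain password is never stored.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def register(username: str, email: str, password: str) -> None:
    # Data minimisation: only the three fields the sign-up form actually needs.
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, email, salt, pw_hash) VALUES (?, ?, ?, ?)",
        (username, email, salt, hash_password(password, salt)),
    )
    conn.commit()


def login(username: str, password: str) -> bool:
    # The '?' placeholder keeps user input out of the SQL text, so quote
    # characters or SQL keywords in a username are matched as a literal string.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)
```

Swapping hash_password for bcrypt or argon2-cffi changes one function; the query and comparison logic stay the same.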

4. Age Verification & the Online Safety Act

Ofcom — Age Assurance Duties under the Online Safety Act 2023

The Online Safety Act 2023 introduced new duties for online services that could be accessed by children. Ofcom, the UK's communications regulator, is responsible for enforcing these duties. The Act defines "children" as anyone under 18, and it requires services to think carefully about whether children might be using their platform and what risks that creates.

Screenshot — ofcom.org.uk: Age Assurance Duties under the Online Safety Act
Ofcom website showing age assurance duties under the Online Safety Act 2023

MovieCrew is primarily a film review and recommendation platform, which means it doesn't host pornographic content or the most harmful categories of material. However, it is a user-to-user service — users can post reviews, follow each other, and interact. This means it falls within the scope of the Online Safety Act and needs to carry out a children's risk assessment to understand what risks the platform might pose to under-18 users.

From 25 July 2025, services that allow pornography must have "highly effective" age assurance in place. MovieCrew doesn't allow that type of content, so the strictest age verification requirements don't apply. However, Ofcom's guidance still expects services to consider whether their content or features could harm children, and to put appropriate protections in place. For MovieCrew, this might mean adding a minimum age requirement (e.g. 13+) to the sign-up process and making sure the recommendation algorithm doesn't surface content that would be inappropriate for younger users.

What this means for MovieCrew: MovieCrew should carry out a children's risk assessment, set a minimum age for sign-up, and ensure that any user-generated content moderation is in place. Full age verification (e.g. ID checks) is not required unless the platform hosts harmful content.

5. Dataset Licensing — TMDB API

The Movie Database (TMDB) — Terms of Use

MovieCrew uses The Movie Database (TMDB) API to pull in film data — titles, posters, descriptions, cast information, and ratings. TMDB is a community-built database that offers a free API for non-commercial use. Before using any third-party dataset or API, it's important to check the licensing terms to make sure the intended use is permitted.

TMDB's terms allow free use of their API for non-commercial projects, which covers a student project like MovieCrew. However, there are some important conditions: the application must display the TMDB logo and attribution wherever their data is used, the API must not be used to create a competing database, and the data cannot be cached or stored permanently in a way that bypasses the API. For MovieCrew, this means the film data should be fetched live from the API rather than copied into a local database.

Attribution requirement: Any page in MovieCrew that displays TMDB data (film posters, descriptions, cast lists) must include the text "This product uses the TMDB API but is not endorsed or certified by TMDB" along with the TMDB logo.

References

  1. Information Commissioner's Office (ICO). A Guide to Lawful Basis. Available at: ico.org.uk/…/lawful-basis/a-guide-to-lawful-basis/ [Accessed May 2026]
  2. Information Commissioner's Office (ICO). Principle (c): Data Minimisation. Available at: ico.org.uk/…/data-minimisation/ [Accessed May 2026]
  3. Information Commissioner's Office (ICO). A Guide to Data Security. Available at: ico.org.uk/…/a-guide-to-data-security/ [Accessed May 2026]
  4. Ofcom. Age Assurance Duties under the Online Safety Act. Available at: ofcom.org.uk/…/age-assurance [Accessed May 2026]
  5. Ofcom. Online Safety Act Compliance Guide for Providers. Available at: ofcom.org.uk/…/guide-for-services [Accessed May 2026]
  6. The Movie Database (TMDB). API Terms of Use. Available at: themoviedb.org/documentation/api/terms-of-use [Accessed May 2026]
  7. UK Government. UK General Data Protection Regulation (UK GDPR). Available at: legislation.gov.uk
  8. UK Government. Online Safety Act 2023. Available at: legislation.gov.uk/ukpga/2023/50