Unit 1_9 The Legal Framework
Introduction
This lesson will cover the following areas of computer law:
– The Data Protection Acts 1984 & 1998
– The Computer Misuse Act 1990
The Data Protection Act: Why?
During the late 1970s and early 1980s there was a major growth in computer systems containing personal data.
As this personal data became more easily accessible, many people became concerned that it could be misused.
Definitions (cont)
Data Subject
– A living identifiable person about whom data is held. An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or the person’s physical, physiological, mental, economic, cultural or social characteristics.
Definitions (cont)
Personal Data
– This legislation only covers data that identifies a living, individual, natural person. Data covered by the Act includes electronic, manual and recorded data - anything which can identify an individual. Once any identifiers linking the data to a natural person have been removed, it no longer constitutes “personal data” and is therefore not covered by the provisions of the 1998 Act. It is therefore worth considering the earliest point in the survey process at which personal identifiers can be removed from the data.
Definitions (cont)
Data Controllers
– Data controllers are those who control and determine the use of the data they hold. All data controllers must notify the Office of the Information Commissioner (OIC).
Definitions (cont)
Data Processing
– “Processing” means obtaining, recording or holding data or carrying out any operation or set of operations on the data including: the organisation, adaptation or alteration of the data; retrieval, consultation or use of the data; disclosure of the data by transmission, dissemination or otherwise making available; alignment, blocking, erasure or destruction of the data.
Definitions (cont)
Consent
– Data subjects must have a clear understanding of what will happen as a result of providing information. In the case of market research it can be assumed that this condition has been satisfied by the respondent agreeing to be interviewed following an explanation of the nature and objectives of the research. If there is any likelihood of data subjects needing to be re-contacted then consent must be obtained at the first interview.
Definitions (cont)
Sensitive data
– Explicit consent is required for processing sensitive data. This means that the consent must be absolutely clear and based on a detailed explanation of how the data will be used. Sensitive data is defined as personal information covering:
• race or ethnic origin
• political opinions
• religious beliefs
• trade union membership
• physical or mental health
• sexual life
• the commission or alleged commission of an offence, or any proceedings for an offence committed and the outcome
The Eight Principles
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of a set of conditions is met:
– Consent given
– Necessary: contract, legal, vital interests
The Eight Principles
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
The Eight Principles (Cont.)
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
The Eight Principles (Cont.)
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
The Eight Principles (Cont.)
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
The Eight Principles (Cont.)
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
– Must ensure a level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected.
– Must take reasonable steps to ensure the reliability of staff having access to the personal data.
The Eight Principles (Cont.)
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
– The United States is not considered to have adequate safeguards in place. (“Safe Harbour” rules 1/11/2000)
– Companies with head offices outside the EEA have to realise they may no longer be able to satisfy requests to send personal data to head office.
Complaints/Registrations
The Information Commissioner is the person in charge of enforcing the DPA. At the moment the Information Commissioner is Mr Richard Thomas.
Some of the duties of the Information Commissioner are:
• The Information Commissioner's Office accepts registrations.
• The Information Commissioner deals with complaints.
• He is the ombudsman.
Exemptions
Exemptions To The Law
• Some not-for-profit organisations
• Processing of personal data for personal, family or household affairs (including recreational purposes)
• Data controllers who only process personal data for the maintenance of a public register
• Data controllers who only process personal data for any one or all of the following purposes for their own business:
– staff administration
– advertising, marketing and public relations
– accounts and records
• Special categories under which data may be held:
– National security
– Prevention of crime
– Collection of tax or duty
– Where the disclosure of medical data may harm the data subject
– Exam results
Your Rights
The Rights of a Data Subject Include:
An individual is entitled, upon written request, to be supplied with a copy of any personal data held about them.
The data controller may charge a fee.
Rights include:
– Right to compensation for unauthorised disclosure of data
– Right to compensation for inaccurate data
– Right of access to data and to apply for rectification or erasure where data are inaccurate
– Right to compensation for unauthorised access, loss or destruction of data
The Computer Misuse Act: Why?
Until the early to mid 1980s, most people who used a computer in order to commit a crime could be dealt with under existing laws.
For example, using a computer to:
– steal money or property
– obtain credit or services dishonestly
– evade a debt or liability
could be tried under the Theft Act 1968.
The Computer Misuse Act: Why?
Hacking in the early 1980s was not considered a crime - more a minor irritation.
During the mid to late 1980s hackers became:
– more daring
– malicious
Data was now being damaged, leading to:
– at best, inconvenience and its related costs
– at worst, large amounts of money being lost and some companies ‘going bust’
(Remember, these losses are almost always ‘passed on’ to the consumer!)
The Computer Misuse Act: Why?
There were a number of failed prosecutions brought against hackers at this time (using existing legislation)
This highlighted the problem of how to categorise hacking within the existing laws
The Computer Misuse Act: Why?
The most famous case (and the one that is said to have precipitated the Computer Misuse Act) was that of R v Gold. The exact offence with which the men were charged was:
‘making a false instrument, namely a device on or in which information is recorded or stored by electronic means with the intention of using it to induce the Prestel computer to accept it as genuine and by reason of so accepting it to do an act to the prejudice of British Telecommunications plc’
The Computer Misuse Act: Why?
The men concerned had hacked into the BT Prestel account and gained access to all the customer ID numbers. They left a number of messages in the Duke of Edinburgh’s private mailbox.
The Computer Misuse Act: Why?
The two men were convicted but appealed to the High Court
Their appeal was upheld as the machine used was both the ‘deceived’ and the ‘false instrument’
A Royal Commission was set up following the result of the appeal and as a result of their recommendations, the Computer Misuse Act was enacted
The Computer Misuse Act
The Act has three “Levels”:
1. Unauthorised access to a computer system (Hacking)
2. Unauthorised access with intent (Fraud)
3. Unauthorised modification of computer materials (Viruses)
The Computer Misuse Act
Section (Level) 1 refers to the basic hacking offence. It states that a person is guilty of an offence if:
– he causes a computer to perform any function with the intent to secure access to any program or data held in a computer
– the access he intends to secure is unauthorised
– he knows at the time when he causes the computer to perform the function that this is the case
The Computer Misuse Act
Section (Level) 2 refers to Ulterior Intent. It states that a person is guilty of an offence if:
– he commits the basic hacking offence described earlier in order to commit or facilitate (help in) the commission of further crimes
The Computer Misuse Act
Ulterior Intent Examples:
– trying to gain access to an Electronic Fund Transfer system to obtain money
– trying to obtain personal data stored on a computer for blackmailing purposes
(A person can be found guilty of this offence even if the second offence turns out to be impossible, e.g. no information is available that can be used for blackmail. It is the intention that is important.)
The Computer Misuse Act
Section 3 refers to Criminal Damage. It states that a person is guilty of an offence if:
– he commits any act that causes unauthorised modification of the contents of any computer; and at the time that the act is performed, he has both the requisite intent and knowledge to perform this act
The Computer Misuse Act
Within Section (Level) 3 the requisite intent is described as intent to:
– impair the operation of any computer
or
– prevent or hinder access to any computer or data held in any computer
or
– impair the operation of any program or the reliability of any data
The Computer Misuse Act
Criminal Damage Examples:
– distributing a virus (even though you don’t know which computer may be affected)
– adding data to a database
– changing passwords
The Computer Misuse Act
The Computer Misuse Act also clarifies the position with regard to international jurisdiction. It makes it an offence:
– to use a computer in this country to commit a crime in another country
or
– to use a computer in another country to commit a crime in this country
The Computer Misuse Act
Sentencing:
– Initially, decisions made by judges with regard to defendants who were prosecuted under the Act varied quite considerably.
– However, there has been an increasing severity of judgements against hackers, with one judge summing up with:
“Those who seek to wreak mindless havoc on one of the vital tools of our age cannot expect lenient treatment”
Infosec
In order to provide complete information security services, an organisation should have at least the following security policies:
– Information policy
– Security policy
– Computer use
– User management
– System Administration (SysAdmin) procedures
– Incident response procedures
– Configuration management
– Design methodology
– Disaster recovery plans
Disaster Recovery
Some firms provide complete disaster recovery services. See Heathcote chapter 46.
Find out how HP (Hewlett Packard) can provide its customers with disaster recovery and produce a report describing what they can do.