Data Protection and Computer Misuse Act material
Modified by Eric from Mary’s slides

Ethical issues

- Some computer databases hold a lot of personal details
  - Personal data needs to be protected
  - Unethical to misuse personal data
- Some computer systems hold sensitive information
  - Security arrangements allow authorised access only
  - Unethical to misuse or break into secure systems
- Legislation in place to make unethical use of computers also unlawful

Data Protection Acts

- Legal protection for personal data
- How many organisations hold information about you?
  - Think about a few
  - Share some examples

Data held about us

- These organisations hold information about us: college, loan company, bank, mobile phone provider, library, local council, DVLA, insurance company, DHSS
- A typical adult may be listed in 200 computer systems
- Holding inaccurate data may result in problems

Data Protection Act 1984, updated 2000

- Act updated 1999 - came into effect spring 2000
- New Data Protection Principles
- Passed to implement the European Data Protection Directive
- Includes some manual/paper records for the first time
- Extra rights for data subjects
- Exemptions include:
  - preventing or detecting crime
  - catching or prosecuting offenders
  - assessing or collecting tax or duty

Data Protection - key definitions (1)

- Personal data: any data or information about an individual stored in computers by companies or organisations
  - Living individuals
  - Includes expressions of opinion about the individual
- Data subject: legal term referring to the individual whose data is held

Data Protection - key definitions (2)

- Data controller: person with defined responsibility for data protection within a company
  - Could be a single person or a group of people
  - Ensures that recorded data complies with the Act
  - Holds a detailed register of the data to be held in the company
- Information Commissioner: official who supervises enforcement of the Data Protection Act
  - Issues guidance
  - Publishes views, for example on retention of DNA profiles
  - Takes action in breaches of the Data Protection Act

Data Protection - eight principles

Data protection is framed within 8 principles:
1. Obtained and processed fairly and lawfully
2. Processed for specific purposes
3. Adequate, relevant and not excessive to processing purpose
4. Accurate and up to date
5. Not kept for longer than necessary
6. Processed in accordance with data subject rights
7. Secure
8. Not transferred outside EEA without assurance of protection

Look at each in turn…

Principle 1

- Data must be obtained and processed fairly and lawfully
  - Obtained fairly from the data subject
  - Subject must be aware of what data is being collected and how it will be used
- Example of breach: a company employs a private detective to find out about a prospective senior employee and puts the information on the recruitment system

Principle 2

- Data must be processed for specific purposes
  - Cannot be used for another purpose unknown to the subject
  - Cannot be collected for provision of a service and then also used for another purpose without the subject’s consent
- Example of breach: someone wishing to start a new club borrows a list of his company’s customers as prospective members and also looks at other personal details to decide if they would be suitable club members

Principle 3

- Data must be adequate, relevant and not excessive to the processing purpose
  - Cannot request more data than is needed for the task at hand
  - Very tempting to collect data for a future purpose - but not legal
- Example of breach: the marketing department sends questionnaires to customers, asking for age, gender, ethnic background, quantity and brands of foods they buy, hobbies, date and place of birth
  - Demographics and shopping habits are fine for the purpose, but hobbies and birth details are excessive

Principle 4

- Data must be accurate and up to date
  - Data controller under obligation to ensure accuracy
  - If the subject provides inaccurate data despite the controller’s attempts at accuracy, then the principle is not breached
  - Data controller responsible for verifying accuracy
  - A good way is to periodically request confirmation or update
- Example of breach: a customer is unemployed when first taking out life insurance; subsequently finds a job and tells the insurance company; the insurance company fails to update its records; the customer is later denied a mortgage when the insurance company tells the credit reference agency the customer is unemployed

Principle 5

- Data must not be kept for longer than necessary
  - Destroy data when it is finished with
  - Can be done automatically by software
  - Can be prompted by the computer system
- Example of breach: a magazine publisher sends magazines to subscribers; when a subscription is cancelled or not renewed, the company keeps data about the previous subscriber and keeps sending magazines

Principle 6

- Data must be processed in accordance with data subject rights
  - Data subjects have access rights that must be upheld
  - Failure to comply with requests from the Information Commissioner also breaches this principle
- Example of breach: an employee asks to see the data held on her by the company but is told that it is confidential and she is not allowed to see it

Principle 7

- Data must be kept secure at all times
  - Data controllers must apply appropriate security measures
  - Prevent internal and external access by unauthorised users
  - Hardware: card access to rooms, firewalls, CCTV etc
  - Software: passwords, virus scanners, etc
  - Organisational: internal audit, division of duties, dual control of cash
- Example of breach: when travelling to a meeting in another town, an employee accidentally leaves a file of insurance claims on the train

Principle 8

- Data must not be transferred outside the EEA without assurance of adequate protection
  - No restriction of movement within the European Economic Area
  - Restricted data movement to countries without equivalent data protection
  - Agreed on a country-by-country basis
  - Within the UK, the European Commission decides what data can be transferred where
- Example of breach: a company sets up a new customer contact centre in a country that has no data protection legislation and sends all its customer files to that country

Applying data protection

There are steps to take to ensure compliance:
- Audit the information held in the organisation
- Apply each of the 8 principles to all collection, storage and use of personal data
- Collect, record, store and process current and future data in accordance with the rights of data subjects
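As an added example (not part of the slides), the audit step can be scripted: a constructed register of what each system holds, why, for how long and where is checked against principles 3, 5 and 8, using the slides’ own breach examples as input. The country lists, field names and dates are constructed assumptions for the example.

```python
from datetime import date, timedelta

# Constructed country lists for the example: a few EEA codes and one code
# treated as having assured protection. Real lists come from the Commission/ICO.
EEA = {"UK", "IE", "DE", "FR", "NL"}
ADEQUATE = {"CH"}
AUDIT_DATE = date(2024, 3, 1)  # constructed "today" so results are reproducible

def excessive_fields(entry):
    """Principle 3: fields collected beyond what the stated purpose needs."""
    return sorted(entry["fields"] - entry["needed_fields"])

def stale_records(entry, today):
    """Principle 5: ids whose relationship ended longer ago than the retention period."""
    cutoff = today - timedelta(days=entry["retention_days"])
    return [r["id"] for r in entry["records"]
            if r["ended"] is not None and r["ended"] < cutoff]

def unsafe_transfer(entry):
    """Principle 8: held outside the EEA in a country without assured protection."""
    return entry["stored_in"] not in EEA | ADEQUATE

def audit(register, today):
    """Run the three checks over every register entry; return (system, principle, detail)."""
    findings = []
    for e in register:
        if extra := excessive_fields(e):
            findings.append((e["system"], 3, "excessive fields: " + ", ".join(extra)))
        if stale := stale_records(e, today):
            findings.append((e["system"], 5, "past retention: ids " + str(stale)))
        if unsafe_transfer(e):
            findings.append((e["system"], 8, "held in " + e["stored_in"] + " without assured protection"))
    return findings

# Constructed register mirroring the slides' breach examples (principles 5, 3 and 8).
REGISTER = [
    {"system": "subscriptions", "purpose": "deliver magazine",
     "fields": {"name", "address"}, "needed_fields": {"name", "address", "email"},
     "retention_days": 30, "stored_in": "UK",
     "records": [{"id": 101, "ended": None}, {"id": 102, "ended": date(2023, 11, 1)}]},
    {"system": "marketing survey", "purpose": "understand shopping habits",
     "fields": {"age", "gender", "brands_bought", "hobbies", "birth_place"},
     "needed_fields": {"age", "gender", "brands_bought"},
     "retention_days": 365, "stored_in": "ZZ",  # ZZ: placeholder for a country with no DP law
     "records": []},
]

if __name__ == "__main__":
    for system, principle, detail in audit(REGISTER, AUDIT_DATE):
        print(f"[Principle {principle}] {system}: {detail}")
```

Each finding names the system and the principle it offends, which is the shape a data controller’s register review would produce before deciding what to purge, stop collecting or relocate.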

Computer Misuse Act

- Legal protection for secure computer systems
- Intended to reduce online criminal activity
  - Hacking into systems
  - Changing information in computer files or databases
  - Trying to access or change material
- Why needed? History of ‘hackers’ breaking into computer systems
  - Duke of Edinburgh’s mailbox (Prestel) - hacked into 1986; difficult to prosecute
  - Labour Party web-site just before the 1997 general election

Computer Misuse Act Offences

Three types of offence:
- Unauthorised access
- Unauthorised access with intent to commit further offences
- Unauthorised modification

Look at each in turn…

Unauthorised access

- Unauthorised access to computer material: files, webpages, program code, operational schedules, email accounts, databases, financial accounts, personal details, company-confidential material

Unauthorised access with intent

- Unauthorised access to computer material with intent to commit or facilitate further offences
  - Covers intention to make changes to computer material
  - Covers intention to make changes to settings
    - To gain easier access next time
    - To enable edits next time

Unauthorised modification

- Unauthorised modification of computer material: files, operational schedules, planning schedules, database entries, passwords, program code, and so on

Offences translated

1. ‘hacking’
   - no intention to cause harm is necessary for prosecution
   - magistrates’ court, £5000 fine / up to 6 months’ sentence
2. theft
   - unauthorised access to computer material in order to commit theft by re-directing funds to own bank account
   - trial by jury, unlimited fines / up to 5 years’ sentence
3. malicious damage
   - deliberate erasure or corruption of programs or data
   - introduction of viruses and worms
   - modifying or destroying another user’s file or system files
   - trial by jury, unlimited fines / up to 5 years’ sentence

Other possible offences include theft of electricity, false accounting, suppression of documents, breach of copyright.

Note: confidential information is not property, and so cannot be the subject matter of theft.