Unit 1_9 The Legal Framework

Upload: vincent-lewis

Post on 13-Jan-2016


Page 1: Unit 1_9 The Legal Framework. Introduction This lesson will cover the following areas of computer law –The Data Protection Acts 1984 & 1998 –The Computer

Unit 1_9 The Legal Framework

Introduction

This lesson will cover the following areas of computer law:

– The Data Protection Acts 1984 & 1998

– The Computer Misuse Act 1990

The Data Protection Act: Why?

During the late 1970s and early 1980s there was a major growth of computer systems containing personal data.

As this personal data had become more easily accessible, many people became concerned that this data could be misused.

Definitions (cont)

Data Subject

– A living identifiable person about whom data is held. An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to an identification number or the person’s physical, physiological, mental, economic, cultural or social characteristics.

Definitions (cont)

Personal Data

– This legislation only covers data that identifies a living, individual, natural person. Data that is covered by the Act includes electronic, manual and recorded data - anything which can identify an individual. Once any identifiers linking data to a natural person have been removed, it no longer constitutes “personal data” and is therefore not covered by the provisions of the 1998 Act. It is therefore worth considering the earliest point in the survey process at which personal identifiers can be removed from the data.

Definitions (cont)

Data Controllers

– Data controllers are those who control and determine the use of the data they hold. All data controllers must notify the Office of the Information Commissioner (OIC).

Definitions (cont)

Data Processing

– “Processing” means obtaining, recording or holding data or carrying out any operation or set of operations on the data including: the organisation, adaptation or alteration of the data; retrieval, consultation or use of the data; disclosure of the data by transmission, dissemination or otherwise making available; alignment, blocking, erasure or destruction of the data.

Definitions (cont)

Consent – Data subjects must have a clear understanding of what will happen as a result of providing information. In the case of market research it can be assumed that this condition has been satisfied by the respondent agreeing to be interviewed following an explanation of the nature and objectives of the research. If there is any likelihood of data subjects needing to be re-contacted then consent must be obtained at the first interview.

Definitions (cont)

Sensitive data – Explicit consent is required for processing sensitive data. This means that the consent must be absolutely clear and based on a detailed explanation of how the data will be used. This is defined as personal information covering:

• race or ethnic origin
• political opinions
• religious beliefs
• trade union membership
• physical or mental health
• sexual life
• the commission or alleged commission of an offence or any proceedings for an offence committed and the outcome.
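As an added illustration (not part of the original slides) of the Personal Data, Consent and Sensitive data definitions above: a small Python routine that strips direct identifiers from survey responses at the earliest point, keeps re-contact details only where consent was given at the first interview, and holds sensitive items only where explicit consent was recorded. The field names and sample interviews are constructed for the example.

```python
# Added example (not from the slides): de-identify survey responses at the
# earliest point so the analysis set no longer constitutes "personal data".
# Field names and the sample interviews below are constructed, not real.

# Direct identifiers: while any is present, the record is personal data.
IDENTIFIERS = {"respondent_id", "name", "address", "phone", "email"}
# Sensitive categories from the slides: held only with explicit consent.
SENSITIVE = {"ethnic_origin", "political_opinions", "religious_beliefs",
             "trade_union", "health", "sexual_life", "offences"}
# Consent flags recorded at the first interview; never copied to analysis data.
CONSENT_FLAGS = {"consent_recontact", "explicit_consent_sensitive"}

SAMPLE_INTERVIEWS = [  # constructed sample data
    {"respondent_id": 101, "name": "A. Example", "phone": "01234 000001",
     "age_band": "35-44", "health": "asthma",
     "consent_recontact": True, "explicit_consent_sensitive": True},
    {"respondent_id": 102, "name": "B. Example", "phone": "01234 000002",
     "age_band": "25-34", "religious_beliefs": "none",
     "consent_recontact": False, "explicit_consent_sensitive": False},
]

def split_interview(record):
    """Return (analysis_row, recontact_row_or_None) for one interview.

    The analysis row drops every direct identifier and consent flag, and keeps
    a sensitive item only if explicit consent was recorded. The re-contact row
    keeps the identifiers only if the respondent agreed at the first interview.
    """
    analysis = {}
    for key, value in record.items():
        if key in IDENTIFIERS or key in CONSENT_FLAGS:
            continue
        if key in SENSITIVE and not record.get("explicit_consent_sensitive"):
            continue  # no explicit consent: do not hold the sensitive item
        analysis[key] = value
    recontact = None
    if record.get("consent_recontact"):
        recontact = {k: v for k, v in record.items() if k in IDENTIFIERS}
    return analysis, recontact

def process_batch(records):
    """Split a batch into an anonymised analysis set and a re-contact list."""
    analysis_rows, recontact_rows = [], []
    for rec in records:
        analysis, recontact = split_interview(rec)
        analysis_rows.append(analysis)
        if recontact is not None:
            recontact_rows.append(recontact)
    return analysis_rows, recontact_rows

def is_personal_data(row):
    """True while the row still carries a direct identifier."""
    return any(k in IDENTIFIERS for k in row)
```

The re-contact list is the only place identifiers survive, so it is the part that still needs the Act's safeguards; the analysis rows can be shared more freely.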

The Eight Principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed (unless it complies with sets of conditions):

– Consent given

– Necessary: contract, legal, vital interests

The Eight Principles

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

The Eight Principles (Cont.)

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

The Eight Principles (Cont.)

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

The Eight Principles (Cont.)

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

The Eight Principles (Cont.)

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

– Must ensure a level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected.

– The reliability of staff having access to the personal data.

The Eight Principles (Cont.)

8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

– The United States is not considered to have adequate safeguards in place. ("Safe Harbour" rules 1/11/2000)

– Companies with head offices outside the EEA have to realise they may no longer be able to satisfy requests to send personal data to head office.

Complaints/Registrations

The Information Commissioner is the person in charge of enforcing the DPA. At the moment the Information Commissioner is Mr Richard Thomas (pictured below).

Some of the duties of the Information Commissioner are:

• The Information Commissioner's Office accepts registrations.
• The Information Commissioner deals with complaints.
• He is the ombudsman.

Exemptions

Exemptions To The Law

• Some not-for-profit organisations
• Processing of personal data for personal, family or household affairs (including recreational purposes).
• Data controllers who only process personal data for the maintenance of a public register.
• Data controllers who only process personal data for any one or all of the following purposes for their own business:
  • staff administration
  • advertising, marketing and public relations
  • accounts and records
• Special categories under which data may be held:
  – National security
  – Prevention of crime
  – Collection of tax or duty
  – Where the disclosure of medical data may harm the data subject
  – Exam results

Your Rights

The Rights of a Data Subject Include:

An individual is entitled, upon written request, to be supplied with a copy of any personal data held about them. The data controller may charge a fee.

Rights include:

– Right to compensation for unauthorised disclosure of data
– Right to compensation for inaccurate data
– Right of access to data and to apply for rectification or erasure where data are inaccurate
– Right to compensation for unauthorised access, loss or destruction of data

The Computer Misuse Act: Why?

Until the early to mid 1980s most people who used a computer in order to commit a crime could be dealt with under existing laws.

For example, using a computer to:

– steal money or property
– obtain credit or services dishonestly
– evade a debt or liability

could be tried under the Theft Act of 1968.

The Computer Misuse Act: Why?

Hacking in the early 1980’s was not considered a crime - more a minor irritation

During the mid to late 80s hackers became:

– more daring
– malicious

Data was now being damaged leading to:

– at best, inconvenience and its related costs
– at worst, large amounts of money being lost and some companies ‘going bust’

(Remember, these losses are almost always ‘passed on’ to the consumer!)

The Computer Misuse Act: Why?

There were a number of failed prosecutions brought against hackers at this time (using existing legislation)

This highlighted the problem of how to categorise hacking within the existing laws

The Computer Misuse Act: Why?

The most famous case (and the one that is said to have precipitated the Computer Misuse Act) was that of R vs Gold. The exact offence with which the men were charged was: ‘making a false instrument, namely a device on or in which information is recorded or stored by electronic means with the intention of using it to induce the Prestel computer to accept it as genuine and by reason of so accepting it to do an act to the prejudice of British Telecommunications plc’

The Computer Misuse Act: Why?

The men concerned had hacked into the BT Prestel account and gained access to all the customer ID numbers. They left a number of messages in the Duke of Edinburgh’s private mailbox.

The Computer Misuse Act: Why?

The two men were convicted but appealed to the High Court

Their appeal was upheld as the machine used was both the ‘deceived’ and the ‘false instrument’

A Royal Commission was set up following the result of the appeal and as a result of their recommendations, the Computer Misuse Act was enacted

The Computer Misuse Act

The act has three “levels”:

1. Unauthorised access to a computer system (Hacking)

2. Unauthorised access with intent (Fraud)

3. Unauthorised modification of computer materials (Viruses)

The Computer Misuse Act

Section (Level) 1 refers to the basic hacking offence. It states that a person is guilty of an offence if:

– he causes a computer to perform any function with the intent to secure access to any program or data held in a computer

– the access he intends to secure is unauthorised

– he knows at the time when he causes the computer to perform the function that this is the case

The Computer Misuse Act

Section (Level) 2 refers to Ulterior Intent. It states that a person is guilty of an offence if:

– he commits the basic hacking offence described earlier in order to commit or facilitate (help in) the commission of further crimes

The Computer Misuse Act

Ulterior Intent Examples:

– trying to gain access to an Electronic Fund Transfer system to obtain money
– trying to obtain personal data stored on computer for blackmailing purposes

(A person can be found guilty of this offence even if the second offence turns out to be impossible (no information available that can be used for blackmail). It is the intention that is important.)

The Computer Misuse Act

Section 3 refers to Criminal Damage. It states that a person is guilty of an offence if:

– he commits any act that causes unauthorised modification of the contents of any computer; and at the time that the act is performed, he has both the requisite intent and knowledge to perform this act

The Computer Misuse Act

Within Section (Level) 3 the requisite intent is described as intent to:

– impair the operation of any computer, or
– prevent or hinder access to any computer or data held in any computer, or
– impair the operation of any program or the reliability of any data

The Computer Misuse Act

Criminal Damage Examples:

– distributing a virus (even though you don’t know which computer may be affected)

– adding data to a database

– changing passwords

The Computer Misuse Act

The Computer Misuse Act also clarifies the position with regard to international jurisdiction. It makes it an offence:

– to use a computer in this country to commit a crime in another country, or
– to use a computer in another country to commit a crime in this country

The Computer Misuse Act

Sentencing:

– Initially, decisions made by judges with regard to defendants who were prosecuted under the Act varied quite considerably.
– However, there has been an increasing severity of judgements against hackers, with one judge summing up with:

“Those who seek to wreak mindless havoc on one of the vital tools of our age cannot expect lenient treatment”

Infosec

In order to provide complete information security services, an organization should have at least the following security policies:

– Information policy
– Security policy
– Computer use
– User management
– System Administration (SysAdmin) procedures
– Incident response procedures
– Configuration management
– Design methodology
– Disaster recovery plans

Disaster Recovery

Some firms provide complete disaster recovery services. See Heathcote chapter 46.

Find out how HP (Hewlett Packard) can provide its customers with disaster recovery and produce a report describing what they can do.