This section gives information on laws concerning the use of computer and telecommunications equipment, and on international standards and best practices that help define corporate management policies.
Data Protection Act 1998
All personal data about a living individual held in a structured and accessible filing system is protected under the principles of the Data Protection Act 1998. Failure to comply with this Act can result in prosecution leading to a fine, individuals suing for compensation, and data holders being forced to destroy any offending data. Personal data includes any data through which an individual may be identified.
One of the most significant changes between this Act and the previous Act of 1984 is that this Act includes provision for the protection of paper records, as opposed to only electronically stored records.
The eight key Data Protection Act principles are:
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless certain conditions specified in the Act regarding the sensitivity of information are met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Breach of the Data Protection Act can result in fines, legal action and loss of the data in question. Further detail can be found at the web site of the Information Commissioner at http://www.dataprotection.gov.uk.
Computer Misuse Act 1990
This Act is designed to secure computers and data against unauthorised access or modification and covers a number of offences:
1. Causing a computer to perform any function with intent to secure access to any program or data held in any computer, where the access intended is unauthorised and the person knows this to be the case. It is a further offence to do so with intent to commit other offences.
2. Modifying computer material without authorisation. Modification includes the impairment of operation of any computer, the prevention or hindering of access to any program or data, and the impairment of the operation of any program or the reliability of data.
Copyright Designs & Patents Act 1988
This Act is designed to protect the rights of companies and individuals who create information of many types.
Defamation Act 1996
This Act states the legal liability of authors and publishers with respect to information published by them.
Regulation of Investigatory Powers Act 2000
The Regulation of Investigatory Powers Act 2000 gives employers the right to monitor employee communications in a number of circumstances. These include: in the interests of national security; to prevent or detect a crime; to investigate or detect unauthorised use of telecommunication systems; or to obtain evidence of the communications themselves (for example, where the employee is suspected of being in breach of duty to the employer).
Human Rights Act 1998
The Human Rights Act 1998 incorporates 12 of the articles of the European Convention on Human Rights. Article 8 ("Right to respect for private and family life") states the following:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
BS 7799
The objectives of this British Standard are:
1. To serve as a single reference point for identifying the range of controls needed for most situations encountered in industry and commerce.
2. To enable mutual trust to be established between networked sites and trading partners, and to provide a basis for management of IT users and service providers.
The standard contains one hundred suggested controls intended for guidance. It also acknowledges that every organisation has a different set of requirements. Organisations can gain accreditation against Part 2 of the standard.
European Data Protection Directive
This directive requires member states to put measures in place that give individuals rights over the collection, storage, use, protection and transfer of their personal information. In the UK this is covered by the Data Protection Act. Breach of the directive can result in fines, legal action and loss of the data in question. The European Union has placed restrictions on the transfer of personal information to countries that do not enforce legislation for the protection of personal data, and agreements for the transfer of personal information outside the European Union are also controlled. The Safe Harbor Agreement is a framework for the transmission of personal information between the UK and US.
Staff should be aware that information security legislation is enforced by a number of countries throughout the world. All staff who need to travel outside the UK on business and use computing equipment should make themselves aware of the local laws.
ISO 17799 - Information Technology - Code of Practice for Information Security Management
This is the international version of BS 7799. Its stated objectives are:
1. To serve as a single reference point for identifying the range of controls needed for most situations encountered in industry and commerce.
2. To enable mutual trust to be established between networked sites and trading partners, and to provide a basis for management of IT users and service providers.
The standard contains one hundred suggested controls intended for guidance. It also acknowledges that every organisation has a different set of requirements.
Information Security Forum Standard of Good Practice
The Forum's Standard of Good Practice provides a set of high-level objectives for information security together with the associated statements of good practice. It can be used to improve the level of security in an organisation. The Forum has made the Standard free to use; it can be found at www.isfsecuritystandard.com.
United States Law
Information on information security related law can be found at the Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the U.S. Department of Justice at http://www.cybercrime.gov/. Below are descriptions of some relevant legislation.
Children's Online Privacy Protection Act of 1998 (COPPA)
This Act states how web site operators should treat information passed to them by children, thus protecting their information. More information can be found at the Federal Trade Commission Kidz Privacy site at http://www.ftc.gov/bcp/conline/edcams/kidzprivacy/index.html, and a copy of the Act can be found at the Center for Democracy and Technology at http://www.cdt.org/legislation/105th/privacy/coppa.html.
Gramm-Leach-Bliley Act
Amongst other things, this Act restricts banks and other financial institutions from disclosing account-specific information (such as account numbers) to third parties for marketing purposes. Financial institutions are required to inform customers of their privacy policies and procedures, and customers have the right to refuse to allow their personal information to be shared within the financial industry. Another aspect of the Act is the requirement for safeguards to maintain the confidentiality of customer information.
Health Insurance Portability and Accountability Act 1996 (HIPAA)
This Act requires a standard approach to the exchange of health related information and the enforcement of standards to protect the confidentiality and security of such data. More information can be found at the Department of Health and Human Services web site at http://aspe.hhs.gov/admnsimp/index.htm and the Health Care Financing Administration at http://www.hcfa.gov/hipaa/hipaahm.htm.
Patriot Act
The proposed Anti-Terrorism Act (ATA) 2001 states that computer hacking is a terrorist act punishable by up to life imprisonment. The Patriot Act is a reinterpretation of the proposed Anti-Terrorism Act that takes the intention of the accused into consideration and supports the true interpretation of terrorism and cyberterrorism. To paraphrase Whatis.com, cyberterrorism is "...any premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents." For more information go to http://www.cybercrime.gov/PatriotAct.htm.
