Chapter 5: Legal Framework

Learning outcomes
• Explain the difference between a patent and a copyright
• Describe the Computer Misuse Act 1990
• List the 8 principles of the Data Protection Act 1998
• Explain what rights you have as a data subject in relation to the persons or organisations holding your details
• Explain what companies must do to keep within the law if they keep records of individuals on manual or electronic files
• Explain the legal implications of computer hacking

Intellectual property
The Internet is not a copyright-free zone. Varying national laws affecting sites, and the ease of downloading data, make it harder for an Internet publisher to enforce their rights, but the rights still exist.

Copyright vs patent
Copyright: the right to make copies. It belongs automatically to the author of any original creative work; no one else may derive revenue from the work without the copyright holder's permission.

Copyright, Designs and Patents Act 1988
• Covers moral rights:
• Even if the author has assigned copyright to another party and no longer derives revenue from a work, they still have the right to be identified as the original author.

Patent: protects the right to exploit inventions, e.g. innovative computer hardware. It does not exist automatically; it has to be applied for and granted by a government patent office.

Copyright in computer software
Copyright exists in works which are:
• Original literary, dramatic, musical or artistic works
• Sound recordings, films, broadcasts
• Typographical arrangements of published editions
Under the 1988 Act, computer programs are classified as literary works. Copyright protection extends to the design material and any documentation supplied with the program.

Under the Copyright, Designs and Patents Act 1988 it is illegal to:
• Copy software without permission.
• Run copyrighted software on more than one machine unless the licence covers this.
• For an organisation: encourage or pressure its employees to copy or distribute illegal software.
Copyright (cont'd): complications related to the Internet
Files containing text, images or sound recordings can be transmitted rapidly over the Internet.
• Hard to monitor.
• Copies may be pirated, and a digital copy is a perfect reproduction of the original.
Computer processing of documents creates transient copies in cache memory.
• Although this occurs outside the user's direct control,
• it could be a technical breach of copyright.
• Transient copies have been excluded from copyright liability under the European Copyright Directive 2001 (2001/29/EC) and the UK Copyright and Related Rights Regulations 2003.

Software piracy
Software piracy can be defined as "copying and using commercial software purchased by someone else". Software piracy is illegal. Each pirated copy takes away from the vendor's revenue, reducing funds for further software development.

Software & Information Industry Association (SIIA)
According to the SIIA, most of the software offered on eBay and other auction sites is illegal. In 2008 the SIIA shut down auction and classified-ad listings offering products worth a combined $25 million.

Software patents
Computer programs are not in general recognised as inventions, so they fall under copyright rather than patent law. The UK and European patent offices make exceptions for programs which make a technical contribution or provide an improvement to existing technology:
• An improved program for translating between Japanese and English is not patentable, because linguistics is a mental process and the contribution is not technical.
• Image enhancement is patentable, as it produces a technical improvement in a technical area.
• "Can I patent computer software?" http://www.intellectual-property.gov.uk/
See study guide pages 51-53 for more details.

Defamation
Defamation consists of publishing a statement which harms, or is likely to harm, someone's reputation. An untrue defamatory statement falls under the law of either libel or slander.
• Libel: defamation in a permanent form (written or printed)
• Slander: defamation in a transient form, e.g. spoken

Defamation via electronic communication is generally classed as libel:
• Email
• Newsgroups
• Web pages
Internet service providers may be liable for the content of newsgroups or web pages which they host. Employers may be liable for the content of email messages sent by their employees. In 1997, Norwich Union paid £450,000 to a rival health insurer (Western Provident Association) as a result of libellous emails that had been circulated among Norwich Union staff. (Internet Law, p. 28) See study guide page 54 for more information.

Learning activity
The fact that employers could be sued over defamatory emails has been cited as one of the justifications for the practice of monitoring employees' use of the Internet. Do you think this is reasonable?

The Computer Misuse Act 1990
The widespread use of computers in the 1980s, and their misuse, led to a law making certain acts criminal offences. The Act covers a variety of misuses that could not be covered by the existing laws of the time, including:
• Deliberate damage by planting viruses
• Using computers to carry out unauthorised work
• Copying programs or data after gaining unauthorised access
• Hacking into a system to view private information
• Various frauds, including stealing money from banks

The Computer Misuse Act covers:
• Unauthorised access to computer programs or data;
• Unauthorised access with a further criminal intent;
• Unauthorised modification of computer material (programs or data).

Three specific offences
Section 1 (unauthorised access)
Accessing a program or data stored on a computer:
• knowing that the access is unauthorised.
• This is why login screens often carry a message saying that access is limited to authorised persons: it puts an intruder on notice that the access is unauthorised, which is the knowledge element of the offence.
• It may not prevent a determined hacker from getting into the system.
The maximum prison sentence was 6 months as originally enacted (raised to 2 years by the Police and Justice Act 2006).
Section 2 (unauthorised access with intent to commit a further offence)
Unauthorised access with the intent of committing a further offence, e.g. accessing private data or company records in order to commit fraud or blackmail.
The maximum prison sentence is 5 years.

Section 3 (unauthorised modification)
Unauthorised modification of the contents of a computer. Note that the offence is the unauthorised modification itself; it does not require a separate act of unauthorised access (a legitimate user can commit it).
• Altering data: e.g. a nurse uses a doctor's password to alter patients' drug dosages and treatment records.
• Removing data: e.g. to cover up evidence of wrongdoing.
• Adding data: e.g. sending email under a false name results in unauthorised modification of the contents of the mail server.
The maximum prison sentence was 5 years as originally enacted (raised to 10 years by the Police and Justice Act 2006, which also reworded the offence as "unauthorised acts with intent to impair").

What the CMA (as enacted in 1990) does not cover
• Denial of service attacks (see next chapter): a DoS attack need not access or modify anything on the target. The 2006 amendment to Section 3 was introduced to close this gap.
• Click fraud on sponsored links: a company pays for advertising only when a user clicks on the link; the advertiser's competitors can click many times, running up a bill which brings no new business.

What data is held on individuals?
By institutions: criminal records; educational information; medical information; financial information; employment information; marketing information.
Other sources to consider: mobile phones, ATMs, city-centre cameras, store loyalty cards, credit cards, the Internet.

The Data Protection Act 1998: overview
• What is the Act?
• Definitions
• Changes since the 1984 Act
• Principles of the Act
• Transitional relief
• Implications for colleges and departments
• Things to keep in mind
• Resources

What is the Data Protection Act?
Intended to balance the interests of data subjects with those of data controllers: the freedom to process data vs. the privacy of individuals. The 1984 Act was replaced by the 1998 Act, which came into force on 1 March 2000; 24 October 1998 is the reference date from which the transitional provisions run. (The 1998 Act has itself since been replaced by the Data Protection Act 2018, which implements the GDPR in the UK.)

Changes since the 1984 Act
The DPA 1998 is much broader than the old Act:
• More rights for data subjects.
• Covers relevant manual filing systems, not just computerised data.
• New category of data: sensitive personal data.
Transitional relief
• If processing was already under way before 24 October 1998, then:
• for automated data, the data controller had until 23 October 2001 to comply with the Act;
• for manual data, the data controller had until 23 October 2007 to comply with the Act.
• Rules about export of data to non-EEA countries.

Definitions
• Personal data: data about a living individual who can be identified from that data (or from that data together with other information held by the data controller).
• Data subject: the individual that the data is about.
• Data controller: the person or organisation responsible for the control of the data in a business or organisation, i.e. who determines the purposes for which, and the manner in which, it is processed.
• Processing: obtaining, recording, holding, retrieving, sorting, disclosing or deleting data, or carrying out any other operation on it.
• Relevant filing system: a structured set of manual records in which information about living individuals is readily accessible.
• The Commissioner: the person responsible for enforcing the law, including ensuring that data controllers follow good practice and that individuals are aware of their rights.

The DPA 1998 has 8 principles.

Principle 1
Personal data must be processed fairly and lawfully, and shall not be processed unless at least one of the conditions in Schedule 2 is met:
• Consent (the most important)
• Contract
• Legal obligation
• Vital interests of the subject (life or death!)
• Public functions
• Balance of interests (the controller's legitimate interests)

Sensitive personal data
• Racial or ethnic origin
• Political opinions
• Religious or similar beliefs (note: dietary requirements can reveal these!)
• Trade union membership
• Health
• Sexual life
• Offences (alleged or committed) and related proceedings
Sensitive personal data may only be processed if, in addition, one of the Schedule 3 conditions is met:
• Explicit and informed consent
• Employment law
• Vital interests of the subject
• Legal proceedings
• Medical purposes (by medical professionals)
• Equal opportunities monitoring

Principle 2
Data must be obtained only for one or more specified lawful purposes, and must not be used for a new, incompatible purpose without the subject's consent. Have a data protection statement explaining what data will be held and why, and get consent from new students/staff as they arrive.

Principles 3 & 4
Principle 3: personal data must be adequate, relevant and not excessive. Do not stock up on data without a reason that can be justified (consent!).
Principle 4: personal data shall be accurate and, where necessary, kept up to date. This is an ongoing requirement, so data needs to be kept under constant review.

Principle 5
Personal data may not be kept for longer than is necessary for its stated purpose(s). This potentially creates a problem with data about former staff/members: get consent from all new staff/members to keep their data after they have left, as this is a different purpose from keeping it while they are here.

Principle 6
Personal data must be processed in accordance with the rights of data subjects. You cannot do things that violate the rights given to data subjects under the Act, especially denying them access to their data.

Rights of data subjects
• Must be informed if personal data are being processed, and given a description of the personal data and the purpose(s) for which it is held.
• May prevent processing for the purposes of direct marketing.
• Right to be informed of the logic used in automated decision-making (credit scoring etc.).
• Compensation, rectification, blocking, erasure and destruction.

Access rights
• Right to have the information constituting the data communicated to him/her in an intelligible form.
• No right to rifle through filing systems, computers etc.
• Right to be informed of the logic involved in automated processing.
• The request must be in writing, a fee of up to £10 may be charged, and identity may be thoroughly checked; the controller has 40 days to respond.

Enforced subject access
It is an offence to force subjects to exercise their access rights to data held by others (e.g. requiring a job applicant to obtain their own criminal record). Includes data about cautions, criminal convictions and certain social security records.

Right to prevent processing
• Where processing causes, or is likely to cause, unwarranted substantial damage or distress to the subject.
• The controller has 21 days to respond to the request.
• Exemption if processing is necessary for the performance of a contract with the subject, there is a legal obligation, or the vital interests of the subject are at stake.
Exemptions to access rights
• Prevention and detection of crime
• Apprehension or prosecution of offenders
• Collection of tax or other duty
• Research, history, statistics
• Exam marks: the response deadline is extended to 40 days after the date the results are announced, or 5 months from the access request, whichever is earlier
• Confidential references given by the controller

Principle 7
Appropriate technical or organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of or damage to it. The technical part is mainly the responsibility of IT support staff (backups, password security, etc.), but everyone can help; the organisational part is about being careful with keys, having access controls, and so on.

Principle 8
Personal data may not be transferred outside the EEA unless the receiving country ensures an adequate level of protection for it. The US as a whole does not. Transfer is OK if a suitable contract is in place with the party abroad, or the subject has consented. The Data Protection Commissioner is preparing standard contracts.

International data transfer
Principle 8 restricts the transfer of data from the EU to non-EU countries, e.g. for companies running their call centre in Asia. For such a transfer to be lawful, an adequate level of data protection must be achieved:
• Some countries are recognised by the EU as having data protection laws of the same standard as EU countries.
• The transfer may be lawful if the subject has given consent, or
• if standard contractual clauses are in force, or
• if the non-EU country has a voluntary scheme recognised by the EU. Safe Harbor was such a scheme, run by the US Department of Commerce, under which participating companies signed up to a set of principles broadly similar to the 8 principles of the DPA. (Safe Harbor was declared invalid by the Court of Justice of the EU in October 2015.)
http://www.actnow.org.uk/media/articles/Data_Protection_Act_1998_Transitional_Provisions.pdf

Exercise
• Give an example of a common business activity involving the transfer of data from one country to another.
• State all the measures that need to be taken for a transfer from the EU to a non-EU country to be lawful.
Activity
• Run through some scenarios where the Computer Misuse Act can be used to decide whether an activity is legal or illegal. Good examples are found on page 59 of Understanding ICT by Stephen Doyle (Nelson Thornes).
• Run through some scenarios to determine whether the Data Protection Act has been breached or not. Good examples are found on page 67 of Understanding ICT by Stephen Doyle (Nelson Thornes).

Resources
http://www.dataprotection.gov.uk/
http://www.admin.ox.ac.uk/oxonly/dp/
http://users.ox.ac.uk/~aesb/dpa.ppt
data.protection@admin.ox.ac.uk