Legal Framework for ICT - Department of Computing

Chapter 5
Legal Framework
Learning outcomes
• Explain the difference between patent and copyright
• Explain the Computer Misuse Act 1990
• List the 8 principles of the Data Protection Act 1998
• Explain what rights you have as a data subject in relation to persons or organisations holding your details
• Explain what companies must do to keep within the law if they keep records of individuals on manual or electronic file
• Explain the legal implications of computer hacking

Intellectual property
• The Internet is not a copyright-free zone.
• Varying national laws affecting sites, and the ease of downloading data, make it harder for an Internet publisher to enforce its rights.
• But these rights still exist.

Copyright vs patent

Copyright
• The right to make copies; it automatically belongs to the author of any original or creative work.
• No one else may derive revenue from the work without the copyright holder's permission.
• Copyright, Designs and Patents Act 1988
  • Covers moral rights:
  • Even if the author has assigned copyright to another party and no longer derives revenue from a work, they still have the right to be recognised as the original author.

Patent
• Protects the right to exploit inventions, e.g. innovative computer hardware.
• It does not exist automatically but has to be granted by a government patent office.

Copyright in computer software

Copyright exists in works which are:
• Original literary, dramatic, musical or artistic works
• Sound recordings, films, broadcasts
• Typographical arrangements of published editions

Under the 1988 Act, computer programs are classified as literary works.

Copyright protection includes the design material and any documents provided with the program.

The Copyright, Designs and Patents Act 1988 covers:
• Illegal copying of software.
• Illegal running of copyright software on more than one machine unless covered by the licence.
• Illegal for an organisation to encourage or pressure its employees to copy or distribute illegal software.

Copyright (cont'd)

Complications related to the Internet
• Files containing text, images or sound recordings can be rapidly transmitted through the Internet.
  • Hard to monitor
  • Copies, pirated or even perfect reproductions of the original
• Computer processing of documents creates transient copies in cache memory.
  • Although this occurs outside the user's direct control, it could be a technical breach of copyright.
  • Transient copies have been excluded from copyright liability under the European Copyright Directive 2001 and the UK Copyright and Related Rights Regulations 2003.

Software Piracy

Software piracy can be defined as "copying and using commercial software purchased by someone else".

Software piracy is illegal.

Each pirated piece of software takes away from company profits, reducing funds for further software development initiatives.

Software & Information Industry Association (SIIA)
According to SIIA:
• Most of the software sold on eBay and other auction sites is illegal.
• In 2008, SIIA managed to shut down auction and classified ad sites offering products worth a combined $25 million.

Software patent

Computer programs are not in general recognised as inventions. Hence they fall under copyright rather than patent law.

UK and EU patent offices

Exceptions exist for programs which make a technical contribution, or provide an improvement of existing technology.
• An improved program for translating between Japanese and English is not patentable, as linguistics is a mental process.
• Image enhancement is patentable, as it produces a technical improvement in a technical area.
• Can I patent computer software? http://www.intellectual-property.gov.uk/
See study guide pages 51-53 for more details.

Defamation

Defamation consists of publishing a statement which harms, or is likely to harm, someone's reputation.

A defamatory statement which is untrue falls under the law of either libel or slander.
• Libel: defamation made in a permanent form (written or printed)
• Slander: defamation made in a temporary form, e.g. spoken

Defamation via electronic communication

Is generally classed as libel:
• Email
• Newsgroups
• Web-pages

Internet service providers may be liable for the content of newsgroups or web-pages which they host.

Employers may be liable for the content of email messages sent by employees.

In 1997, the Norwich Union company paid £450,000 to a health insurance company as a result of libellous emails that had been circulated among Norwich Union staff. (Internet Law, p. 28)
See study guide page 54 for more information.

Learning activity

The fact that employers could be held liable for defamatory emails has been cited as one of the justifications for the practice of monitoring employees' use of the Internet. Do you think this is reasonable?

The Computer Misuse Act 1990

The widespread use of computers and computer systems, and the misuse of them in the 1980s, led to a law making it a criminal offence to do certain things.

The Act covers a variety of misuses that could not be covered by the existing laws of the time. These include:
• Deliberate damage by planting viruses
• Using computers to carry out unauthorised work
• Copying computer programs
• Hacking into a system to view private information
• Various frauds, including stealing money from banks

The Computer Misuse Act covers:
• Unauthorised access to computer programs or data;
• Unauthorised access with a further criminal intent;
• Unauthorised modification of computer material (programs or data).

Three Specific Offences

Section 1 (unauthorised access)
• Accessing a program or data stored on a computer, knowing the access is unauthorised.
  • This is why login screens often carry a message saying that access is limited to authorised persons: it removes any doubt that the user knew the access was unauthorised.
  • It may not prevent a determined hacker getting access to the system.
• The maximum prison sentence was 6 months under the original Act (raised to 2 years by the Police and Justice Act 2006).

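The login banner mentioned above is the one technical control on this slide, so here is how it is actually put in place on a Unix host. This is an added example and not part of the original slides; it assumes OpenSSH's Banner directive in sshd_config (which prints the named file before the password or key prompt), and the banner wording is our own. The directory is passed as a parameter so the functions can be exercised against a scratch directory; on a real host it would be /etc/ssh, with the banner file conventionally kept at /etc/issue.net.

```shell
#!/bin/sh
# Added example, not from the original slides: install a pre-authentication
# warning banner so that anyone connecting is told, before they log in, that
# access is restricted to authorised users (the point section 1 of the CMA
# turns on is that the accused knew the access was unauthorised).
# Assumptions: OpenSSH's "Banner" directive in sshd_config, which prints the
# named file before the password/key prompt; the banner wording is ours.
# The directory is a parameter so the functions can be tried against a scratch
# directory; on a real host it would be /etc/ssh, with the banner file then
# normally kept at /etc/issue.net.

BANNER_TEXT='WARNING: This system is for authorised users only.
Unauthorised access or modification is an offence under the
Computer Misuse Act 1990. Activity may be monitored and recorded.'

# write_banner DIR: write DIR/issue.net and make DIR/sshd_config point at it.
write_banner() {
    dir="$1"
    printf '%s\n' "$BANNER_TEXT" > "$dir/issue.net"
    chmod 0644 "$dir/issue.net"
    # Remove any existing Banner line (including "Banner none") before adding
    # ours: sshd uses the first occurrence of a keyword, so a stale line would win.
    if [ -f "$dir/sshd_config" ]; then
        grep -vi '^[[:space:]]*Banner[[:space:]]' "$dir/sshd_config" \
            > "$dir/sshd_config.new" || true
    else
        : > "$dir/sshd_config.new"
    fi
    printf 'Banner %s\n' "$dir/issue.net" >> "$dir/sshd_config.new"
    mv "$dir/sshd_config.new" "$dir/sshd_config"
}

# banner_ok DIR: succeed only if exactly one Banner directive is present, it
# names a readable file, and that file actually mentions authorised use.
banner_ok() {
    dir="$1"
    n=$(grep -ci '^[[:space:]]*Banner[[:space:]]' "$dir/sshd_config" || true)
    [ "$n" -eq 1 ] || return 1
    f=$(awk 'tolower($1) == "banner" { print $2 }' "$dir/sshd_config")
    [ -r "$f" ] || return 1
    grep -qi 'authorised' "$f"
}

# Stand-alone use: sh banner.sh /path/to/ssh-config-dir
if [ -n "$1" ]; then
    write_banner "$1" && banner_ok "$1" && echo "banner installed in $1"
fi
```

On a real host, run `sshd -t` after editing to check the configuration parses, then reload sshd; the console login prompt gets the same treatment through /etc/issue. As the slide says, the banner is evidence, not a control: it establishes that access was known to be unauthorised, and does nothing to stop the access itself.
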
Offences

Section 2 (unauthorised access with intent to commit a further offence)
• Unauthorised access with the intent of committing a further offence,
  • e.g. accessing private data or company records in order to commit fraud or blackmail.
• The maximum prison sentence is 5 years.

Offences

Section 3 (unauthorised modification)
• Unauthorised access plus modification of the computer's contents:
  • Altering data, e.g. a nurse might use a doctor's password to alter patients' drug dosages and treatment records.
  • Removing data, e.g. to cover up evidence of wrongdoing.
  • Adding data, e.g. sending email under a false name results in unauthorised modification of the contents of the mail server.
• The maximum prison sentence was 5 years under the original Act (raised to 10 years by the Police and Justice Act 2006, which recast section 3 as unauthorised acts with intent to impair the operation of a computer and added section 3A on supplying tools for such offences).

What the CMA does not cover

• Denial of service attacks (see next chapter). The original section 3 required a modification of computer material, which a flood of otherwise legitimate requests arguably does not cause; the 2006 amendments to section 3 now cover acts intended to impair the operation of a computer.
• Sponsored links on websites (click fraud)
  • A company pays for advertising only if a user clicks on the link.
  • The advertiser's competitors can click many times, causing the advertiser to run up a bill which does not bring them new business.

What Data is Held on Individuals?

By institutions:
• Criminal information;
• Educational information;
• Medical information;
• Financial information;
• Employment information;
• Marketing information;
• Other: consider mobile phones, ATMs, city centre cameras, store loyalty cards, credit cards, the Internet.

The Data Protection Act 1998

Overview

General overview of the act
• What is the act?
• Definitions
• Changes since the 1984 act
• Principles of the act
• Transitional relief
• Implications for colleges and departments
• Things to keep in mind
• Resources

What is the Data Protection Act?
• Intended to balance the interests of data subjects with those of data controllers.
• Freedom to process data vs. privacy of individuals.
• The 1984 Act was replaced by the 1998 Act; 24 October 1998 is the reference date for its transitional provisions (processing already under way on that date).
• Came into force on 1 March 2000.

Changes Since the 1984 Act

DPA 1998
• Much broader than the old act.
• More rights for data subjects.
• Covers relevant manual filing systems.
• New category of data: sensitive data.
• Transitional relief:
  • If data processing was already under way before 24 October 1998, then
  • for automated data, the data controller had until 23 October 2001 to comply with the act;
  • for manual data, the data controller had until 23 October 2007 to comply with the act.
• Rules about export of data to non-EEA countries.

Definitions

Personal Data: data about a person who is alive and can be identified from that data.

Data Subject: the individual that the data is about.

Relevant Filing System: readily accessible (manual) information about living individuals.

The Data Controller: the person who is responsible for the control of the data in a business or organisation.

Processing: operations on the data such as retrieving, holding, sorting and deleting.

The Commissioner: the person responsible for enforcing the law, including ensuring that the owners of the data use good practice and that individuals are aware of their rights.

Data Protection Act 1998

The DPA 1998 has 8 principles.

Principles of the act – 1.

Personal data must be processed fairly and lawfully, and shall not be processed unless at least one of the conditions below is met (schedule 2):
• Consent – the most important
• Contract
• Legal obligation
• Vital interests of the subject (life or death!)
• Public functions
• Balance of interests

(For sensitive personal data a schedule 3 condition must also be met; see below.)

Sensitive Personal Data
• Racial or ethnic origin
• Political opinions
• Religious or similar beliefs (note that dietary requirements can reveal these!)
• Trade union membership
• Health
• Sexual life
• Offences

Sensitive Personal Data

May only be held if one of the conditions below is met (schedule 3):
• Explicit and informed consent
• Employment law
• Vital interests of the subject
• Legal proceedings
• Medical purposes (by medical professionals)
• Equal opportunities monitoring

Principles of the act – 2.

Data must be obtained only for one or more specified lawful purposes.
• Must not use data for a new, incompatible purpose without the subject's consent.
• Have a data protection statement explaining what data will be held and why, and get consent from new students/staff as they arrive.

Principles of the act – 3 & 4.

Personal data must be adequate, relevant and not excessive.
• Must not stock up on data without a reason that can be justified – consent!

Personal data shall be accurate and up-to-date.
• This is an ongoing requirement and means data needs to be kept under constant review.

Principles of the act – 5.

Personal data may not be kept for any longer than is necessary for its stated purpose(s).
• This potentially creates a problem with data about former staff/members.
• Obtain consent from all new staff/members to keep their data after they have left, as this is a different purpose from keeping it while they are here.

Principles of the act – 6.

Personal data must be processed in accordance with the rights of data subjects.
• This means that you cannot do things that violate the rights given to data subjects under the new act, especially denying access to data.

Rights of data subjects
• Must be informed if personal data are being processed, and given a description of the personal data and the purpose for which it is being held.
• May prevent processing for the purposes of direct marketing.
• Right to be told the logic involved in automated decision-taking (credit scoring etc.).
• Compensation, rectification, blocking, destruction.

Access rights
• Right to have communicated to him/her, in an intelligible form, the information constituting the data.
• No right to rifle through filing systems, computers etc.
• Right to be informed of the logic involved in automated processing.
• Request must be in writing; a fee of up to £10 may be charged, and identity may be thoroughly checked.

Enforced Access

It is an offence to force subjects to exercise their access rights to data held by others (enforced subject access).
• Includes data about cautions, criminal convictions and certain social security records.

Right to prevent processing
• Where processing causes unwarranted substantial damage or distress to the subject.
• The data controller has 21 days to respond to the request.
• Exemption if processing is necessary for:
  • performance of a contract with the subject, or
  • there is a legal obligation, or
  • the vital interests of the subject are at stake.

Exemptions to access rights
• Prevention and detection of crime
• Apprehension or prosecution of offenders
• Collection of tax or other duty
• Research, history, statistics
• Exam marks – 40 days after the date of announcement, or 5 months from the access request, whichever is earlier
• Confidential references

Principles of the act – 7.

Appropriate technical or organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, damage or destruction of data.
• The first is related to IT support staff (backups, password security etc.), but everyone can help.
• The second is about being careful with keys and having access controls.

Principles of the act – 8.

Personal data may not be transferred overseas unless the receiving country has an adequate level of protection for it.
• The US does not (hence the Safe Harbor scheme, below).
• Transfer is OK if a contract is in place with the party abroad, or the subject has consented.
• Standard contracts for this purpose were being prepared.

International data transfer

Principle 8 puts restrictions on the transfer of data from the EU to non-EU countries,
• e.g. for companies holding their call centre in Asia.

For a transfer of data to non-EU countries to be lawful, an adequate level of data protection has to be achieved:
• Some countries are recognised by the EU as having a DPA to the same standard as EU countries.
• The transfer may be lawful if the subject has given their consent, or
• if standard contractual clauses are in force,
• or the non-EU country has a voluntary scheme recognised by the EU.
  • Safe Harbor: a voluntary scheme run by the US Department of Commerce. Under this scheme a set of principles broadly similar to the 8 principles of the EU DPA is followed.
http://www.actnow.org.uk/media/articles/Data_Protection_Act_1998_Transitional_Provisions.pdf

Exercise
• Give an example of a common business activity involving transfer of data from one country to another.
• State all the measures that need to be taken for a transfer from the EU to a non-EU country to be lawful.

Activity

Run through some scenarios where the
Computer Misuse Act can be used to
decide whether the activity is legal or illegal.
Good examples are found on page 59, in
Understanding ICT by Stephen Doyle (Nelson Thornes).

Run through some scenarios to determine
whether the Data Protection Act has been
breached or not.
Good examples are found on page 67, in
Understanding ICT by Stephen Doyle (Nelson Thornes).
Resources

http://www.dataprotection.gov.uk/

http://www.admin.ox.ac.uk/oxonly/dp/

http://users.ox.ac.uk/~aesb/dpa.ppt

data.protection@admin.ox.ac.uk