Legal and Ethical Issues


Legal and Ethical Issues: Information Systems

Business Simulation
- Business simulation functional areas
- Purpose of Information data capture and storage systems for: Personnel, Purchasing, Operations, Sales, Finance

Legal and Ethical Issues
Legal Issues:
- Data Protection Act 1998
- Freedom of Information 2000
- Computer Misuse Act 1990

What are the eight principles of the Data Protection Act 1998?

Data Protection Act 1998
- Framework for handling data
- Gives individuals right to know what info is held
- If you process data you must register with DPA registrar and ensure that personal information is:
  - Fairly and lawfully processed
  - Processed for limited purposes
  - Adequate, relevant and not excessive
  - Accurate and up-to-date
  - Not kept for longer than necessary
  - Processed in line with your rights
  - Secure
  - Not transferred to other countries without adequate protection

Freedom of Information Act 2000
- Access to official information
- Individuals or organisations have right to request information from who?
- How long do they have to respond?
- Can the information be withheld: if so on what grounds?

Freedom of Information Act 2000
- Access to official information
- Individuals or organisations have right to request information from:
  - Any public authority, including local and central government
  - The police
  - NHS
  - Colleges and schools
- They have 20 days to provide the information.
- May refuse if the information is exempt, e.g. if releasing the information could prejudice national security or damage commercial interests.

Computer Misuse Act 1990
- How many offences are there?
- What are they?
- What other act(s) cover this area?

Computer Misuse Act 1990
Three offences:
- Unauthorised access to any computer program or data, e.g. using someone else's logon ID and password
- Unauthorised access with intent to commit a serious crime
- Unauthorised modification of computer contents, i.e. impairing the operation of a computer, a program or the reliability of data; includes preventing access to any program or data. E.g. the introduction of a virus, modifying another user's files or changing financial or administrative data.
Minor changes to tighten up the act, introduced through the Police and Justice Act 2006, made unauthorised acts with intent to impair the operation of a computer illegal.

Ethical issues
- Codes of Practice
- Organisational Policies
- Information ownership

Codes of Practice
- Make clear what use can be made of computing resources to support the purpose of the organisation
- Often define how much private use is allowed, e.g.:
  - Use of e-mail: threatening/harassing, spam, limited private use
  - Use of the internet: inappropriate classes, e.g. pornography, gambling. Limited personal use.
  - Rules on postings to the organisation's web server. Personal pages.
- Whistle-blowing: protect users who draw attention to others' misuse. Protect IT administrators (run servers and first to spot)!

Codes of Practice
Activity:
- Carry out research to find examples of computer codes of practice
- Produce a code of practice for a top secret military or government establishment, e.g. Credenhill or Cheltenham.
- Produce a code of practice for a small web design or computer consultancy company.
- List the areas in which these are similar; list the areas in which they are different.
- Explain why they differ.

Organisational Policies
- Might depend on hierarchy.
- If the organisation is 'need-to-know' there will be many restrictions on access to information, e.g. databases, e-mail servers and files in a secure central data centre. IT security and data centre staff control tight security on access (including updates).
- A decentralised organisation may have limited access for geographical reasons. There may be few restrictions on site but limited connectivity between sites.

Information ownership
Data:
- The dept. that produced the data should own every field in every record.
- Responsibility for making sure it is: accurate, consistent, timely.
Information:
- Many owners may have originated the data to produce a piece of information.
- Often the dept. responsible for defining or running the program that produces the information owns it.
- Other than IT information, e.g. network performance, IT should not be responsible for information ownership. IT should be guardians, not owners.

Operational issues
- Security of information
- Back-ups
- Health and Safety
- Organisational Policies
- Business Continuance Plan
- Costs
- Impact of increasing sophistication of systems

Security of information
- Users expect data to be kept secure, i.e. safe from unauthorised or unexpected access, alteration or destruction.
- Management specify who can look at and update information, e.g. in a small organisation with a simple structure anyone can look, with a list of who can update. Larger organisations have more complex rules.
- May require a log of who has accessed or updated information.
- IT dept. have responsibility to advise on security and implement rules.

Back-ups
- Good practice to make frequent back-ups in case of physical or processing problems.
- Full back-up – all information
- Partial back-up – only information which has changed since last full back-up.
- IT department should practise recovering backed-up files: restore from full back-up, apply partial back-ups to check they are working.
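The restore drill described on the back-ups slide, as an added example that is not part of the original presentation: take a full back-up, take a partial back-up of what changed since, restore both into a scratch directory and compare hashes with the live data. All function names and the sample files are assumptions made for this illustration, and the tracking of deleted files goes slightly beyond what the slide states.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's relative path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def full_backup(src, dest):
    """Copy everything and return the manifest partial back-ups compare against."""
    shutil.copytree(src, dest)
    return snapshot(src)

def partial_backup(src, dest, full_manifest):
    """Copy only files added or changed since the full back-up; list deletions."""
    current = snapshot(src)
    changed = sorted(f for f, h in current.items() if full_manifest.get(f) != h)
    for rel in changed:
        (dest / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, dest / rel)
    return changed, sorted(set(full_manifest) - set(current))

def restore_drill(full_dir, partial_dir, deleted, scratch):
    """Restore the full back-up, apply the partial one, return what was recovered."""
    shutil.copytree(full_dir, scratch)
    shutil.copytree(partial_dir, scratch, dirs_exist_ok=True)
    for rel in deleted:
        (scratch / rel).unlink(missing_ok=True)
    return snapshot(scratch)

def run_demo():
    """Constructed sample data: three files, then one edit, one addition, one deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, partial = tmp / "live", tmp / "partial"
        (live / "sales").mkdir(parents=True)
        partial.mkdir()
        (live / "sales" / "orders.csv").write_text("id,total\n1,20\n")
        (live / "staff.txt").write_text("alice\n")
        (live / "old.txt").write_text("obsolete\n")
        manifest = full_backup(live, tmp / "full")
        (live / "sales" / "orders.csv").write_text("id,total\n1,20\n2,35\n")
        (live / "new.txt").write_text("created later\n")
        (live / "old.txt").unlink()
        changed, deleted = partial_backup(live, partial, manifest)
        restored = restore_drill(tmp / "full", partial, deleted, tmp / "scratch")
        return changed, deleted, restored == snapshot(live)
```

The drill passes only when the final comparison is true; a mismatch means the back-up set cannot reproduce the live data and should be investigated before it is needed.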

Health and Safety
- Relatively low risk
- Regulations relating to screens and monitors, position and use.
- Positioning of keyboards, mice, chairs, tables.
- Computer users are entitled to eye-tests.
- Breaks away from the computer (look out of window)
- Other existing office, or other workplace environment, laws apply.

Organisational Policies
- Policy for use of information systems, e.g. keeping information confidential
- Procedure for correcting anomalous information
- Can apply equally to computer-based and non-computer-based systems.

Business Continuance Plan
- How operations can continue if any major system (or combination of systems) should fail. These could be IT systems.
- The service delivered may be more limited.
- E.g. dual network, attach alternate terminals to each network; complete failure of one network means that half the terminals keep working.
- E.g. a retailer may opt for more tills or point of sale terminals than really required to allow for failures. May have two servers to allow for server failure.
- Cost implication, decisions based on analysis of risk: how likely is the failure × cost of failure = justification for 'redundant' items.
- Cannot cover everything.

Business Continuance Plan
Case study:
- A business has offices in Upton-on-Severn, an area known to flood. The office building includes a basement and four storeys above ground.
  - Where should it install the servers for its information systems?
  - What actions should the BCP include in the event of flooding?
- One day the staff arrive to find water cascading through all the storeys of the building due to a leak; there was an old air-conditioning reservoir on the roof and this had sprung a leak. The building has to be closed for several weeks while the leak is fixed and the building dries out and is cleaned.
  - What actions should be initiated from the BCP?
  - Are there any additional actions that would be useful?
  - How can the effects of the leak be minimised?
  - What could have been done to prevent this incident?

Costs
- Total benefits of IT system >> cost of system
Considerations:
- Additional resources required
- One-off costs of new equipment purchase and installation
- User tests and training
- On-going (running) costs
- Cost of development: can be a large part of budget
- On-going updates and modifications.

Impact of increasing sophistication of systems
- Early systems were based on manual systems: little training, simple software.
- Systems and computing are becoming increasingly complex and sophisticated.
Requirements:
- More trained personnel: user training covering basic computing features, equipment, new processes, transactions, queries, reports.
- More complex software: development software hides complexity from the application builder, so the builder can focus on business problems. Creates better, more complex systems; great until it all goes wrong, then a development software expert and a business software specialist are needed.

Activity
Customer information and constraints
- Focus on an organisation that uses customer information, e.g. local council, college, shop, restaurant
- Consider legal, ethical, operational and other constraints.
- What constraints affect the way the organisation uses customer information?
- How does the organisation deal with these constraints?