
Data Protection and Computer Misuse Act material Modified by Eric from Mary’s slides.


Slide 1: Data Protection and Computer Misuse Act material (modified by Eric from Mary's slides)

Slide 2: Ethical issues
- Some computer databases hold a lot of personal details
- Personal data needs to be protected
- Unethical to misuse personal data
- Some computer systems hold sensitive information
- Security arrangements allow authorised access only
- Unethical to misuse or break into secure systems
- Legislation in place to make unethical use of computers also unlawful

Slide 3: Data Protection Acts
- Legal protection for personal data
- How many organisations hold information about you?
  - Think about a few
  - Share some examples

Slide 4: Data held about us
- These organisations hold information about us:
  - College
  - Loan company
  - Bank
  - Mobile phone provider
  - Library
  - Local council
  - DVLA
  - Insurance company
  - DHSS
- A typical adult may be listed in 200 computer systems
- Holding inaccurate data may result in problems

Slide 5: Data Protection Act 1984, updated 2000
- Act updated 1999; came into effect spring 2000
- New Data Protection Principles
- Passed to implement the European Data Protection Directive
- Includes some manual/paper records for the first time
- Extra rights for data subjects
- Exemptions include:
  - preventing or detecting crime
  - catching or prosecuting offenders
  - assessing or collecting tax or duty

Slide 6: Data Protection - key definitions (1)
- Personal data:
  - Any data or information about an individual stored in computers by companies or organisations
  - Living individuals
  - Includes expressions of opinion about the individual
- Data subject:
  - Legal term referring to the individual whose data is held

Slide 7: Data Protection - key definitions (2)
- Data controller:
  - Person with defined responsibility for data protection within a company
  - Could be a single person or a group of people
  - Ensures that recorded data complies with the Act
  - Holds a detailed register of the data to be held in the company
- Information Commissioner:
  - Official who supervises enforcement of the Data Protection Act
  - Issues guidance
  - Publishes views, for example on retention of DNA profiles
  - Takes action in breaches of the Data Protection Act

Slide 8: Data Protection - eight principles
- Data protection is framed within 8 principles. Data must be:
  1. Obtained and processed fairly and lawfully
  2. Processed for specific purposes
  3. Adequate, relevant and not excessive to the processing purpose
  4. Accurate and up to date
  5. Not kept for longer than necessary
  6. Processed in accordance with data subject rights
  7. Secure
  8. Not transferred outside the EEA without assurance of protection
- Look at each in turn…

Slide 9: Principle 1
- Data must be obtained and processed fairly and lawfully
  - Obtained fairly from the data subject
  - Subject must be aware of what data is being collected and how it will be used
- Example of breach:
  - A company employs a private detective to find out about a prospective senior employee and puts the information on the recruitment system

Slide 10: Principle 2
- Data must be processed for specific purposes
  - Cannot be used for another purpose unknown to the subject
  - Cannot be collected for provision of a service and then also used for another purpose without the subject's consent
- Example of breach:
  - Someone wishing to start a new club borrows a list of his company's customers as prospective members and also looks at other personal details to decide if they would be suitable club members

Slide 11: Principle 3
- Data must be adequate, relevant and not excessive to the processing purpose
  - Cannot request more data than is needed for the task at hand
  - Very tempting to collect data for a future purpose, but not legal
- Example of breach:
  - Marketing department sends questionnaires to customers, asking for age, gender, ethnic background, quantity and brands of foods they buy, hobbies, date and place of birth
  - Demographics and shopping habits are fine for the purpose, but hobbies and birth details are excessive

Slide 12: Principle 4
- Data must be accurate and up to date
  - Data controller is under an obligation to ensure accuracy
  - If the subject provides inaccurate data despite the controller's attempts at accuracy, the principle is not breached
  - Data controller is responsible for verifying accuracy
  - A good way is to periodically request confirmation or an update
- Example of breach:
  - Customer was unemployed when first taking out life insurance
  - Subsequently found a job and told the insurance company
  - Insurance company failed to update its records
  - Customer later denied a mortgage when the insurance company told a credit reference agency the customer was unemployed

Slide 13: Principle 5
- Data must not be kept for longer than necessary
  - Destroy data when it is finished with
  - Can be done automatically by software
  - Can be prompted by the computer system
- Example of breach:
  - A magazine publisher sends magazines to subscribers
  - When a subscription is cancelled or not renewed, the company keeps data about the previous subscriber and keeps sending magazines

Slide 14: Principle 6
- Data must be processed in accordance with data subject rights
  - Data subjects have access rights that must be upheld
  - Failure to comply with requests from the Information Commissioner also breaches this principle
- Example of breach:
  - An employee asks to see the data held on her by the company, but she is told that it is confidential and she is not allowed to see it

Slide 15: Principle 7
- Data must be kept secure at all times
  - Data controllers must apply appropriate security measures
  - Prevent internal and external access by unauthorised users
  - Hardware: card access to rooms, firewalls, CCTV, etc.
  - Software: passwords, virus scanners, etc.
  - Organisational: internal audit, division of duties, dual control of cash
- Example of breach:
  - When travelling to a meeting in another town, an employee accidentally leaves a file of insurance claims on the train

Slide 16: Principle 8
- Data must not be transferred outside the EEA without assurance of adequate protection
  - No restriction on movement within the European Economic Area
  - Restricted data movement to countries without equivalent data protection
  - Agreed on a country-by-country basis
  - Within the UK, the European Commission decides what data can be transferred where
- Example of breach:
  - A company sets up a new customer contact centre in a country that has no data protection legislation and sends all its customer files to that country

Slide 17: Applying data protection
- There are steps to take to ensure compliance:
  - Audit the information held in the organisation
  - Apply each of the 8 principles to all collection, storage and use of personal data
  - Collect, record, store and process current and future data in accordance with the rights of data subjects

Slide 18: Computer Misuse Act
- Legal protection for secure computer systems
- Intended to reduce online criminal activity:
  - Hacking into systems
  - Changing information in computer files or databases
  - Trying to access or change material
- Why needed?
  - History of 'hackers' breaking into computer systems
  - D of E's mailbox (Prestel) hacked into in 1986; difficult to prosecute
  - Labour Party web-site, just before the 1997 general election

Slide 19: Computer Misuse Act offences
- Three types of offence:
  - Unauthorised access
  - Unauthorised access with intent to continue
  - Unauthorised modification
- Look at each in turn…

Slide 20: Unauthorised access
- Unauthorised access to computer material:
  - Files
  - Webpages
  - Program code
  - Operational schedules
  - Email accounts
  - Databases
  - Financial accounts
  - Personal details
  - Company-confidential material

Slide 21: Unauthorised access with intent
- Unauthorised access to computer material with intent to commit or facilitate further offences
  - Covers intention to make changes to computer material
  - Covers intention to make changes to settings:
    - To gain easier access next time
    - To enable edits next time

Slide 22: Unauthorised modification
- Unauthorised modification of computer material:
  - Files
  - Operational schedules
  - Planning schedules
  - Database entries
  - Passwords
  - Program code
  - And so on

Slide 23: Offences translated
1. 'Hacking'
  - No intention to cause harm is necessary for prosecution
  - Magistrates' court: £5000 fine / up to 6 months' sentence
2. Theft
  - Unauthorised access to computer material in order to commit theft by re-directing funds to one's own bank account
  - Trial by jury: unlimited fines / up to 5 years' sentence
3. Malicious damage
  - Deliberate erasure or corruption of programs or data
  - Introduction of viruses and worms
  - Modifying or destroying another user's files or system files
  - Trial by jury: unlimited fines / up to 5 years' sentence
- Other possible offences include theft of electricity, false accounting, suppression of documents and breach of copyright
- Note: confidential information is not property, and so cannot be the subject matter of theft
