Published by Gerard Morris. Modified over 9 years ago.
Data Protection and Computer Misuse Act material
Modified by Eric from Mary's slides
Ethical issues
- Some computer databases hold a lot of personal details
- Personal data needs to be protected
- Unethical to misuse personal data
- Some computer systems hold sensitive information
- Security arrangements allow authorised access only
- Unethical to misuse or break into secure systems
- Legislation in place to make unethical use of computers also unlawful
Data Protection Acts
- Legal protection for personal data
- How many organisations hold information about you? Think about a few
- Share some examples
Data held about us
These organisations hold information about us:
- College
- Loan company
- Bank
- Mobile phone provider
- Library
- Local council
- DVLA
- Insurance company
- DHSS
A typical adult may be listed in 200 computer systems
Holding inaccurate data may result in problems
Data Protection Act 1984, updated 2000
- Act updated 1999 - came into effect spring 2000
- New Data Protection Principles
- Passed to implement the European Data Protection Directive
- Includes some manual/paper records for the first time
- Extra rights for data subjects
- Exemptions include:
  - preventing or detecting crime
  - catching or prosecuting offenders
  - assessing or collecting tax or duty
Data Protection - key definitions (1)
- Personal data: any data or information about an individual stored in computers by companies or organisations
  - Living individuals
  - Includes expressions of opinion about the individual
- Data subject: legal term referring to the individual whose data is held
Data Protection - key definitions (2)
- Data controller: person with defined responsibility for data protection within a company
  - Could be a single person or a group of people
  - Ensures that recorded data complies with the Act
  - Holds detailed register of data to be held in the company
- Information Commissioner: official who supervises enforcement of the Data Protection Act
  - Issues guidance
  - Publishes views, for example on retention of DNA profiles
  - Takes action in breaches of the Data Protection Act
Data Protection - eight principles
Data protection framed within 8 principles:
1. Obtained and processed fairly and lawfully
2. Processed for specific purposes
3. Adequate, relevant and not excessive to processing purpose
4. Accurate and up to date
5. Not kept for longer than necessary
6. Processed in accordance with data subject rights
7. Secure
8. Not transferred outside EEA without assurance of protection
Look at each in turn…
Principle 1
Data must be obtained and processed fairly and lawfully
- Obtained fairly from data subject
- Subject must be aware of what data is being collected and how it will be used
Example of breach: Company employs a private detective to find out about a prospective senior employee and puts the information on the recruitment system
Principle 2
Data must be processed for specific purposes
- Cannot be used for another purpose unknown to subject
- Cannot be collected for provision of a service and then also used for another purpose without subject's consent
Example of breach: Someone wishing to start a new club borrows a list of his company's customers as prospective members and also looks at other personal details to decide if they would be suitable club members
Principle 3
Data must be adequate, relevant and not excessive to processing purpose
- Cannot request more data than is needed for the task at hand
- Very tempting to collect data for a future purpose - but not legal
Example of breach: Marketing department sends questionnaires to customers, asking for age, gender, ethnic background, quantity and brands of foods they buy, hobbies, date and place of birth
- Demographics and shopping habits fine for the purpose, but hobbies and birth details are excessive
Principle 4
Data must be accurate and up to date
- Data controller under obligation to ensure accuracy
- If subject provides inaccurate data despite controller's attempts at accuracy then principle not breached
- Data controller responsible for verifying accuracy
- Good way is to periodically request confirmation or update
Example of breach:
- Customer unemployed when first taking out life insurance
- Subsequently found job and told the insurance company
- Insurance company failed to update records
- Customer later denied mortgage when insurance company told credit reference agency customer unemployed
Principle 5
Data must not be kept for longer than necessary
- Destroy data when it is finished with
- Can be done automatically by software
- Can be prompted by computer system
Example of breach: Magazine publisher sends magazines to subscribers. When subscription cancelled or not renewed, company keeps data about previous subscriber and keeps sending magazines
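The slide says retention can be enforced automatically by software. The following is an added example (not from the original slides, and not any real publisher's system) of what that looks like for the magazine scenario: an in-memory SQLite table of subscribers, a constructed retention policy of 90 days after a subscription ends, and a purge routine that deletes only records past that period while never touching active subscribers. The table layout, the 90-day period and the three sample rows are all assumptions made for the example.

```python
"""Retention purge for cancelled subscribers (added example, constructed data).

Assumptions not taken from the slides: cancelled subscribers are kept for
RETENTION_DAYS after their subscription ends, then deleted; active
subscribers have ended = NULL and are never purged.
"""
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 90  # assumed policy: keep cancelled subscriber data 90 days, then delete


def open_db() -> sqlite3.Connection:
    """Create an in-memory subscriber table seeded with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE subscribers (
               id      INTEGER PRIMARY KEY,
               name    TEXT NOT NULL,
               address TEXT NOT NULL,
               ended   TEXT  -- ISO date the subscription ended; NULL while active
           )"""
    )
    conn.executemany(
        "INSERT INTO subscribers (id, name, address, ended) VALUES (?, ?, ?, ?)",
        [
            (1, "A. Reader", "1 High St", None),         # active: never purged
            (2, "B. Lapsed", "2 Low Rd", "2024-01-10"),  # cancelled long ago: purge
            (3, "C. Recent", "3 Mid Ln", "2024-05-20"),  # cancelled recently: keep for now
        ],
    )
    conn.commit()
    return conn


def purge_expired(conn: sqlite3.Connection, today: date,
                  retention_days: int = RETENTION_DAYS) -> list[int]:
    """Delete subscribers whose cancelled data is past the retention period.

    Returns the ids that were deleted so the purge can be logged and audited.
    Rows with ended IS NULL (active subscriptions) are excluded by the WHERE clause.
    """
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    rows = conn.execute(
        "SELECT id FROM subscribers WHERE ended IS NOT NULL AND ended <= ?",
        (cutoff,),
    ).fetchall()
    ids = [r[0] for r in rows]
    conn.executemany("DELETE FROM subscribers WHERE id = ?", [(i,) for i in ids])
    conn.commit()
    return ids


def remaining_ids(conn: sqlite3.Connection) -> list[int]:
    """Ids still held after a purge, in id order."""
    return [r[0] for r in conn.execute("SELECT id FROM subscribers ORDER BY id")]


def run_demo(today_iso: str = "2024-06-01") -> tuple[list[int], list[int]]:
    """Seed the constructed table, run the purge as of today_iso, report (purged, remaining)."""
    conn = open_db()
    purged = purge_expired(conn, date.fromisoformat(today_iso))
    return purged, remaining_ids(conn)


if __name__ == "__main__":
    purged, kept = run_demo()
    print("purged:", purged, "remaining:", kept)
```

Running this as of 2024-06-01 purges only subscriber 2 (cancelled more than 90 days earlier) and keeps subscribers 1 and 3. The purge returns the deleted ids rather than just a count so that the run can be recorded: the same principle that requires deletion also expects the controller to be able to show that deletion happened on schedule.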
Principle 6
Data must be processed in accordance with data subject rights
- Data subjects have access rights that must be upheld
- Failure to comply with requests from the Information Commissioner also breaches this principle
Example of breach: An employee asks to see the data held on her by the company but she is told that it is confidential and she is not allowed to see it
Principle 7
Data must be kept secure at all times
- Data controllers must apply appropriate security measures
- Prevent internal and external access by unauthorised users
  - Hardware: card access to rooms, firewalls, CCTV etc
  - Software: passwords, virus scanners, etc
  - Organisational: internal audit, division of duties, dual control of cash
Example of breach: When travelling to a meeting in another town, an employee accidentally leaves a file of insurance claims on the train
Principle 8
Data must not be transferred outside EEA without assurance of adequate protection
- No restriction of movement within European Economic Area
- Restricted data movement to countries without equivalent data protection
- Agreed on a country-by-country basis
- Within UK, European Commission decides what data can be transferred where
Example of breach: A company sets up a new customer contact centre in a country that has no data protection legislation and sends all its customer files to that country
Applying data protection
There are steps to take to ensure compliance:
- Audit the information held in the organisation
- Apply each of the 8 principles to all collection, storage and use of personal data
- Collect, record, store and process current and future data in accordance with the rights of data subjects
Computer Misuse Act
- Legal protection for secure computer systems
- Intended to reduce online criminal activity:
  - Hacking into systems
  - Changing information in computer files or databases
  - Trying to access or change material
Why needed?
- History of 'hackers' breaking into computer systems
  - D of E's mailbox (Prestel) - hacked into 1986; difficult to prosecute
  - Labour Party web-site just before 1997 general election
Computer Misuse Act Offences
Three types of offence:
- Unauthorised access
- Unauthorised access with intent to continue
- Unauthorised modification
Look at each in turn…
Unauthorised access
Unauthorised access to computer material:
- Files
- Webpages
- Program code
- Operational schedules
- Email accounts
- Databases
- Financial accounts
- Personal details
- Company-confidential material
Unauthorised access with intent
Unauthorised access to computer material with intent to commit or facilitate further offences
- Covers intention to make changes to computer material
- Covers intention to make changes to settings
  - To gain easier access next time
  - To enable edits next time
Unauthorised modification
Unauthorised modification of computer material:
- Files
- Operational schedules
- Planning schedules
- Database entries
- Passwords
- Program code
- And so on
Offences translated
1. 'Hacking'
   - No intention to cause harm is necessary for prosecution
   - Magistrates court, £5000 fine / up to 6 months sentence
2. Theft
   - Unauthorised access to computer material in order to commit theft by re-directing funds to own bank account
   - Trial by jury, unlimited fines / up to 5 years sentence
3. Malicious damage
   - Deliberate erasure or corruption of programs or data
   - Introduction of viruses and worms
   - Modifying or destroying another user's file or system files
   - Trial by jury, unlimited fines / up to 5 years sentence
Other possible offences include theft of electricity, false accounting, suppression of documents, breach of copyright
Note: confidential information is not property, and so cannot be the subject matter of theft