www.ICT-Teacher.com. Objectives. Legislation: Understand that implementation of legislation will impact on procedures within an organisation. Describe.


1 www.ICT-Teacher.com

2 Objectives
Legislation:
• Understand that implementation of legislation will impact on procedures within an organisation.
• Describe the methods of enforcing and controlling data protection legislation within an organisation.
• Describe the methods of enforcing and controlling software misuse legislation within an organisation.
• Describe the methods of enforcing and controlling health and safety legislation within an organisation.
• Discuss the implications of the various types of legislation.

3 Objectives
Audit requirements:
• Understand that many information systems are subject to audit.
• Understand the impact of audit on data and information control.
• Describe the need for audit and the role of audit management/software tools in information systems.
• Understand the function of audit trails and describe applications of use, e.g. ordering systems; student tracking; police vehicle enquiries.

4 Regulations
1. Data Protection Act 1984 & 1998.
2. Computer Misuse Act 1990.
3. Copyright Designs & Patents Act 1988.
4. Health and Safety Regulations 1992.

5 Data Protection Act 1998
• Consists of eight data protection principles.
• Applies to organisations that hold personal data.
• Personal data must be kept secure, should be accurate, and must not be misused.
• Employees with access need to understand the implications of the Act.
• A security manager or administrator is put in control of access to the data.
• Operating procedures are needed to ensure privacy.

6 Data Protection Policy
Customer service:
• Company policy available to interested parties;
• Data subject told what data is kept and why;
• Data to be accurate, and errors corrected;
• Data only used for the purpose it was collected;
• Data only sold on if the subject has consented;
• Data only collected with consent in general;
• Data subject allowed access and their concerns listened to.

7 Data Protection Policy
Organisation:
• Company policy publicised for all staff concerned;
• Staff to be held accountable over privacy issues and could be liable under the Act if they leak data;
• Issues of privacy to be part of the information system, including security, accuracy and updating;
• A security policy adopted with an administrator;
• The security policy to deal with accidental as well as malicious damage and theft;
• Staff to be aware of policy on passwords, physical security, back-up of files, with regular checks performed on security by the administrator.

8 Buying and Selling Personal Data
• A company may be in business just to collect private data to sell to other companies.
• The data subject has to have given permission for it to be traded.
• This may have been granted unknowingly by a tick box not being ticked etc.

9 Enforcing Data Protection
• Data protection controller in the organisation to advise staff and enforce rules.
• Employees aware of their responsibilities.
• Follow up any incidents to ensure no breaches have taken place.
• Hardware kept in secure areas.
• Staff must not keep a personal copy of the database.

10 Enforcing Data Protection
• Staff to be trained properly in the use of personal data in a database, and aware of the obligations of the organisation under the Act.
• Passwords must be hard to break, and changed regularly.
• Staff must not bring in personal software.
• A log of all access should be kept as a record of individual access.
• Levels of access should be differentiated for different job users.

11 Software Misuse Act 1990
Employees need to be aware of the following:
• They should have a clear job description of what they are allowed to do, and not allowed to do.
• They must not introduce unauthorised software.
• No unauthorised work is to be done on the system.
• Data disks have to be scanned for viruses if used outside the system.
• Separation of duties, whereby no one person is responsible for everything; different parts have different managers.
• Controllers are to do regular audit checks of who has used the database and what they have accessed.

12 Software Copyright
• It is illegal to copy software or run software that is not licensed for the purpose.
• The company information systems administrator is responsible for the licence.
• He must run an audit of what software is used and how many copies of each, and delete any that is used over the licence agreement.
• Ensure there are enough licences for the company work to be done.
• Educate the staff about the consequences to them and the company.
• Ensure that staff are aware of the legalities and sign a written agreement.

13 Health and Safety
• Each organisation should have a Health and Safety officer to check and report to management the state of the environment, the furniture and the equipment that is used by staff.
• Good staff training and proper use of computers in the working environment, including the correct posture, breaks to stop eye strain and RSI, etc.
• Eye tests should be offered regularly and glasses supplied if needed.
• Faulty equipment should be changed promptly.
• Regular evaluation of work space should be done to protect the workforce and minimise claims made against the organisation.

14

15 Audit Requirements
• A systematic assessment of the entire computer system including the hardware and software.
• There is special software that does an audit trail, e.g.:
• A trail can track the progress of an item ordered by phone until its despatch.
• The payment can be checked against the order in case of any queries, and for stocktaking purposes.

16

17 Fraud
• An audit check will uncover fraud.
• It will check any irregularities in orders and payments and report back to the administrator.
• Staff are to be made aware of these procedures to deter the possibility of fraud.
• Staff logging in bogus customers etc. will be detected during an audit check and by a customer tracking system.

