In the UK there is now legislation that seeks to:
protect our health and safety while working with computers,
protect our privacy,
ensure that those who seek to carry out criminal acts using computer technology are punished,
ensure that intellectual rights to material are protected.
Problem
A country's legislation may be difficult to enforce if the 'crime' is carried out in another country.
The Internet is a worldwide phenomenon that crosses the boundary of every country.
What is illegal in one country may be perfectly legal in another country, or may simply be impossible to enforce.
There are lots of good sources that deal with this issue on the Internet.
Search Google using keywords like privacy, legislation,
Data Protection Act, European privacy legislation, SPAM, junk mail, cookies and so on.
In 1984 the DPA was updated to European legislation and also included extra safeguards, including data sent over the Internet.
When an organisation wants to keep data about individuals, it must register with the Data Protection Commissioner.
They have to fill in a form that:
Gives details of their organisation.
Says what data they want to collect.
Says what they want to do with it.
Says who will have access to the data.
Organisations collect data and store information about individuals.
Every organisation (business, school etc.) must recognise that the information collected about an individual is private.
Also, every individual has a right to expect that it stays private.
Each organisation should only collect the information that it actually needs.
It should also be clear and up-front about what it needs the information for.
Computers require energy to build. The components that make up computers also need energy. The majority of energy sources contribute in various degrees to polluting the atmosphere and the environment. Some computers and components are now becoming so cheap that people are simply buying new ones rather than having them repaired when things go wrong. They then 'dispose' of the old ones.
The organisation must then use the data in the way it said it would. If it doesn't register, or uses the data in a way that it hasn't declared, then it may be subject to legal sanctions. The DPA 1998 lays down eight principles of good practice, supported legally, which organisations must follow.
"Personal data shall be processed fairly and lawfully". This means that a company must be up-front about collecting personal data. It must seek permission from individuals to collect and process their personal details before they actually do it.
"Personal data shall be adequate, relevant and not excessive". We have already said that an organisation must declare to the Commissioner that it intends to collect data for one or more reasons. It must then collect only the information it actually needs and not collect any data that it doesn't really need.
"Personal data shall be accurate and, where necessary, kept up-to-date". An organisation must make attempts to ensure the information is accurate and up-to-date. For example, a school may, once a year, print off the personal details it holds about you, send them home and get someone to check, sign and return it. Any data can then be changed as necessary.
"Personal data ... shall not be kept for longer than is necessary". Companies must remove data if they do not need it any more. They should have a procedure in place to ensure that data kept on file is regularly reviewed.
"Personal data shall be processed in accordance with the rights of data subjects". An organisation must have in place a procedure to allow anyone who has data kept about them to see that data. This usually means having a form available so that any individual can request to see their data in writing. There is sometimes a small fee payable as well. The organisation must then provide the data within a fixed time.
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss". An organisation must take practical steps to ensure the data is safe and secure. These can include restricting access to files using password protection and encryption, restricting access to the hardware that can access files, and having a procedure to back up files daily and store the back-ups in a fire safe or securely off-site.
"Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection". In other words, data cannot be sent or accessed from another country outside of the EEA unless they have similar legislation to the DPA. If you have a web site that holds personal details that can be accessed by someone from another country, then this law applies to you!
"Personal data shall be obtained only for one or more specified and lawful purposes". In other words, an organisation has to use the data they collect in the way that they said they would use the data when they registered with the Commissioner.
While most people would agree that the legislation is useful, there are some drawbacks. Some people would argue that while it sounds good in practice, it is very difficult to enforce.
e.g. 1. If you are running a small club and store members' details on the computer, you are supposed to be registered - but how many are?
The DPA legislation means extra administration and expense for an organisation.
e.g. 2. Somebody has to be responsible and take the time:
to ensure that data is kept accurate and up-to-date,
to administer the system that allows somebody to see their details,
to make sure the company follows the DPA.
This involves that person being away from the core activities of the organisation and therefore an expense for the company.
Also, some might argue that the last principle of the Act described above is impossible and impractical to enforce.
How can you monitor who accesses data from an online database via a web site from another country?
How can you enforce regulations?
Conviction rates are low.
It is difficult for one country to impose its values and laws on people in other countries.
One approach is to have legislation that crosses national boundaries.
Directive 95/46/EC is European legislation that lays down rules designed to protect the rights and privacy of individuals with regard to data kept about them across Europe.
Directive 97/66/EC is another piece of legislation concerned with provisions for data privacy and protection in the telecom industry.
SPAM, cookies and the Directive on Privacy and Electronic Communication (2002/58/EC)
From August 2003, it became illegal to send unsolicited emails to people, commonly known as SPAM. Emails can be sent if the recipient actually 'opts in' - they have agreed in advance to receive email promotions and adverts. In addition, 'cookies' will be controlled.
A cookie is a small program that is placed on your computer by a web page. It collects information about you and what you look at and then sends this information back to the web page. This information can then be used for marketing purposes.
You must be clearly told that a cookie is to be placed on your computer and must have the ability to decline them.
This law was brought in to specifically deal with hackers, people who seek to gain unauthorised access to computer systems.
In the early days of computing, hackers were seen as 'a little bit naughty'. It soon became apparent that they can cause untold damage to national security, can cause havoc with a company's legitimate operations and can steal a lot of money! Existing legislation was difficult to apply to hackers.
The result was the Computer Misuse Act 1990. The Act does three things.
It makes it illegal to access data to which you have no right.
e.g. you are not allowed to try to guess or find out a friend's password and then gain access to their files! You can be fined and jailed for up to 6 months.
It makes a more serious offence of accessing data to which you have no right with the intention of carrying out other crimes.
e.g. if you hacked into a bank's system with the intention of stealing credit card numbers, then you would fall foul of this law.
You can be fined and jailed for up to 5 years.
It makes it illegal to change any data. If you hack into an area to which you have no right and start deleting files or modifying data then you will be breaking this law. You can be fined and jailed for up to 5 years.
People who write, paint, compose music, design web pages or invent something, for example, have 'intellectual rights' over what they have done. They own the copyright. This means that somebody who wants to use what they have done must get permission first from the copyright owner. The copyright holder can refuse to give permission, give permission freely, give permission but attach some conditions of use or could charge for permission. These rights are enshrined in law in The Copyright and Patents Act 1988. For example, if you find a web site you like, you cannot make copies of the web site. You cannot burn copies of the web site on to CD without permission, nor can you use images you found there without permission. Many web sites, photographs and images now incorporate software that 'stamps' the images with the copyright owner's details. If you do a computing project as part of your course, you cannot include work in your project that somebody else has done without properly giving credit to the author. If you do use somebody else's work without giving it due credit then this is known as plagiarism. It is both unethical and a breach of copyright. There are many web sites offering projects for sale for both school work and university work. Educational institutions and exam boards have become very wise to these sites and now regularly run software through submitted coursework to look for passages that have been stolen.
There are other laws that have an impact on users of computers. These include the Human Rights Act 1998, the European Convention on Human Rights, the Freedom of Information Act 2000, the Anti-terrorism and the Crime and Security Act 2001.
TASK 14 - A company has just been set up to market educational books. It intends to keep details about potential customers in its computer database. State the practical steps that the organisation should take to comply with the Data Protection Act 1998. You should ensure you mention the Data Protection Commissioner and that you cover the 8 principles in the Act.
TASK 15 - State the European legislation that has similar aims to the DPA 1998.
TASK 16 - Suggest two problems with enforcing UK law on somebody in the USA.
TASK 17 - What is a 'hacker'?
TASK 18 - State the Act that targets specifically the activities of hackers and outline the offences contained in the Act.
TASK 19 - What does it mean if something is 'copyright'? State the law that covers copyright issues.
TASK 20 - What does 'plagiarism' mean? Outline the steps that a university could take to make students aware of the issue and reduce the occurrences of plagiarism in work handed in.
One country's laws and values are not necessarily another country's laws and values. If one country decides that hard-core pornography is perfectly legal to show and sell and their citizens put web sites on the Internet, how can another country like the UK stop people viewing this kind of material, even though it is against the law in the UK? The answer is that it can't. Nobody owns or runs the Internet so it is very difficult for anyone to have control over it. We live in a democracy and we expect freedom of expression and to a large degree freedom of information. Most citizens, however, accept that there are times when there is a 'national security' argument for having some information restricted. Before the Internet, each country could decide exactly what their nationals could have access to. Post Internet, however, the situation has completely changed. It is very easy to set up anonymous web sites that carry all kinds of controversial material, including pornography, how to make a nuclear bomb and libellous gossip. This information crosses every boundary. It is therefore very difficult to convict anyone of anything anymore!
TASK 21 - Do some research on the history of the Internet. Who 'invented' it and for what purpose did it come into being?
TASK 22 - What is 'controversial information'? Give examples of information that could be considered 'controversial'.
TASK 23 - Explain why it is difficult to control the Internet.
Environmental issues
The Growing Problem of IT Waste
A throwaway culture has developed with gadgets and technology, e.g. upgrading your mobile phone every year.
Many of the electrical components and printed circuit boards in VDUs, computers and other equipment contain toxic substances, for example, mercury. As we become more of a throwaway society, these substances are thrown into the environment. There is a European drive to get us to recycle more and the UK has laws to prevent dumping technology waste. So where does it go?
Lots of old computer and electronic parts find their way to poor countries in Africa. Here, unsafe practices are used (often by children) to remove the valuable resources. Many 3rd world countries are increasingly being used as IT dumping grounds.
The more paper that is used, the more trees have to be cut down. Even if these are from renewable sources, it involves energy and involves making parts of forests an eyesore. We are still a long way off from a paperless society.
Opportunities have developed for workers to work from home. If people work from home, they don't have to commute. If they don't have to drive to work, for example, then their cars will not release pollutants into the atmosphere.
TASK 24 - Create a poster to advise employees on what RSI is, how it is caused and what can be done to help prevent it.
TASK 25 - Create a poster to advise employees how to reduce eye strain when using computers.
TASK 26 - Draw a diagram showing how a data input operator should sit correctly at a computer workstation.
TASK 27 - Discuss how UK companies are legally required to dispose of technology waste and how some of this ends up in African eWaste rubbish tips.