1
Business and the Law
The Data Protection Act (1998)
The Computer Misuse Act (1990)
The Copyright, Designs and Patents Act (1998)
Freedom of Information Act (Scotland) 2002
2
The Data Protection Act (1998)
3
The Data Protection Act (1998)
• Fears about the increase in the amount of data being held led to the Government introducing an Act in 1984 to guarantee the rights of the individual and this was replaced by the 1998 Act.
• Reasons for the worry
• Rapid growth in recent years of Information and Communications Technology
• Organisations now hold large databases holding huge quantities of information
• Global networks are able to share and distribute this information around the world in seconds
4
The Data Protection Act (1998)
• Privacy is a right we all expect.
• Personal details such as our age, medical records, personal family details, political and religious beliefs should not be freely available to everybody.
5
The Data Protection Act (1998)
• People now have the right to see what is stored on computer about them. For example, you can ask your bank for a copy of what their computer contains about you.
• However, some groups do not have to say what is on their computers.
• Can you suggest an example of one of these groups?
• Groups which hold information concerning crimes or national security do not have to say what is on their computers.
• You do not have access rights to police computers or to state security authorities.
6
The Data Protection Act (1998)
• TERMINOLOGY
• A data user is a person who holds and uses personal data about others or controls the use of it.
• A data subject is a person about whom personal data is stored by one or more data users.
7
Questions
• Outline reasons why the government introduced the Data Protection Act. (3 marks)
• Identify information which should not be freely available to everyone. (3 marks)
• Distinguish between a data user and a data subject. (1 mark)
8
The Data Protection Act (1998)
• Data subjects can normally see all of the data held about them, with some exceptions, for example if it would affect:
• The way crime is detected or prevented
• Catching or prosecuting offenders
• Assessing or collecting taxes or duty
• The right to see certain health and social work details may also be limited
9
The Data Protection Act (1998)
• The Act states that:
• Any company wishing to hold data on computer about more than a few people must register with a central agency.
• This agency is known as the Office of the Data Protection Commissioner
• Independent of any political or business interests and has the power to have inaccurate records corrected or erased.
10
The Data Protection Act (1998)
• As with any legislation certain terms within the Data Protection Act have quite specific meanings.
• Personal Data means data* relating to a living individual who can be identified either from the data, or from that data along with other information in the possession of the data user/controller.
*Data means information in a form in which it can be processed.
11
The Data Protection Act (1998)
• Problems can arise if information is out of date or contains mistakes.
• For example, if a person living near to you had a similar name, he or she might be mistaken for you if the wrong address was entered.
• To minimise the chances of this, great care must be taken when entering data.
• For example double entry checks may be used.
12
The Data Protection Act (1998)
• To summarise the 8 Principles of ‘good information handling’ data must be:
• Processed fairly and lawfully
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate
• Processed in accordance with the data subject’s rights
• Not kept longer than necessary
• Kept secure
• Not transferred to countries without adequate protection
13
The Data Protection Act (1998)
• Rights given to individuals by the Act:
• The right to be informed
• Informed of the:
• actual personal data
• The purposes for which the data is being processed
• The recipients to whom the data is disclosed
14
Questions
• Describe the role of the Data Protection Registrar.
• (1 mark)
• Information held by supermarkets would be covered by the Data Protection Act. Outline the basic principles that the supermarkets must follow under the Act.
• (5 marks)
• Explain the impact of the Data Protection Act 1998 on business organisations.
• (4 marks)
15
Task
• Log on to www.ico.gov.uk and find the answers to the following questions:
• A business has just received a subject access request. What should they do with it?
• How long should organisations keep data for?
• A customer asks to see details of her son’s bank account as he is seriously ill in hospital. What do you say?
• You are a data controller, and have received a request for information that you hold about an individual from another organisation. Can you release it?
16
Solutions
• A subject access request is a request from an individual, using their right under the Data Protection Act. They must decide, taking any exemptions into consideration, what information needs to be given. They have 40 calendar days to respond to the request and may request a fee of up to £10.
• The Data Protection Act says that information should be kept for no longer than is necessary. The Act does not specify what a ‘necessary’ period should be for particular information. Each case would be considered on its own merits. If an organisation is obliged to retain data for a given length of time under any other laws, this should be taken into consideration.
• For example, financial institutes may have to keep some information for up to six years in accordance with the Financial Services Authority regulations. A sole trader, however, may not need to keep information for longer than a month.
17
Solutions
• Tell the customer that you will arrange to provide the information if she sends you written authorisation showing that she acts for her son.
• Generally the Act would not allow a disclosure to a third party data controller unless the individual had been informed of the disclosure (see the first principle - Fair Processing). However there are a number of exemptions that allow disclosure in certain circumstances.
18
Data Protection Videos
• Concern over data protection
• Computer tracking
• BT monitoring customer information
19
Computer Misuse Act (1990)
20
Computer Misuse Act (1990)
• Since companies now depend greatly on computer data, precautions have to be taken against the data being lost, stolen or altered by unauthorised individuals.
21
Computer Misuse Act (1990)
• When introduced this Act was essentially aimed specifically at hackers.
• Hacking, computer fraud and computer viruses are all relatively new crimes that established UK laws were not designed to deal with.
• This Act makes ‘hacking’ and malicious acts, such as virus release, illegal.
22
Computer Misuse Act (1990)
• Prior to the passing of the Act a hacker could only be prosecuted for the theft of electricity under the then existing laws.
• It was essential that a new law be introduced in order to deal with these new crimes and this led to the Computer Misuse Act (1990)
23
Computer Misuse Act (1990)
What is a hacker?
• People who use their knowledge of computers to break into computer systems
• Some just leave harmless messages to show they have been there
• Some deliberately try to delete files or steal data
• The Act makes hacking illegal
24
Questions
• Describe the term “Hacker”.
• (1 mark)
• Describe the reasons why the Computer Misuse Act was introduced.
• (2 marks)
25
Computer Misuse Act (1990)
• What is a virus?
• A program that can make copies of itself in order to ‘infect’ other computers
• Viruses can spread from one computer to another via infected disks, downloaded files and e-mail.
• Virus scanning software can be used to protect systems
• BBC Virus Video
26
Computer Misuse Act (1990)
• The Computer Misuse Act (1990) applies to employees of a company who commit these offences from within as well as hackers who access computer systems remotely.
• The Act provides the means to prosecute those who deliberately interfere with a system, whether or not they do actual damage.
• The difficult part will be in catching the criminals and then demonstrating that they did not have the authority to access or modify the system.
27
Computer Misuse Act (1990)
• 3 new offences were created under the new Act:
• Unauthorised access to computer material
• Unauthorised access with an intent to commit further offences
• Unauthorised modification of computer material
28
Task
• Log on to the following article:
• Hacker step closer to extradition (BBC article)
• Describe the offence Mr McKinnon committed to be prosecuted under the Computer Misuse Act 1990. (1 mark)
• Outline the specific charge against Mr McKinnon under the Act. (1 mark)
29
Computer Misuse Act (1990)
• Simply making something illegal will not stop people from doing it. Therefore sensible companies will not rely on this legislation to stop people from misusing their computer systems.
• Companies should incorporate appropriate security measures into their computer systems and keep backups.
• Companies should also have in place an IT Security policy, known to all staff, that states the limits on authority of system usage.
30
Computer Misuse Act (1990)
• Most companies will also include a clause relating to the unauthorised use of computer systems in an employee’s contract of employment.
• Any unauthorised use of a computer by an employee would probably lead to dismissal.
31
Computer Misuse Act (1990)
• Common methods of protection are:
• Keeping computer rooms locked
• Having password access to important files
• Keeping backup copies of vital information in fire- and bomb-proof safes
• Sending data down ‘phone lines as code (encryption) so that computer ‘hackers’ cannot access it.
32
Computer Misuse Act (1990)
• Those breaking in from the outside should be told before they can do any damage that they must not proceed any further.
• The more barriers that can be placed in the way of a hacker the better.
• Anyone who is forced to bypass a number of security checks will be unable to claim afterwards that they did not intend to do so.
33
Questions
• Outline how a business can protect electronic information. (4 marks)
• Making something illegal doesn’t necessarily stop people doing it. Describe how a business can stop people misusing their computer systems. (3 marks)
34
Read these 2 articles
• Facebook targeted by hackers (BBC article)
• Monster website hit by major breach (BBC article)
• Write a brief summary of the issues arising in these articles.
35
Copyright, Designs and Patent Act 1988
36
Copyright
• Prevents copying of original work.
• Businesses wanting to use the copyright have to pay the holder a royalty or copyright fee.
• E.g. a marketing company wanting to make a television advertisement using an Eminem song would need to get permission of the copyright holders of the song and the recording.
• Duration of copyright
• For literary, dramatic, musical or artistic works: 70 years from the end of the calendar year in which the last remaining author of the work dies, the work is made available to the public
37
Patents
• New inventions should be patented to stop other businesses from copying it.
• In the UK, patents are registered with the Patents Office but it is important to do it internationally.
• Under the act, a patent in the UK lasts for 20 years, after which any business can copy it.
• Registering internationally is very expensive and an important start up cost for small businesses.
• Possible for a business to make and market their own patent or licence it to other businesses.
38
Copyright, Designs and Patent Act (1988)
• Copying computer software without the authority of the copyright holder, or software piracy, is now a criminal offence under this 1988 Act.
• The Act covers:
– Stealing software
– Using illegally copied software and manuals
– Running purchased software on two or more machines without a suitable licence.
• For example:
• The copyright owner’s permission is needed, to translate a program written in one computer language into an equivalent program in another language.
39
Copyright, Designs and Patent Act (1988)
• Quite often, organisations will purchase software licences to cover the number of workstations on their network. They then neglect to buy additional software licences as they buy more workstations. A particular concern is criminals who “pirate” software, copy the software and documentation and sell it cheaply.
40
Copyright, Designs and Patent Act 1988
• This Act gives the creators of literary, dramatic, musical and artistic works the right to control the ways in which their material may be used.
• This Act provides the same rights to authors of computer programs as to those of literary, dramatic and musical works.
41
Questions
• Distinguish between a patent and a copyright.
• (2 marks)
• Describe the Copyright Designs and Patent Act 1988
• (3 marks)
• Outline the offences that the Copyright Designs and Patent Act 1988 covers.
• (3 marks)
42
Copyright, Designs and Patent Act (1988)
• The legal penalties for breaking the copyright law include unlimited fines and up to two years in prison.
• It has been estimated that half the software used is copied illegally and in some countries pirated software accounts for 90% of the total.
43
Task
• Read the following article:
• Schools ‘risk copyright breach’
• Write a brief summary of the copyright issues in the article.
44
Freedom of Information Act (2002 Scotland)
45
Freedom of Information Act (2002 Scotland)
• The Freedom of Information Act gives members of the public a wide-ranging right to see all kinds of information held by the government and public authorities.
• You can use the Act to find out about a problem affecting your community and to check whether an authority is doing enough to deal with it.
46
Which bodies are covered by the legislation?
• Scottish Government and its agencies,
• The Scottish Parliament,
• Local authorities,
• NHS bodies,
• police forces,
• schools, colleges and universities
47
What information is covered by the FOI Act?
• The FOI Act applies to any recorded information held by or on behalf of an authority.
• paper records, emails, information stored on computer, audio or video cassettes, microfiche, maps, photographs, handwritten notes or any other form of recorded information.
• Unrecorded information which is known to officials but not recorded is not covered.
48
How do I apply for information under the Act?
• Log on and read the following article:
• Guide to Freedom of Information (Scotland) Act 2002
• Write a brief summary of the process - make sure you include the following information:
• What duties do officials have?
• What format can your request be in?
• What timescale should the organisation reply within?
• Can an organisation refuse to disclose information? Give examples when they can do this and the process you must follow.
49
How do I apply for information under the Act?
• A request for information under the FOI Act should be in writing:
• letter
• email
• Fax
• Tape or voice mail is also valid
• The request should be made directly to the authority and most will have a FOI officer.
50
Other points
• The individual does not need to say why they want the information
• The authority has to supply the information within 20 working days or reply giving reasons why they are going to be later.
• The applicant may be asked to make a contribution to costs of photocopying etc. Work stops until payment is received, but the 20 day countdown is still in place.
• A Scottish authority does not have to provide information if it would cost more than £600 to do so.
51
PROBLEMS FOR ORGANISATIONS
• Time consuming
• Complying with the 20 day limit
• Cost implications – may not get the full cost from the applicant
• All organisations have had to appoint a Freedom of Information officer
• Have to ensure that all records can bear scrutiny at a later date
52
Questions
• Identify bodies covered by the Freedom of Information (Scotland) Act 2002.
• (5 marks)
• Which sector are these bodies in?
• (1 mark)
• Describe the impact on an organisation of the introduction of the Freedom of Information (Scotland) Act 2002
• (3 marks)
53
Summary Question
• The ability of organisations to store, process and communicate vast amounts of information has led to an increase in legislation designed to protect individuals.
• Describe three pieces of legislation designed to protect individuals from misuse of information. Your description should include at least two facts about each piece of legislation.