Risk Training - Legal Issues


Legal Issues


The aim of this page is to discuss what the law says about various IT related issues, and to identify the risks of non-compliance. There are a lot of laws covering all of these issues, and it is well worth knowing where you stand with them all.

It is tempting to consider the legal aspects of Information Technology to be both boring and "somebody else's problem". Alas, ignoring these laws may be the biggest risk you could take, so beware.

In this section, we cover:

There are bound to be more coming up in the areas of Health and Safety and Employment, but these cover much of the applicable law for IT related issues. We start off with the DP Act and then move on to the others to show that, theoretically, in this age of electronic storage and communication, nothing can be hidden and people have a right to see what is being said about them or done with their data, and they may well have legal redress if a company is breaking the law.

Data Protection Act 1998:

This came into force in March 2000 to bring the UK in line with Europe and governs how personal information held on computer and other media is processed. It encompasses eight principles which say that Data must be:
  1. Fairly and lawfully processed.
  2. Processed for limited purposes.
  3. Adequate, relevant and not excessive
  4. Accurate
  5. Not kept for longer than is necessary
  6. Processed in line with your rights
  7. Secure
  8. Not transferred to countries without adequate protection.
Processing of the data includes obtaining the data, recording, holding, organising, adapting, retrieving, disclosing, combining and erasing.

The Act allows an individual access to their data held on computer systems, and also on some other systems (including surveillance tapes and some paper media). The data covered includes any data that may possibly identify an individual and also as a new feature in this Act, any data that expresses an opinion about an individual.

It is vital that you take advice on data protection issues whenever you store or process any information on people. It is also worth reading down to the Defamation section in this document.

Computer Misuse Act 1990:

This Act contains three specific offences.
  1. Unauthorised access to a computer
  2. Unauthorised access to a computer with intent to commit a crime
  3. Unauthorised modification of computer data
One important impact of this Act is that it is advisable for an organisation to do a number of things:

Some areas where the Computer Misuse Act may become important are in:

It should be noted that there really haven't been many prosecutions under this Act. A lot of the time this is because companies do not have clear-cut policies and do not keep sufficient audit trails. If you are hacked, and you want to get the hacker into court, you should be sure that you are taking sufficient measures to make a prosecution more probable.

A final point: Generally speaking a section 1 offence of this Act is not an arrestable offence (though technically it does carry a maximum sentence of six months). If someone does access your systems accidentally and they are actually told that no further access is allowed then this will help ensure that any further access is covered by sections 2 and 3 which are far more serious crimes.

Obscenity Laws:

The Obscene Publications Acts of 1959 and 1964 define obscene and pornographic material. Section 1.1 of the 1959 act says that an article is "obscene" if the effect of any part of the article is:

To deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it.

Section 2(1) of the Act says that it is an offence to publish an obscene article or have an obscene article for publication or gain. Publication is well defined in the Act as:

The Criminal Justices Bill of 1994 also amends this Act to include electronic data and digitised images which makes having obscene material available on a web site, or emailing obscene material an offence. Another important amendment made by the CJB is to make it an offence to have an indecent photograph or a "pseudo photograph" (i.e.: computer generated) of a child in their possession. There is also an offence of having "possession, ownership or control of an obscene article for publication for gain".

The Telecommunications Act 1984 says that it is an offence to send a message or other matter that is "grossly offensive or of an indecent, obscene or menacing character" by means of a public telecommunications system.

The Indecent Displays (Control) Act of 1981 can be a tricky one. This makes it illegal to publicly display indecent material. In this Act, both the person making the display and the person causing or permitting it are liable to prosecution. Thus a website owner, a company and a service provider may be liable for indecent publication and distribution. Under this Act, the material is not considered to be public if access is by subscription or membership.

Although the Blasphemy Act of 1697 is rarely used (prosecuted twice last century, in 1922 and 1977), it is one to be aware of, though it only covers the Anglican Church. Newer laws are being introduced to cover incitement to Racial Hatred, and every hundred years or so there is a call to repeal or change the Blasphemy Act.

An important law to be aware of is a non British law, the US Communications and Decency Act of 1996. Although this has no jurisdiction in the UK, a lot of Internet traffic is via the US, and US laws have this horrible habit of rearing their head here. This Act was much opposed by the Internet community when it was brought out. The law targets websites and organisations which fail to police their users. It has had the effect of forcing a subscription or membership system that requires a member to be over 18 on certain sites.

The Act basically says that there is a crime committed by:

Whoever -

(i) makes, creates, or solicits, and (ii) initiates the transmission of,

any comment, request, suggestion, proposal, image or other communication which is obscene or indecent, knowing the recipient of the communication is under 18 years of age, regardless of whether the maker of such communication placed the call or initiated the communication.

This Act is being challenged under the First Amendment in the Supreme Courts, but it is still one to be aware of. In response to the CDA, the European Commission published its own code of practice, the "Illegal and Harmful Content on the Internet"; in response to this the Internet industry in the UK established its own code of practice which has very little practical value.

Libel and Defamation:

There is a saying in safe journalism which goes "If in doubt, leave it out". The UK's laws on Defamation, slander and libel are all fairly clear cut.

Recently, the UK Laws have been updated to theoretically give a lot more scope for free speech and criticism; the time limitations for defamation have been shortened and the procedure has also been much simplified.

In March 2000, the well known litigant Dr Laurence Godfrey successfully sued Demon Internet because Demon had not taken sufficient steps in his opinion to remove some third-party defamatory material about him from their systems.

To successfully claim malicious falsehood, the claimant must be able to prove:

The Defamation Acts 1952 and 1996 are the main acts covering this. It should be noted that all electronic publication is technically "non verbal" (avoiding the pitfalls of phone calls, which are a one-to-one medium and hence not covered).

It is not required that someone be able to prove special damage:

The Protection from Harassment Act 1997 states that a person must not pursue a course of conduct (a) which amounts to harassment of another; and (b) which he or she knows or ought to know amounts to harassment of the other.

Beware of complacency and thinking your internal email is safe. In 1995, rumours started to spread that Western Provident (Insurance) was in financial difficulty and was being investigated by the DTI. These reports appeared on the internal mail system of Norwich Union staff, and WP believed that NU might use these rumours to damage them and obtain new business. WP issued a libel action against NU and obtained a court order to obtain hard copies of all of NU's allegedly defamatory emails.

The case was settled a year later and NU paid 450,000 pounds and publicly apologised. These days, with the DP Act allowing people access to anything you say about them, anything you say should be treated with great care.

Copyright, trademarks and piracy:

The Copyright, Designs and Patents Act 1988 covers a lot of this area. It is interesting to note that computer programs can be classed as "literary works".

Copyright law is very similar to print: you have to be pretty careful what you steal from other people to use on your web site. The best bet is to get permission before doing it. If you link to someone else's site, take care to make sure that people know that this is an external link. A Shetland Isles newspaper won a case against another for linking to its articles so that they appeared as though they might come from the other paper's own site.

Software piracy is a big problem these days, and the industry is quite good at policing this for medium and large organisations. The Federation Against Software Theft (FAST) runs "Shop your company" lines for current and ex-employees to shop organisations using illegal software, and more and more software is coming with built-in "anti-piracy" controls that will report illegal use over the Internet. The best way to make sure you don't get into trouble is to keep careful audits of the software you are using and, importantly, to stop your employees from installing software of their own.

The Trademark issue is not an easy one to talk about because it covers so many jurisdictions and the laws simply don't make sense - Trademark law is usually involved with domain name disputes, and the courts are slow to catch up with reality in this area.

As an example of the sheer stupidity, and the lengths to which lawyers will twist the law, one new decision in the ongoing legal saga of domain name disputes is a recent decision by the US Supreme Court that says a ".com" address is a piece of property, with its own geographical existence in the Commonwealth of Virginia (home of the .com registry). This now means that if the "owner" of a .com address does not live in the state of Virginia, they may be classed as an absentee owner of property and sued in the state of Virginia by virtue of injuring somebody with that property.

One thing that may be worth thinking about is who holds Intellectual Property and Copyright to materials written by your staff whilst in your employ. This should be made clear in a standard employment contract unless waived by either party. Care should also be taken over who keeps the Intellectual Property Rights to work done by third-party companies and contractors; this should be explicitly written into the contract.


Whilst discrimination is not an IT issue as such, it is one of those pitfalls which may well show up; it is therefore worth covering briefly.

There are three distinct types of discrimination:

The Sexual Discrimination Act 1975 makes sex discrimination unlawful in employment, training and various other areas. It is unlawful to discriminate in the way an employee is offered access to training, promotion and other benefits.

The Race Relations Act 1976 makes it similarly illegal to negatively discriminate on the grounds of colour, race, nationality and ethnic origin.

The Human Rights Act 1998 is a huge act with many implications and it implements the European Convention of Human Rights into English law.

The Convention guarantees a great deal of things, but some of the important ones are as follows:

The European Equal Treatment Directive should be incorporated into law by December 2003 and it will outlaw discrimination in employment on the grounds of sexual orientation, religion, belief, disability and age.

A final note on this subject: New Disability Acts come into effect soon which may well bring their own implications regarding access to your website. They may well insist that the blind and badly-sighted, for example, have the same access to content on your site as people with vision. The relevant acts are the Disability Discrimination Act 1995 and the Disability Discrimination (Employment) Regulations 1996.

Foreign and other relevant laws:

Foreign Law Compliance on the Internet is another legal quagmire, and basically there is not much more to say than it is a good idea to get a local lawyer to check out any legal risk factors whenever you step into a new territory.

We have discussed the Communications Decency Act in the US, and mentioned the legal black-hole that is International Trademark Law. Another point of interest, however, is that the French Government have finally repealed their somewhat over-zealous encryption laws that disallowed most forms of encryption to be communicated into, out of or across French communications systems.

The British Government are still considering laws under a new Electronic Commerce Bill that would force people with encrypted data to lodge a decoding key and algorithm with a "trusted party" so that the government could decrypt the data. Obviously, this is causing huge amounts of upset, and Tony Blair backed off this bill in 1999. It will be interesting to see if, in the aftermath of September 11th, they try and slip this one back in.

Other new laws may also be rushed in after September 11th and recent race riots to cover incitement to racial hatred.


Risk Training Info. Email: info@risktraining.info
Copyright © 2002 Michael Lawrie. All rights reserved.