Risktraining.info

Data protection Act 1998:

1. Fairly and lawfully processed.
2. Processed for limited purposes.
3. Adequate, relevant and not excessive
4. Accurate
5. Not kept for longer than is necessary
6. Processed in line with your rights
7. Secure
8. Not transferred to countries without adequate protection.

The Act allows an individual access to their data held on computer systems, and also on some other systems (including surveillance tapes and some paper media). The data covered includes any data that may possibly identify an individual and also as a new feature in this Act, any data that expresses an opinion about an individual.

1. Unauthorised access to a computer
2. Unauthorised access to a computer with intent to commit a crime
3. Unauthorised modification of computer data

• Identify the owner of a system
• Have clear guidelines as to who has access and who doesn't and state them.
• Have clear policy on levels of access
• There should be no ambiguity about the access to which an individual is allowed.

• Username sharing (accountability for your own staff)
• Accessing someone else's documents / email
• Installing software without permission
• Distributing viruses (accidentally or on purpose))
• Using external networks

To deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it.

Section 2(1) of the act says that it is an offence to publish an obscene article or have an obscene article for publication or gain - Publication is well defined in the Act as:

• sells, lets on hire, gives or lends where publication is to an individual
• distributes, circulates where publication is on a larger scale
• the mere offer for sale or letting on hire constitutes publication

The Criminal Justices Bill of 1994 also amends this Act to include electronic data and digitised images which makes having obscene material available on a web site, or emailing obscene material an offence. Another important amendment made by the CJB is to make it an offence to have an indecent photograph or a "pseudo photograph" (i.e.: computer generated) of a child in their possession. There is also an offence of having "possession, ownership or control of an obscene article for publication for gain".

The Telecommunications Act 1984 says that it is an offence to send a message or other matter that is "grossly offensive or of an indecent, obscene or menacing character" by means of a public telecommunications system.

The Indecent Displays (Control) Act of 1981 can be a tricky one. This makes it illegal to publicly display indecent material. In this Act, both the person making the display and the person causing or permitting it are liable to prosecution. Thus a website owner, a company and a service provider may be liable for indecent publication and distribution. Under this Act, the material is not considered to be public if access is by subscription or membership.

Although the Blasphemy Act of 1697 is rarely used (prosecuted twice last century 1922 and 1977), it is one to be aware of although it only covers the Anglican Church. Newer laws are being introduced to cover incitement to Racial Hatred, and every hundred years or so there is a call to repeal or change the Blasphemy Act.

An important law to be aware of is a non British law, the US Communications and Decency Act of 1996. Although this has no jurisdiction in the UK, a lot of Internet traffic is via the US, and US laws have this horrible habit of rearing their head here. This Act was much opposed by the Internet community when it was brought out. The law targets websites and organisations which fail to police their users. It has had the effect of forcing a subscription or membership system that requires a member to be over 18 on certain sites.

The Act basically says that there is a crime committed by:

Whoever -

• in interstate or foreign communications -
• by means of a telecommunications device knowingly -

any comment, request, suggestion, proposal, image or other communication which is obscene or indecent, knowing the recipient of the communication is under 18 years of age, regardless of whether the maker of such communication placed the call or initiated the communication.

Recently, the UK Laws have been updated to theoretically give a lot more scope for free speech and criticism; the time limitations for defamation have been shortened and the procedure has also been much simplified.

In March 2000, the well known litigant Dr Laurence Godfrey successfully sued Demon Internet because Demon had not taken sufficient steps in his opinion to remove some third-party defamatory material about him from their systems.

To successfully claim malicious falsehood, the claimant must be able to prove:

• The defendant published words about the claimant which were false.
• They were published maliciously
• That publication has caused special damage.

The Defamation Acts 1952 and 1996 are the main acts covering this, it should be noted that all electronic publication is technically "non verbal" (avoiding the pitfalls of phone calls which is a one to one medium and hence not covered)

It is not required that someone be able to prove special damage:

• If the words are likely to cause pecuniary damage to the claimant and are published in writing or another permanent form (or)
• If the words are likely to cause pecuniary damage to the claimant in respect of any office, profession, calling, trade or business held or carried on by him at the time of the publication.

The Protection from Harassment Act 1997 states that a person must not pursue a course of conduct (a) which amounts to harassment of another; and (b) which he or she knows or ought to know amounts to harassment of the other.

Beware of complacency and thinking your internal email is safe In 1995, rumours started to spread that Western Provident (Insurance) was in financial difficulty and was being investigated by the DTI. These reports appeared on the internal mail system of Norwich Union staff and WP believed that NU may use these rumours to damage them and obtain new business. WP issued a libel action against NU and obtained a court order to obtain hard copies of all of NU's allegedly defamatory emails.

The case was settled a year later and NU paid 450,000 pounds and publicly apologised. These days, with the DP Act allowing people access to anything you say about them, anything you say should be treated with great care.

Copyright law is very similar to print, you have to be pretty careful what you steal from other people to use on your web site - The best bet is to get permission before doing it. If you link to someone else's site, take care to make sure that people know that this is an external link - A Shetland Isles newspaper won a case against another for linking its articles so that they appeared as though they may come off their own site.

Software piracy is a big problem these days and the industry is quite good a policing this for medium and large organisations. The Federation Against Software Theft (FAST) runs "Shop your company" lines for current and ex-employees to shop organisations using illegal software and more and more, software is coming with built in "anti-piracy" controls that will report illegal use over the Internet. The best way to make sure you don't get into trouble is to keep careful audits of the software you are using and importantly, to stop your employees from installing software of their own.

The Trademark issue is not an easy one to talk about because it covers so many jurisdictions and the laws simply don't make sense - Trademark law is usually involved with domain name disputes, and the courts are slow to catch up with reality in this area.

As an example of the sheer stupidity, and the lengths to which lawyers will twist the law, one new decision in the ongoing legal saga of domain name disputes is a recent decision by the US Supreme Court that says a ".com" address is a piece of property, with its own geographical existence in the Commonwealth of Virginia (home of the .com registry). This now means that if the "owner" of a .com address does not live in the state of Virginia, they may be classed as absentee owners of property and sued in the state of Virginia by virtue of you injuring somebody with that property.

There are three distinct types of discrimination:

• Direct discrimination is when a person is treated differently to another on the grounds of sex, race or marital status.
• Indirect discrimination is when an employer makes the requirements and conditions of a job such that it would be difficult for someone of one sex, race or marital status to be able to comply with those conditions.
• Victimisation is where a person is treated unfavourably because they have taken action or complained about discrimination.

The Sexual Discrimination Act 1975 makes sex discrimination unlawful in employment, training and various other areas. It is unlawful to discriminate in the way an employee is offered access to training, promotion and other benefits.

The Race Relations Act 1976 makes it similarly illegal to negatively discriminate on the grounds of colour, race, nationality and ethnic origin.

The Human Rights Act 1998 is a huge act with many implications and it implements the European Convention of Human Rights into English law.

The Convention guarantees a great deal of things, but some of the important ones are as follows:

• Right to Life (article 2)
• Protection from torture and inhuman or degrading treatment or punishment (article 3)
• Protection from slavery and forced or compulsory labour (article 4)
• The right to liberty and security of person (article 5)
• The right to a fair trial (article 6)
• Protection from retrospective criminal offences (article 7)
• The protection of private and family life (article 8)
• Freedom of thought, conscience and religion (article 9)
• Freedom of expression (article 10)
• Freedom of association and assembly (article 11)
• The right to marry and found a family (article 12)
• Freedom from discrimination (article 13)

The European Equal Treatment Directive should be incorporated into law by December 2003 and it will outlaw discrimination in employment on the grounds of sexual orientation, religion, belief, disability and age.

We have discussed the Communications Decency Act in the US, and mentioned the legal black-hole that is International Trademark Law. Another point of interest, however, is that the French Government have finally repealed their somewhat over-zealous encryption laws that disallowed most forms of encryption to be communicated into, out of or across French communications systems.

The British Government are still considering laws under a new Electronic Commerce Bill that would force people with encrypted data to lodge a decoding key and algorithm with a "trusted party" so that the government could decrypt the data. Obviously, this is causing huge amounts of upset and Tony Blair backed off this bill in 1999. It will be interesting to see if, in the aftermath of September 11th they try and slip this one back in.