Computer Laws: Data Protection Act 1998 and Computer Misuse Act 1990


Page 1: Computer Laws Data Protection Act 1998 Computer Misuse Act 1990

Computer Laws
Data Protection Act 1998
Computer Misuse Act 1990

Page 2

Learning Objectives

List the measures that must be taken in order to protect against hacking (physical and software) and viruses.
Explain the need for data protection legislation and for protecting the confidentiality of data.
Explain how this need has been addressed.

Page 3

Why do we need data protection legislation?

Many organisations store large amounts of personal information about people on their computer systems. This may be data on customers, employees, suppliers, competitors, etc. The increasing trend to store vast quantities of such data has worried many people.

Page 4

Concerns

Who will be able to access this data?
Will information about me be available over the Internet, and therefore vulnerable to hackers?
Can my records be sold on to someone else?
Is the data accurate? If it is stored, processed and transmitted by computer, who will check that it is accurate?
Will data about me be stored even if it is not needed?

Page 5

In order to address these concerns, the Data Protection Act (1998) was passed.

Page 6

Data Protection Act 1998

The Act sets out eight data protection principles:
Data must be obtained and processed fairly and lawfully.
Data must be obtained only for specified and lawful purposes.
Data stored must be adequate, relevant and not excessive.
Data stored must be kept accurate and up to date.
Data stored must be kept no longer than necessary.
Data must be processed in accordance with the data subject's rights.
Data must be kept secure.
Data must not be transferred to countries that do not have suitable data protection laws.

Page 7

Personal data should be obtained and processed fairly and lawfully.

This means that you should be told that data is being collected about you, and you should know what the data will be used for.

Page 8

Personal data can be held only for specified and lawful purposes.

The Data Controller has to state why they want to collect and store information when they register with (notify) the Information Commissioner. If they use the data they have collected for other purposes, they are breaking the law.

Page 9

Personal data should be adequate, relevant and not excessive for the required purpose.

Organisations should only collect the data that they need and no more. Your school needs to know your parent's phone number in case they need to contact them in an emergency. However, they do not need to know your grandmother's name, nor do they need to know your eye colour. They should not ask for, nor store, such details, since this would be excessive and is not required to help with your education.

Page 10

The personal data should be accurate and kept up to date.

Companies should do their best to make sure that they do not record the wrong facts about a data subject. Your school probably asks your parents to check a form once a year to make sure that the phone number and address on the school system are still correct. If a person asks for the information to be changed, the company should comply if it can be shown that the information is indeed incorrect.

Page 11

The personal data should not be kept for longer than is necessary for the purpose for which it is collected.

Organisations should only keep personal data for a reasonable length of time. Hospitals might need to keep patient records for 25 years or more; that is acceptable since they may need that information to treat an illness later on. However, there is no need for a personnel department to keep the application forms of unsuccessful job applicants.

Page 12

Data must be processed in accordance with the rights of the data subjects.

People have the right to inspect the information held on them (except in certain circumstances, see the exemptions later). If the data being held on them is incorrect, they have the right to have it changed.

Page 13

Appropriate security measures must be taken against unauthorised access.

This means information has to be kept safe from hackers and from employees who do not have the right to see it (insiders as well as outsiders). Data must also be safeguarded against accidental loss or destruction.

Page 14

Personal data cannot be transferred to countries outside the European Economic Area unless the country provides an adequate level of protection.

This means that if a company wishes to share data with an organisation in a different country, that country must have laws in place that protect personal data to a similar standard to our Data Protection Act.

Page 15

Exemptions

The Act exempts certain data from some of its provisions (including the right to inspect data, see Page 12):
National security
Crime
Taxation
Health, education and social work (personal data about the physical or mental health of the data subject)
Personal data being processed by government departments or local authorities which is being used in the course of any investigation or monitoring
Data that could form part of a confidential reference (application for employment or a college course etc.)

Page 16

Computer Misuse Act 1990

This law was devised to reduce the activity of hackers. It created three main offences:
Unauthorised access to computer material: it is illegal to access programs or data you are not authorised to access (for example, logging in with someone else's password).
Unauthorised access with intent to commit or facilitate a further offence: it is illegal to gain unauthorised access in order to go on to commit another crime (for example, fraud).
Unauthorised modification of computer material: it is illegal to gain unauthorised access and amend, delete or add to the data or programs (for example, by planting a virus).

Note that the third offence was later widened (by the Police and Justice Act 2006) to cover any unauthorised act intended to impair the operation of a computer, which brings denial-of-service attacks within the Act.

Page 17

How to protect against Hacking

Physical methods:
Keeping important computers in locked rooms.
Posting security guards.
Security locks, smart cards.
Keeping sensitive data on stand-alone machines instead of networks.
Using alarm systems and video cameras.

Software methods:
Data encryption: data is 'scrambled' before being transmitted through a network. Only the authorised recipient has the 'key' needed to unscramble it.
Firewalls: software (or a dedicated device) that blocks access from outside the network, letting through only the traffic that has been permitted.
Activity logs, passwords and levels of security: passwords check who a user is, levels of security mean each user can only see the data they need, and activity logs record who did what and when so that unauthorised access can be detected afterwards.
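The software measures above (passwords, levels of security and activity logs), together with the principle on Page 13 that personal data must be protected against unauthorised access by both outsiders and employees, can be shown working in a short program. The following is an added example written for this page, not code from the original slides: it keeps a constructed set of users and records (not real data), stores only salted PBKDF2 password hashes rather than passwords, checks each user's level before returning a record, and writes every attempt to an activity log. The access levels ("public", "staff", "admin"), the iteration count and the user and record names are assumptions made for the illustration.

```python
"""Added example: password login, access levels and an activity log over personal records."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Hypothetical access levels; the slide's "levels of security" are not defined further.
LEVELS = {"public": 0, "staff": 1, "admin": 2}

# Kept low so the example runs quickly; real systems should use a much higher count.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256; only these are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the offered password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class RecordStore:
    """Personal records guarded by passwords, access levels and an activity log."""

    def __init__(self) -> None:
        self.users = {}    # username -> (salt, digest, level)
        self.records = {}  # record id -> (required level, data)
        self.log = []      # activity log: one dict per attempted action

    def add_user(self, name: str, password: str, level: str) -> None:
        salt, digest = hash_password(password)
        self.users[name] = (salt, digest, LEVELS[level])

    def add_record(self, rid: str, level: str, data: dict) -> None:
        self.records[rid] = (LEVELS[level], data)

    def _audit(self, user: str, action: str, outcome: str) -> None:
        self.log.append({"time": time.time(), "user": user, "action": action, "outcome": outcome})

    def login(self, name: str, password: str) -> bool:
        entry = self.users.get(name)
        # Hash against a dummy salt for unknown users so response time does not reveal valid names.
        salt, digest = (entry[0], entry[1]) if entry else (bytes(16), bytes(32))
        ok = verify_password(password, salt, digest) and entry is not None
        self._audit(name, "login", "ok" if ok else "denied: bad credentials")
        return ok

    def read(self, name: str, password: str, rid: str) -> Optional[dict]:
        """Return the record only if the login succeeds and the user's level is high enough."""
        if not self.login(name, password):
            return None
        level = self.users[name][2]
        required, data = self.records[rid]
        if level < required:
            self._audit(name, "read " + rid, "denied: insufficient level")
            return None
        self._audit(name, "read " + rid, "ok")
        return data


def demo() -> RecordStore:
    """Constructed sample users and records for the illustration (not real data)."""
    store = RecordStore()
    store.add_user("alice", "correct horse battery", "staff")
    store.add_user("bob", "S3cure!pass", "admin")
    store.add_record("pupil-17", "staff", {"parent_phone": "01632 960123"})
    store.add_record("payroll-3", "admin", {"salary": 31000})
    return store


if __name__ == "__main__":
    s = demo()
    print(s.read("alice", "correct horse battery", "pupil-17"))   # staff may see pupil contact data
    print(s.read("alice", "correct horse battery", "payroll-3"))  # None: staff level too low
    print(s.read("mallory", "guess", "pupil-17"))                # None: unknown user
    for entry in s.log:
        print(entry["user"], entry["action"], entry["outcome"])
```

Running it prints the pupil contact record for the staff user, None for the staff user's attempt on the payroll record and for the unknown user, and then the activity log; that log is what an administrator would review to spot repeated denied attempts. Encryption of data in transit and firewalls, the other software measures on the slide, sit around a program like this rather than inside it.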

Page 18

Plenary

What measures must be taken in order to protect against hacking (physical and software)?

Page 19

Answer: the physical and software methods listed on Page 17.

Page 20

Plenary

Why do we need data protection legislation and to protect the confidentiality of data?

Concerns: see the list on Page 4.

Page 21

Plenary

How did the government address these concerns? It passed the Data Protection Act 1998.