www.ICT-Teacher.com

Www.ICT-Teacher.com. Objectives Legislation: Understand that implementation of legislation will impact on procedures within an organisation. Describe


Objectives

Legislation:
- Understand that implementation of legislation will impact on procedures within an organisation.
- Describe the methods of enforcing and controlling data protection legislation within an organisation.
- Describe the methods of enforcing and controlling software misuse legislation within an organisation.
- Describe the methods of enforcing and controlling health and safety legislation within an organisation.
- Discuss the implications of the various types of legislation.


Objectives

Audit requirements:
- Understand that many information systems are subject to audit.
- Understand the impact of audit on data and information control.
- Describe the need for audit and the role of audit management/software tools in information systems.
- Understand the function of audit trails and describe applications of use, e.g. ordering systems; student tracking; police vehicle enquiries.


Regulations

1. Data Protection Act 1984 & 1998.
2. Computer Misuse Act 1990.
3. Copyright Designs & Patents Act 1988.
4. Health and Safety Regulations 1992.


Data Protection Act 1998

- Consists of eight data protection principles.
- Applies to organisations that hold personal data.
- Personal data must be kept secure, should be accurate, and must not be misused.
- Employees with access need to understand the implications of the Act.
- A security manager or administrator put in control of access to the data.
- Operating procedures to ensure privacy.


Data Protection Policy

Customer service:
- Company policy available to interested parties;
- Data subject told what data is kept and why;
- Data to be accurate, and errors corrected;
- Data only used for the purpose it was collected;
- Data only sold on if the subject has consented;
- Data only collected with consent in general;
- Data subject allowed access and their concerns listened to.


Data Protection Policy

Organisation:
- Company policy publicised for all staff concerned;
- Staff to be held accountable over privacy issues and could be liable under the Act if they leak data;
- Issues of privacy to be part of the information system, including security, accuracy and up-dating;
- A security policy adopted with an administrator;
- The security policy to deal with accidental as well as malicious damage and theft;
- Staff to be aware of policy on passwords, physical security, back-up of files, with regular checks performed on security by the administrator.


Buying and Selling Personal Data

- A company may be in business just to collect private data to sell to other companies.
- The data subject has to have given permission for it to be traded.
- This may have been granted unknowingly by a tick box not being ticked etc.


Enforcing Data Protection

- Data protection controller in the organisation to advise staff and enforce rules.
- Employees aware of their responsibilities.
- Follow up any incidents to ensure no breaches have taken place.
- Hardware kept in secure areas.
- Staff must not keep a personal copy of the database.


Enforcing Data Protection

- Staff to be trained properly in the use of personal data in a database, and aware of the obligations of the organisation under the Act.
- Passwords must be hard to break, and changed regularly.
- Staff must not bring in personal software.
- A log of all access should be kept as a record of individual access.
- Levels of access should be differentiated for different job users.


Software Misuse Act 1990

Employees need to be aware of:
- Have a clear job description of what they are allowed to do, and not allowed to do.
- Not to introduce unauthorised software.
- No unauthorised work done on the system.
- Data disks have to be scanned for viruses if used outside the system.
- Separation of duties whereby no one person is responsible for everything, different parts have different managers.
- Controllers to do regular audit checks of who has used the database and what they have accessed.


Software Copyright

- It is illegal to copy software or run software that is not licensed for the purpose.
- The company information systems administrator is responsible for the licence.
- He must run an audit of what and how many of each software is used and delete any that is used over the licence agreement.
- Ensure there are enough licences for the company work to be done.
- Educate the staff about the consequences to them and the company.
- Ensure that staff are aware of the legalities and sign a written agreement.


Health and Safety

- Each organisation should have a Health and safety officer to check and report to management the state of the environment, the furniture and the equipment that is used by staff.
- Good staff training and proper use of computers in the working environment, including the correct posture, breaks to stop eye strain and RSI, etc.
- Eye tests should be offered regularly and glasses supplied if needed.
- Faulty equipment should be changed promptly.
- Regular evaluation of work space should be done to protect the workforce and minimise claims made against the organisation.


Audit Requirements

- A systematic assessment of the entire computer system including the hardware and software.
- There is special software that does an audit trail, e.g.:
- A trail can track the progress of an item ordered by ‘phone until its despatch.
- The payment can be checked against the order in case of any queries, and for stocktaking purposes.


Fraud

- An audit check will uncover fraud.
- It will check any irregularities in orders and payments and report back to the administrator.
- Staff are to be made aware of these procedures to deter the possibility of fraud.
- Staff logging in bogus customers etc. will be detected during an audit check and a customer tracking system.
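
An added example, not part of the original slides: a small audit check over an ordering-system audit trail, covering the points above (payment checked against the order, despatch traced back to the order, bogus customers, separation of duties). The record layout, event names, staff and customer IDs are all assumptions made for illustration, and the data is constructed.

```python
from collections import defaultdict

# Constructed sample data (not real records). Amounts are in pence.
KNOWN_CUSTOMERS = {"C001", "C002"}  # assumed customer register
TRAIL = [  # (order id, event, staff login, customer id, amount)
    ("A100", "ordered",    "sales1",   "C001", 12000),
    ("A100", "paid",       "finance1", "C001", 12000),
    ("A100", "despatched", "stores1",  "C001", 0),
    ("A101", "ordered",    "sales2",   "C002", 4500),
    ("A101", "paid",       "finance1", "C002", 4000),   # underpayment
    ("A101", "despatched", "stores1",  "C002", 0),
    ("A102", "ordered",    "sales2",   "C999", 9900),   # customer not on register
    ("A102", "despatched", "stores1",  "C999", 0),      # despatched, never paid
    ("A103", "ordered",    "sales1",   "C001", 3000),
    ("A103", "paid",       "sales1",   "C001", 3000),   # one person did both steps
]

def audit(trail, known_customers):
    """Return a sorted list of (order_id, finding) irregularities."""
    orders = defaultdict(dict)
    for order_id, event, staff, customer, pence in trail:
        orders[order_id][event] = (staff, customer, pence)
    findings = []
    for order_id, ev in orders.items():
        placed, paid = ev.get("ordered"), ev.get("paid")
        if placed is None:
            # Payment or despatch with nothing to trace it back to.
            findings.append((order_id, "no order record"))
            continue
        if placed[1] not in known_customers:
            findings.append((order_id, "unknown customer"))
        if paid is None:
            if "despatched" in ev:
                findings.append((order_id, "despatched without payment"))
        else:
            if paid[2] != placed[2]:
                findings.append((order_id, "payment differs from order"))
            if paid[0] == placed[0]:
                findings.append((order_id, "same staff took order and payment"))
    return sorted(findings)

if __name__ == "__main__":
    for order_id, finding in audit(TRAIL, KNOWN_CUSTOMERS):
        print(order_id, finding)
```
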