Legal Framework
Chapter 5
Learning outcomes
• Explain the difference between patent and copyright
• Computer Misuse Act
• List the 8 principles of the Data Protection Act 1998
• Explain what rights you have as a data subject in relation to persons or organisations holding your details
• Explain what companies must do to keep within the law if they keep records of individuals on manual or electronic file
• Explain the legal implications of computer hacking
Intellectual property
The Internet is not a copyright-free zone.
Varying national laws affecting sites, and the ease of downloading data, make things harder for Internet publishers.
But these rights still exist.
Copyright vs patent
Copyright: the right to make copies. It automatically belongs to the author of any original or creative work. No one else may derive revenue from the work without the copyright holder's permission (Copyright, Designs and Patents Act 1988).
• Covers moral rights: even if the author has assigned copyright to another party and no longer derives revenue from a work, they still have the right to be recognised as the original author.
Patent: protects the right to exploit inventions, e.g. innovative computer hardware. It does not exist automatically but has to be granted by a government patent office.
Copyright in computer software
Copyright exists in works which are:
• Original literary, dramatic, musical or artistic works
• Sound recordings, films, broadcasts
• Typographical arrangements of published editions
Under the 1988 Act, computer programs are classified as literary works. Copyright protection includes the design material and any documents provided with the program.
The Copyright, Designs and Patents Act 1988 covers:
• Illegal copying of software.
• Illegal running of copyright software on more than one machine unless covered by the licence.
• It is illegal for an organisation to encourage or pressure its employees to copy or distribute illegal software.
Copyright (cont’d)
Complications related to the Internet
• Files containing text, images or sound recordings can be rapidly transmitted through the Internet.
• Hard to monitor.
• Copies, pirate or even perfect reproductions of the original.
• Computer processing of documents creates transient copies in cache memory.
• Although this occurs outside the user's direct control, it could be a technical breach of copyright.
• Transient copies have been excluded from copyright liability under the European Copyright Directive 2001 and the UK Copyright and Related Rights Regulations 2003.
Software Piracy
Software piracy can be defined as "copying and using commercial software purchased by someone else".
Software piracy is illegal.
Each pirated piece of software takes away from company profits, reducing funds for further software development initiatives.
Software information industry association (SIIA)
According to SIIA:
• Most of the software on eBay and other auction sites is illegal.
• In 2008, SIIA managed to shut down auction and classified-ad sites offering products worth a combined $25 million.
Software patent
Computer programs are not in general recognised as inventions. Hence, they fall under copyright rather than patent law.
UK and EU patent offices
Exceptions exist for programs which make a technical contribution or provide an improvement to existing technology.
• An improved program for translating between Japanese and English is not patentable, as linguistics is a mental process.
• Image enhancement is patentable, as it produces a technical improvement in a technical area.
• Can I patent computer software?
http://www.intellectual-property.gov.uk/
See study guide pages 51-52-53 for more details
Defamation
Defamation consists of publishing a statement which harms or is likely to harm someone's reputation.
A defamation which is untrue falls under the law of either libel or slander.
• Libel: defamation made in a permanent form (written or printed)
• Slander: defamation made in a temporary form, e.g. spoken
Defamation via electronic communication is generally classed as libel:
• Email
• Newsgroups
• Web pages
Internet service providers may be liable for the content of newsgroups or web pages which they host.
Employers may be liable for the content of email messages sent by employees. In 1997, the Norwich Union company paid £450,000 to a health insurance company as a result of libellous emails that had been circulated among Norwich Union staff. (Internet law, p. 28)
See study guide page 54 for more information.
Learning activity
The fact that employers could be prosecuted following defamatory emails has been cited as one of the justifications for the practice of monitoring employees' use of the Internet. Do you think this is reasonable?
The Computer Misuse Act 1990
The widespread use of computers and computer systems, and the misuse of them in the 1980s, led to a law making it a criminal offence to do certain things.
The Act covers a variety of misuses that couldn't be covered by the existing laws of the time. These include:
• Deliberate damage by planting viruses
• Using computers to carry out unauthorised work
• Copying computer programs
• Hacking into a system to view private information
• Various frauds, including stealing money from banks
The Computer Misuse Act Covers:
Unauthorised access to computer programs or data;
Unauthorised access with a further criminal intent;
Unauthorised modification of computer material (programs or data).
Three Specific Offences
Section 1 (unauthorised access): accessing a program or data stored on a computer
• Knowing the access is unauthorised.
• This is why login screens often carry a message saying that access is limited to authorised persons: the notice makes it harder for an intruder to claim they did not know the access was unauthorised.
• It may not prevent a determined hacker getting access to the system.
The maximum prison sentence is 6 months.
Offences
Section 2 (unauthorised access + further offence): unauthorised access with the intent of committing a further offence.
• e.g. accessing private data or company records in order to commit fraud or blackmail.
The maximum prison sentence is 5 years.
Offences
Section 3 (unauthorised access + modification): unauthorised access plus modification of the computer's contents.
• Altering data: e.g. a nurse might use a doctor's password to alter a patient's drug dosage and treatment records.
• Removing data: e.g. to cover up evidence of wrongdoing.
• Adding data: e.g. sending email under a false name results in unauthorised modifications to the content of the mail server.
The maximum prison sentence is 5 years.
What does the CMA not cover?
• Denial of service attacks (see next chapter)
• Sponsored links on websites
A company pays for advertising only if a user clicks on the link.
The advertiser's competitors can click many times, causing the advertiser to run up a bill which does not bring them new business.
What Data is Held on Individuals?
By institutions:
• Criminal information
• Educational information
• Medical information
• Financial information
• Employment information
• Marketing information
• Other: consider mobile phones, ATMs, city centre cameras, store loyalty cards, credit cards, the Internet.
The Data Protection Act 1998 overview
General overview of the act
• What is the act?
• Definitions
• Changes since the 1984 act
• Principles of the act
• Transitional relief
• Implications for Colleges and Departments
• Things to keep in mind
• Resources
What is the Data Protection Act?
Intended to balance the interests of data subjects with those of data controllers.
Freedom to process data vs. privacy of individuals.
The 1984 Act was updated by the 1998 Act on 24th October 1998. It came into force on 1st March 2000.
Changes Since the 1984 Act
DPA 1998 is much broader than the old act:
• More rights for data subjects.
• Covers relevant manual filing systems.
• New category of data – sensitive data.
• Transitional relief: if data processing has been in effect before 24th of October, then
  • for automated data, the data controller has till 23rd of October to comply with the act
  • for manual data, the data controller has till 23rd of October 2007 to comply with the act.
• Rules about export of data to non-EEA countries.
Definitions
Personal Data: data about a person who is alive and can be identified by that data.
Data Subject: the individual that the data is about.
Processing: retrieving, holding, sorting, deleting.
Data Controller: the person who is responsible for the control of the data in a business or organisation.
Relevant Filing System: readily accessible information about living individuals.
The Commissioner: the person responsible for enforcing the law, including ensuring that the owners of the data use good practice and that individuals are aware of their rights.
Data Protection Act 1998
DPA 1998 has 8 principles
Principles of the act – 1.
Non-sensitive personal data must be processed fairly and lawfully and shall not be processed unless one of the conditions below is met (Schedule 2):
• Consent – the most important
• Contract
• Legal obligation
• Vital interests of the subject (life or death!)
• Public functions
• Balance of interests
Sensitive Personal Data
• Racial or ethnic origin
• Political opinions
• Religious or similar beliefs (note food!)
• Trade union membership
• Health
• Sexual life
• Offences
Sensitive Personal Data
May only be held if one of the conditions below is met:
• Explicit and informed consent
• Employment law
• Vital interests of the subject
• Legal proceedings
• Medical purposes (by medical professionals)
• Equal opportunities monitoring
Principles of the act – 2.
Data must be obtained only for one or more specified lawful purposes. Data must not be used for a new, incompatible purpose without the subject's consent.
Have a data protection statement explaining what data will be held and why, and get consent from new students/staff as they arrive.
Principles of the act – 3 & 4.
Personal data must be adequate, relevant and not excessive. Do not stock up on data without a reason that can be justified – consent!
Personal data shall be accurate and up to date. This is an ongoing requirement and means data needs to be kept under constant review.
Principles of the act – 5.
Personal data may not be kept for any longer than is necessary for its stated purpose(s). This potentially creates a problem with old staff/members' data. Get consent from all new staff/members to keep their data after they have left, as this is a different purpose from keeping it while they are here.
Principles of the act – 6.
Personal data must be processed in accordance with the rights of data subjects. This means that you cannot do things that violate the rights given to data subjects under the new act, especially denying access to data.
Rights of data subjects
Must be informed if personal data are being processed and given a description of the personal data and the purpose for which it is being held.
May prevent processing for purposes of direct marketing.
Right to see algorithms used in automated decision making (credit scoring etc.).
Compensation, rectification, blocking, destruction.
Access rights
Right to have communicated to him/her in an intelligible form the information constituting the data.
No right to rifle through filing systems, computers etc.
Right to be informed of logic involved in automated processing.
Request must be in writing, fee up to £10 may be charged and identity may be thoroughly checked.
Enforced Access
It is an offence to force subjects to exercise their access rights to data held by others. This includes data about cautions, criminal convictions and certain social security records.
Right to prevent processing
Processing likely to cause unwarranted substantial damage or distress to the subject.
21 days to comply with the request. Exemption if processing is necessary for the performance of a contract with the subject, or there is a legal obligation, or the vital interests of the subject are at stake.
Exemptions to access rights
• Prevention and detection of crime
• Apprehension or prosecution of offenders
• Collection of tax or other duty
• Research, history, statistics
• Exam marks – 40 days after date of announcement or 5 months from the access request
• Confidential references
Principles of the act – 7.
Technical or organisational measures must be taken to prevent unauthorised or unlawful processing of data and accidental loss, damage or destruction of data. The first (technical measures) is mainly a matter for IT support staff (backups, password security, etc.), but everyone can help. The second (organisational measures) is about being careful with keys and having access controls.
Principles of the act – 8.
Personal data may not be transferred overseas unless the receiving country has an adequate level of protection for it. The US does not.
Transfer is OK if a contract is in place with the party abroad or the subject has consented. The Data Protection Commissioner is preparing standard contracts.
International data transfer
Principle 8 puts restrictions on the transfer of data from the EU to non-EU countries, e.g. for companies holding their call centre in Asia.
International data transfer (cont'd)
For a transfer of data to non-EU countries to be lawful, an adequate level of data protection must have been achieved:
• Some countries are recognised by the EU as having a DPA to the same standard as EU countries.
• The transfer may be lawful if the subject has given their consent, or if standard contractual clauses are in force.
• Or the non-EU country has a voluntary scheme recognised by the EU.
  • Safe Harbor: a voluntary scheme run by the US Department of Commerce. Under this scheme, participants sign up to a set of principles broadly similar to the 8 principles of the EU DPA.
http://www.actnow.org.uk/media/articles/Data_Protection_Act_1998_Transitional_Provisions.pdf
Exercise
Give an example of a common business activity involving the transfer of data from one country to another.
State all the measures that need to be taken for a transfer of data from the EU to a non-EU country to be lawful.
Activity
Run through some scenarios where the Computer Misuse Act can be used to decide whether the activity is legal or illegal.
Good examples are found on page 59, in Understanding ICT by Stephen Doyle (Nelson Thornes).
Run through some scenarios to determine whether the Data Protection Act has been breached or not.
Good examples are found on page 67, in Understanding ICT by Stephen Doyle (Nelson Thornes).
Resources
http://www.dataprotection.gov.uk/
http://www.admin.ox.ac.uk/oxonly/dp/
http://users.ox.ac.uk/~aesb/dpa.ppt