Legal Framework

Chapter 5

Learning outcomes

Explain difference between patent and copyrightComputer Miss use ActList 8 principles of Data protection 1998Explain what rights you have as a data subject in relation to persons or organisations holding you detailsExplain what companies must do to keep within the law if they keep records of individuals on manual or electronic fileExplain the legal implication of computer hacking

Intellectual property

Internet is not a zone copyright free zone.

Varying national laws affecting sites and the ease of downloading data make it harder for Internet publisher

But these rights still exists

Copyright vs patent

Copyright Rights to make copies, automatically belongs to the

author of any original or creative work. No one else may derive revenue from the work without

the copyright holder’s permission Copyrights, designs and patent Act 1988

• Covers moral rights:• Even if the author has assigned copyright to another party

and no longer drives revenue from a work, they still have the right to be recognised as the original author.

Patent Protects the right to exploit inventions, i.e. innovative computer hardware It does not exist automatically but it has to be granted

by a government patent office.

Copyright in computer software Copyright exists in works with are:

Original literary, dramatic, musical or artistic work

Sound recordings, films, broadcasts Typographical arrangements of published

editions Under the 1988 Act, computer programs are

classified as literary work. Copyrights protection includes the design

material and any documents provided with program

The Copyright, Designs and Patents Act 1989 covers:

Illegal copying of software. Illegal running of copyright software on more

than one machine unless covered by the licence.

Illegal for an organisation to encourage or pressure its employees to copy of distribute illegal software.

Copyright (cont’d)

Complications related to the Internet Files containing text and images or sound recording

can be rapidly transmitted through the Internet.• Hard to monitor

• Copies, pirate or even perfect reproduction of the original Computer processing documents creates transient

copies in the cache memory.• Although it occurs outside the user’s direct control• This could be a technical breach of copyright• Transient copies have been excluded from copyright

liability under European Copyright Directive 2001 and the UK copyrights and related right regulations 2003

Software Piracy

Software piracy can be defined as "copying and using commercial software purchased by someone else".

Software piracy is illegal.

Each pirated piece of software takes away from company profits, reducing funds for further software development initiatives.

Software information industry association (SIIA)

According to SIIA

Most of the software on ebay and other auction sites are illegal.

In 2008SIIA has managed to shut down

auction and classified ad site offering products worth a combined $25 million dollars.

Software patent

Computer programs are not in general recognised as innovations. Hence, they fall under copyright rather than patent law

UK and EU patents offices

Exceptions for programs which makes technical contributions. Or provide an improvement of existing technology.

• Improved program for translating between Japanese and English is not patentable as linguistics is a mental process.

• Image enhancement is patentable as it produces a technical improvement in a technical area.

• Can I patent computer software

http://www.intellectual-property.gov.uk/

See study guide pages 51-52-53 for more details

Defamation

Defamation: Consists of publishing a statement which

harms or is likely to harm someone’s reputation.

A defamation which is untrue falls under the law of either libel or slander.

• Libel: defamation made in a permanent form (written or printed)

• Slander: defamation made in a temporary form, e.g., spoken

Defamation via electronic communication Is generally classed as libel:

Email Newsgroups Web-pages

Internet service providers may be liable for the content of newsgroups or web-pages which they host

Employers may be liable for the content of email messages sent by employees. In 1997, the Norwich Union company paid £450,000 to a

health insurance, as result of libellous emails that have been circulated among the Norwich Union staff. (Internet law, p-28)

See study guide page 54 for more information.

Learning activity

The fact that employers could be prosecuted following defamatory emails has cited as one the justifications for the practice of monitoring employee’s use the Internet. Do you think this is reasonable?

The Computer Misuse Act 1990

The widespread use of computers and computer systems and the misuse of them in the 1980’s led to a law making it a criminal offence to do certain things.

The Act covers a variety of misuses that couldn’t be covered by the existing laws of the time. These include:

Deliberate damage by planting viruses Using computers to carry out unauthorised work Copying computer programs Hacking into a system to view private information Various frauds including stealing money from banks

The Computer Misuse Act Covers:

Unauthorised access to computer programs or data;

Unauthorised access with a further criminal intent;

Unauthorised modification of computer material (programs or data).

Three Specific Offences

Section 1 (unauthorised access)Access a program or data stored on a computer

• Knowing the access is unauthorised• This is why login screens often carry a message

saying that access is limited to authorised persons:• This may not prevent a determined hacker getting

access to the system.

The maximum prison sentence is 6 months.

Offences

Section 2: (unauthorised + further offence)Unauthorised access and intent of

committing a further offence,• Access private data, company records in

order to commit fraud, blackmail.

The maximum prison sentence is 5 years.

Offences Section 3: (unauthorised access + modification)

Unauthorised access plus Modification of the computers contents

• Altering data:• A nurse might use doctor’s password to alter patient’s drug

dosages and treatments records

• Removing data,• e.g. to cover up evidence of wrong doing

• Adding data:• e.g. sending email under a false name results in unauthorised

modifications to the content of the mail server.

The maximum prison sentence is 5 years.

What the CMA does not cover? Denial of service attacks, (see next

chapter) Sponsored links on websites

A company pays on for advertising only if a user click on the link

The advertiser’s competitors can click many times causing the advertiser to run up a bill which does not bring them new business.

What Data is Held on Individuals?

By institutions:

Criminal information, Educational information; Medical Information; Financial information; Employment information; Marketing information; Other: consider: mobile phones, ATM’s, city centre

cameras, store loyalty cards, credit cards, the Internet.

The Data Protection Act 1998 overview

General overview of the act• What is the act?• Definitions• Changes since 1984 act• Principles of the act

Transitional Relief Implications for Colleges and Departments Things to keep in mind Resources

What is the Data Protection Act?

Intended to balance interests of data subjects with data controllers.

Freedom to process data vs. privacy of individuals.

1984 act was updated by the 1998 act.On 24th on October 1998.Came into force on the 1st of March

2000.

Changes Since the 1984 Act

DPA 1998 Much broader than the old act. More rights for data subjects. Covers relevant manual filing systems. New category of data – sensitive data. Transitional relief:

• If data processing has been in effect before 24th of October then

• For automated data• Data controller has till 23rd of October to comply with the

act • For manual data

• Data controller has till 23rd of October 2007 to comply with the act.

Rules about export of data to non-EEA countries.

Definitions

Personal Data: is about a person who is alive and can be identified by that data.

Data Subject: is the individual that the data is about.

Processing: retrieving, holding, sorting, deleting

The Data Controller: is the person who is responsible for the control of the data in a

business or organisation. Relevant Filing System:

Readily accessible information about living individuals The Commissioner:

is the person responsible for enforcing the law, including ensuring the owners of the data use good practice, and the individuals are aware of their rights.

Data Protection Act 1998

PDA 1998 has 8 principles

Principles of the act – 1.

Non-sensitive Personal data must be processed fairly and lawfully and shall not be processed unless one of the below is met (schedule 2). Consent – the most important Contract Legal Obligation Vital interests of subject (life or death!) Public functions Balance of interest

Sensitive Personal Data

Racial or ethnic origin Political opinions Religious/similar beliefs (note food!) Trade Union Membership Health Sexual Life Offences

Sensitive Personal Data

May only be held if one of the below is met: Explicit and informed consent Employment Law Vital Interests of Subject Legal Proceedings Medical Purposes (by medical professionals) Equal opportunities monitoring

Principles of the act – 2.

Data must be obtained only for one or more specified lawful purposes.Must not use data for a new

incompatible purpose without subject’s consent.

Have a data protection statement explaining what data will be held and why and get consent from new students/staff as they arrive.

Principles of the act – 3 & 4.

Personal data must be adequate, relevant and not excessive.Must not stock up on data without a

reason that can be justified – consent! Personal data shall be accurate and

up-to-date.This is an ongoing requirement and

means data needs to be kept under constant review.

Principles of the act – 5.

Personal data may not be kept for any longer than is necessary for its stated purpose(s). This potentially creates a problem with old

staff/members data. Consent from all new staff/members to keep

their data after they have left as this is a different purpose to keeping it while they are here.

Principles of the act – 6.

Personal data must be processed in accordance with the rights of data subjectsThis means that you cannot do things that

violate the rights given to data subjects under the new act, especially denying access to data.

Rights of data subjects

Must be informed if personal data are being processed and given a description of the personal data and for what purpose it is being held for.

May prevent processing for purposes of direct marketing.

Right to see algorithms used in automated decision making (credit scoring etc.).

Compensation, rectification, blocking, destruction.

Access rights

Right to have communicated to him/her in an intelligible form the information constituting the data.

No right to rifle through filing systems, computers etc.

Right to be informed of logic involved in automated processing.

Request must be in writing, fee up to £10 may be charged and identity may be thoroughly checked.

Enforced Access

It is an offence to force subjects to exercise their access rights to data held by othersIncludes data about cautions, criminal

convictions and certain social security records

Right to prevent processing

Unwarranted substantial damage or distress to subject.

21 days to comply with request. Exemption if processing is necessary for

performance of contract with subject, or there is a legal obligation, or the vital interests of the subject are at stake.

Exemptions to access rights

Prevention and detection of crime Apprehension or prosecution of offenders Collection of tax or other duty Research, history, statistics. Exam marks – 40 days after date of

announcement or 5 months of access request.

Confidential references.

Principles of the act – 7.

Technical or organisational measures must be taken to prevent unauthorised or unlawful processing of data and accidental loss, damage or destruction of data.First is related to IT support staff

(backups, password security etc.) but everyone can help.

Second is about being careful with keys, having access controls

Principles of the act – 8.

Personal data may not be transferred overseas unless the receiving country has an adequate level of protection for it. US does not.

Transfer is OK if contract is in place with the abroad party or the subject has consented. Data Protection Commissioner is preparing

standard contracts.

International data transfer

Principle 8 puts restrictions on the transfer of data from EU to non-EU countries.For companies holding their call

centre in Asia. For this transfer to be lawful an

adequate

International data transfer (cont’d) For a transfer of data to non EU countries to be lawful,

an adequate an adequate level of data protection has achieved: Some countries are recognised by EU to having a

DPA to the same standard as EU countries The transfer may be lawful if the subject has given

their consent or Of standard contractual clauses are in force. Or the non EU country has a voluntary scheme

recognised by EU• Safe-Harbor: a voluntary scheme by the US dept of

commerce. Under this scheme a set of principle broadly similar to the 8 principle of the EU DPA

http://www.actnow.org.uk/media/articles/Data_Protection_Act_1998_Transitional_Provisions.pdf

Exercise

Give an example of common business activity involving transfer of data from one country to another

State all the measures that needs to be taken for a transfer of from EU to non EU to be lawful.

Activity

Run through some scenarios where the Computer Misuse Act can be used to decide whether the activity is legal or illegal.

Good examples are found on page 59, in Understanding ICT by Stephen Doyle (Nelson Thornes).

Run through some scenarios to determine whether the Data Protection Act has been breached or not.

Good examples are found on page 67, in Understanding ICT by Stephen Doyle (Nelson Thornes).

Resources

http://www.dataprotection.gov.uk/

http://www.admin.ox.ac.uk/oxonly/dp/

http://users.ox.ac.uk/~aesb/dpa.ppt

data.protection@admin.ox.ac.uk