JS

Saturday, April 25, 2009

Legal Issues for IT Professionals

An Introductory Overview of Legal Issues for IT Professionals in the UK
This knol provides an introductory overview of the main pieces of UK legislation that are relevant to IT professionals. It includes a brief discussion of some cross national issues, including the Gary McKinnon case, the US PATRIOT Act and the Council of Europe Convention on Cybercrime.

This knol provides an introductory overview of the main legal issues and pieces of legislation that are relevant to IT professionals in the UK. Three of the most significant ones - the Computer Misuse Act, the Data Protection Act and Intellectual Property Rights - are expanded more fully in their own independent knols.

Computer Misuse Act 1990
The Computer Misuse Act (CMA) [1] - the so-called "hacking law" - is designed to prevent unauthorised access to computer systems. The Act creates three categories of offence.

1. Unauthorised access to computer material.

This deals with unauthorised access to computer systems without the intent to commit serious crime such as fraud. It is regarded as a relatively minor offence and can be dealt with in Magistrate's courts.

2. Unauthorised access with intent to commit or facilitate commission of further offences.

This deals with unauthorised access to computer systems with the specific intention of committing, or facilitating the commission, of a serious crime. This is a much more serious offence, and is dealt with at the Crown Court.

3. Unauthorised modification of computer material.

This covers unauthorised modification of computerised information, and thus includes viruses, logic bombs, and trojans. This is also a very serious offence.

There is more detail about this Act in a separate knol - Computer Misuse Act 1990.

Data Protection Act 1998
The Data Protection Act 1998 (DPA) [2] replaces the earlier act of 1984, and is intended to implement the 1995 European Directive on Data Protection. It is designed to cover the collecting, storing, processing and distribution of personal data. The act places obligations on those who record and use personal data and it gives rights to individuals about whom information might be held. Most significantly, the Subject Access Right entitles any individual to ask for, and be given, details of any personal data about them that is being stored or processed.

The Information Commissioner [3] is an independent government authority, with responsibilities to provide information and advice in relation to the Act, and to enforce compliance with it.

There is more detail about this Act in a separate knol - Data Protection Act 1998.

Freedom of Information Act 2000
The Freedom of Information Act 2000 (FOIA) [4] gives individuals the right to access information held by public authorities. It differs from the Data Protection Act in that, amongst other things, it is not restricted to personal data. It gives the individual the right to do two things.

* To ask any public organisation covered by the Act what information it has on any subject you specify.

* If the organisation has the information, to be given copies.

Providing the information is not legally exempt from disclosure, the organisation must tell you what it has and give it to you within twenty working days. In many cases, even if it withholds the information, it at least has to tell you what it has.

A private company may be affected by the Act if data on the private company is held by a public authority. This may happen when, for example, the company has had a contract to supply goods or services to the public authority. In such cases the data may be subject to the Act.

The Information Commissioner [3] is an independent government authority, with responsibilities to provide information and advice in relation to the Act, and to enforce compliance with it.
This list of BBC news stories made possible by the Freedom of Information Act is a vivid illustration of the impact that the Act has had.

Intellectual Property Rights
Intellectual property (IP) allows people to own their creativity and innovation in the same way that they can own physical property. The owner of IP can control how others use his ideas, in order to profit from them. This benefits wider society, as well as the owner, because it encourages further innovation and creativity.

There are a variety of legal rights that can be used to protect IP. These include: patents, copyright and database rights. The owner of an IP right may exploit, and benefit from, that right by a number of means.

* They may use it directly in the creation of products or services – either for their own use or for sale.
* They may license the IP right so that others may make use of it – and be paid for the license.
* They may sell the IP right to a third party.

The most common method of protecting computer software is copyright. The copyright holder sells the user a license to use the software. The user is allowed to use the software but never owns it.

The UK Intellectual Property Office [5] contains detailed information about a wide range of IP rights. The principal legislation on IP protection in the UK can be found in the Copyright, Designs and Patents Act 1988 [6].

There is more detail about intellectual property rights in a separate knol - Intellectual Property for IT Professionals.

Health and Safety at Work
The Health and Safety at Work Act 1974 [7], and related legislation, imposes rights and responsibilities in relation to safety in the workplace.

* It is an employer’s duty to protect the health, safety and welfare of their employees, and other people who might be affected by what they do.
* It is an employee’s responsibility to take reasonable care of their own health and safety, and that of others who may be affected by what they do or do not do.

The Act provides for protection against - e.g. - bullying and harassment, as well as the more obvious physical aspects of health and safety.

The Health and Safety (Display Screen Equipment) Regulations 1992 [8] provide specific regulations relating to the use of display equipment and computer workstations. The Regulations require employers to minimise the risks in VDU work by ensuring that workplaces and jobs are well designed.

The Health and Safety Executive [9] is an independent body whose job is to protect people against risks to health or safety arising out of work activities.

Public Interest Disclosure Act 1998

The Public Interest Disclosure Act 1998 [10] - the so-called whistleblowers' law - protects workers who raise concerns over any of the following malpractices at work:

* a criminal offence
* the breach of a legal obligation
* a miscarriage of justice
* a danger to the health and safety of any individual
* damage to the environment
* deliberate covering up of information tending to show any of the above

The Act protects whistleblowers from being victimised or sacked as a result of their whistleblowing. Although the Act provides protection, there are still risks for the whistleblower and this is not something that should be undertaken lightly. Martin (1999) [11] gives detailed information and advice to anyone who is considering becoming a whistleblower.

WorldWideWhistleBlowers [12] provides a "forum and informational source for those brave individuals who would like to go public with evidence of actions contrary to the public good".

Defamation Act 1996
The Defamation Act 1996 [13] makes it an offence in the U.K. to disseminate defamatory statements, including any via e-mail or on a bulletin board. The same act allows a defence of innocent dissemination, which recognises that there is no offence if you don't know that you're disseminating such statements. This means that, for example, an internet service provider may not be responsible for defamatory materials published on his server.

Consumer Protection (Distance Selling) Regulations 2000
A range of UK laws apply to the sale of goods, regardless of whether that sale is completed in person, by mail order, or via the internet. Most of them are only applicable to the UK. Internet-based sales are usually treated in the same way as ‘mail order’. If you are buying from companies based in the UK the Consumer Protection (Distance Selling) Regulations 2000 [14] apply. The key features of these regulations are:

* The consumer must be given clear information about the goods or services offered.
* After making a purchase the consumer must be sent confirmation.
* The consumer has a cooling-off period of 7 working days, during which time they may cancel their order.

A Cross National Perspective
Other nations have laws that parallel the UK legislation described above. They may not always have the same names and they may not be exactly equivalent in every detail, but there is frequently a lot of overlap. Due to the global nature of communication technologies, it is increasingly important to be aware of the situation beyond the UK.

Council of Europe Convention on Cybercrime

The Council of Europe Convention on Cybercrime [15] deals with crimes - involving infringements of copyright, computer-related fraud, child pornography and violations of network security - committed via computer networks. It aims to promote international co-operation towards a common criminal policy aimed at the protection of society against cybercrime.

The list of signatories [16] to the Convention includes France, Germany, UK, USA and Japan.

The United States PATRIOT Act 2001
The PATRIOT Act - Providing Appropriate Tools Required to Intercept and Obstruct Terrorism - was part of the United States' response to the 9/11 attacks. Amongst other things, this legislation strengthened the US computer misuse laws to include:

"a computer located outside the United States that is used in a manner that affects inter-state or foreign commerce or communication of the United States"

Worries have been expressed that this may be interpreted as applying to data that simply passes through the USA. Many of the Act's provisions had a sunset clause, which meant that they would have ceased to be law in 2005. In the months preceding the sunset date, supporters of the Act pushed to make its sunsetting provisions permanent. They largely succeeded, and the Act was reauthorised in 2005.

The Gary McKinnon Case
In November 2002 Gary McKinnon, a UK citizen, was arrested on suspicion of hacking into US military computer networks the previous year. He had allegedly used computers located in the UK to hack into US computers, without physically visiting the US.

Mr McKinnon was originally arrested under the UK Computer Misuse Act, a crime for which he might reasonably have expected a community service sentence. Unfortunately for him - as it turned out - the Crown Prosecution Service did not charge him.

In 2005 the United States government began extradition proceedings. If extradited to the US, Mr McKinnon faces up to seventy years in prison. He is contesting the extradition, arguing that the alleged crimes were committed in the UK and so he should face trial in the UK rather than the USA.
