Explain the current ethical, legal and environmental impacts and risks of digital technology on society. Where data privacy issues arise these should be considered.
Exam questions will be taken from the following areas:
Students will be expected to understand and explain the general principles behind the issues rather than have detailed knowledge on specific issues.
Students should be aware that ordinary citizens normally value their privacy and may not like it when governments or security services have too much access.
Students should be aware that governments and security services often argue that they cannot keep their citizens safe from terrorism and other attacks unless they have access to private data.
More Important Acts
The Data Protection Act 1998 (DPA) - will prevent people's information getting spread around the world, preventing the likeliness of crimes toward said person. (more...)
The Freedom of information Act 2000 (FOI) - covers the right to access information on activities carried out by public bodies. (more...)
The Computer Misuse Act 1990 (CMA)- covers hacking. (more...)
The Copyright, Designs and Patents Act 1988 - covers copyright. (more...)
Less Important Acts
The Regulation of Investigatory Powers Act 2000 (RIPA)- covers central and local government looking at workers' email security etc. (more...)
The Proection of Freedoms Act 2012 - strengthens the FOI Act with respect to DNA, fingerprints and footprints. (more...)
The Privacy and Electronic Communications Regilations 2003 (amended 2011) - covers unsolicited phone calls and emails. (more...)
The Information Commissioner's Office (ICO) code of practice - covers how an organisation should behave. (more...)
The Equality Act 2011 (EQA) - is a consolidation act that covers protecting UK citizens from discrimination. (more...)
The Communications Act 2003 - is often used when people send offensive emails etc. (more...)
The Digital Economy Act 2010 - covers software piracy. (more...)
The Malicious Communication Act 1988 (MCA) - covers Internet trolls and other formas of digital and non-digital harrassment. (more...)
The DPA governs the way in which organisations collect, process and store private data. There are 8 key principles. The Information Commisioner's Office (ICO) in its own summary of the act uses key phrases that you can use to remind yourself of the various provisions.
- 1. (fair and lawful) Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- 2. (purposes) Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- 3. (adequacy) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- 4. (accuracy) Personal data shall be accurate and, where necessary, kept up to date.
- 5. (retention) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- 6. (rights) Personal data shall be processed in accordance with the rights of data subjects under this Act.
- 7. (security) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- 8. (international) Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This act can apply (or not) in interesting ways that at first sight might not seem important. There are a number of "personality tests" (such as are you a cat or a dog person) that ask questions and automatically produce a response. Under principle 6 (rights) the subject would have the right to ask for the reasoning behind such decisions; however as neither the results nor indeed the answers to the various questions are stored such a request would fail. However what would be the case if the answers were being stored and used for other purposes?
There are exemptions to the act. For example: The police process an individual’s personal data because they suspect him of involvement in a serious crime. If telling the individual they are processing his personal data for this purpose would be likely to prejudice the investigation (perhaps because he might abscond or destroy evidence) then the police do not need to do so.
In 1998, the European Court of Human Rights stated that UK surveillance laws were unclear and that there was nothing in place to prevent abuses of power by organisations regarding the interception of electronic communications. It was decided that UK surveillance laws and practice must be tighter in order to protect the individual's rights to privacy. As a result, the Regulation of Investigatory Powers Act was passed in 2000.
This Act was passed to provide a legal framework for organisations such as the security services and the police to carry out surveillance and to access electronic, postal and digital communications on individuals. It also makes it a crime for anyone who is not authorised under the Act to carry out surveillance and monitoring of communications. The aim of allowing certain organisations to intercept communications is to:
- Prevent or detect crimes
- Prevent public disorder from occurring
- To ensure national security and the safety of the general public
- To investigate or detect any abnormal or illegal use of telecommunication systems.
When the Act was originally passed in 2000 only nine organisations such as MI5 and the police were allowed to invoke the ability to intercept and monitor our electronic communications. However by 2008 the number of organisations has risen to almost 1,000. There are a number of people who regard the RIPA regulations as excessive and a threat to privacy and civil liberties in the UK. They are becoming increasingly concerned that the RIPA is being used to monitor things that were not within the original remit of the Act.
See the various links for information regarding the misuse of RIPA.
This act strengthens and develops the FOI Act with respect to DNA, fingerprints and footprints. Here, is a brief overview of the changes:
Part 1: Biometric Data. The Act removes existing police powers to retain biometric data from suspects who are not or convicted of any offence. It also reduces the length of time for which data can be retained, with only the data of those convicted of the most serious offences being subject to ‘indefinite’ retention.
Part 2: Surveillance. This Part requires a new Code of Practice on surveillance technologies and the appointment of a Surveillance Camera Commissioner to oversee and review the operation of the Code.
Part 3: Protecting property. This Part repeals a number of existing powers for authorities to enter private property and, interestingly, provides a discretionary power to repeal any power of entry or associated power that a national authority deems inappropriate or unnecessary. It also introduces an offence for clamping without lawful authority (private clampers beware!).
Part 4: Counter-terrorism. This Part alters the law relating to stop and search for suspected terrorists and reduces the maximum period of detention without charge from 28 to 14 days.
Part 5: Safeguarding the vulnerable and criminal records. Criminal records disclosure is required for anyone working or involved in activities with vulnerable groups. This Part takes some activities completely outside the scope of the regime, and changes the rules relating to disclosure, giving applicants, rather than the Criminal Records Bureau, greater control over who is provided with their information.
Part 6: Data protection and freedom of information. This part gives the right to have certain data provided in an electronic form suitable for re-use, and clarifies the meaning of “publicly-owned company” (to which the Freedom of Information Act applies). It also amends provisions relating to the appointment, role and tenure of the Information Commissioner.
Part 7: Miscellaneous. This part introduces offences of trafficking people for sexual exploitation and labour, and new offences relating to stalking (included in this Act, one presumes, because both infringe upon the personal freedoms of others).
PECR covers unsolicited phone calls and emails.
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.
There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
The ICO aims to help organisations comply with PECR and promote good practice by offering advice and guidance. The ICO will take enforcement action against organisations that persistently ignore their obligations, starting with those that generate the most complaints.
Privacy and Electronic Communications Regulations (PECR) is an implementation of the European Union (EU) e-Privacy Directive in the United Kingdom.
PECR regulations restrict the processing and sharing of personal traffic data and location data and provide for access to users’ personal data in the interest of national security. The information commissioner has the power to audit the measures taken by a provider of public electronic communications services to comply with personal data breach notification and recording requirements.
The main changes for the 2012 revision relate to new rules for websites using cookies, or similar technologies, as well as new powers that allow the information commissioner to fine organizations up to £500,000 for serious breaches of the regulations. The PECR cookie rules now demand website owners get consent from visitors before using cookies. This is in addition to the existing requirement for websites to provide information about their cookie usage. The cookie rules apply to any means of storing information or gaining access to information stored on a user’s device, except for where the storage or access is vital for a service requested by the user. The latest PECR rules also require communications providers to set up procedures for responding to requests for access to users’ personal data for national security and law enforcement purposes.
The FOI covers the right to access information on activities carried out by public bodies.
The Freedom of Information Act 2000 provides public access to information held by public authorities. It does this in two ways:
- public authorities are obliged to publish certain information about their activities; and
- members of the public are entitled to request information from public authorities.
The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.
Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.
Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.
The Act does not give people access to their own personal data (information about themselves) such as their health records or credit reference file. If a member of the public wants to see information that a public authority holds about them, they should make a subject access request under the Data Protection Act 1998.
The Computer Misuse Act covers hacking and associated unauthorised access very badly. It has to be one of the most toothless worthless pieces of legislation ever written.
The Computer Misuse Act is divided into three offences:
- 1. Unauthorised access to computer material.
- 2. Unauthorised access with intent to commit or facilitate commission of further offences.
- 3. Unauthorised modification of computer material.
The Computer Misuse Act 1990 (CMA) is an act of the UK Parliament passed in 1990. CMA is designed to frame legislation and controls over computer crime and Internet fraud. The legislation was created to criminalize unauthorized access to computer systems and to deter serious criminals from using a computer in the commission of a criminal offence or seek to hinder or impair access to data stored in a computer.
The CMA is broad and sweeping, but has also been broadly and liberally applied in the courts. This has raised concerns among privacy advocates and those who believe in circumscribing government influence on daily life and behaviour. Nevertheless, the CMA has served as a model for computer crime legislation in other Commonwealth countries.
However it cannot be regarded as successful legislation. The National Fraud Intelligence Bureau showed that for the UK as a whole, more than £670m was lost to the ten most common online frauds between 1 September 2013 and 31 August 2014. The Government does not know the actual loss to both business and people because cyber crime is vastly under-reported. The FBI says it is now more lucrative than drug trafficking worldwide. But between 1990 to 2006 only 183 defendants were proceeded against and 134 found guilty under the Computer Misuse Act. Over this period there were five years when there were no prosecutions, and a further ten with fewer than 20. A parliamentary answer to Elfyn Llwyd MP showed that from 2007 to 2013 there were 156 prosecutions with 128 leading to a finding of guilt which is only 1.5 per month.
The ICO provides a number of its "Codes of Practice" on various data issues that cover how an organisation should behave. These documents reflect current thinking on the legal aspects if data sharing and privacy for example.
The Copyright, Designs and Patents Act has two main purposes to ensure that people are rewarded for their endeavours (intellectual copyright) and to give protection to the copyright holder if someone tries to steal or copy their work.
EQA is a consolidation act that covers protecting UK citizens from discrimination. At the moment, there are several different laws to protect people from discrimination on grounds of:
- • race
- • sex
- • sexual orientation (whether being lesbian, gay, bisexual or heterosexual)
- • disability (or because of something connected with their disability)
- • religion or belief
- • being a transsexual person (transsexuality is where someone has changed, is changing or has proposed changing their sex – called ‘gender reassignment’ in law)
- • having just had a baby or being pregnant
- • being married or in a civil partnership (this applies only at work or if someone is being trained for work), and
- • age (this applies only at work or if someone is being trained for work).
The Equality Act 2010 simplifies the current laws and puts them all together in one piece of legislation. Also, it makes the law stronger in some areas. So depending on your circumstances, the new Act may protect you more.
The Communications Act is a huge piece of complex legislation pertaining to the ownership of television, the creation of Ofcom and the de-regulation of the electromagnetic spectrum (radio and television) that contains section 127 that is often used when people send offensive emails or other communications. This has been used in relation to some rather outrageous jokes and there is a perceived threat to freedom of expression when some of the cases brought under section 127 have been considered in the press.
The Digital Economy Act was a hastily written and carelessly reviewed piece of legislation enacted in the "wash-up" phase of the outgoing administration that in part covers software piracy and many other digital issues. Passed in 2010, the Digital Economy Act is intended to tackle copyright infringement. It proposes to do this through letters and sanctions against alleged individual infringers and by blocking access to websites. But it is so badly conceived that it threatens to disconnect innocent people from the internet if they are accused of infringement, and could undermine the availability of public Wi-fi.
This originally covered printed material but now includes electronic material; the right not to be harassed. Under the Malicious Communications Act 1988 it is an offence to “send or deliver letters or other articles for the purpose of causing distress or anxiety”. Or more simply it is an offence to send messages to another person which are “indecent or grossly offensive”, threatening or false.
This means that any message sent, such as a letter, text message (SMS) and Tweets on Twitter or Facebook messages etc. that could be considered indecent or grossly offensive can be an offence under this act. The message does not have to reach the intended recipient for an offence to occur.
Given the multitude of security and privacy laws within the EU, knowing which ones have bearing on a business can be confusing.
Compliance Regulation and Standard Requirements
The number of laws and regulations that have an impact on organisations operating within the EU can be bewildering. Many of these European privacy laws have a direct bearing on how organisations must operate, which, in turn, can influence or determine the type of information security controls those organisations need to put in place. For example, businesses need to be familiar with relevant regulations and UK security laws, such as the Data Protection Act, which prescribes how personal or sensitive information has to be processed and protected, to ensure their operations are compliant.
From a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy.
There is an entire section of ISO 27001 Information Security Management dedicated to compliance. The objective of control A.15.1 in ISO 27001 Annex A is to avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. "A.15.1.1 Identification of applicable legislation" states that all relevant statutory, regulatory and contractual requirements should be explicitly defined and documented and kept up to date for each information system and for the organisation as a whole.
With some laws, it is easy to see the impact they have on security posture, policies and procedures. Section 221 of the Companies Act 1985, for example, clearly states that accounting records must be kept. Section 222 of the same act states that private companies must keep these accounting records for three years from the date on which they are made, and public companies must keep them for six years. The requirements of section 222 can be easily included in a document retention policy and data classification policy to ensure the necessary documents and data are kept secure with controlled access for the legally required period of time. These measures will satisfy control A.15.1.3 of ISO 27001, as well, which requires important organisational records be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements.
The purpose of the Computer Misuse Act 1990 is common sense; it makes the unauthorised access to computer material an offence. However, an employer is vicariously liable for the wrongful or negligent acts of employees committed within the general scope of their employment. That means the company's acceptable usage policy should cover unauthorised access to computer material in order to strengthen their position, should an employee be charged under the act. Since using an open wireless network without permission has been deemed an offence under the act, this should be covered, too.
Other acts can be more difficult to enforce. The Copyright, Designs and Patents Act 1988 is a good example. It clearly states computer software is protected by copyright and using it without a licence is a copyright infringement. Your intellectual property rights policy, control of software procedure and network user agreement will cover this area in some detail. However, new technologies and services like Twitter are challenging because they blur the line between public domain and copyrighted material, often making it more difficult to recognise whether material is copyrighted. In fact, the laws relating to copyright are being fiercely debated and reviewed, and legal guidance should be sought to ensure your organisation is up to date with how information collected via the Internet can and can’t be used.
There are other acts that, at first glance, may appear to have no relevance to your business at all, but in reality can have a major impact if they’re not fully understood and appreciated.
The Freedom of Information Act 2000 is a good example. This legislation guarantees access to data held by the state by establishing a "right-to-know" legal process by which requests may be made for government-held information. Anyone of any nationality, living anywhere in the world, can make a written request for information, and expect a response within 20 working days. (Someone requesting his or her personal data is handled as a Subject Access Request under the Data Protection Act.)
The Freedom of Information Act 2000 applies to most public authorities, which are obliged to meet requests, subject to a number of specified exemptions and certain practical and financial constraints. It also applies to companies that are wholly owned by public authorities.
However, other companies may also be affected. If your organisation has a contract with a public authority or company directly covered by the act, the reports presented as part of your contract’s deliverables may contain sensitive information you would not want to be made public. But, as this information is now government-held data, it is accessible by anyone requesting it -- a member of the public or a competitor. Even a failed tender bid document, revealing your pricing and propriety processes, may potentially end up being disclosed.
Trying to circumvent this law with a blanket confidentiality clause is unlikely to be accepted by public authorities or by the Information Commissioner. The best approach is to consider whether particularly sensitive data really needs to be included in any documents submitted to government agencies. It is a good idea to segregate confidential and non-confidential material to reduce the risk of inadvertent disclosure and to increase the likelihood that a limited-confidentiality exemption applies.
A business should also negotiate a clause in the contract that provides a right to be notified about, and make submissions in relation to an information request that may contain your commercially sensitive information. This must be backed up by a procedure to ensure that, if a request for comments is received from a public authority, you can deal with it promptly and your views are put forward and considered in good time.
A law firm currently use a Local Area Network (LAN) linked to a Wide Area Network (WAN). They
want to upgrade their system to utilise cloud storage.
(a) Define what is meant by a Wide Area Network. [1 mark]
(b) Explain two advantages to the law firm of storing their data in the cloud. [4 marks]
(c) Explain two disadvantages to the law firm of storing their data in the cloud. [4 marks]
(d) Fig. 3 lists some actions that may take place in the law firm’s office. Tick () one box in each row to show which legislation applies to each action. [6 marks]
Patents Act 1988
|Using a picture for the law firm’s new logo without the original creators permission.|
|A secretary accessing a lawyer’s personal email account without permission.|
|Making a copy of the latest Hollywood blockbuster movie and sharing it with a client.|
|Storing customer data insecurely.|
|A lawyer installing a key logger on the secretary’s computer.|
|Selling clients personal legal data to a marketing company without their permission.|
9 * Even though the computer devices they own still work, people often want to buy the most up-todate
models, such as the latest smartphone.
Discuss the impact of people wanting to upgrade to the latest smartphone.
In your answer you might consider the impact on:
- ethical issues
- environmental issues [8 marks]
Useful links for Green IT