Learning outcomes
- Explain the difference between patent and copyright
- Computer Misuse Act
- List the 8 principles of the Data Protection Act 1998
- Explain what rights you have as a data subject in relation to persons or organisations holding your details
- Explain what companies must do to keep within the law if they keep records of individuals on manual or electronic file
- Explain the legal implications of computer hacking

Intellectual property
- The Internet is not a copyright-free zone.
- Varying national laws affecting sites and the ease of downloading data make it harder for Internet publishers
- But these rights still exist

Copyright vs patent
Copyright
- Right to make copies; automatically belongs to the author of any original or creative work.
- No one else may derive revenue from the work without the copyright holder’s permission
- Copyright, Designs and Patents Act 1988
- Covers moral rights:
  - Even if the author has assigned copyright to another party and no longer derives revenue from a work, they still have the right to be recognised as the original author.
Patent
- Protects the right to exploit inventions, i.e. innovative computer hardware
- It does not exist automatically but has to be granted by a government patent office.

Copyright in computer software
- Copyright exists in works which are:
  - Original literary, dramatic, musical or artistic works
  - Sound recordings, films, broadcasts
  - Typographical arrangements of published editions
- Under the 1988 Act, computer programs are classified as literary works.
- Copyright protection includes the design material and any documents provided with the program

The Copyright, Designs and Patents Act 1989 covers:
- Illegal copying of software.
- Illegal running of copyright software on more than one machine unless covered by the licence.
- Illegal for an organisation to encourage or pressure its employees to copy or distribute illegal software.

Copyright (cont’d)
Complications related to the Internet
- Files containing text and images or sound recordings can be rapidly transmitted through the Internet.
  - Hard to monitor
  - Copies, pirate or even perfect reproductions of the original
- Computer processing of documents creates transient copies in the cache memory.
  - Although it occurs outside the user’s direct control
  - This could be a technical breach of copyright
  - Transient copies have been excluded from copyright liability under the European Copyright Directive 2001 and the UK Copyright and Related Rights Regulations 2003

Software Piracy
- Software piracy can be defined as "copying and using commercial software purchased by someone else".
- Software piracy is illegal.
- Each pirated piece of software takes away from company profits, reducing funds for further software development initiatives.

According to SIIA
- Most of the software on eBay and other auction sites is illegal.
- In 2008 SIIA managed to shut down auction and classified ad sites offering products worth a combined $25 million.

Software patent
- Computer programs are not in general recognised as innovations. Hence, they fall under copyright rather than patent law
- UK and EU patent offices
  - Exceptions for programs which make technical contributions or provide an improvement of existing technology.
  - An improved program for translating between Japanese and English is not patentable, as linguistics is a mental process.
  - Image enhancement is patentable, as it produces a technical improvement in a technical area.
- Can I patent computer software?
- See study guide pages for more details

Defamation
- Defamation: consists of publishing a statement which harms or is likely to harm someone’s reputation.
- A defamation which is untrue falls under the law of either libel or slander.
- Libel: defamation made in a permanent form (written or printed)
- Slander: defamation made in a temporary form, e.g., spoken

Defamation via electronic communication
- Is generally classed as libel:
  - Newsgroups
  - Web pages
- Internet service providers may be liable for the content of newsgroups or web pages which they host
- Employers may be liable for the content of messages sent by employees.
- In 1997, the Norwich Union company paid £450,000 to a health insurer, as a result of libellous emails that had been circulated among the Norwich Union staff. (Internet law, p-28)
- See study guide page 54 for more information.

Learning activity
- The fact that employers could be prosecuted following defamatory emails has been cited as one of the justifications for the practice of monitoring employees’ use of the Internet. Do you think this is reasonable?

The Computer Misuse Act 1990
- The widespread use of computers and computer systems, and the misuse of them, in the 1980s led to a law making it a criminal offence to do certain things.
- The Act covers a variety of misuses that couldn’t be covered by the existing laws of the time. These include:
  - Deliberate damage by planting viruses
  - Using computers to carry out unauthorised work
  - Copying computer programs
  - Hacking into a system to view private information
  - Various frauds including stealing money from banks

The Computer Misuse Act covers:
- Unauthorised access to computer programs or data;
- Unauthorised access with a further criminal intent;
- Unauthorised modification of computer material (programs or data).

Three Specific Offences
Section 1 (unauthorised access)
- Access a program or data stored on a computer
- Knowing the access is unauthorised
- This is why login screens often carry a message saying that access is limited to authorised persons:
  - This may not prevent a determined hacker getting access to the system.
- The maximum prison sentence is 6 months.

Offences
Section 2 (unauthorised access + further offence)
- Unauthorised access with the intent of committing a further offence,
- Access private data or company records in order to commit fraud or blackmail.
- The maximum prison sentence is 5 years.

Offences
Section 3 (unauthorised access + modification)
- Unauthorised access plus
- Modification of the computer’s contents
  - Altering data: a nurse might use a doctor’s password to alter patients’ drug dosages and treatment records
  - Removing data, e.g. to cover up evidence of wrongdoing
  - Adding data: e.g. sending email under a false name results in unauthorised modifications to the content of the mail server.
- The maximum prison sentence is 5 years.

What does the CMA not cover?
- Denial of service attacks (see next chapter)
- Sponsored links on websites
  - A company pays for advertising only if a user clicks on the link
  - The advertiser’s competitors can click many times, causing the advertiser to run up a bill which does not bring them new business.

What Data is Held on Individuals?
By institutions:
- Criminal information;
- Educational information;
- Medical information;
- Financial information;
- Employment information;
- Marketing information;
- Other: consider mobile phones, ATMs, city centre cameras, store loyalty cards, credit cards, the Internet.

The Data Protection Act 1998 overview
- General overview of the act
  - What is the act?
  - Definitions
  - Changes since 1984 act
  - Principles of the act
  - Transitional Relief
- Implications for Colleges and Departments
- Things to keep in mind
- Resources

What is the Data Protection Act?
- Intended to balance interests of data subjects with data controllers.
- Freedom to process data vs. privacy of individuals.
- 1984 act was updated by the 1998 act.
  - On 24th of October 1998.
- Came into force on the 1st of March 2000.

Changes Since the 1984 Act
DPA 1998
- Much broader than the old act.
- More rights for data subjects.
- Covers relevant manual filing systems.
- New category of data – sensitive data.
- Transitional relief:
  - If data processing has been in effect before 24th of October then
    - For automated data: data controller has till 23rd of October to comply with the act
    - For manual data: data controller has till 23rd of October 2007 to comply with the act.
- Rules about export of data to non-EEA countries.

Definitions
- Personal Data: is about a person who is alive and can be identified by that data.
- Data Subject: is the individual that the data is about.
- Processing: retrieving, holding, sorting, deleting
- The Data Controller: is the person who is responsible for the control of the data in a business or organisation.
- Relevant Filing System: readily accessible information about living individuals
- The Commissioner: is the person responsible for enforcing the law, including ensuring the owners of the data use good practice, and the individuals are aware of their rights.

Data Protection Act 1998
- DPA 1998 has 8 principles

Principles of the act – 1.
- Non-sensitive personal data must be processed fairly and lawfully and shall not be processed unless one of the below is met (schedule 2).
  - Consent – the most important
  - Contract
  - Legal Obligation
  - Vital interests of subject (life or death!)
  - Public functions
  - Balance of interest

Sensitive Personal Data
- Racial or ethnic origin
- Political opinions
- Religious/similar beliefs (note food!)
- Trade Union Membership
- Health
- Sexual Life
- Offences

Sensitive Personal Data
May only be held if one of the below is met:
- Explicit and informed consent
- Employment Law
- Vital Interests of Subject
- Legal Proceedings
- Medical Purposes (by medical professionals)
- Equal opportunities monitoring

Principles of the act – 2.
- Data must be obtained only for one or more specified lawful purposes.
- Must not use data for a new incompatible purpose without subject’s consent.
- Have a data protection statement explaining what data will be held and why, and get consent from new students/staff as they arrive.

Principles of the act – 3 & 4.
- Personal data must be adequate, relevant and not excessive.
  - Must not stock up on data without a reason that can be justified – consent!
- Personal data shall be accurate and up-to-date.
  - This is an ongoing requirement and means data needs to be kept under constant review.

Principles of the act – 5.
- Personal data may not be kept for any longer than is necessary for its stated purpose(s).
- This potentially creates a problem with old staff/members data.
- Consent from all new staff/members to keep their data after they have left, as this is a different purpose to keeping it while they are here.

Principles of the act – 6.
- Personal data must be processed in accordance with the rights of data subjects
- This means that you cannot do things that violate the rights given to data subjects under the new act, especially denying access to data.

Rights of data subjects
- Must be informed if personal data are being processed and given a description of the personal data and the purpose for which it is being held.
- May prevent processing for purposes of direct marketing.
- Right to see algorithms used in automated decision making (credit scoring etc.).
- Compensation, rectification, blocking, destruction.

Access rights
- Right to have communicated to him/her in an intelligible form the information constituting the data.
- No right to rifle through filing systems, computers etc.
- Right to be informed of logic involved in automated processing.
- Request must be in writing, fee up to £10 may be charged and identity may be thoroughly checked.

Enforced Access
- It is an offence to force subjects to exercise their access rights to data held by others
- Includes data about cautions, criminal convictions and certain social security records

Right to prevent processing
- Unwarranted substantial damage or distress to subject.
- 21 days to comply with request.
- Exemption if processing is necessary for
  - performance of contract with subject, or
  - there is a legal obligation, or
  - the vital interests of the subject are at stake.

Exemptions to access rights
- Prevention and detection of crime
- Apprehension or prosecution of offenders
- Collection of tax or other duty
- Research, history, statistics.
- Exam marks – 40 days after date of announcement or 5 months of access request.
- Confidential references.

Principles of the act – 7.
- Technical or organisational measures must be taken to prevent unauthorised or unlawful processing of data and accidental loss, damage or destruction of data.
- First is related to IT support staff (backups, password security etc.) but everyone can help.
- Second is about being careful with keys, having access controls

Principles of the act – 8.
- Personal data may not be transferred overseas unless the receiving country has an adequate level of protection for it.
- US does not.
- Transfer is OK if a contract is in place with the overseas party or the subject has consented.
- Data Protection Commissioner is preparing standard contracts.

International data transfer
- Principle 8 puts restrictions on the transfer of data from EU to non-EU countries.
- For companies holding their call centre in Asia.
- For this transfer to be lawful an adequate

International data transfer (cont’d)
- For a transfer of data to non-EU countries to be lawful, an adequate level of data protection has to be achieved:
  - Some countries are recognised by the EU as having a DPA to the same standard as EU countries
  - The transfer may be lawful if the subject has given their consent or
  - standard contractual clauses are in force.
  - Or the non-EU country has a voluntary scheme recognised by the EU
- Safe-Harbor: a voluntary scheme by the US Dept of Commerce. Under this scheme a set of principles broadly similar to the 8 principles of the EU DPA

Exercise
- Give an example of a common business activity involving transfer of data from one country to another
- State all the measures that need to be taken for a transfer from EU to non-EU to be lawful.

Activity
- Run through some scenarios where the Computer Misuse Act can be used to decide whether the activity is legal or illegal.
  - Good examples are found on page 59, in Understanding ICT by Stephen Doyle (Nelson Thornes).
- Run through some scenarios to determine whether the Data Protection Act has been breached or not.
  - Good examples are found on page 67, in Understanding ICT by Stephen Doyle (Nelson Thornes).