BTEC ICT Legal Issues Data Protection Act (1998) Computer Misuse Act (1990) Freedom of Information Act (2000)

DPA 1998 Main aspects of the Data Protection Act (1998) – Data must be: Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive Accurate Not kept for longer than is necessary Processed in line with your rights Secure Not transferred to countries outside the EU without adequate protection or permission from end user

DPA Terminology Personal Data – The 1998 Act applies to data relating to any identifiable living individual. – It is not restricted to facts but includes expressions of opinion about the individual or other peoples intentions regarding them. The intention to promote or make an employee redundant would be covered by the act. Data – In order to be covered by the act the data must fall into one of the following categories being processed automatically recorded in preparation for automatic processing stored in a structured way (not necessarily within a computer system) so that specific information about an individual can be accessed. Accessible records that do not necessarily fall into the first three categories (health, school, social services records) – The last two categories means that the act covers written records, not just those intended for automatic processing.

DPA Terminology Processing – The Act applies to any operation carried out on the data. – This includes: data collection, Storage access and use Editing deletion – From the moment it is collected until it is finally erased, all aspects of the data's storage and use are covered by the act. Data Subject – The data subject is any identifiable living individual about whom personal data is stored.

DPA Terminology Data Controller – A data controller is anyone (person or organisation) who is responsible for deciding how and for what purpose the data is processed. – In simple terms, the Data Controller will be the person or organisation that owns the data. Commissioner – The Information Commissioner is the person responsible for overseeing the working of the act and maintaining a register of data controllers. – They are also responsible for making people aware of the act. – The Commissioner has the power to issue enforcement notices if they consider that a data controller is breaching any of the data protection principles. – They also have the power to obtain a search warrant if necessary to investigate suspected breaches of the act.

Data Subject Rights Right of Subject Access – This requires the data controller tell the subject if their personal data is being processed (if they request) and to give them a copy of the data in printed form – This requires the data controller tell the subject if their personal data is being processed and to be given a copy of the data in printed form. – This must include a key to any codes used that would otherwise be unintelligible. – A reasonable fee can be charged for this service to cover administrative costs. Prevention of Processing – The data subject can give the data controller written notice to halt or prevent processing that would cause damage or distress to them. Prevention of Direct Marketing – The data subject can give the data controller written notice to halt or prevent the sending of advertising or marketing material to them.

Data Subject Rights Prevention of Automated Decision Taking – The data subject can give written notice to prevent decisions affecting them being made on the basis of automatic processing Compensation – The data subject can claim compensation where they have suffered damage and distress when the act has been contravened Correction – The data subject can obtain a court order to have inaccurate data corrected or erased Assessment – Anyone can ask the Commissioner to assess whether or not personal data is being processed in accordance with the act

Exemptions There are a number of exemptions to the act, this is a brief and incomplete summary Exemptions are not absolute but only from certain principles – National Security – Crime and Taxation – Special Purpose exemptions Some professions, such as Journalism – Available by Law If information is made available to the public by law then it is exempt – Domestic Purposes Personal data processed by an individual and relating to family or household affairs are exempt from the Data Protection Principles

Legal Rights of Individuals Purpose of the DPA – To set out access rights to data held by a company from the individual – To set out requirements for the control of data stored about individuals on computer and paper systems. – To protect individuals from companies – To comply with European legislation Implications of the Data Protection Acts (1998) – Responsibility of companies to ensure data is secure etc – Appointment of individuals within companies for Data Protection responsibility – Legal rights of data subjects made clear and enforceable

Computer Misuse Act 1990 Purpose of the Act – Computer misuse is defined as the unauthorised use of computer systems and relates both to hardware (using a particular computer without permission) and software (accessing parts of the system without authorisation). – Under this law, the following four offences were introduced: unauthorised access to computer material unauthorised access with intent to commit or facilitate the commission of further crimes unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer Making, supplying or obtaining articles for use in computer misuse offences (amended by Police and Justice Act 2006)

Computer Misuse Act 1990 Problems with prosecution: – Intent has to be proven Accidental intrusion is not a crime. – Who is responsible? There may be more than one person in the house General problems – CMA is only enforced once the crime has been committed Only AFTER the confidential information has been found and possibly disseminated – What does authorised mean and who can authorise?

Freedom of Information Act (2000) Main Provision – The Act deals with access to official information – Being able to find out information on any topic from any public authority The Act applies to all public authorities – includes government, health service (hospitals and doctor’s surgeries), schools and police The Act allows anyone to make a request – How? A letter to the public authority that you think has the information you want – Include your name, address and a description of what you want – Public authorities have 20 working days to comply with your request

Freedom of Information Act (2000) – Benefits and Problems Benefits – Information which was not accessible to the general public is now available – Increases accountability from the public authority to the individual Problems – It is possible to ask for any information at all Does not mean that you will receive it May come under exemption – The Act is part of a set - requesting information under the wrong Act will delay the information being received – The public authority does not have to confirm/deny the existence of the information or provide it: if an exemption applies the request is too vague for information to be found similar to a request previously received if the cost of collating and producing it exceeds an appropriate limit

Task Based on the act you have been given you need to produce the resources to allow a teacher to deliver a lesson about the given act to a class of year 9 students You should create a PowerPoint for the teacher (needs things like a keyword and learning objective) An activity sheet for the students A plan for the teacher to follow: – A starter – something short (2-3 minutes) to engage the students and get them thinking as soon as they enter the class – Middle – a prompt to the teacher to stop the class to gauge how well they have understood the topic e.g. a short Q&A – End – Another short activity (5mins) to determine the students have understood the task e.g. feeding back answers to the class. Resources for Teaching Ltd 2008