The original Data Protection Act (DPA) became law in 1984. Organisations were legally obliged to act responsibly with respect to personal information, which relates to data on any living individual, held in computer databases.
It was replaced by the Data Protection Act 1998 which was implemented in two stages in 2000 and 2003. This change was needed to reflect the changes in technology that had passed since the original DPA. The 1998 Act is currently in force and will be for the foreseeable future.
The Information Commissioner’s Office is an independent supervisory authority appointed by the government to oversee and enforce compliance with the Act in all dealings with personal information and to ensure access is freely available to recorded information held by public authorities. The Office reports directly to the UK Parliament. Note that the Scottish Information Commissioner’s Office promotes and enforces freedom of information in Scotland.
The DPA enforces strict rules on the storage and processing of electronic data that can uniquely identify a living person. It is designed to stop data being obtained or stored unnecessarily, to prevent it from being exchanged without good reason, to ensure it is held under secure conditions and to give individuals redress if they feel their personal data has been misused.
So, all organisations that store information on living individuals must comply with the Data Protection Act. The Information Commissioner maintains a public register of these organisations called the Data Protection Register.
Before you look at the Act in more depth, let’s define what is meant by ‘information’ and ‘data’, and how they differ:
- data is a representation of information so that it can be conveyed, manipulated or stored
- information is the meaning that we give to data in particular contexts.
So data cannot really be considered as information until it is given meaning and is interpreted by us. Opinion polls, where members of the public are asked their opinion on particular subjects, are good examples of where data is collected, stored and manipulated to show the resulting information as statistics. They may demonstrate how we might vote in the next parliamentary election, or whether one brand of food is preferred to another.
In terms of the DPA, data controllers are people who are employed by any organisation that stores, manipulates and retrieves personal information held on computers.
The DPA is based around eight fundamental principles of good information handling. Data controllers are legally required to act in accordance with these rules, the details of which are explained in the Principles of the DPA (PDF). The case study below describes an example of the Data Protection Act being applied.
Case study: The British Pregnancy Advisory Service
The British Pregnancy Advisory Service is a charity offering confidential advice to pregnant women, including information about abortion and sterilisation.
In early 2012, a hacker defaced the charity’s site, claiming to have obtained records of nearly 10,000 people who had contacted BPAS and threatening to post their details online. Police were able to determine the IP address of the attacker’s computer and James Jeffery was arrested the next day in the West Midlands. No confidential data was released, although copies of the BPAS data were found on Jeffery’s computer.
BPAS had initially acquired the names through a ‘call back’ form where people could leave details so they could be contacted later, but had chosen not to continue with the ‘call back’ because of security concerns. However, unbeknownst to BPAS, the data was retained on the site and inadequately secured against attacks.
BPAS was fined £200,000 for the breach, although at the time of writing it was contesting the fine. In April 2012, James Jeffery was sentenced to 32 months in prison under the Computer Misuse Act.
Inadvertent breaches of the Data Protection Act may be prosecuted even where no harm was intended.
Case study: Hertfordshire County Council
In June 2010, Hertfordshire County Council breached the DPA on two occasions when its childcare department accidentally sent faxes to incorrect numbers.
On the first occasion, documents intended for lawyers were sent to members of the public, and on the second occasion, information including personal information about two children in council care, criminal convictions of two people and domestic violence records were sent to a legal practice unconnected to their case.
The council correctly alerted the Information Commissioner to the two breaches, but was fined £100,000 because of the seriousness of its mistake, which could have had serious consequences for the safety of children in the council’s care.
The Computer Misuse Act 1990 (CMA)
The Computer Misuse Act 1990 (CMA) is one of the most influential pieces of legislation relating to computers. It has been the inspiration for similar laws being introduced in other countries.
It came about, in part, because of a 1988 case where two hackers broke into the British Telecom Prestel network and obtained access to user accounts, including that of Prince Philip.
Prestel was a text-based interactive information system developed by the UK Post Office in the late 1970s. Users could browse numbered pages of text (similar to the contemporaneous Ceefax and Teletext information services) on their television as well as send electronic messages to other Prestel users. Prestel services were expensive and the system did not become widely used, although Prestel technology was sold to many other telecom companies. Prestel was gradually sold off in the early 1990s as the internet became available to domestic users.
The two hackers were originally tried and convicted under a law concerned with forgery and counterfeiting, but the conviction was overturned by higher courts who concluded that the Forgery and Counterfeiting Act 1981 had never been intended to be used for this purpose. This led the majority of legal experts to conclude that hacking was not actually illegal in Britain at the time.
The CMA was drawn up hurriedly and was criticised at the time for not being adequately scrutinised, but its central aims have stood the test of time. The original Act introduced three new criminal offences:
- unauthorised access to computer materials
- unauthorised access with intent to commit or aid further offences
- unauthorised modification of computer material.
The CMA has been amended a number of times, including through the Police and Justice Act 2006, to cover new offences including denial of access or denial of service to legitimate users (making denial of service attacks a criminal offence in the UK), and criminalising the creation and supply of software and hardware that might aid an attack on a computer. This not only criminalises the development of programs designed to break passwords or the development of certain types of malware, but it could potentially criminalise tools used by forensics experts to investigate computer systems which can be abused by attackers.
The CMA has been successfully used in a wide range of criminal cases including denial of service attacks against Kent Police, Oxford University, the United States Air Force, the CIA, Sony and Nintendo; fraudulent activities in online games; illegal access and disclosure of confidential emails and personal information; theft from online banks; stalking; hoax calls to emergency telephone numbers and piracy.
The Fraud Act 2006
The Fraud Act 2006 was introduced to simplify a notoriously complex Act of Parliament called the Theft Act.
The previous law defined a large number of types of fraud, often tied to specific circumstances, that made for complex cases that were difficult to prosecute and for juries to understand. In fact, it wasn’t until 1996 that obtaining money from a fraudulent bank transfer was specifically illegal in the UK!
The Fraud Act defines fraud in three ways:
- false representation
- failing to disclose information
- abusing power.
The Fraud Act can be used against anyone attempting to perform fraud whether or not it takes place over the internet. However, Section 11 of the Act makes specific reference to electronic fraud and can be used to prosecute in response to:
- dishonestly obtaining electronic communications services such as a telephone, ISP or satellite television subscription
- cloning mobile phones so that calls made on one handset are billed to another
- reprogramming mobile phones to interfere with their operation or change their unique identifier information
- breaking encryption on encrypted communications services such as subscription television services or telephone conversations.