In most countries there are laws relating to the use of data and to the usage of computers. Those laws are not there to be oppressive or regulatory but to protect the interests of individuals as opposed to organisations. Here we take a look at some of those laws, what they mean and how they can affect you.
We've looked at how law affects the world of computing and the Internet before in the article on Accessibility and the Law, but there are other laws that affect the world of IT in the UK, US and other countries. In this article we'll take a look at some of the bigger laws and what they mean for individuals and organisations.
The Data Protection Act (1984 and 1998)
This regards the potential misuse of collected data and applies to any person or organisation that holds data about individuals. The act itself grew out of public concern about rapidly developing computer technology. The key points to remember are:
- The data should be obtained and processed fairly and lawfully,
- Personal data should be held only for the specified purposes,
- Personal data should not be used or disclosed for any unstated purposes or sold to third parties,
- Personal data should be adequate, relevant, and not excessive,
- Personal data should be accurate, and where necessary, kept up to date,
- Personal data should not be kept for longer than stated or than is necessary,
- A data subject should be entitled:
  - at reasonable intervals, without unnecessary delay or expense:
    - to be informed if data is held on the subject, and
    - to access any such data.
  - to have data corrected or erased where appropriate.
- Security measures should be taken to guard against unauthorised access, alteration, disclosure, or destruction of personal data. This should also cover the accidental loss or destruction of data.
You may have noticed the phrase "without unnecessary delay or expense" and be thinking that this means a data subject cannot be charged for requesting access to the data. This is not the case: what it means is that they shouldn't be overcharged, and that an administration fee can be charged for supplying the data to cover any cost incurred.
It's interesting that this law was started before the advent of the internet but has been adapted so that it also applies to websites. In a privacy statement on a website you are basically stating the reasons for, and usage of, data collected on the website, as per what is stated in this Act. One thing that is not usually considered, but should be, is that websites nearly always log access to pages and/or files to a log file. If this data is identifiable (i.e. it contains an IP address) then it also counts as being data held against the subject.
In the 1998 revision of this law there are additional caveats, such as that a data controller can withhold information from a data subject until sufficient proof is provided that their identity is that which they claim it to be. There is no obligation for a request for information to be completed without ample proof and such requests can now be denied. This also extends to requests made to local authorities, with the added fact that they are only expected to provide access to structured data about the subject as long as it does not exceed reasonable costs.
Under normal circumstances, if you wanted to see what personal data was being held about you then you'd be entitled to a copy of this data within 40 days of making a formal written request. Any infringement on this permits you to raise this with the Registrar or apply for a court order to obtain access.
In most cases, when holding or controlling personal data you have to register with the Data Registrar, which you do for a fee that covers three years.
Computer Misuse Act (1990)
This concerns unauthorised access to a secure system with the intent of causing damage to the targeted system, including the deliberate modification or deletion of data, or of forcing it to perform a function. Anyone who is tried and found guilty under this Act can be sentenced to up to six months (although recently this changed to being two years) and can also be fined up to £5,000 including damages.
The reason this law came about was that the first recorded case of unauthorised access to a system had to be tried as a Forgery & Counterfeiting trial which the defendants pleaded against as they had done neither - they had used login credentials observed from a BT engineer to enable themselves to log in with criminal intent. As a result of this case the Computer Misuse Act was created a couple of years later.
For the average computer user this should not affect you unless you are trying to illegally gain access to a system with the intent of causing the machine and/or software to perform a function not intended.
Freedom of Information Act (2000)
This more recently instated Act is in part an amendment to the DPA legislation last updated in 1998 to ensure the law governing the usage of data is kept current as our technology and usage of data changes. In the Act, the following is noted:
To make provision for the disclosure of information held by public authorities or by persons providing services for them and to amend the Data Protection Act 1998 and the Public Records Act 1958; and for connected purposes.
So this amendment is an attempt by the government to open up data and to become more transparent in proceedings. However, the large number of exemptions in the name of national security has cast some doubt on just how worthwhile this Act is.
The problem that this Act has brought to light in recent times is the spending of MPs and their second homes, leading to a large number of scandals. In 2009 there was a request that MP details be made exempt from this Act but it was denied. I think in them denying that request it shows that the government is trying to uphold the spirit of this law despite some of its number disagreeing. What this means to computer users is that a lot of this information becomes available online for the public to see.













