Information systems legislation

Two specific pieces of legislation are the basis for examination in CAT Paper 5, Managing People and Systems, and in ACCA Qualification Paper F1, Accountant in Business. These are the UK Data Protection Act and the UK Computer Misuse Act.

This article describes the depth of knowledge required by candidates for the relevant parts of the syllabus. The principles of the legislation are important, not the dates, the context (eg European Commission requirements) and the penalties. However, these are provided here for information.

The Data Protection Act

During the 1970s, the increasing use of computers, and their perceived threat to privacy and the rights of individuals, led to a demand for data protection and privacy legislation. The original Data Protection Act received its Royal Assent on 12 July 1984.

It applied to automatically processed personal data, giving rights to individuals to access data held about them and to seek compensation for loss or damage caused by the misuse of personal data. The office of the Data Protection Registrar enforced the Act.

In 1998 the United Kingdom was required to pass a revised Data Protection Act as part of its European Union commitment under the Data Protection Directive.

The principle behind this directive was the harmonisation of data protection laws across the member states. The 1998 Act replaced the 1984 Act, modifying and extending the legislation to include manual records and virtually any form of data processing. It also banned, subject to certain exceptions, the transfer of data outside the European Economic Area.

This section briefly reviews the Act and its implications for information systems development.

Definitions

In the context of the 1998 Act data means information that is recorded:

• in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose
• with the intention that it should be processed by means of such equipment
• as part of a relevant filing system or with the intention that it should form part of a relevant filing system
• but does not fall within the first three statements but still forms part of an accessible record.

Accessible records are primarily concerned with health, education and other public records. This overall definition of data is much wider than the original Act, which only considered automatically processed information.

The Act defines:

• Personal Data as data relating to a living individual who can be identified from that information, or from other information, which is in the possession of, or is likely to come into the possession of, the data controller. This includes any expression of opinion about the individual, but not any indication of the intentions of the data controller in respect of that individual. Hence a manager’s opinions about an employee are within the scope of the Act.

The data controller is a person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. The individual who is the subject of personal data is called the data subject.

The data controller registers the details of the data he wishes to hold with the Information Commissioner. The office of Commissioner replaces the Registrar defined in the original Act.

A data subject is, given certain exemptions and conditions, able to examine what personal data the data controller is holding about him or her.

The rights of individuals are specifically defined in the Act. A data subject is entitled, upon written request to the data controller to be informed whether personal data is being processed about them.

The data subject may be charged a nominal fee for this information and the data controller has a specified number of days to respond to the request. Where personal data is being processed the data subject is entitled to be given a description of:

• The personal data held about the individual.
• The purposes for which this information is being processed.
• The recipients or classes of recipients to whom this information may be disclosed.

In addition the data subject is entitled to have this information communicated to him or her in a form that can be understood. In most instances these requests for information are met by giving the data subject a copy of the information plus an explanation of any data fields that are not self-explanatory.

Any individual who suffers damage as a result of a contravention by the data controller is entitled to compensation for distress or damage this incorrect information has caused.

Principles

The Data Protection Act is framed within the spirit of the following principles. The United Kingdom Data Protection Act uses slightly different definitions at times, with reference to specific sections of the legislation, but the spirit is similar.

Principle one The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.

Hence the information must be obtained fairly from the data subject. The data subject must be aware of what data is being collected and how it will be used. It cannot be obtained by coercion or by deception. For processing to be lawful it needs to meet at least one of the following conditions:

• The data subject has given his consent to the processing.
• Processing is necessary for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract.
• The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
• The processing is necessary in order to protect the vital interest of the data subject.
• The processing is necessary for the administration of justice and for other functions of a public nature exercised in the public interest by any person.
• Processing is necessary for the purposes of legitimate interest pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interest of the data subject.

Further conditions apply in the UK legislation if the data is defined as sensitive. Sensitive data consists of information concerning:

• the racial or ethnic origin of the data subject
• his political opinions
• his religious beliefs or other beliefs of a similar nature
• his membership of a trade union
• his physical or mental health or condition
• his sexual life
• the commission or alleged commission by him of any offence
• any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Principle two Personal data shall be held only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.

So, for example, data cannot be stored for one purpose, such as the provision of a service (say providing electricity to a customer) and also used for marketing and offering other services (such as insurance), unless the data controller has specified these purposes.

This principle applies in most data protection legislation. The information cannot be collected for one purpose and then used (unknown to the data subject) for others.

Principle three Personal data shall be adequate, relevant and not excessive in relation to that purpose or purposes for which they are processed.

When collecting data, there is a temptation for data controllers to request more information than is actually required for the task at hand. This may contravene one of the principles of the Data Protection Act.

In the UK, a number people complained that the forms required for the payment of the ‘poll tax’ included questions that were irrelevant to the purpose of poll tax assessment and collection.

These questions were not relevant or were excessive given the purpose of the form. In general, the Data Protection Tribunal agreed with the complaints, finding that a substantial amount of property information requested was far more than necessary for the supposed purpose.

The role of the data dictionary in reinforcing this principle is worth stressing. The compilation of the dictionary should ensure that the role of every data item in the system could be explained and justified.

Principle four Personal data shall be accurate and, where necessary, kept up-to-date.

This principle will not be breached if the data subject has actually provided the incorrect information as long as the data controller has taken reasonable steps to ensure its accuracy. However, where the data subject has told the data controller that data is inaccurate, the stored data must indicate that fact.

In all cases the data controller is under an obligation to take reasonable steps to verify the accuracy of the data obtained. One of the best ways of ensuring accuracy is to ask the data subject to periodically confirm, or update, details about themselves.

Principle five Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.

When the original purpose for collecting the personal data has passed the data should be destroyed. This may be implemented automatically by software programs or at least suggested by software prompts. For example, when a person leaves the organisation all his or her appraisal records could be automatically deleted or a user prompted to action such a deletion.

Principle six Personal data shall be processed in accordance with the rights of data subjects under this Act.

Data subjects have certain access rights and if these are contravened then this principle will be breached. A failure to comply with requests from the Information Commissioner also comes under this principle. All data protection legislation confers rights on the data subject and this principle reasserts these rights.

Principle seven Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Most data protection legislation demands that the data controllers apply appropriate security measures to take care of personal data. Such measures should be in place to prevent internal and external access by unauthorised users. This will include hardware (card access to rooms, firewall computers, CCTV) software (passwords, virus checkers) and organisational arrangements (internal audit, division of duties) that reduce the chance of unauthorised or unlawful use of personal data.

Principle eight Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

This geographical restriction is specifically stated in the UK Legislation, where it is also acknowledged that there is no restriction of movement of personal data within the European Economic Area.

However, there clearly has to be an agreement and statement defining which other countries provide an adequate level of protection. The UK Act appears to state that the European Commission will make such decisions and announcements.

The UK law is typical of Data Protection legislation in that it defines the geographical territory of the legislation and constraints on importing or exporting data outside that defined territory.

After all, without these constraints the legislation would be less potent. Sensitive data could be held in ‘data havens’, countries with little or no legislation, and manipulated from there. From a systems development perspective it is important that controls are in place to prevent unwitting transfer of data across international boundaries, leading to possible prosecution under the Data Protection Act.

Exemptions and offences

Data protection legislation normally also defines exemptions and offences. These exemptions may be from the Act altogether, or they may be from certain sub-sections, for example, the data controller may be exempted from providing subject access. Typical exemption areas are:

• information to uphold national security
• information about crime and taxation
• data held for health, education and social work
• payroll and accounting applications
• domestic use of computers
• unincorporated clubs and societies.

Similarly, the offences will be defined in the Act. This will include such offences as failing to register for the Act and failing to notify changes as well as the more obvious misuse of personal data.

Computer hacking is concerned with accessing and perhaps modifying the contents of a computer system without the express or implied permission of the owners of that system. The experience of the Duke of Edinburgh hackers suggested that hacking was a nuisance rather than a criminal activity.

In the UK this led to a Law Commission Working Paper No. 110, Computer Misuse (1988), which examined the scope of the computer misuse law and proposed alternative suggestions for appropriate legal changes. The Computer Misuse Act was enacted in 1990. It did not restrict itself to computer hacking but also dealt with issues of attempts and modification.

The Act is not specifically aimed at external hackers but is also applicable to inappropriate use of systems by internal employees.

The Computer Misuse Act distinguishes between three types of offence:

• unauthorised access to the computer
• unauthorised access with intent to commit or facilitate commission of further offences
• unauthorised modification of computer material.

Unauthorised access to the computer Under Section 1 of the Computer Misuse Act 1990, a person is guilty of an offence if:

• they cause a computer to perform any function with intent to secure access to any program or data held in any computer
• the access they intend to secure is unauthorised
• they know at the time when they cause the computer to perform the function that this is the case

The intent a person must have to commit an offence under this section need not be directed at:

• any particular program or data
• a program or data of any particular kind or
• a program or data in any particular computer

The Act specifies that a person found guilty of this offence shall be liable, on summary conviction, to a maximum prison sentence of six months or to a fine not exceeding level 5 on the standard scale or both.

This section is concerned with circumstances where unauthorised access is the ultimate motive. The offender wishes to see data they are not authorised to see, but they do not wish to change this data or to use it to commit further offences. They may wish to see the data out of curiosity or to use it in a way that is not illegal. This unauthorised access is an offence whether the motives for access were well meaning or malicious.

For example: An employee has used an authorised user's password to secure unauthorised access to the payroll records, so that he can see how much one of the firm’s Directors earns.

Unauthorised access with intent to commit or facilitate commission of further offences

A person is guilty of an offence under this section if they commit an offence under Section 1 (above) with the intent:

• to commit an offence to which this section applies or
• to facilitate the commission of such an offence (whether by himself or by any other person)

It is immaterial for the purpose of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion. A person may be guilty of such an offence even though the facts are such that the commission of any further offence is impossible.

A person guilty of an offence under this section shall on conviction be liable to imprisonment for a term not exceeding five years or to a fine or to both. This section is concerned with offences that are committed in order to commit (or attempt to commit) further offences, which are subject to other legislation (such as fraud and blackmail).

For example: An employee has used an authorised user’s password to secure unauthorised access to the payroll records to find information that can be used to blackmail one of the Directors of the company.

Unauthorised modification of program or data In Section 3 of the Computer Misuse Act

a person is guilty of an offence if:

• they perform an act which causes an unauthorised modification of the contents of any computer; and
• at the time when they do this act they have the requisite intent and the requisite knowledge

In the statement above the requisite intent is an intention to cause a modification of the contents of any computer and in so doing:

• impair the operation of any computer
• prevent or hinder access to any program or data held in any computer
• impair the operation of any such program or the reliability of any such data

Again, the intent a person must have to commit an offence under this section need not be directed at:

• any particular program or data
• a program or data of any particular kind or
• a program or data in any particular computer

The Act specifies that a person found guilty of this offence shall be liable on conviction to a maximum prison sentence of five years or to a fine or both.

This section of the Act is concerned with accessing and altering data. Examples of offences under this section would be deleting and modifying system files and records, introducing viruses, or deliberately generating information to cause a complete system malfunction. Modifications refer to both programs and data.

This section of the Act covers the following example:
An employee has used an authorised user’s password to secure unauthorised access to the payroll records, so that he can access his own records. He alters these records so that, in subsequent months, he will be paid twice his current agreed salary.

Comments
From 1990 – 1995 there were at least 20 documented prosecutions under the Computer Misuse Act. Here are three examples.
Case: R versus Pearlstone
Result: Guilty
Commentary: Used ex-employer’s account to defraud computer-administered telephone system.

Case: R versus Hardy
Result: Guilty
Commentary: IT manager added a program that encrypted incoming data and decrypted it when accessed. On a pre-set date (a month after he had left) it stopped decrypting data.

Case: R versus Strickland and Woods
Result: Guilty
Commentary: The defendants were reported to have broken into a European Commission computer system and browsed expense accounts, caused damage to the Swedish telephone system and to the Polytechnic of Central London’s computer.

The text of the UK Computer Misuse Act may be viewed at legislation.gov.ukl

Conclusion

Candidates should be aware of the scope, principles and terms of the UK Data Protection and Computer Misuse Act or similar legislation in other countries. This article has focused on three of the main objectives in this area and candidates should now be in a good position to:

• explain why legislation is needed
• explain the principles of the legislation
• explain the offences defined under the legislation

However it is also important that candidates should reflect on two further objectives. They should be able to briefly explain:

• How these principles might be enforced. For example, how can the data protection principle. Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes, be enforced within an organisation?
• How such offences might be prevented and discovered? For example, how might unauthorised access to a computer system be prevented and, if it cannot be prevented (and 100% prevention is unlikely), how the offenders might be discovered and apprehended?