Two specific pieces of legislation are the basis for examination in CAT Paper 5, Managing People and Systems, and in ACCA Qualification Paper F1, Accountant in Business. These are the UK Data Protection Act and the UK Computer Misuse Act.
This article describes the depth of knowledge required by candidates for the relevant parts of the syllabus. The principles of the legislation are important, not the dates, the context (eg European Commission requirements) and the penalties. However, these are provided here for information.
During the 1970s, the increasing use of computers, and their perceived threat to privacy and the rights of individuals, led to a demand for data protection and privacy legislation. The original Data Protection Act received its Royal Assent on 12 July 1984.
It applied to automatically processed personal data, giving rights to individuals to access data held about them and to seek compensation for loss or damage caused by the misuse of personal data. The office of the Data Protection Registrar enforced the Act.
In 1998 the United Kingdom was required to pass a revised Data Protection Act as part of its European Union commitment under the Data Protection Directive.
The principle behind this directive was the harmonisation of data protection laws across the member states. The 1998 Act replaced the 1984 Act, modifying and extending the legislation to include manual records and virtually any form of data processing. It also banned, subject to certain exceptions, the transfer of data outside the European Economic Area.
This section briefly reviews the Act and its implications for information systems development.
In the context of the 1998 Act, data means information that is recorded:
Accessible records are primarily concerned with health, education and other public records. This overall definition of data is much wider than that of the original Act, which only considered automatically processed information.
The Act defines:
The data controller is a person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. The individual who is the subject of personal data is called the data subject.
The data controller registers the details of the data he wishes to hold with the Information Commissioner. The office of Commissioner replaces the Registrar defined in the original Act.
A data subject is, given certain exemptions and conditions, able to examine what personal data the data controller is holding about him or her.
The rights of individuals are specifically defined in the Act. A data subject is entitled, upon written request to the data controller, to be informed whether personal data is being processed about them.
The data subject may be charged a nominal fee for this information and the data controller has a specified number of days to respond to the request. Where personal data is being processed the data subject is entitled to be given a description of:
In addition, the data subject is entitled to have this information communicated to him or her in a form that can be understood. In most instances these requests for information are met by giving the data subject a copy of the information plus an explanation of any data fields that are not self-explanatory.
Any individual who suffers damage as a result of a contravention by the data controller is entitled to compensation for the damage or distress that the contravention has caused.
The Data Protection Act is framed within the spirit of the following principles. The United Kingdom Data Protection Act uses slightly different definitions at times, with reference to specific sections of the legislation, but the spirit is similar.
Principle one
The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.
Hence the information must be obtained fairly from the data subject. The data subject must be aware of what data is being collected and how it will be used. It cannot be obtained by coercion or by deception. For processing to be lawful it needs to meet at least one of the following conditions:
Further conditions apply in the UK legislation if the data is defined as sensitive. Sensitive data consists of information concerning:
Principle two
Personal data shall be held only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
So, for example, data cannot be stored for one purpose, such as the provision of a service (say providing electricity to a customer) and also used for marketing and offering other services (such as insurance), unless the data controller has specified these purposes.
This principle applies in most data protection legislation. The information cannot be collected for one purpose and then used (unknown to the data subject) for others.
Principle three
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
When collecting data, there is a temptation for data controllers to request more information than is actually required for the task at hand. This may contravene one of the principles of the Data Protection Act.
In the UK, a number of people complained that the forms required for the payment of the ‘poll tax’ included questions that were irrelevant to the purpose of poll tax assessment and collection.
These questions were not relevant or were excessive given the purpose of the form. In general, the Data Protection Tribunal agreed with the complaints, finding that a substantial amount of property information requested was far more than necessary for the supposed purpose.
The role of the data dictionary in reinforcing this principle is worth stressing. The compilation of the dictionary should ensure that the role of every data item in the system can be explained and justified.
Principle four
Personal data shall be accurate and, where necessary, kept up-to-date.
This principle will not be breached if the data subject has actually provided the incorrect information, as long as the data controller has taken reasonable steps to ensure its accuracy. However, where the data subject has told the data controller that data is inaccurate, the stored data must indicate that fact.
In all cases the data controller is under an obligation to take reasonable steps to verify the accuracy of the data obtained. One of the best ways of ensuring accuracy is to ask the data subject to periodically confirm, or update, details about themselves.
Principle five
Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.
When the original purpose for collecting the personal data has passed, the data should be destroyed. This may be implemented automatically by software programs or at least suggested by software prompts. For example, when a person leaves the organisation all his or her appraisal records could be automatically deleted, or a user prompted to action such a deletion.
Principle six
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Data subjects have certain access rights and if these are contravened then this principle will be breached. A failure to comply with requests from the Information Commissioner also comes under this principle. All data protection legislation confers rights on the data subject and this principle reasserts these rights.
Principle seven
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Most data protection legislation demands that data controllers apply appropriate security measures to take care of personal data. Such measures should be in place to prevent internal and external access by unauthorised users. This will include hardware (card access to rooms, firewall computers, CCTV), software (passwords, virus checkers) and organisational arrangements (internal audit, division of duties) that reduce the chance of unauthorised or unlawful use of personal data.
Principle eight
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This geographical restriction is specifically stated in the UK legislation, where it is also acknowledged that there is no restriction on the movement of personal data within the European Economic Area.
However, there clearly has to be an agreement and statement defining which other countries provide an adequate level of protection. The UK Act appears to state that the European Commission will make such decisions and announcements.
The UK law is typical of Data Protection legislation in that it defines the geographical territory of the legislation and constraints on importing or exporting data outside that defined territory.
After all, without these constraints the legislation would be less potent. Sensitive data could be held in ‘data havens’, countries with little or no legislation, and manipulated from there. From a systems development perspective it is important that controls are in place to prevent unwitting transfer of data across international boundaries, leading to possible prosecution under the Data Protection Act.
Data protection legislation normally also defines exemptions and offences. These exemptions may be from the Act altogether, or they may be from certain sub-sections, for example, the data controller may be exempted from providing subject access. Typical exemption areas are:
Similarly, the offences will be defined in the Act. This will include such offences as failing to register for the Act and failing to notify changes as well as the more obvious misuse of personal data.
Computer hacking is concerned with accessing and perhaps modifying the contents of a computer system without the express or implied permission of the owners of that system. The experience of the Duke of Edinburgh hackers suggested that hacking was a nuisance rather than a criminal activity.
In the UK this led to a Law Commission Working Paper No. 110, Computer Misuse (1988), which examined the scope of the computer misuse law and proposed alternative suggestions for appropriate legal changes. The Computer Misuse Act was enacted in 1990. It did not restrict itself to computer hacking but also dealt with issues of attempts and modification.
The Act is not specifically aimed at external hackers but is also applicable to inappropriate use of systems by internal employees.
The Computer Misuse Act distinguishes between three types of offence:
Unauthorised access to the computer
Under Section 1 of the Computer Misuse Act 1990, a person is guilty of an offence if:
The intent a person must have to commit an offence under this section need not be directed at:
The Act specifies that a person found guilty of this offence shall be liable, on summary conviction, to a maximum prison sentence of six months or to a fine not exceeding level 5 on the standard scale or both.
This section is concerned with circumstances where unauthorised access is the ultimate motive. The offender wishes to see data they are not authorised to see, but they do not wish to change this data or to use it to commit further offences. They may wish to see the data out of curiosity or to use it in a way that is not illegal. This unauthorised access is an offence whether the motives for access were well meaning or malicious.
For example: An employee has used an authorised user's password to secure unauthorised access to the payroll records, so that he can see how much one of the firm’s Directors earns.
A person is guilty of an offence under this section if they commit an offence under Section 1 (above) with the intent:
It is immaterial for the purpose of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion. A person may be guilty of such an offence even though the facts are such that the commission of any further offence is impossible.
A person guilty of an offence under this section shall on conviction be liable to imprisonment for a term not exceeding five years or to a fine or to both. This section is concerned with offences that are committed in order to commit (or attempt to commit) further offences, which are subject to other legislation (such as fraud and blackmail).
For example: An employee has used an authorised user’s password to secure unauthorised access to the payroll records to find information that can be used to blackmail one of the Directors of the company.
A person is guilty of an offence if:
In the statement above, the requisite intent is an intention to cause a modification of the contents of any computer and in so doing:
Again, the intent a person must have to commit an offence under this section need not be directed at:
The Act specifies that a person found guilty of this offence shall be liable on conviction to a maximum prison sentence of five years or to a fine or both.
This section of the Act is concerned with accessing and altering data. Examples of offences under this section would be deleting and modifying system files and records, introducing viruses, or deliberately generating information to cause a complete system malfunction. Modifications refer to both programs and data.
This section of the Act covers the following example:
An employee has used an authorised user’s password to secure unauthorised access to the payroll records, so that he can access his own records. He alters these records so that, in subsequent months, he will be paid twice his current agreed salary.
Comments
From 1990 to 1995 there were at least 20 documented prosecutions under the Computer Misuse Act. Here are three examples.
Case: R versus Pearlstone
Result: Guilty
Commentary: Used ex-employer’s account to defraud computer-administered telephone system.
Case: R versus Hardy
Result: Guilty
Commentary: IT manager added a program that encrypted incoming data and decrypted it when accessed. On a pre-set date (a month after he had left) it stopped decrypting data.
Case: R versus Strickland and Woods
Result: Guilty
Commentary: The defendants were reported to have broken into a European Commission computer system and browsed expense accounts, caused damage to the Swedish telephone system and to the Polytechnic of Central London’s computer.
The text of the UK Computer Misuse Act may be viewed at legislation.gov.uk.
Candidates should be aware of the scope, principles and terms of the UK Data Protection and Computer Misuse Acts or similar legislation in other countries. This article has focused on three of the main objectives in this area and candidates should now be in a good position to:
However, it is also important that candidates should reflect on two further objectives. They should be able to briefly explain: