Under DPA 1998, any organisation which obtains, records or stores personal data must notify the Information Commissioner, who is responsible for the operation of the Act. To comply with the Act, the data controller – the person who decides what the data is to be used for – must comply with eight data protection principles:
1 Data must be obtained and processed fairly and legally.
2 Data must be processed for specified purposes.
3 Personal data must be adequate, relevant and not excessive in relation to the purpose for which it is to be used.
4 Personal data should be accurate and kept up to date.
5 Data should be kept for no longer than is necessary.
6 Personal data should be processed in accordance with the rights of the individuals concerned, for example, rights of access.
7 Data should be processed in a secure environment.
8 Personal data should not be transferred to a country that does not offer an adequate level of protection for the individual.
Failure to comply with the DPA 1998 can lead to the issue of an enforcement notice, or prosecution and the imposition of a fine – not to mention damage to reputation.
Sample 5.1 Website privacy policy
This privacy statement sets out the practice of XYZ Company Ltd in relation to the information that it collects on this website. This privacy statement intends to inform you of the following matters.
1 Who collects information from you through this website.
2 What information they collect.
3 For what purposes they use that information.
4 When the information is collected.
5 With whom they share that information.
6 Your rights in relation to the collection, use, distribution and correction of that information.
7 The kind of security procedures that are in place to protect against the loss, misuse or alteration of information under the control of XYZ Company Ltd.
If you are not happy, either with the contents of this privacy statement or with the practices of XYZ Company Ltd in relation to this statement, you should first contact us by email at the address set out below. If you do not receive acknowledgement of your enquiry or feel that it has not been properly addressed, you should then contact the Office of the Information Commissioner (www.informationcommissioner.gov.uk).
The application of data protection legislation to communication channels such as the internet is clear. Most websites will want or need to process personal data on individuals visiting the site, sometimes by requesting visitors to register their details to access certain site areas or when conducting an e-commerce transaction. For this reason, most sites now post a privacy policy which explains who is collecting the data and what it will be used for. Sample 5.1 gives an example of an introduction to a standard website privacy policy.
3.2 Intellectual property
Intellectual property rights prevent the unauthorised use or exploitation of intangible assets such as inventions, brand names, original literary works or computer software.
The four key intellectual property rights are:
1 patents: which protect industrial inventions
2 trade marks: which protect brand identity
3 design rights: which protect the aesthetic appearance of articles
4 copyright: which protects against the unauthorised copying of original literary, musical or artistic works.
The ease with which information and images can be accessed electronically does not mean that they are not subject to these rights. For example, displaying another person’s content on a website without their explicit permission would be a breach of copyright.
Equally, the unauthorised use of a logo associated with a well known brand which carries a registered trademark would be an infringement of that trade mark.
3.3 Computer security
Communication channels based on computers are subject to disruption caused by breaches of security.
Viruses, worms or Trojan horses
Viruses, worms and Trojan horses are all malicious programs that can cause damage to computers, but there are differences between the three.
A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. A virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program, i.e. it needs human action to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending emails with viruses attached.
A worm is similar to a virus in its design, and is considered to be a sub-class of a virus. A worm spreads from computer to computer, but unlike a virus, it has the ability to travel without any help from a person. The biggest danger with a worm is its ability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge, devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your email address book. The worm then replicates and sends itself out to everyone listed in each of the receivers’ address books.
A Trojan horse is full of as much trickery as the mythological Trojan Horse it was named after. Those on the receiving end of Trojan horses are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. Some Trojans are designed to be more annoying than malicious but they can also cause serious damage by deleting files and destroying information on your system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.
PART TWO Communication in the workplace 58
intangible assets: assets which do not take a physical form, such as development costs, goodwill or intellectual property rights.
Combating viruses, worms and Trojan horses
Anti-virus software that can search out and destroy a virus is essential and should be updated regularly to ensure the software has the latest fixes for new viruses, worms and Trojan horses. The anti-virus program should also be able to scan email and files as they are downloaded from the internet. This will help prevent malicious programs from even reaching computers. Additional protection can be provided by installing a firewall, a system which prevents unauthorised computer use and access.
Hacking
‘Hacker’ is a slang term for a computer enthusiast, i.e. a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s). The term is mostly recognised as a pejorative one because it is used to describe individuals who gain unauthorised access to computer systems for the purpose of stealing and corrupting data.
Fraud
The biggest single threat to computer security is not related to the technical or hardware aspects of a computer system, but comes from deliberate fraud. For example, an individual might call a user, supposedly from an IT helpdesk, to secure the user’s password and gain access to a particular application and, therefore, potentially valuable information. This can be exacerbated if a user tends to use a generic password for a variety of applications (such as websites, email, voicemail).
CHAPTER 5 Communication and IT 59
Phishing is an increasingly common form of identity theft carried out using email and the internet.
Messages are sent to a user supposedly from an established and legitimate organisation (such as a bank or retailer) in an attempt to defraud the user into surrendering private information that will be used for identity theft. The email directs the user to visit a website where they are asked to update personal information, such as passwords and credit card, social security and bank account numbers that the legitimate organisation already has. The website, however, is bogus and has been set up only to steal the user’s information. Increasingly, the bogus website will be a clone of the legitimate organisation’s actual website, and will look both familiar and authentic to the user.
Phishing emails often use software failures, data loss or system updates as the means of encouraging users to re-enter their personal information. Ironically, some pretend to be anti-fraud measures. Despite increased publicity about the dangers of phishing, it remains a potentially serious problem, as the following facts attest:
● The UK’s National Hi-Tech Crime Unit claims that internet-based identity theft is now a favoured tactic of organised criminals.
● Victims of phishing include some of the biggest and best-known online brands, such as eBay, Yahoo and Amazon.com.
● A 2005 report by internet service provider AOL claimed that up to half of all internet users had received spam emails designed to trick them into handing over personal information.
3.4 Human resources issues
Individuals in most organisations now need access to email and the internet. This brings with it the inherent risk that these communication channels will be abused. Offences range from the unauthorised personal use of the internet during working hours, which wastes time and resources, to the more serious issues of email harassment or the downloading and circulating of pornographic images.
To try to combat such abuse – or to support any necessary legal action following abuse – organisations are advised to develop a clear internet and email use policy, which should be communicated to employees to:
● clarify the organisation’s position concerning what constitutes acceptable use of the internet and email
● protect the organisation against potential liability
● promote awareness and good practice
● encourage the effective use of resources.
Such a policy might include:
● specified authorised and unauthorised use
● expressly prohibited use, such as the downloading or distribution of improper material
● details of access and rules of conduct during use
● details of any sanctions which might be applied for breach of the policy.
The policy might also include a statement that the employer will exercise its right to monitor electronic communications.
Identify what is included in:
a) a standard website privacy policy
b) an acceptable email and internet use policy.