Legal Aspects of Using Information Technology

Unit 15: ICT in Business

E6/C3:

The widespread use of information technology has brought us a number of benefits and problems, too. As information technology has spread, so have computer crime and abuse. For example, the internet is not only used by the innocent members of the public, but also by fraudulent traders, paedophiles, software pirates, hackers and terrorists. Their activities would include: placing computer viruses, software bootlegging, credit card fraud and money laundering schemes.

Hackers

A hacker is an individual who break codes and passwords to gain unauthorised access to data held on computer systems. When hackers gain unauthorised access to computer systems, they can do a huge amount of damage. Stand-alone computers are safe because, there is no connection for the hackers to break into. However, computers which are connected to networks or modems are at more risk from hacking. The only way of protecting the computer systems from being broken into, is by changing the passwords at regular intervals.

Computer Fraud

Computer fraud is when computer operators use the computer to their own advantage. It is difficult to track down these offenders for the following possible reasons:

They are often clever
They might be young with no previous criminal records
When fraud is discovered in a business, it is often not publicised, because the news of fraud may damage the image and reputation of the business

An example of computer fraud involves a computer operator who found a blank payroll form. The computer operator will complete the form by making up the details of an imaginary person working in the Company. Each month, when the pay cheques are produced from the Company computer, the computer operator will slip the cheque into his pocket, without anyone noticing.

Computer Viruses

A computer virus is a small computer program, which usually sabotage files or programs. Viruses may be passed onto the computer in various ways. It may be passed onto the user’s computer through the Internet, e.g. downloading an e-mail attachment and saving it to the user’s hard disk. It may be passed onto the user’s computer through the sharing of floppy disks from one computer to another.

There are number of different viruses which are activated in various ways. Some may be activated by the internal clock and may start on a particular day, e.g. Friday 13th. Others may be activated when a series of conditions becomes true, e.g. when a certain combinations of keys are pressed on the keyboard.

The most damaging viruses were recently found in innocent e-mail attachments, and are designed in such a way that makes sure recipients will open them. This well-known practice is known as, Social Engineering. Some of the examples include:

“Click here to receive a picture of Brad Pitt”
“I love you”- this is often referred as The Love Bug
Christmas cards, jokes, screensavers

Laws relating to IT

There are number of laws which are designed to govern any aspects of using the information technology within organisations, such as IKEA. The most common laws that IKEA needs to consider are as follows:

Data Protection Act 1984
Computer Misuse Act 1990
Copyright, Design and Patent Act 1989
Health and Safety at Work Act 1974
Health and Safety (Visual Display Screen Equipment) Regulations 1992

Data Protection Act 1984

The Data Protection Act 1984 aims to help protect the privacy of individuals, by regulating and controlling the processing of the personal data. The first Act became law in 1984, but this was replaced by the 1998 Act, that also incorporates the European Commission Directive.

To fully understand the Act, businesses such as IKEA need to understand the meaning of the following definitions:

Data controller- this is a party that determines the purposes for and the way in which personal data are processed
Data processor- this is a person, other than an employee of the data controller, who process the data on behalf of the data controller
Data subject- this is the living person who is the subject of the personal data
Personal data- this is information held on any living person, which on its own or in conjunction with other information held by the data controller, identifies that individual
Processing- this includes obtaining, recording or holding personal data or carrying out any operation on personal data, including organising, altering, disclosing or destroying it
Sensitive personal data- this is a sub-category of personal data consisting of information on the data subject, relating to racial origin, ethnic origin, political opinion, religious beliefs, membership of a trade union, physical/mental health or condition, sexual life or criminal record/history

The Data Protection Act contains eight basic principles. These eight basis principles form the backbone of the Act:

Personal data must:

…be processed fairly and lawfully
…be obtained for specified and lawful purposes
…be adequate, relevant and not excessive for the purpose
…be accurate and up-to-date
…not be kept longer than necessary
…be processed within the rights of data subjects
…be kept secure against loss, damage and unauthorised and unlawful processing
…not be transferred to countries outside the European Economic Area

Looking at the eight principles mentioned above, the first five of them ...

This is a preview of the whole essay

The Data Protection Act contains eight basic principles. These eight basis principles form the backbone of the Act:

Personal data must:

…be processed fairly and lawfully
…be obtained for specified and lawful purposes
…be adequate, relevant and not excessive for the purpose
…be accurate and up-to-date
…not be kept longer than necessary
…be processed within the rights of data subjects
…be kept secure against loss, damage and unauthorised and unlawful processing
…not be transferred to countries outside the European Economic Area

Looking at the eight principles mentioned above, the first five of them establishes the general standards of data quality.

The sixth principle states that the personal data must be processed in accordance with the rights of data subjects. Some of theses rights include the data subject’s right to:

find out what data is being processed about them, in what manner and why
find out if data is being passed to third parties and who those third parties likely to be
find out where the data about them came from
prevent processing about them which is likely to, “cause damage or stress”
prevent the processing of data for the purpose of direct marketing
ensure the removal or correction of any inaccurate data about them

The seventh principle requires data controllers to make sure that they have in place, ‘adequate security and technical measure’ to protect personal data from abuse, loss, destruction or damage. The purpose of the principle is to make sure that the protection of personal data given in the Act is not invalidated by the actions of a computer hacker or from other activities.

The eighth principle requires data controllers to make sure that no data is transferred to any country outside the European Economic Area (EEA), unless the country can provide a similar level of legal protection to that provided for in the EEA.

Computer Misuse Act 1990

The Computer Misuse Act 1990 deals with the following offences:

Hackers- unauthorised access to any program or data held in a computer. Penalty is a maximum fine of £2000 and a six month prison sentence
Computer fraud and blackmail- unauthorised access with a further criminal intent. The penalty is an unlimited fine and a maximum of five year prison sentence
Viruses- unauthorised modification of computer material (e.g. programs or data). The penalty is an unlimited fine a maximum of five year prison sentence

The Copyright, Design and Patent Act 1989 deals with a wide range of intellectual property, such as music, literature and software. The Act covers stealing software, using illegally copied software and manuals, and running purchased software on two or more machines at the same time, without a suitable licence. The legal penalties for violating the copyright law include unlimited fines and up to two years prison.

Although the Act prevents offenders copying software, more and more people are violating the law and are getting away with it. As a result, there are two organisations that aim to stop software being copied. The two organisations are:

The Federation Against Software Theft (FAST)- this is a non-profit organisation which aim to promote the legal use of software
The Business Software Alliance (BSA)- this organisation exists to make organisations and their employers aware of the law and encourage its carrying out

Health and Safety at Work Act 1974

The Health and Safety at Work Act 1974 (the short form is HASWA), provides the general duties and responsibilities that employers have to their employees and to members of the public, and to those that employees have to themselves and each other.

Under the Health and Safety Act 1974, all employers have to:

ensure the health, safety and welfare at work of their employees, particularly regarding to the following:

safe entry and exist routes
safe working environment
well-maintained, safe equipment
safe storage of articles and substances
provision of protective clothing
information on safety
suitable training and supervision

prepare and continually update a written policy of the company and pass this to all employees
allow for the appointment of safety representatives selected by a recognised trade union

Under the Health and Safety Act 1974, all employees have to:

take reasonable care of their own health and safety and that of others who may be affected by their activities
co-operate wit their employer and anyone acting on his or her behalf to meet the health and safety requirements

I have included a copy of IKEA Health and Safety policy in the Appendix section.

Health and Safety (Visual Display Screen Equipment) Regulations 1992

The health and safety regulations have an effect on employed workers, who regularly use Visual Display Units (VDU), for a significant part of their normal work. These regulations were introduced to prevent repetitive strain injury (RSI), fatigue and eye problems in the use of technological equipment.

Under the Health and Safety (Visual Display Screen Equipment) Regulations 1992, employers have to:

analysis the workstations of employees covered by the Regulation and assess and reduce any risks
look at the hardware, the environment and factors specific to the individuals using the equipment. If any risk found, the employer must take action to reduce them
make sure that the workstations meet the minimum requirements
make sure that there are good features in employees’ workstation. For example, the screen should have adjustable brightness and contrast controls. This allows employees to fin a comfortable level of their eyes, helping to prevent the problem of tired eyes and eyestrain
plan work, so there are short, frequent breaks or changes of activity
arrange and pay for eye and eyesight tests and provide employees with spectacles. Employers are responsible for providing further eye tests at regular intervals
provide health and safety training, so employees can able to use all aspects of their workstation equipment, safely, and know hw to make best use of it to prevent health problems, e.g. by adjusting the chair

Employees also have a responsibility to:

use workstations and equipment correctly, in accordance with training provided by the employers
bring any problems to the attention of their employer immediately and co-operate in the correction of these problems

I have included a copy of IKEA Health and Safety policy in the Appendix section.

Legal aspects of using the Internet

There are number of laws that IKEA needs to be aware of, when using the Internet as a source of information within the organisation. Some of these laws are mentioned below:

Data Protection Act 1984- see pages 140 to 141
Computer Misuse Act 1990- see page 141
Copyright, Design and Patent Act 1989- see page 142
Internet Code of Practice
Regulations of Investigatory Powers Act 2000

Internet Code of Practice (ICOP)

The Internet Code of Practice is not a law, but it is an agreement which aims to protect Internet users. Many businesses, such as IKEA have registered on the Internet Content Register () for a small fee. Once IKEA have registered they can display the ICR seal. The ICR seal shows that the site conforms to the code of practice.

A summary of the ICOP is given, below:

Audience- the information must be suitable for viewing by its target audience. Any offensive material should have a security mechanism to avoid any accidental access, i.e. particularly by young children. Links to any external sites should be checked for any offensive material
Advertising- any unwanted e-mails and Spam should not be used as an advertising method. According to the Advertising Standards Authority (ASA), advertisement should be, ‘legal, decent, honest, truthful and not misleading’. Prices and delivery-date information should be clear and accurate. All advertisement must show the identify of the advertiser and the full contact postal address
Contracts- any standard terms and conditions used should be clearly drawn to the attention of the customer. According to Supply of Goods Act 1979 and 1995, all goods must be, of satisfactory quality’, at all time of delivery to the customer
Copyright and information ownership- the international rights to all site content must be secured or owned by the publisher, before its release on the internet. Copyright should be obtained in all countries concerned as the internet go beyond the national boundaries. Links to other pages should have the permission of the target-link site. All trade and similar marks should be clearly displayed and identified by the customer
Information- all images, audio and video clips should be compressed to keep download times and bandwidth requirements to a minimum. Private data (this includes e-mail, network and postal addresses, telephone numbers, payment card details, etc) should not be disclosed to third parties, without the permission of the data subject. The information should also not promote illegal acts
Applets, browser script and CGI usage- no program should consume system resources or network bandwidth, unnecessary. No program should destroy or damage any data held on the viewer’s computer or network. Also, no program should try to access information about the viewer or the viewer’s computer system
Mail and news- when sending e-mail to more than on individual, it is cheaper than using ordinary mail. When sending an advertising mail through the post, it is very costly to the sender. Any kind of unwanted communication is often considered unwelcome to the recipient. As a result, the ICR members should agree not to send, encourage, or contribute to chain letter, or Spam

Regulations of Investigatory Powers Act 2000

The regulations of Investigatory Powers Act 2000, defines the powers the government has with regard to access to information and the security of the information. The act provides the government the right to perform intelligence surveillance and to spy on electronic communications and data.

Legal aspects of using the e-mail

IKEA must be aware of the legal aspects of e-mail usage and guidelines for good practice. I have gone onto the Internet and have found some information on how to use the e-mail in an appropriate way in the organisation. A copy of the E-mail Usage Guideline is in the Appendix section.

Laws to consider when using the e-mail

There are two main laws that IKEA co-workers need to become aware of when using the e-mail within the organisation. They are:

Data Protection Act 1984- see pages 140 to 141
Directive on Privacy and Electronic Communications 2002- this Act of Parliament focuses on the specific information on e-mail marketing

Legal aspects of using e-commerce

There are two main laws that IKEA needs to consider, when they launch their new e-commerce website in the UK, later this year (see article in Appendix section). They are:

Regulations on e-commercial activities
European Directive

Regulations on e-commercial activities

Before IKEA can launch its new e-commerce website (see article in Appendix section), they need to be aware of the regulations, which contains a set of legal requirements for commercial web sites covering all aspects of usability and commercial communication. These regulations are aim to cover purchases of goods on-line, as well as commercial services offered on the web, in order to protect consumers. For example, if IKEA were to sell products online, which they will start doing soon, whatever the price would be online must be the same as in the shop, so it does not confuse the customer. Selling products online is a good way of advertising products to IKEA customers.

A most recent regulation wants businesses to provide customers clear descriptions of the different ways, in which online transactions can be completed. If something goes wrong with the transaction, the company may loose most of its customers. More importantly, the Company website must be effective and accessible, and the means of correcting input errors prior to completion of the order when place online.

European Directive

The European Directive aims to establish a common standard for e-commerce within the European Union. The European Directive provides protection to customer, when they purchase goods on the web. This will help IKEA satisfy its customers, as they will be aware that they will be protected, if they are entitled to purchase any product from IKEA.

IKEA IT policies

All IKEA co-workers have to obey the following four IT policies, when using the information technology function within the organisation:

IT Policy
IT Network Policy
IT Information Security Policy
Internet Policy

IT Policy

The IT Policy states that IKEA uses the information technology to support the business operations with appropriate and cost-effective solutions, to help the business operations to achieve increased customer benefits and to maximise business opportunities.

The IT Policy focuses on IKEA IT systems and ensuring that they are user-friendly and cost-effective. The IT contingency planning is concerned with the preventive measures to ensure continuous business operation. The IT contingency planning is also concern in creating a cost-effective balance between the level of IT Security and the cost of a business operations’ breakdown, or the value of the information, taking both internal and external demand into account.

IT Network Policy

The Corporate IT Network Policy states that IKEA has an Integrated Services Digital Network (ISDN). The advantages of having an ISDN are: it can transmit video and voice signals in digitised format; there is no need for modems; there is no need to transform the computer’s information into sound; and information transfer is faster and more reliable.

The Corporate IT Network Policy is concerned with the efficiency of using the Integrated Service Digital Network within IKEA.

IT Information Security Policy

The IT Information Security Policy is focuses on all preventive measures to reduce security risks and threats relating to the disclosure of information. Such threats can be internal or external, intentional or unintentional.

The IT Information Security Policy is also concern in creating a risk and cost-effective balance between the level of IT Security and the value of the information, taking both internal and external demands into account.

Internet Policy

The Internet Policy focuses on the risk of unauthorised people breaking into the IKEA Group IT Network and the misuse of the Internet.

The misuse of the Internet is when employees do not use the IT facilities to help the business operations. There are number of ways that IKEA co-workers can abuse such resources, e.g.:

wasting time playing games, when they should be working
installing

One of the ways in which IKEA can prevent the misuse of the Internet is, by getting their co-workers to sign a code of conduct of conduct. It is important that IKEA to get its co-workers to sign a computer code of conduct, to make it clear what the co-workers are allowed to do and what is not permitted.

A copy of all IKEA IT policies is in the Appendix section.

Protecting data

Computers are vulnerable to crime and abuse, natural disaster and human error. This can make it difficult for businesses, such as IKEA to protect their data. However, there are some procedures that IKEA currently follows, to ensure that data is not lost or damaged, under any circumstances:

Use appropriate filenames and locations
Save work regularly
Make backup of data
Use login names and passwords
Write-protection disks
Access rights
Securing against fraudulent use or malicious damage
Protection against viruses

Using appropriate filenames and locations

IKEA co-workers can loose their valuable time looking for a particular file which was saved some time ago. For example, a filename called Letter1 will tell co-workers nothing about the content and the recipient. It is good practice to set up a structure of folders and subfolders with sensible and meaningful names in which to save different types of files.

Save work regularly

While working on the computer, it is important to save your work every five minutes, to ensure that in the event of a power cut or some other unexpected occurrence, you do not lose mare than a few minutes’ work.

Make backup of data

It is important for IKEA co-workers to backup their work, by copying it onto another disk or into another folder with a different filename. If IKEA co-workers were to use a floppy disk, a Universal Serial Bus (USB) or a CD to backup their data, they should label it carefully and store it in a different place from the computer.

Users IDs and passwords

Each user within IKEA, who is permitted to access the company database, is issued with a used ID and a password. The user ID and the password will provide IKEA users a certain level of access rights set by the database manager. These are the common rules issued by businesses, such as IKEA about passwords:

Password should contain a minimum of 6 characters
Password display should be automatically hidden on the screen or printed output
Files containing passwords should be encrypted
All users must ensure that their password is kept confidential, not written down, not made up of easily guessed words and is changed at least every three months

Write-protection disks

All floppy disks and tapes have a write-protect mechanism, which is designed to protect data being accidentally overwritten by a user.

Access rights

Access rights to a particular collection of data can be set to Read-Only, Read/Write or No Access. This ensures that users within IKEA can only gain access to data which are permitted to see, and can only alter data on the database, if they are authorised to do so.

Securing against fraudulent use or malicious damage

Businesses, such as IKEA are often exposed to the possibility of fraud, deliberate corruption of data by disgruntled employees or theft of software or data which may fall into the hands of competitors. There are number of ways to reduce the effect of these risks, e.g.

Immediately remove employees, who have been sacked or who hand in their resignation, and cancel all their passwords and authorisations
Stop unauthorised access by employees and other to secure areas, such as computer operation rooms, by means of machine readable cards or badges or other types of locks
Use passwords to gain access to the computer system from terminals
Educate staff to be aware of the possible breach of security and to be alert in stopping them or reporting them

Protection against viruses

These are the basic steps which can be taken to reduce the risk of suffering damage from different viruses:

Ensure that all purchased software comes in sealed, and tamper-proof packaging
Do not permit floppy disks, USBs or CDs containing software or data to be removed from or brought into the office
Use anti-virus software to check all floppy disks, USBs and CDs before use. This is often called the sheep dip station

Created by Baljinder Duhra -