The Data Protection Act contains eight basic principles. These eight basic principles form the backbone of the Act:
Personal data must:
- …be processed fairly and lawfully
- …be obtained for specified and lawful purposes
- …be adequate, relevant and not excessive for the purpose
- …be accurate and up-to-date
- …not be kept longer than necessary
- …be processed within the rights of data subjects
- …be kept secure against loss, damage and unauthorised and unlawful processing
- …not be transferred to countries outside the European Economic Area
Looking at the eight principles mentioned above, the first five of them establish the general standards of data quality.
The sixth principle states that personal data must be processed in accordance with the rights of data subjects. Some of these rights include the data subject’s right to:
- find out what data is being processed about them, in what manner and why
- find out if data is being passed to third parties and who those third parties are likely to be
- find out where the data about them came from
- prevent processing about them which is likely to “cause damage or stress”
- prevent the processing of data for the purpose of direct marketing
- ensure the removal or correction of any inaccurate data about them
The seventh principle requires data controllers to make sure that they have in place ‘adequate security and technical measure’ to protect personal data from abuse, loss, destruction or damage. The purpose of the principle is to make sure that the protection of personal data given in the Act is not invalidated by the actions of a computer hacker or by other activities.
The eighth principle requires data controllers to make sure that no data is transferred to any country outside the European Economic Area (EEA), unless the country can provide a similar level of legal protection to that provided for in the EEA.
Computer Misuse Act 1990
The Computer Misuse Act 1990 deals with the following offences:
- Hackers - unauthorised access to any program or data held in a computer. The penalty is a maximum fine of £2000 and a six-month prison sentence
- Computer fraud and blackmail - unauthorised access with a further criminal intent. The penalty is an unlimited fine and a maximum five-year prison sentence
- Viruses - unauthorised modification of computer material (e.g. programs or data). The penalty is an unlimited fine and a maximum five-year prison sentence
Copyright, Design and Patent Act 1989
The Copyright, Design and Patent Act 1989 deals with a wide range of intellectual property, such as music, literature and software. The Act covers stealing software, using illegally copied software and manuals, and running purchased software on two or more machines at the same time without a suitable licence. The legal penalties for violating the copyright law include unlimited fines and up to two years in prison.
Although the Act prohibits offenders from copying software, more and more people are violating the law and getting away with it. As a result, there are two organisations that aim to stop software being copied. The two organisations are:
- The Federation Against Software Theft (FAST) - this is a non-profit organisation which aims to promote the legal use of software
- The Business Software Alliance (BSA) - this organisation exists to make organisations and their employers aware of the law and to encourage compliance with it
Health and Safety at Work Act 1974
The Health and Safety at Work Act 1974 (the short form is HASWA), provides the general duties and responsibilities that employers have to their employees and to members of the public, and to those that employees have to themselves and each other.
Under the Health and Safety Act 1974, all employers have to:
- ensure the health, safety and welfare at work of their employees, particularly regarding the following:
- safe entry and exit routes
- safe working environment
- well-maintained, safe equipment
- safe storage of articles and substances
- provision of protective clothing
- information on safety
- suitable training and supervision
- prepare and continually update a written policy of the company and pass this to all employees
- allow for the appointment of safety representatives selected by a recognised trade union
Under the Health and Safety Act 1974, all employees have to:
- take reasonable care of their own health and safety and that of others who may be affected by their activities
- co-operate with their employer and anyone acting on his or her behalf to meet the health and safety requirements
I have included a copy of IKEA Health and Safety policy in the Appendix section.
Health and Safety (Visual Display Screen Equipment) Regulations 1992
These health and safety regulations apply to employed workers who regularly use Visual Display Units (VDUs) for a significant part of their normal work. The regulations were introduced to prevent repetitive strain injury (RSI), fatigue and eye problems in the use of technological equipment.
Under the Health and Safety (Visual Display Screen Equipment) Regulations 1992, employers have to:
- analyse the workstations of employees covered by the Regulations and assess and reduce any risks
- look at the hardware, the environment and factors specific to the individuals using the equipment. If any risks are found, the employer must take action to reduce them
- make sure that the workstations meet the minimum requirements
- make sure that there are good features in employees’ workstations. For example, the screen should have adjustable brightness and contrast controls. This allows employees to find a comfortable level for their eyes, helping to prevent the problem of tired eyes and eyestrain
- plan work so that there are short, frequent breaks or changes of activity
- arrange and pay for eye and eyesight tests and provide employees with spectacles. Employers are responsible for providing further eye tests at regular intervals
- provide health and safety training, so that employees are able to use all aspects of their workstation equipment safely and know how to make best use of it to prevent health problems, e.g. by adjusting the chair
Employees also have a responsibility to:
- use workstations and equipment correctly, in accordance with training provided by the employers
- bring any problems to the attention of their employer immediately and co-operate in the correction of these problems
Legal aspects of using the Internet
There are a number of laws that IKEA needs to be aware of when using the Internet as a source of information within the organisation. Some of these laws are mentioned below:
- Data Protection Act 1984 - see pages 140 to 141
- Computer Misuse Act 1990 - see page 141
- Copyright, Design and Patent Act 1989 - see page 142
- Internet Code of Practice
- Regulations of Investigatory Powers Act 2000
Internet Code of Practice (ICOP)
The Internet Code of Practice is not a law, but an agreement which aims to protect Internet users. Many businesses, such as IKEA, have registered on the Internet Content Register for a small fee. Once IKEA have registered they can display the ICR seal. The ICR seal shows that the site conforms to the code of practice.
A summary of the ICOP is given, below:
- Audience - the information must be suitable for viewing by its target audience. Any offensive material should have a security mechanism to avoid any accidental access, particularly by young children. Links to any external sites should be checked for any offensive material
- Advertising - unwanted e-mails and spam should not be used as an advertising method. According to the Advertising Standards Authority (ASA), advertisements should be ‘legal, decent, honest, truthful and not misleading’. Prices and delivery-date information should be clear and accurate. All advertisements must show the identity of the advertiser and the full contact postal address
- Contracts - any standard terms and conditions used should be clearly drawn to the attention of the customer. According to the Supply of Goods Act 1979 and 1995, all goods must be ‘of satisfactory quality’ at the time of delivery to the customer
- Copyright and information ownership - the international rights to all site content must be secured or owned by the publisher before its release on the Internet. Copyright should be obtained in all countries concerned, as the Internet goes beyond national boundaries. Links to other pages should have the permission of the target-link site. All trade and similar marks should be clearly displayed and identifiable by the customer
- Information - all images, audio and video clips should be compressed to keep download times and bandwidth requirements to a minimum. Private data (this includes e-mail, network and postal addresses, telephone numbers, payment card details, etc.) should not be disclosed to third parties without the permission of the data subject. The information should also not promote illegal acts
- Applets, browser script and CGI usage - no program should consume system resources or network bandwidth unnecessarily. No program should destroy or damage any data held on the viewer’s computer or network. Also, no program should try to access information about the viewer or the viewer’s computer system
- Mail and news - sending e-mail to more than one individual is cheaper than using ordinary mail, whereas sending advertising mail through the post is very costly to the sender. Any kind of unwanted communication is often considered unwelcome by the recipient. As a result, ICR members should agree not to send, encourage or contribute to chain letters or spam
Regulations of Investigatory Powers Act 2000
The Regulations of Investigatory Powers Act 2000 defines the powers the government has with regard to access to information and the security of that information. The Act gives the government the right to perform intelligence surveillance and to spy on electronic communications and data.
Legal aspects of using the e-mail
IKEA must be aware of the legal aspects of e-mail usage and guidelines for good practice. I have gone onto the Internet and have found some information on how to use the e-mail in an appropriate way in the organisation. A copy of the E-mail Usage Guideline is in the Appendix section.
Laws to consider when using the e-mail
There are two main laws that IKEA co-workers need to become aware of when using the e-mail within the organisation. They are:
- Data Protection Act 1984 - see pages 140 to 141
- Directive on Privacy and Electronic Communications 2002 - this Act of Parliament focuses on the specific information on e-mail marketing
Legal aspects of using e-commerce
There are two main laws that IKEA needs to consider, when they launch their new e-commerce website in the UK, later this year (see article in Appendix section). They are:
- Regulations on e-commercial activities
- European Directive
Regulations on e-commercial activities
Before IKEA can launch its new e-commerce website (see article in Appendix section), they need to be aware of the regulations, which contain a set of legal requirements for commercial web sites covering all aspects of usability and commercial communication. These regulations aim to cover purchases of goods online, as well as commercial services offered on the web, in order to protect consumers. For example, if IKEA were to sell products online, which they will start doing soon, the price online must be the same as in the shop, so that it does not confuse the customer. Selling products online is a good way of advertising products to IKEA customers.
The most recent regulation requires businesses to provide customers with clear descriptions of the different ways in which online transactions can be completed. If something goes wrong with the transaction, the company may lose most of its customers. More importantly, the company website must be effective and accessible, and must provide the means of correcting input errors prior to completion of an order placed online.
European Directive
The European Directive aims to establish a common standard for e-commerce within the European Union. The European Directive provides protection to customers when they purchase goods on the web. This will help IKEA satisfy its customers, as they will be aware that they are protected if they are entitled to purchase any product from IKEA.
IKEA IT policies
All IKEA co-workers have to obey the following four IT policies, when using the information technology function within the organisation:
- IT Policy
- IT Network Policy
- IT Information Security Policy
- Internet Policy
IT Policy
The IT Policy states that IKEA uses the information technology to support the business operations with appropriate and cost-effective solutions, to help the business operations to achieve increased customer benefits and to maximise business opportunities.
The IT Policy focuses on IKEA IT systems and on ensuring that they are user-friendly and cost-effective. IT contingency planning is concerned with the preventive measures that ensure continuous business operation. IT contingency planning is also concerned with creating a cost-effective balance between the level of IT security and the cost of a breakdown of business operations, or the value of the information, taking both internal and external demands into account.
IT Network Policy
The Corporate IT Network Policy states that IKEA has an Integrated Services Digital Network (ISDN). The advantages of having an ISDN are: it can transmit video and voice signals in digitised format; there is no need for modems; there is no need to transform the computer’s information into sound; and information transfer is faster and more reliable.
The Corporate IT Network Policy is concerned with the efficiency of using the Integrated Service Digital Network within IKEA.
IT Information Security Policy
The IT Information Security Policy focuses on all preventive measures to reduce security risks and threats relating to the disclosure of information. Such threats can be internal or external, intentional or unintentional.
The IT Information Security Policy is also concerned with creating a risk- and cost-effective balance between the level of IT security and the value of the information, taking both internal and external demands into account.
Internet Policy
The Internet Policy focuses on the risk of unauthorised people breaking into the IKEA Group IT Network and the misuse of the Internet.
Misuse of the Internet is when employees do not use the IT facilities to help the business operations. There are a number of ways in which IKEA co-workers can abuse such resources, e.g.:
- wasting time playing games, when they should be working
- installing
One of the ways in which IKEA can prevent the misuse of the Internet is by getting its co-workers to sign a code of conduct. It is important for IKEA to get its co-workers to sign a computer code of conduct, to make it clear what the co-workers are allowed to do and what is not permitted.
A copy of all IKEA IT policies is in the Appendix section.
Protecting data
Computers are vulnerable to crime and abuse, natural disaster and human error. This can make it difficult for businesses such as IKEA to protect their data. However, there are some procedures that IKEA currently follows to ensure that data is not lost or damaged under any circumstances:
- Use appropriate filenames and locations
- Save work regularly
- Make backup of data
- Use login names and passwords
- Write-protection disks
- Access rights
- Securing against fraudulent use or malicious damage
- Protection against viruses
Using appropriate filenames and locations
IKEA co-workers can lose valuable time looking for a particular file which was saved some time ago. For example, a file called Letter1 tells co-workers nothing about its content or its recipient. It is good practice to set up a structure of folders and subfolders with sensible and meaningful names in which to save different types of files.
Save work regularly
While working on the computer, it is important to save your work every five minutes, to ensure that in the event of a power cut or some other unexpected occurrence you do not lose more than a few minutes’ work.
Make backup of data
It is important for IKEA co-workers to back up their work by copying it onto another disk or into another folder with a different filename. If IKEA co-workers use a floppy disk, a Universal Serial Bus (USB) device or a CD to back up their data, they should label it carefully and store it in a different place from the computer.
User IDs and passwords
Each user within IKEA who is permitted to access the company database is issued with a user ID and a password. The user ID and the password give IKEA users a certain level of access rights, set by the database manager. These are the common rules issued by businesses such as IKEA about passwords:
- Passwords should contain a minimum of 6 characters
- Password display should be automatically hidden on the screen or printed output
- Files containing passwords should be encrypted
- All users must ensure that their password is kept confidential, not written down, not made up of easily guessed words and is changed at least every three months
Write-protection disks
All floppy disks and tapes have a write-protect mechanism, which is designed to protect data from being accidentally overwritten by a user.
Access rights
Access rights to a particular collection of data can be set to Read-Only, Read/Write or No Access. This ensures that users within IKEA can only gain access to data which they are permitted to see, and can only alter data on the database if they are authorised to do so.
Securing against fraudulent use or malicious damage
Businesses such as IKEA are often exposed to the possibility of fraud, deliberate corruption of data by disgruntled employees, or theft of software or data which may fall into the hands of competitors. There are a number of ways to reduce the effect of these risks, e.g.:
- Immediately remove employees who have been sacked or who hand in their resignation, and cancel all their passwords and authorisations
- Stop unauthorised access by employees and others to secure areas, such as computer operation rooms, by means of machine-readable cards or badges or other types of locks
- Use passwords to gain access to the computer system from terminals
- Educate staff to be aware of possible breaches of security and to be alert in stopping or reporting them
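As an added example (not IKEA's own code), the small account registry below enforces the password rules from the "User IDs and passwords" section (minimum of 6 characters, no easily guessed words, changed at least every three months, passwords never stored in clear), the Read-Only / Read/Write / No Access rights from "Access rights", and the immediate cancellation of a leaver's passwords and authorisations from the list above. The user IDs, passwords and the short word list are constructed for the example.

```python
# Added example, not IKEA's code: account registry enforcing the page's
# password rules, access rights and immediate revocation of leavers.
from datetime import date, timedelta
from hashlib import sha256

MIN_LENGTH = 6                 # "a minimum of 6 characters"
MAX_AGE = timedelta(days=90)   # "changed at least every three months"
# Constructed stand-in for a dictionary of easily guessed words.
EASILY_GUESSED = {"password", "ikea", "letmein", "123456", "qwerty"}
ACCESS_LEVELS = {"No Access": set(), "Read-Only": {"read"},
                 "Read/Write": {"read", "write"}}


def _hash(password):
    # Never keep passwords in clear. sha256 keeps the example dependency-free;
    # a production system should use a salted, slow hash such as bcrypt or argon2.
    return sha256(password.encode("utf-8")).hexdigest()


def check_password(password):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in EASILY_GUESSED:
        problems.append("easily guessed word")
    return problems


class Registry:
    def __init__(self, today=None):
        self.today = today or date.today()
        self.accounts = {}   # user_id -> {hash, changed, access, active}

    def advance(self, days):
        """Move the registry's clock forward (used to show password expiry)."""
        self.today += timedelta(days=days)

    def add_user(self, user_id, password, access):
        problems = check_password(password)
        if problems or access not in ACCESS_LEVELS:
            raise ValueError("; ".join(problems) or "unknown access level")
        self.accounts[user_id] = {"hash": _hash(password), "changed": self.today,
                                  "access": access, "active": True}

    def login(self, user_id, password):
        """True only for an active account, correct password, not older than MAX_AGE."""
        acct = self.accounts.get(user_id)
        if acct is None or not acct["active"] or acct["hash"] != _hash(password):
            return False
        return self.today - acct["changed"] <= MAX_AGE

    def permitted(self, user_id, operation):
        """Access-rights check: 'read' or 'write' against the account's level."""
        acct = self.accounts.get(user_id)
        return bool(acct and acct["active"] and operation in ACCESS_LEVELS[acct["access"]])

    def remove_user(self, user_id):
        """Leaver: cancel the account and all its authorisations at once."""
        if user_id in self.accounts:
            self.accounts[user_id].update(active=False, access="No Access")
```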
Protection against viruses
These are the basic steps which can be taken to reduce the risk of suffering damage from different viruses:
- Ensure that all purchased software comes in sealed, and tamper-proof packaging
- Do not permit floppy disks, USBs or CDs containing software or data to be removed from or brought into the office
- Use anti-virus software to check all floppy disks, USBs and CDs before use. This is often called a sheep dip station
Created by Baljinder Duhra