Laws on Information Technology in the UK - Report Example

?United Kingdom Information Technology related Laws Information Technology has become part and parcel of our lives that it is but prudent to ensure that the rights of every individual are protected while maximizing the use and optimizing its benefit. The laws discussed herein are enforced within the United Kingdom to ensure that its residents enjoy the use and wonder of Information Technology without the burden of being taken advantaged off by individuals with nefarious intent. These laws were crafted to protect the identity of individuals, safeguard a resident’s right to privacy of his communication and the recognition of a person’s electronic signature as a valid representation of his identity. The Data Protection Law in general was enforced in response to the ease in which information about an individual can be obtained that infringe upon his privacy if not his identity. Illegally obtained data, records or information about an individual are often used in crimes that involve identity theft. Other usage of data about a person includes blackmail, kidnapping and other crimes. Data Protection Act of 1998 The Data Protection Act of 1998 was in response to the European Directive of 1995 that required member states to protect the right to privacy of every citizen in the European Union. Recognizing the borderless nature of internet transactions, the need for this law to be passed in every state is of outmost importance to ensure that no European will be victimized within the European Union by fellow Europeans engaged in criminal activities. The Data Protection Act was very explicit in limiting the information to be gathered by organizations from an individual to ensure that only what is needed by the organization can be gathered. The Data Protection Act also mandates that the information gathered from an individual or generated for an individual by an establishment should not be kept longer than necessary. The provision cited herein has the intention of ensuring that no data or information can be obtained that can be used in stealing and replicating an identity. However, there are instances where problems still occur. In September 2010, Brighton General Hospital was robbed of Hard Drives that contained confidential information of patients of the said hospital. Although, the Chief Executive of Brighton and Sussex University Hospitals NHS Trusts stated that the Hard Drives have been released to a contractor who was paid to destroy the Hard Drives, unfortunately the contractor sold them on E-Bay. As soon as they have been informed of the theft, they were able to catch and recover the hard drives with the help of the local police. The Information Commissioner’s Office stated that the watchdog suggested that the fine of the hospital be 375,000 pounds. The 375,000 pound fine is the biggest fine that the Information Commissioner’s Office has issued. (OUT-LAW.com, 2012) Kent County Council has been named as the number one organization that loses private data of their clients in the United Kingdom. There had been 72 reports of theft between the years 2008 and 2011. One incident was mentioned in the article where a worker lost a USB drive that contained information regarding students somewhere. Most of the Kent County Council’s loss of data incidents includes the loss of laptops, documents that were misplaced or accidentally left outside a car. Another incident mentioned were parents receiving a report of a different child. Although the Kent County Council was not held liable for some incidents which is illustrated in an incident where one family posted case notes pictures on Facebook, making it accessible to anyone. However, it is no big surprise that they came out as Number One with respect to data loss since they are a big authority in the United Kingdom. (BBC, 2011) Zurich Insurance was issued a fine of 2,300,000 million pounds by the Financial Service Authority for the data loss incident in August 2008 involving 46,000 of its customers. The data loss occurred when they were transferring data to storage centre in South Africa. The Financial Service Authority stated that the Zurich Insurance did not take good care of the customer data because they did not see to it that the data would arrive safely to its destination. They failed to see the arrangement and lost control of the processing of data in Zurich South Africa. It did not help their case that they were not aware of the data loss until a year later. The Financial Service Authority said that the Organisations in the Financial Sector should learn from the mistakes of Zurich. (BBC, 2010) Another concrete example is the Police Force’s loss of a memory stick where the Investigation Data in Edinburgh were stored. The data contained sensitive data that would have helped the police force capture and/or apprehend criminals. The memory stick contained valuable information of about 750 ‘of interest’ cars. Again, valuable resources were spent as police both from the Lothian and the Borders have exhaustively investigated the case. (BBC, 2009) Another loss of data incident occurred in 2009 that involved 2000 staff member personal details. They were placed in a disk that was misplaced by TNT, a courier firm. Although the British government allayed fears by stating that the data would not be accessed since the disk was encrypted with protection. In this instance, TNT expended efforts to locate to the misplaced disk which could have been prevented if the necessary precautions are put in place. The Government took extensive measure to locate the disk since there were a lot of personal data within the disk although the data did not belong to council members. (BBC, 2009) In 2008, a loss of data incident caused a Tax Website to go down. They lost around 12,000,000 details of customers in a USB Drive that was found in Brewers Fayre pub a few weeks after the loss. Security experts advised that the website should be taken down since there is a risk of hackers got a hold of the data in the USB and use the information retrieved from the USB to access accounts in the USB Drive. The company responsible for the loss of the USB Drive issued a disclaimer stating that one of their employees was responsible and refused to further comment on the subject. (Boffey, 2008) Another incident occurred in one of NHS Hospital where a discharged patient brought home files of patients of the hospital. The files included names of patients and their current medical condition. Before the incident, another occurred in one of the Hospitals that had pictures, x-rays and other information found in the files scattered in the halls of the hospital. Police have conducted investigation regarding this matter. The hospital can only apologized to the families that have been affected by both incidents and issued a reassurance that measures are being undertaken to resolve the matter. (BBC, 2008) According to a new report made by the Big Brother Watch, only 55 cases of loss of data have been filed out of more than 1000 cases. Most cases involve the social care records and criminal records of people. The personal information of children and/or students had been exposed to the public due to the loss of laptops, memory sticks, phone and other gadgets that could hold data. People have lost their jobs over these breaches of security but only 55 were reported. The response made by the Information Commission’s Office required them to have a greater evaluating power and to create a format of reporting the loss of data incidents. Simple loss of data incidents would not be expected to be reported but it is advised that the local government report the loss to the Information Commission’s Office. The Information Commission’s did not require local government to use a format in submitting the reports (Espiner, 2011). There is a need to mention other laws that necessitates the protection of data or information of clients. The Electronic Commerce of 2002 recognizes the validity of electronic transactions. In order for this law to be effective and efficacious, the mode of transmission and integrity of information protected by the Data Protection Act of 1998 should be absolute and strictly enforced. The same is true for the Electronic Comminication Act of 2000 recognizes the validity of electronic signatures in commercial, private and public transactions as legally binding. It should be noted however, that the Data Protection Act of 1998 also derive help through the enforcement of the Computer Misuse Act of 1990. While the Data Protection Act details the enforcement process in protecting the data of citizens, the Computer Misuse Act of 1990 punishes the perpetrators of violators. Weaknesses of Each Laws Any law no matter how well it has been crafted has inherent weaknesses that prevent it from exacting its actual intent. The laws’ weaknesses may not come from the limited vision or precognition of its crafters but in the landscape where it will be enforced. The transnational nature of crimes most especially those committed over the internet make laws enforced in one country inutile if the perpetrators are outside the reach of its laws. More often than not the weakness can also stem from the utter lack of technology that will ensure its efficient enforcement. What is lamentable is the insufficient mechanism to enforce the law thus leading to the failure of the law to actually satisfying its intent. Another challenge that translates to the weakness of Information Technology laws is the level of technology used by companies and the level of technology used by criminals in getting private data from companies. Such deficiencies are the monitoring of the lack or the sufficiency of protection given by companies to protect the personal data of their clients. It should be noted however that the sufficiency of protection is often defined by the level of technology used by organizations to protect their client’s data. Given that criminals are always one step ahead in terms of technology it is difficult to ascertain what is sufficient in terms of standard security protection. Adequate protection or its definition thereof is another weakness that is common to all types of laws governing information technology. A weak set of penalty also allow the proliferation of institutionalized hacking such as those done by large corporation engaged in corporate espionage. The need for international treaties to be formulated to ensure that trans-border hacking is also prosecuted wherever they are. The protection of the law as it exists in every member states within the European Union is only enforceable within the member states. Thus the need for an international treaty that will make the same version of the law enforceable in every nation of the world is needed. Only then would the individual private information can be protected. Impact of Information Technology laws of the United Kingdom to professionals The need to comply with Information Technology laws have created another branch if not another skill set in the Information Technology industry that have defined a career path with the onus of governance and compliance. The primary responsibility of an Information Technology Professional specializing in Governance and Compliance is to ensure that Information Technology Infrastructure including applicable policies and procedures is compliant to the requirements of the law. To illustrate: Information Technology Governance and Compliance professional should ensure that adequate protection is provided to secure computer records, data or information in compliance to the Data Protection Act of 1998. The laws not only legitimize the need for an information security system in every information technology infrastructure through a legislated fresh mandate to secure data from hackers, identity thieves and persons with criminal intent. The new laws also gave awareness to the existence of unseen threats that made the public more vigilant in protecting information about them and their privacy. All of a sudden information security is not only about protection against malicious viruses and other malwares it is about real threats and crimes. The overall perception with regard to the information technology profession has also changed with the landscape. Renewed demand for better service in accordance to agreed service level is also exacted from the industry. More accountability with regards to security and system performance is not only expected but is made an integral part of the performance of information technology practitioners. Bibliography BBC, 2008. Patient data breach at hospital. [Online] Available at: http://news.bbc.co.uk/2/hi/uk_news/scotland/glasgow_and_west/7700075.stm [Accessed 12 May 2012]. BBC, 2009. British Council staff data lost. [Online] Available at: http://news.bbc.co.uk/2/hi/uk_news/7850173.stm [Accessed 12 May 2012]. BBC, 2009. Police force loses memory stick. [Online] Available at: http://news.bbc.co.uk/2/hi/uk_news/scotland/edinburgh_and_east/7932228.stm [Accessed 12 May 2012]. BBC, 2010. Zurich Insurance fined ?2.3m over customers' data loss. [Online] Available at: http://www.bbc.co.uk/news/business-11070217 [Accessed 12 May 2012]. BBC, 2011. Kent County Council is top of data loss list. [Online] Available at: http://www.bbc.co.uk/news/uk-15856775 [Accessed 12 May 2012]. Boffey, D., 2008. Tax website shut down as memory stick with secret personal data of 12million is found in a pub car park. [Online] Available at: http://www.mailonsunday.co.uk/news/article-1082402/Tax-website-shut-memory-stick-secret-personal-data-12million-pub-car-park.html [Accessed 12 May 2012]. Espiner, T., 2011. Local councils report only 55 of 1,035 data losses. [Online] Available at: http://www.zdnet.co.uk/news/security-threats/2011/11/23/local-councils-report-only-55-of-1035-data-losses-40094491/ [Accessed 12 May 2012]. OUT-LAW.com, 2012. The A register. [Online] Available at: http://www.theregister.co.uk/2012/01/13/nhs_fined_stolen_data/ [Accessed 12 May 2012]. Read More