Legislation
Three main areas of legislation impose duties on an
organisation that uses an Information System. They are:
- Data Protection Act
- Copyright Designs and Patents Act 1988 and the Computer Misuse Act
1990
- Health and Safety at Work regulations relating to computer
equipment
In some cases the law will directly affect the organisational structure.
An example of this is the requirement to appoint a health and safety advisor to
ensure the organisation is complying with Health and Safety regulation.
Generally, however, the law imposes a duty but leaves it to the
individual organisation to set up procedures and structures to ensure
compliance. There are a variety of methods available to employers to help
ensure that their employees are aware of and comply with the law. Whatever
methods are used, it will be important to put some form of monitoring in place
to ensure that the law is being complied with and to identify and remedy any
breaches. This is best done by appointing a co-ordinator who, besides monitoring
compliance, can also take on a staff training or awareness-raising role.
Data Protection
Personal data must be processed in compliance with the Data Protection
Act 1984. In order to ensure that this is so, an organisation will need to make
employees aware of the requirements of the act - for example that personal
information must not be disclosed to unauthorised individuals or used for
unauthorised purposes. It will need to set up a mechanism for handling data
subject access requests and for dealing with disputes over the accuracy of
stored data.
Management might consider appointing a data protection co-ordinator who
would be responsible for monitoring compliance and who might also be responsible
for ensuring that the organisation's registered entry with the Data Protection
Registrar is kept up to date.
The need for proper compliance with the act can be built into employees'
contracts of employment or code of conduct and failure to comply could be made
a disciplinary offence. In addition, staff training sessions, memos and posters
could be used to ensure that all employees were aware of their duties and
responsibilities under the act. In larger organisations staff awareness can be
raised by articles in 'in house' magazines or newsletters.
Copyright
Software is counted as a literary work for the purposes of the
Copyright, Designs and Patents Act 1988. It is therefore an offence to store or
adapt computer software without the copyright owner's permission under the
provisions of the act. If the copying has been done by means of unauthorised
access to a computer system then an offence has also been committed under the
Computer Misuse Act 1990. In this situation an employee with normal access to
the organisation's computer system would be committing an offence if they used
the computer for an unauthorised purpose.
The main problems within an organisation are to ensure that employees
are neither making illegal copies of software to use at home nor bringing
illegal copies from home to use at work.
In order to ensure compliance with the law an organisation can carry out
a software audit of each computer, ensuring that only licensed copies are
installed. As with data protection legislation, the employer needs to raise
staff awareness, which can be done by highlighting the problem in the employee's
code of conduct and making illegal copying a disciplinary offence.
Many packages can only be installed from the original disks. In this
case the organisation should make sure that these disks are kept securely and
that any installation is authorised and logged. Procedures will need to be set
up to ensure this.
The problem can be reduced by making sure that the organisation is
purchasing the correct type of licence. It might be possible to extend the
licence agreement to cover the use of software on the employee's home computer.
This then reduces the risk that the law will be broken.