Cambridge Technical Introductory Diploma in IT

(Unit 2 - LO4)

Understand the legal and regulatory framework governing the storage and use of global information.


Part - - -

4.1 UK legislation and regulation relating to the storage and use of information.

How aware are you of legislation and other restrictions on the use of information? Your digital footprint is the trail you leave behind when you use the Internet and other digital services, and which others can follow.

As a group, discuss steps you have taken to reduce (or sanitise) our digital footprint. How has legislation affected your digital footprint?

Current UK Legislation and regulation.

A growing number of UK Acts of Parliament impact on the storage and use of global information.

The Data Protection Act 1998 (DPA)

The DPA governs the way in which organisations collect, process and store private data. There are 8 key principles. The ICO in its own summary of the act uses key phrases that you can use to remind yourself of the various provisions.

  1. 1. (fair and lawful) Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  2. 2. (purposes) Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  3. 3. (adequacy) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  4. 4. (accuracy) Personal data shall be accurate and, where necessary, kept up to date.

  5. 5. (retention) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  6. 6. (rights) Personal data shall be processed in accordance with the rights of data subjects under this Act.

  7. 7. (security) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  8. 8. (international) Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

This act can apply (or not) in interesting ways that at first sight might not seem important. There are a number of "personality tests" (such as are you a cat or a dog person) that ask questions and automatically produce a response. Under principle 6 (rights) the subject would have the right to ask for the reasoning behind such decisions; however as neither the results nor indeed the answers to the various questions are stored such a request would fail. However what would be the case if the answers were being stored and used for other purposes?

There are exemptions to the act. For example: The police process an individual’s personal data because they suspect him of involvement in a serious crime. If telling the individual they are processing his personal data for this purpose would be likely to prejudice the investigation (perhaps because he might abscond or destroy evidence) then the police do not need to do so.

The Regulation of Investigatory Powers Act 2000 (RIPA)

In 1998, the European Court of Human Rights stated that UK surveillance laws were unclear and that there was nothing in place to prevent abuses of power by organisations regarding the interception of electronic communications. It was decided that UK surveillance laws and practice must be tighter in order to protect the individual's rights to privacy. As a result, the Regulation of Investigatory Powers Act was passed in 2000.

This Act was passed to provide a legal framework for organisations such as the security services and the police to carry out surveillance and to access electronic, postal and digital communications on individuals.  It also makes it a crime for anyone who is not authorised under the Act to carry out surveillance and monitoring of communications. The aim of allowing certain organisations to intercept communications is to:

  • Prevent or detect crimes
  • Prevent public disorder from occurring
  • To ensure national security and the safety of the general public
  • To investigate or detect any abnormal or illegal use of telecommunication systems.

When the Act was originally passed in 2000 only nine organisations such as MI5 and the police were allowed to invoke the ability to intercept and monitor our electronic communications.  However by 2008 the number of organisations has risen to almost 1,000. There are a number of people who regard the RIPA regulations as excessive and a threat to privacy and civil liberties in the UK.  They are becoming increasingly concerned that the RIPA is being used to monitor things that were not within the original remit of the Act. 

See the various links for information regarding the misuse of RIPA.

The Protection of Freedoms Act 2012

This act strengthens and develops the FOI Act with respect to DNA, fingerprints and footprints. Here, is a brief overview of the changes:

Part 1: Biometric Data. The Act removes existing police powers to retain biometric data from suspects who are not or convicted of any offence. It also reduces the length of time for which data can be retained, with only the data of those convicted of the most serious offences being subject to ‘indefinite’ retention.

Part 2: Surveillance. This Part requires a new Code of Practice on surveillance technologies and the appointment of a Surveillance Camera Commissioner to oversee and review the operation of the Code.

Part 3: Protecting property. This Part repeals a number of existing powers for authorities to enter private property and, interestingly, provides a discretionary power to repeal any power of entry or associated power that a national authority deems inappropriate or unnecessary. It also introduces an offence for clamping without lawful authority (private clampers beware!).

Part 4:  Counter-terrorism. This Part alters the law relating to stop and search for suspected terrorists and reduces the maximum period of detention without charge from 28 to 14 days.

Part 5: Safeguarding the vulnerable and criminal records. Criminal records disclosure is required for anyone working or involved in activities with vulnerable groups. This Part takes some activities completely outside the scope of the regime, and changes the rules relating to disclosure, giving applicants, rather than the Criminal Records Bureau, greater control over who is provided with their information.

Part 6: Data protection and freedom of information. This part gives the right to have certain data provided in an electronic form suitable for re-use, and clarifies the meaning of “publicly-owned company” (to which the Freedom of Information Act applies). It also amends provisions relating to the appointment, role and tenure of the Information Commissioner.

Part 7: Miscellaneous. This part introduces offences of trafficking people for sexual exploitation and labour, and new offences relating to stalking (included in this Act, one presumes, because both infringe upon the personal freedoms of others).

The Privacy and Electronic Communications Regulations 2003 (PECR) (amended 2011)

PECR covers unsolicited phone calls and emails.

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.

There are specific rules on:

  • marketing calls, emails, texts and faxes;
  • cookies (and similar technologies);
  • keeping communications services secure; and
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

The ICO aims to help organisations comply with PECR and promote good practice by offering advice and guidance. The ICO will take enforcement action against organisations that persistently ignore their obligations, starting with those that generate the most complaints.

Privacy and Electronic Communications Regulations (PECR) is an implementation of the European Union (EU) e-Privacy Directive in the United Kingdom.

PECR regulations restrict the processing and sharing of personal traffic data and location data and provide for access to users’ personal data in the interest of national security. The information commissioner has the power to audit the measures taken by a provider of public electronic communications services to comply with personal data breach notification and recording requirements.

The main changes for the 2012 revision relate to new rules for websites using cookies, or similar technologies, as well as new powers that allow the information commissioner to fine organizations up to £500,000 for serious breaches of the regulations. The PECR cookie rules now demand website owners get consent from visitors before using cookies. This is in addition to the existing requirement for websites to provide information about their cookie usage. The cookie rules apply to any means of storing information or gaining access to information stored on a user’s device, except for where the storage or access is vital for a service requested by the user. The latest PECR rules also require communications providers to set up procedures for responding to requests for access to users’ personal data for national security and law enforcement purposes.

The Freedom of information Act 2000 (FOI)

The FOI covers the right to access information on activities carried out by public bodies.

The Freedom of Information Act 2000 provides public access to information held by public authorities. It does this in two ways:

  • public authorities are obliged to publish certain information about their activities; and
  • members of the public are entitled to request information from public authorities.

The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.

Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.

Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.

The Act does not give people access to their own personal data (information about themselves) such as their health records or credit reference file. If a member of the public wants to see information that a public authority holds about them, they should make a subject access request under the Data Protection Act 1998.

The Computer Misuse Act 1990 (CMA)

The Computer Misuse Act covers hacking and associated unauthorised access very badly. It has to be one of the most toothless worthless pieces of legislation ever written.

The Computer Misuse Act is divided into three offences:

  1. 1. Unauthorised access to computer material.
  2. 2. Unauthorised access with intent to commit or facilitate commission of further offences.
  3. 3. Unauthorised modification of computer material.

The Computer Misuse Act 1990 (CMA) is an act of the UK Parliament passed in 1990. CMA is designed to frame legislation and controls over computer crime and Internet fraud. The legislation was created to criminalize unauthorized access to computer systems and to deter serious criminals from using a computer in the commission of a criminal offence or seek to hinder or impair access to data stored in a computer.

The CMA is broad and sweeping, but has also been broadly and liberally applied in the courts. This has raised concerns among privacy advocates and those who believe in circumscribing government influence on daily life and behaviour. Nevertheless, the CMA has served as a model for computer crime legislation in other Commonwealth countries.

However it cannot be regarded as successful legislation. The National Fraud Intelligence Bureau showed that for the UK as a whole, more than £670m was lost to the ten most common online frauds between 1 September 2013 and 31 August 2014. The Government does not know the actual loss to both business and people because cyber crime is vastly under-reported. The FBI says it is now more lucrative than drug trafficking worldwide. But between 1990 to 2006 only 183 defendants were proceeded against and 134 found guilty under the Computer Misuse Act. Over this period there were five years when there were no prosecutions, and a further ten with fewer than 20. A parliamentary answer to Elfyn Llwyd MP showed that from 2007 to 2013 there were 156 prosecutions with 128 leading to a finding of guilt which is only 1.5 per month.

The Information Commissioner's Office (ICO) code of practice

The ICO provides a number of its "Codes of Practice" on various data issues that cover how an organisation should behave. These documents reflect current thinking on the legal aspects if data sharing and privacy for example.

The Copyright, Designs and Patents Act 1988

The Copyright, Designs and Patents Act has two main purposes to ensure that people are rewarded for their endeavours (intellectual copyright) and to give protection to the copyright holder if someone tries to steal or copy their work.

The Equality Act 2011 (EQA)

EQA is a consolidation act that covers protecting UK citizens from discrimination. At the moment, there are several different laws to protect people from discrimination on grounds of:

  • • race
  • • sex
  • • sexual orientation (whether being lesbian, gay, bisexual or heterosexual)
  • • disability (or because of something connected with their disability)
  • • religion or belief
  • • being a transsexual person (transsexuality is where someone has changed, is changing or has proposed changing their sex – called ‘gender reassignment’ in law)
  • • having just had a baby or being pregnant
  • • being married or in a civil partnership (this applies only at work or if someone is being trained for work), and
  • • age (this applies only at work or if someone is being trained for work).

The Equality Act 2010 simplifies the current laws and puts them all together in one piece of legislation. Also, it makes the law stronger in some areas. So depending on your circumstances, the new Act may protect you more.

The Communications Act 2003

The Communications Act is a huge piece of complex legislation pertaining to the ownership of television, the creation of Ofcom and the de-regulation of the electromagnetic spectrum (radio and television) that contains section 127 that is often used when people send offensive emails or other communications. This has been used in relation to some rather outrageous jokes and there is a perceived threat to freedom of expression when some of the cases brought under section 127 have been considered in the press.

The Digital Economy Act 2010

The Digital Economy Act was a hastily written and carelessly reviewed piece of legislation enacted in the "wash-up" phase of the outgoing administration that in part covers software piracy and many other digital issues. Passed in 2010, the Digital Economy Act is intended to tackle copyright infringement. It proposes to do this through letters and sanctions against alleged individual infringers and by blocking access to websites. But it is so badly conceived that it threatens to disconnect innocent people from the internet if they are accused of infringement, and could undermine the availability of public Wi-fi. 

The Malicious Communication Act 1988 (MCA)

This originally covered printed material but now includes electronic material; the right not to be harassed. Under the Malicious Communications Act 1988 it is an offence to “send or deliver letters or other articles for the purpose of causing distress or anxiety”. Or more simply it is an offence to send messages to another person which are “indecent or grossly offensive”, threatening or false.

This means that any message sent, such as a letter, text message (SMS) and Tweets on Twitter or Facebook messages etc. that could be considered indecent or grossly offensive can be an offence under this act. The message does not have to reach the intended recipient for an offence to occur.

Impact and consequences of UK legislation and regulation on organisations operating in the UK and the way they handle information and individuals' personal data.

The impact has been huge. For example the DPA has meant that organisations have had to review and necessarily improve their security (although the breaches still occur!) The PECR has meant that organisations have had to change their working practices and in the case of cookies (the reflection of an EU data security directive enacted as part of the law) warn visitors when websites use them. (This site uses sessions instead.)

Actions that can be taken by organisations to comply with the legislation and regulatory requirements.

At it most simple data holders need to do exactly what the Laws and regulations require; failure to do so would most likely result in a significant fine or in the most recent legislation, incarceration. many organisations have decided to keep all their personal data within the EU (although there may be changes in the future regarding Brexit). On the other hand many call centres for example operate outside the EU and do not fall under the provisions of any of these acts or regulations. There is a significant issue to consider when looking at the effect of the Internet; where does the law apply? A victim in the UK cannot ask a court to apply UK legislation to a business outside of its jurisdiction. Trade agreements between countries also sometimes include mutual respect for existing legislation; for example India has much the same law for data protection as the UK.


Create a presentation on the impact of these laws on information holders.

4.2 Global information protection legislation and regulation.

How aware are you of legislation and other restrictions on the use of information? Your digital footprint is the trail you leave behind when you use the Internet and other digital services, and which others can follow.

Regulation relating to data protection outside the UK.

The eighth principle of the DPA governs whether data can be transferred between countries. As we have seen, the data protection laws in India are sufficient for the data and information to be covered by the UK Data Protection ACT and so data may be stored and processed there. However, other countries of the world do not have the same level of data security and so data may not be transferred to that country. That said, India does not meet EU adequacy but does have data protection legislation.

Data may be transferred anywhere within the EU as each country's level of data protection is the same as or equivalent to that in the UK.

The United States department of Commerce has set up a "Safe Harbour Scheme" that if complied with gives sufficient protection for UK data to be stored and processed in the United States. (Editors note: With regard to "EU adequacy" Forrester Research finds the United States data protection legislation to be...

" The country is recognized as a EU "third country" with substantial (not just PNR) protections, has specialized Safe Harbor status (currently US-only), or has been recommended for "adequacy" status under Article 29."

In addition when the UK tax authorities attempted to outsource tax calculations to EDS, a US company, it fell foul of the UK legislation as the data protection was not regarded as sufficient to let UK tax data out of the country.) However if the receiving company has not signed up to the scheme data cannot be transferred unless it forms part of a passenger name record in relation to an airline reservation for example. If data needs to be transferred outside of the EU then the sender has to make a judgment regarding the various data protection safeguards are of a sufficient standard to ensure that the data remains safe.


Comparison between data protection legislation and regulation in different countries.

Here is a list of countries, for each compare the data protection legislation available in that country with the data protection in the UK.

  • USA
  • France
  • Indonesia
  • Australia
  • Canada
  • South Africa
  • Pakistan.

UN Convention on the Rights of Persons with Disabilities (UNCRPD)

The UN Convention on the Rights of Persons with Disabilities includes a specific recognition of the right of access to information systems (article 9) as well as the right to use digital means to express opinions (article 21). For example, websites have to be planned so that they can be used by those with disabilities. The use of ALT tags so that website reading software can say what an image is has allowed people with visual impairments to access sites more easily.

4.3 Green IT.

How aware are you of legislation and other restrictions on the use of information? Your digital footprint is the trail you leave behind when you use the Internet and other digital services, and which others can follow.

Global requirements on organisations and individuals.

Green IT is an attempt to make computing more eco-friendly. This can influence the materials that make computers, the manner in which they are manufactured, how they are transported and how they are eventually disposed of. Many local initiatives recycle computers for use by others. This is an example of organisations taking s global awareness viewpoint in an attempt to extend the working life of computers beyond the relatively short one that businesses dictate.

"Green IT (green information technology) is the practice of environmentally sustainable computing. Green IT aims to minimize the negative impact of IT operations on the environment by designing, manufacturing, operating and disposing of computers and computer-related products in an environmentally-friendly manner. The motives behind green IT practices include reducing the use of hazardous materials, maximizing energy efficiency during the product's lifetime and promoting the biodegradability of unused and outdated products."

Issues with e-Waste.

Most of the computer equipment sent to be recycled ends up in piles in small villages in rural India where the poor of the villages, children and the elderly will pick away with hammers and chisels at the circuit boards to reduce them to their individual components. Most of this is in unventilated rooms or near fires where the waste is burnt giving off toxic smoke as they recover the copper in the circuit boards. Cadmium, mercury, lead and other heavy metals are all present in the hardware being dismantled with little or no thought for anyone's safety.

But harvesting e-waste, as discarded electronics are called, can be dangerous. Toxins in a discarded laptop, for instance, include cancer-causing heavy metals and hormone-disrupting flame retardants.

To get copper out of tangled wire, workers simply burn it and try to dodge the dangerous fumes. Circuit boards, meanwhile, are bathed in cyanide to release gold, with the poisonous residue dumped in drains and rivers.

United Nations Climate Change Summits.

These annual meetings discuss climate change and ways in which the threat can be reduced and managed. Their focus has been on the reduction of carbon footprints across the world and in doing so they have considered the use and disposal of computers and computing equipment.

UK Government Policy.

In 2011 the Greening Government ICT strategy made a commitment to adopt more green policies across government departments. The use of cloud storage and shared services were identified as areas in which government could reduce its carbon footprint. By adopting the use of cloud storage it was hoped that computers would be used more efficiently, because the need for each section of government to have its own storage facilities would be replaced by the use of online storage which would because of the reduction in the number of individual computers and storage required, be a cheaper and more efficient use of resources.


Research and create a presentation showing how one named event and one named organisation have taken action to reduce their carbon footprint through the use of "green IT".

Reducing carbon footprint



  • 1. Questions for later...