UK Data Protection Act 1998 Computer Misuse Act


UK Data Protection Act 1998 & Computer Misuse Act 1990
Issued 2016. Doc Ref: 65 TRGINT 021541. Version: 4.0. Effective Date: 27-July-2016. Owner: UK Information Governance. Page 1 of 25.
© Cerner Corporation and Cerner Limited (collectively "Cerner"). All rights reserved. This document contains confidential and/or proprietary information belonging to Cerner Corporation, Cerner Limited and/or their related affiliates around the world which may not be reproduced or transmitted in any form or by any means without the express written consent of Cerner.

The purpose of the Data Protection Act
The Data Protection Act 1998 was passed by Parliament in 1998 and came into force on 1 March 2000. It controls the way personal information is processed and gives legal rights to the people whose information is processed. Organisations in other European Economic Area (EEA) countries that have business dealings with the UK are also affected. Anyone who processes personal information must comply with the eight data protection principles.

How the Data Protection Act works
The Data Protection Act 1998 was developed to give protection and lay down rules about how data about people can be used. The Act covers data about living people stored on a computer or in an organised paper filing system. The basic way it works is by:
• setting up rules that people have to follow
• having an Information Commissioner to enforce the rules
It does not stop companies storing information about people. It just makes them follow rules.

The roles of those involved
• The Information Commissioner is the person (and his/her office) who has powers to enforce the Act.
• A data controller is a person or company that collects and keeps data about people.
• A data processor is any person, other than an employee of the data controller, who processes data on behalf of the data controller.
• A data subject is someone who has data about them stored somewhere outside of their direct control. This makes us all data subjects, as there can be few people in the UK who do not feature in computer records somewhere.
• A data user is an employee whose work involves using personal data. Data users have a duty to protect the information they handle by following our data protection and security policies at all times.

The role of Cerner
Cerner is both a data controller and a data processor.
Example 1: Where we use other companies to process personal data on our behalf, they are the data processors but we remain the data controller. If you access protected employment data of a European associate while carrying out an HR function, then you are acting as a Data Controller.
Example 2: Where we process personal data on another company's behalf, we are the data processor. If you access protected data (i.e. patient data) when on a client site or when using IntelliNet or N3, then you are acting as a Data Processor.
In cases where we are the data processor, we must comply with obligations equivalent to those imposed on the respective data controller.

Registration with the Information Commissioner
Any organisation or person who processes (including stores) personal information must apply to register with the Information Commissioner. Data controllers must declare in advance what information will be stored and how it will be used. This is recorded in the register. Each entry in the register contains:
• The data controller's name and address.
• A description of the information to be processed and stored.
• What they are going to use the information for.
• Whether the data controller plans to pass on the information to other people or organisations.
• Whether the data controller will transfer the information outside the UK.
• Details of how the data controller will keep the information safe and secure.

The Information Commissioner's Responsibilities
The Information Commissioner has responsibility for:
• monitoring and enforcing the Data Protection Act 1998
• issuing guidance on good practice and encouraging trade associations to produce Codes of Practice
• carrying out assessments of good data protection practice (however, this can only be done with the consent of the company concerned)
• promoting good practice in handling personal data, and giving advice and guidance on data protection
• keeping a register of organisations that are required to notify him about their information-processing activities
• helping to resolve disputes by deciding whether it is likely or unlikely that an organisation has complied with the Act when processing personal data

Types of personal data
Some data and information stored on a computer is personal and needs to be kept confidential. If someone who is not entitled to see these details obtains access without permission, it is unauthorised access. The Data Protection Act sets up rules to prevent this happening. Personal data is defined as information which:
• relates to a living person;
• who can be identified from that data alone, or from that data and other information in the possession of, or likely to come into the possession of, the data controller;
• and is about that living person (whether in his personal or family life, business or professional capacity). For example, it may impact on the person, affect that person's privacy or have the person as its focus.
Personal data includes any expression of opinion about the individual.

Two types of personal data
Personal data is about living people and could identify them, for example:
• their name
• address
• medical identifiers (such as NHS number, MRN)
Sensitive personal data is also about living people, but it includes one or more details of a data subject's:
• racial or ethnic origin
• political opinions
• religion
• membership of a trade union
• health (clinical data)
• sex life
• criminal activity
There are fewer safeguards for personal data than there are for sensitive personal data. In most cases a person must be asked specifically whether sensitive data can be kept about them.

Responsibilities of data controllers: The Eight Principles of Data Protection
1. Personal data must be processed fairly and lawfully.
2. Personal data must only be held and used for the specified purpose.
3. Personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
4. Personal data must be accurate and kept up to date.
5. Personal data processed for any purpose must not be kept longer than is necessary for that purpose.
6. Personal data must be processed in accordance with the rights of the data subject.
7. There must be appropriate technical and organisational measures in place to protect the personal data.
8. Personal data shall not be transferred outside of the European Economic Area unless the country that the data is being sent to has a suitable data protection law.

Appropriate technical and organisational measures
Seventh Principle: organisations that process personal data must take "appropriate technical and organisational measures" to protect that data against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data. The Data Protection Act only sets out this general data security obligation and does not contain any specific security requirements. However, the Information Commissioner has issued a range of guidance which, amongst other things, recommends the use of encryption (especially on mobile devices such as laptops) and highlights the following key areas for organisations to take into account:
• Security should be designed to fit the type of personal data held and the harm that may result from a security breach.
• Individuals should be identified within the organisation who are responsible for ensuring data security.
• Ensure that the correct physical and technical security, supported by data security policies and procedures and well-trained staff, are in place.
• Be able to respond to any data security breach swiftly and effectively.

Transfer of data
Eighth Principle: personal data shall not be transferred outside of the European Economic Area unless the country that the data is being sent to has a suitable data protection law. A country is deemed to have inadequate data protection unless it is covered by one of the following. Personal data may be exported from the EEA (EEA = EU member states plus Norway, Iceland and Liechtenstein) only if:
• the importing country has been approved by the EU as providing 'adequate' protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay; or
• for the USA, the recipient is covered by the 'Privacy Shield' framework: http://europa.eu/rapid/press-release_IP-16-216_en.htm
Example: transferring data to India, which is not included above, could therefore be a problem. It must be remembered that even if someone in India only accessed a database in the UK and read the information, this would still constitute a transfer.

Transfer of data - Exceptions
There are also some important exceptions to the eighth principle. The rule does not apply where, for example:
• the data subjects have given consent
• contractual controls provide sufficient safeguards, such as model contract clauses or Binding Corporate Rules
Note: in some circumstances Cerner may not be permitted to transfer data outside of England or the EEA. This will be based on client contractual obligations.

Individual rights
• Right of access: individuals have a right to know what information organisations hold about them on a computer or in certain filing systems. Individuals can submit a Subject Access Request to see or have a copy of this information. This could include their medical record, files kept by public bodies, or financial information held by credit reference agencies. An organisation has the right to charge a fee for providing this information.
• Right to prevent direct marketing: individuals have the right to object to their personal information being used to target them with unwanted marketing (explicit consent is required for such use).

Enforcement - Penalties
An associate found guilty of an offence under the Data Protection Act 1998 is liable: (a) upon summary conviction, to a fine not exceeding the statutory maximum; or (b) upon conviction on indictment, to a fine. Where an offence under the Act has been committed by a company and is proved to have been committed with the consent or involvement of, or as a result of neglect by, any director, manager, secretary or similar officer of the company, he as well as the company shall be guilty of that offence and be liable to be proceeded against and punished accordingly.
Examples of offences: unlawfully obtaining, disclosing, or procuring the disclosure of personal data; failing to comply with an enforcement notice or an information notice; or knowingly or recklessly making a false statement in compliance with an information notice.
The ICO's power to issue monetary penalties came into force on 6 April 2010, allowing the ICO to serve notices requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act 1998.

Computer Misuse Act 1990
• Anti-hacking legislation.
• There were no laws specifically to deal with computer crime prior to 1990.
• This is the most significant item of UK legislation relevant to computer viruses and hacking.
• The Computer Misuse Act was designed to avoid the "tangible evidence" difficulties associated with computer crime.
• Sections 1 to 3 of the Act introduce three criminal offences. A person is guilty of an offence under the Act if he/she commits:
  • Unauthorised access to computer material
  • Unauthorised access with intent to commit a further offence
  • Unauthorised modification of computer material

New offences defined
Three offences were created by the Computer Misuse Act 1990 (the Act was later amended by the Police and Justice Act 2006, which widened the third offence and increased the penalties):
• Unauthorised access to computer material. This deals with the offence of hacking without the intent to commit a serious crime such as fraud. It is regarded as a relatively minor offence.
• Unauthorised access with intent to commit or facilitate the commission of further offences. This deals with unauthorised access to computer systems with the specific intention of committing, or facilitating the commission of, a serious crime. This is a much more serious offence.
• Unauthorised modification of computer material. This covers unauthorised modification of computerised information, and thus includes viruses, logic bombs and trojans.

Section 1 - Unauthorised access to computer material
In this first category, a person is guilty of an offence if he causes a computer to perform any function with intent to secure access to any program or data held in any computer; AND the access or intended access is unauthorised; AND he knows at the time when he causes the computer to perform that function that this is the case. This section clearly makes hacking an offence, regardless of whether or not there was any intention to cause harm.
Penalties: a person guilty of an offence under this section is liable:
• on summary conviction, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both; or
• on conviction on indictment, to imprisonment for a term not exceeding 2 years or to a fine or to both.

Unauthorised access to computer material
Have you ever found, guessed or used someone's password or smartcard to log onto their user area? If you do this and then look at their files, even if you don't change, delete or damage anything, you are still guilty of accessing material without authorisation, and this is illegal. Next time you decide to log onto your mate's user area, think again: you are actually breaking the law!

Section 2 - Unauthorised access with intent to commit or facilitate commission of further offences
A person is guilty under Section 2 of the Act if he gains unauthorised access (as defined under Section 1) with intent to commit or facilitate the commission of further offences. It is immaterial for the purposes of this section whether the further offence is to be committed on the same occasion as the unauthorised access offence or on any future occasion.
Penalties:
• on summary conviction, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both; or
• on conviction on indictment, to imprisonment for a term not exceeding 5 years or to a fine or to both.

Section 3 - Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer
As originally enacted, a person was guilty of an offence under this section if he did any act which caused an unauthorised modification of the contents of any computer which impaired the operation of any computer, and at the time he did the act he had the requisite intent and the requisite knowledge. Since the 2006 amendment the offence covers any unauthorised act in relation to a computer, done knowing it is unauthorised, with intent to impair the operation of any computer, to prevent or hinder access to any program or data, or to impair the operation of any program or the reliability of any data, or being reckless as to whether the act will do so; an actual modification no longer has to be proved. The copying of any data not specifically authorised, even into your own files, is treated as an offence in this category.
Penalties:
• on summary conviction, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both; or
• on conviction on indictment, to imprisonment for a term not exceeding 10 years or to a fine or to both.
You should assume that anyone else using your user ID, whether registered or not, and you using anyone else's user ID, will commit an offence at least under Section 1. This applies equally to access to and from any other computer, whether in this country or abroad.
Any security incident must be reported to igrc-enterprisesecurity@cerner.com without delay, and a Security Incident Report Form (on the Security Incidents SharePoint) must be provided within 48 hours of the incident being identified.

Example 1
A student hacks into a college database to impress his friends: Section 1 - Unauthorised access.
Later he decides to go in again and alter his grades, but cannot find the correct file: Section 2 - Unauthorised access with intent.
A week later he succeeds and alters his grades: Section 3 - Unauthorised modification of data.

Example 2
An employee who is about to be made redundant finds the Managing Director's password, logs into the computer system and looks at some confidential files: Section 1 - Unauthorised access.
Having received his redundancy notice, he goes back in to try and cause some damage but fails to do so: Section 2 - Unauthorised access with intent.
After asking a friend, he finds out how to delete files and wipes the main customer database: Section 3 - Unauthorised modification.

Prosecutions and Monetary Penalties
Prosecutions
• January 2016 - A former medical centre practice director was prosecuted at Bury & Rochdale Magistrates' Court for accessing the medical records of colleagues and members of their family without consent. She was fined £300 and ordered to pay costs of £434.73 and a victim surcharge of £20.
• April 2015 - A recruitment company was prosecuted at Ealing Magistrates' Court for failing to notify the ICO. Lismore Recruitment Limited pleaded guilty and was fined £375 and ordered to pay costs of £774.20 and a victim surcharge of £38.
• November 2014 - A former pharmacist working for West Sussex Primary Care Trust was prosecuted for unlawfully accessing the medical records of family members, work colleagues and local health professionals. Harkanwarjit Dhanju was fined £1,000 and ordered to pay a £100 victim surcharge and £608.30 prosecution costs.
Monetary Penalties
• May 2016 - The ICO issued an NHS Foundation Trust with a £185,000 fine for inadvertently publishing, in March 2014, the private details of 6,574 members of staff, including their National Insurance number, date of birth, religious belief and sexual orientation.
• May 2015 - The ICO issued South Wales Police with a £160,000 fine for losing a video recording which formed part of the evidence in a sexual abuse case.
• December 2014 - The Information Commissioner's Office (ICO) fined a marketing company based in London £90,000 for continually making nuisance calls targeting vulnerable victims.
Additional examples: https://ico.org.uk/action-weve-taken/enforcement

Links to further information
• The Legislation Service: http://www.legislation.gov.uk/
• Data Protection Act 1998: http://www.legislation.gov.uk/ukpga/1998/29/contents
• Computer Misuse Act 1990: http://www.legislation.gov.uk/ukpga/1990/18/contents
• European Directive 95/46/EC: http://eur-lex.europa.eu/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
• Information Commissioner's Office: http://www.ico.org.uk/
• Privacy Shield: http://europa.eu/rapid/press-release_IP-16-216_en.htm
• Security Incident SharePoint: https://my.cerner.com/team/UKInformationGovernanceSecurityManagement/FormServerTemplates/Security%20Incidents.aspx
• Information Governance & Security uCern Group: https://connect.ucern.com/community/cerner/associates/groups/uk-information-governance-security
• Cerner UK Contact: igrc-enterprisesecurity@cerner.com