IT Regulatory Compliance in the UK

ALAN CALDER
Copyright Date: 2007
Published by: IT Governance Publishing
Pages: 46
https://www.jstor.org/stable/j.ctt5hh65n
    Book Description:

    This pocket guide provides you with a concise and accessible guide to the relevant UK legislation, including the Data Protection Act 1998, the Freedom of Information Act 2000 and the Regulation of Investigatory Powers Act 2000. It explains the importance of keeping and preserving records, and outlines the type of records your organisation is obliged to retain. IT compliance represents a key challenge for information professionals.

    eISBN: 978-1-905356-31-7
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. Table of Contents
    (pp. 5-6)
  3. CHAPTER 1: INTRODUCTION
    (pp. 7-9)

    A key challenge for all IT management teams is to ensure that the organization avoids breaches of any criminal or civil law, as well as any statutory, regulatory or contractual obligations, and of any security requirements.

    Control A.15.1.1 of ISO/IEC 27001:2005 provides guidance that is relevant to the IT governance of every organization. It says that the organization should explicitly define and document the statutory, regulatory and contractual requirements for each of its information systems, and that this documentation should be kept up-to-date to reflect any relevant changes in the legal environment.

    The specific controls and individual responsibilities to meet...

  4. CHAPTER 2: CORPORATE GOVERNANCE
    (pp. 10-11)

    The UK’s Combined Code is probably the most evolved corporate governance regime in the EU and companies listed on the UK Stock Exchange (not AIM) must comply with it. In addition, companies with listings in the US also have to comply with the Sarbanes-Oxley Act of 2002 (‘SOX’).

    The UK’s Combined Code is a principles-based governance regime which requires listed companies to comply with its provisions or to provide an explanation for not doing so. SOX, on the other hand, is a rules-based statutory regime, which requires adherence to its provisions on risk of penalty for both the corporation and...

  5. CHAPTER 3: FSA RULE BOOK
    (pp. 12-14)

    The 8,800 pages in the FSA’s current Handbook reflect the fact that it was created by amalgamating the rulebooks of all its predecessor UK financial regulators. Some 29,000 firms are regulated by the FSA, which takes a principles-based approach to regulation. This approach is:

    ‘underpinned by the principle that it is neither possible nor desirable to write a rule to cover every specific situation or need for decision that a regulated firm might encounter. Instead, we focus on the Principles set out in the FSMA [Financial Services and Markets Act 2000].’

    These, the High Level Standards, are set out in...

  6. CHAPTER 4: UK LEGISLATION
    (pp. 15-16)

    Intellectual property rights (‘IPR’), through the Copyright Designs and Patents Act 1988 (the ‘CDPA’), are one of the most obvious legal issues for most information processing systems.

    There is much other, relevant legislation, including:

    • Data Protection Act 1998 (‘the DPA’)
    • Human Rights Act 1998 (the ‘HRA’)
    • Regulation of Investigatory Powers Act 2000 (the ‘RIPA’)
    • Computer Misuse Act 1990, as amended by the Police and Justice Act 2006
    • Electronic Communications Act 2000
    • Privacy and Electronic Communications Regulations 2003
    • Freedom of Information Act 2000 (the ‘FOIA’)
    • Disability Discrimination Act 1995 (the ‘DDA’)

    In the UK there is also a complex array of...

  7. CHAPTER 5: DATA PROTECTION ACT 1998 (THE ‘DPA’)
    (pp. 17-21)

    The DPA requires any organization that processes personal data to comply with eight enforceable principles of what it identifies as good practice. The eight principles are that personal data must be:

    1. fairly and lawfully processed;

    2. processed for the specified purposes;

    3. adequate, relevant and not excessive;

    4. accurate and up-to-date;

    5. kept no longer than necessary;

    6. processed in accordance with the data subject’s rights;

    7. secure (‘appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’); and

    8. not transferred to countries that do not provide adequate...

  8. CHAPTER 6: PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS 2003
    (pp. 22-24)

    These regulations came into force on 11 December 2003 and superseded the earlier Telecommunications (Data Protection and Privacy) Regulations 1999. The Information Commissioner is responsible for enforcing them and there is a section on his website dealing with these regulations.

    The regulations cover use, by telecommunication network and service providers, and individuals, of any publicly available electronic communications network for direct marketing purposes, and any unsolicited direct marketing activity by telephone, fax, electronic mail (which includes text/video/picture messaging, SMS and email) and by automated telephone calling systems.

    The key right conferred both on individuals and on corporate entities is the...

  9. CHAPTER 7: FREEDOM OF INFORMATION ACT 2000 (THE ‘FOIA’)
    (pp. 25-26)

    The Information Commissioner enforces both the Freedom of Information Act and the Data Protection Act.

    The FOIA provides a general right of access to all types of information held by public authorities and those providing services for them. The FOIA, it says, is:

    ‘intended to promote a culture of openness and accountability amongst public sector bodies, and therefore facilitate better public understanding of how public bodies carry out their duties, why they make the decisions they do, and how they spend public money’.

    Only public authorities are covered by the Act and there is a long list, at Schedule 1...

  10. CHAPTER 8: COMPUTER MISUSE ACT 1990 (THE ‘CMA’)
    (pp. 27-28)

    The Computer Misuse Act 1990 was designed to provide for securing computer material against unauthorized access or modification. It created three offences:

    1. to knowingly use a computer to obtain unauthorized access to any program or data held in the computer;

    2. to use this unauthorized access to commit one or more offences; and

    3. to carry out an unauthorized modification of any computer material.

    The Act allows for penalties in the form of both fines and imprisonment.

    The Act basically outlaws, within the UK, hacking and the introduction of computer viruses. It hasn’t been entirely successful in doing so. It initially had...

  11. CHAPTER 9: COPYRIGHT DESIGNS AND PATENTS ACT 1988 (THE ‘CDPA’)
    (pp. 29-32)

    The Internet starting point for organizations that want detailed advice on intellectual property is the website of the UK Patent Office (which, since April 2007, has been operating as the UK Intellectual Property Office): www.ipo.gov.uk. The principal legislation on copyright can be found in the Copyright Designs and Patents Act 1988. It has been amended a number of times and there is no official consolidation of it. A list of the most important pieces of legislation that have amended the 1988 Act and some other information about the legislation can be obtained from the UK Intellectual Property Office. This is...

  12. CHAPTER 10: ELECTRONIC COMMUNICATIONS ACT 2000
    (pp. 33-34)

    This Act, along with the Electronic Signatures Regulations 2002 and the Electronic Commerce Regulations 2002, is designed to regulate the usage, within the UK, of cryptography and to make provision for the use of electronic signatures. Essentially, there are fall-back powers (not yet exercised) to create a central, statutory but voluntary register of approved providers of cryptography services in the UK and there are a number of regulations affecting how these approvals are given. It also provides for appropriately authenticated electronic signatures to be used in electronic commerce and allows for them to be admitted as evidence in court.

    Organizations...

  13. CHAPTER 11: REGULATION OF INVESTIGATORY POWERS ACT 2000 (THE ‘RIPA’)
    (pp. 35-36)

    Section 1 of the RIPA makes it unlawful to intentionally intercept communications over a public or private telecommunications network without lawful authority. Section 3 allows a defence if it can be reasonably believed that both parties consented to the interception. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (‘the Regulations’) were issued under the powers of the RIPA and these allow employers to monitor employee communications where the employee has not given express consent, provided that the monitoring is to:

    • record evidence of business transactions;
    • ensure compliance with regulatory or self-regulatory guidelines;
    • maintain the effective operation of the...

  14. CHAPTER 12: HUMAN RIGHTS ACT 1998 (THE ‘HRA’)
    (pp. 37-37)

    The HRA was enacted in October 2000. It incorporates into UK law the principles of the European Convention for the Protection of Human Rights and Fundamental Freedoms (‘the Convention’). Most of the rights within the Convention are qualified, insofar as they are subject to limitations if the employer can show necessity to protect the rights and freedom of others. In particular, an employee could argue in a court or tribunal that the employer monitoring or tapping the employee’s work telephone or email or Internet activity was a breach of her/his rights under the Convention.

    While there will certainly be a...

  15. CHAPTER 13: DISABILITY DISCRIMINATION ACT 1995 (THE ‘DDA’)
    (pp. 38-39)

    The DDA made it unlawful to discriminate against any person in connection with employment, the provision of goods, facilities and services, or the disposal and management of premises. Specifically, it is illegal to discriminate against any person in respect of:

    • access to, or use of, means of communication;
    • access to, or use of, information services; or
    • the services of any profession or trade, or any local or other public authority.

    Clearly, the DDA includes websites and on-screen or browser-based communication methodologies within its scope.

    The Act does not require a service provider to adopt one way of meeting its...

  16. CHAPTER 14: SAFEGUARDING OF ORGANIZATIONAL RECORDS
    (pp. 40-42)

    Every organization must protect its important records from loss, destruction or falsification. Some records must be retained to meet statutory or regulatory requirements, while others may be needed to provide adequate defence against potential civil or criminal action or to prove the financial status of the organization to the range of potential interested parties, including shareholders, tax authorities and auditors, or to meet contractual liabilities. Records need not (and should not) be kept for ever – this can make it difficult to find what is required as and when it is required.

    An organization’s record retention matrix should deal with...

  17. ITG RESOURCES
    (pp. 43-45)