Security Forums

Data Protection and Copyright Law

qu_est
Just Arrived
Joined: 17 Feb 2004
Posts: 2

Posted: Wed Jul 06, 2005 11:43 am    Post subject: Data Protection and Copyright Law

Hi

Anyone good with this? I'm trying to find out

a) whether images on the net can be legally downloaded in general terms

b) whether an editor of a local community newspaper is entitled to sell the mailing list?

c) if a company needs to have permission from an individual to hold information about them?

Many thanks
cpconstantine
Trusted SF Member
Joined: 15 May 2004
Posts: 0
Location: Denver, CO

Posted: Wed Jul 06, 2005 1:07 pm

As a rough guide, here are a few answers.

Basically, these are the ways you should act to follow the spirit of the law; you can get away with much more by following the letter of the law alone, but likely make a lot of enemies along the way.

#1 - Unless indicated otherwise, you should assume all images are copyrighted by the website you see them on, and are not free for re-use. Do the community a favour and indicate if any content you create is free for others to re-use by specifying a Creative Commons license for it (www.creative commons). Obviously if you see something massively used on every site, you can pretty much assume that creator is not enforcing their copyright however, or that it is indeed royalty-free to use, or public domain.

#2 - Current spam laws indicate that the legal practice is for all mailing lists to be private unless the individuals on them 'opt-in' to have their information resold. People get around this all the time with sneaky fine print in their contracts.

#3 - No, but it does need to follow certain regulations to ensure the safety of that data the company gathers. Note the various news articles about credit companies getting hacked and having their customers' details leaked everywhere, and facing some seriously massive fines over it.

Good place to start on understanding the law as it relates to tech:

http://www.groklaw.com
qu_est
Just Arrived
Joined: 17 Feb 2004
Posts: 2

Posted: Wed Jul 06, 2005 1:21 pm

That's excellent, exactly what I wanted to know. Many thanks! :)
AdamV
SF Mod
Joined: 06 Oct 2004
Posts: 24
Location: Leeds, UK

Posted: Wed Jul 06, 2005 7:16 pm

Sorry CPC, but over here in the UK this stuff is much more strict and so your answers to 2 and 3 are basically wrong.
(PS I use the word "you" in the stuff below not to mean You personally, but it scans better than saying "a person", "a company" etc.):

1) Basically what CPC said. Note that copyright exists in any written or 2D artistic work (drawings, photographs etc but not a vase for example) and belongs to the creator unless they have an agreement whereby they give that to someone else (eg if you are employed to do this, it is likely your contract says the employer will own the copyright). You can sell or licence copyright to allow someone else to use your work on your terms. Failing to prevent one person from breaching this does not prevent you from doing this with someone else. The onus is on the copyright holder to demonstrate that the other party has copied their work. Using copyright works without the author's permission for commercial purposes can constitute a criminal offence - ESPECIALLY easy to convict if what you steal is also for sale, notably software piracy (so using images on your company web site is not a good plan as someone could get prosecuted and end up jailed, but on your own homepage they are less likely to sue). The internet is not "public domain" - there is an implied right to use the image to look at it and enjoy it in its original context, but that does not confer the additional right to copy it, any more than borrowing a book from a library gives you the right to do anything other than read it.

2, 3) Permission is required; selling info is a more tricky question but generally no. UK Data Protection Act 1998 (DPA) is very specific - see under the new name of the Data Protection Commissioner as "Information Commissioner" at http://www.informationcommissioner.gov.uk/ .
You can only process (includes gather, store, refer to, send, read, copy, talk about)
personal information (=any information about a living individual who can be identified from the data or when the data is combined with other data in your possession or trivial to get eg public domain)
with consent of the individual
for stated purposes (eg to send them mailshots, process their bank account, deliver their order)
which must be lawful
and the data must be accurate and kept securely (includes that you must correct it if they tell you it is wrong)
and kept for an appropriate length of time (eg personnel records should not be kept forever for no reason)
or else!

Firms which process personal data for any commercial purpose (ie not an individual keeping info solely for personal use) must register with the Information Commissioner, stating what sort of data will be kept for what purposes. There are a few exceptional cases where you may be exempt from registration (eg if the only personal information you have is for internal running of your business eg accounting, employment) but are still bound by everything else in the Act. So you save 35 quid a year or whatever it is these days.

When you gather personal data it must be clear to the data subject what this will be used for, and they must consent to that purpose. If you will be giving away or selling the information this must be clear and the person should have a real choice whether they give you their data or not (but you can make it an all or nothing choice). For example telling a potential employee they will sell your data is not a real choice. Signing up to a website for free stuff on the condition that you will get spam because that's how they fund the content is probably more reasonable - you can choose not to have the free stuff more easily than turning down a job. You can't just change the purpose after gathering it without getting new consent, eg getting an address in order to send a newsletter then later selling it or using it to send junk mail of your own. Consent can be implied if it's really obvious - when you give a bank your details you are implying that you consent to them storing them, using them to check you are really you, sending you statements etc, but not necessarily consenting to junk mail. They don't have to say all of that specifically, it's obvious those things are needed to run their business on your behalf as a customer.

Note: data must be accurate. The data that "this person is happy getting junk mail" must be true, and must be corrected if they tell you it is wrong.

Certain kinds of data are even more strictly dealt with such as anything to do with race, religion, sexuality, health / sickness, union membership, criminal records.
(Aside: there is a perverse situation that if a potential employer gets your consent they can get a copy of your police records but they are not allowed to let you know what's in it under any circumstances, so you might get refused a job because you are known to frequent a pub which has been under surveillance for drug-dealing and you might be a suspect, but you can't know that. Freedom of information may help but seems unlikely to change things as there is no "public interest" involved, purely private. </soapbox>)

Failure to comply with DPA may be a criminal offence for the person breaching it, as well as for the responsible company (usually the directors effectively).

Also, if electronic communications including email or SMS are involved then the EU directive on Electronic Marketing applies - people can only be sent things they have opted in to (SpamHaus' definition of opt in, not spammers' - ie real actual deliberate consent, 'please send me stuff'), and they must be given an opportunity to opt out and stop future marketing info every single time you send something.
So, an email footer with instructions is good. Ideally an automated process via a reply address or URL, or one that generates a manual response at your end. Must not be onerous to the recipient (eg not requesting them to write a letter to you - if you can benefit from the ease of the electronic world, so can they).

So chances are that to sell a mailing list would be completely in breach of DPA if people had not originally consented to you doing this. It also might be in breach of the electronic marketing directive if people were emailed things they had not opted in for.

Telephone marketing is also regulated but other than full opt out via the telephone preference service there's not much that can be done.

So in short:
1) no
2) no
3) yes

If you really need to know about this stuff I can probably recommend a lawyer who specialises in this field (not me - IANAL), PM me and let me know where in the country you are.
qu_est
Just Arrived
Joined: 17 Feb 2004
Posts: 2

Posted: Thu Jul 07, 2005 2:06 pm

Many thanks for this excellent information :) I have printed it out for future reference. I'm in the UK as it happens, and grateful to have the differences explained in the law.

I don't need to go into it from a legal point of view, ie I'm not contesting a breach of either copyright or data protection, just trying to learn a bit more about both subjects as I've recently taken on the job of tutoring and marking online IT courses.

Again, thanks to the people who invested their time to give such great replies.
All times are GMT + 2 Hours