I am regularly asked by clients, training course attendees and contacts in non-Irish companies looking to expaned into Ireland what is the most relevant legislation relating to information security for organisations in Ireland. So here is my top list of legislation that you should be concerned about regarding information security and your business in Ireland; I hasten to point out that I am no legal expert and that the information below is purely for guidance and should be verified with your own legal team. If anyone else I have forgotten any items then please let me know ;
- The Criminal Damage Act 1991
- The Criminal Evidence Act 1992.
- Section 9 of the Criminal Justice (Theft and Fraud Offences) Act, 2001.
- The Data Protection Act, 1988.
- Data Protection (Amendment) Act 2003.
- European Convention on Human Rights
- Child Trafficking and Pornography Act 1998.
- Offences against the State (Amendment) Act 1998.
- The Copyright and Related Rights Act 2000.
- Postal and telecommunications Services Act 1983.
- Post Office (Amendment) ACT 1951.
- Electronic Commerce Act 2000
- The Defamation Act 1961.
- Section 23 (Defamation) of the Electronic Commerce Act, 2000.
- Employment Equality Act 1998.
- The Equal Status Act 2000
- Article 40.3.2 of the Irish Constitution regarding defamation.
- Approved EU directives.
- Third party litigation
The ones of concern to most companies would be The Data Protection Act, 1988 & Data Protection (Amendment) Act 2003. Under the above an organisation is obliged to ensure the confidentiality of personal information of customers and staff. This means ensuring that information is available only to those who need it and only for the purposes gathered.
So for example if you buy something of a shop and they ask for your mobile number to facilitate delivery this is all they are allowed to use that data for. If you then get a SMS message from them advertising new services they are in breach of the Data Protection Act and could face fines of up to €3,000 per message.
Similarly if your organisation was to misuse personal information in a similar manner you could face the same fines. You can also face fines for not securing the information properly. The Data Protection Commissioner have a good video on their site outlining the obligations
You also need to be aware of the European Convention on Human Rights
Under the above everyone has the right to privacy in all their communications. This means that a company cannot read employee’s emails or monitor their phone calls or their Internet usage. In order to do so you need to make staff aware of this in an Acceptable Usage Policy so that in effect waive this right.
The Employment Equality Act 1998 obliges you to provide a safe working environment for all without fear of discrimination. An area that could be of issue is if a member of staff feels they are being sexually harassed due to the content other members’ of staff view on their computer. It is important that all staff are aware of what they are allowed and not allowed to do when using organisational resources such as computers and what type behaviour is acceptable. This would be outlined in an Acceptable usage Policy. Ideally this should then be managed and monitored to ensure people are not breaching the policy and disciplinary action taken where appropriate.
Under this act any copyrighted material found on your systems could result in a prosecution against the directors of the company and NOT the individual who violated the agreement. So if a member of staff copies the latest Spiderman movie onto their PC it is the board of directors that could face prosecution and not the individual.
Finally you are also obliged to protect credit card data in accordance with the PCI DSS Credit Card standard. This is a standard produced by the credit card companies to ensure retailers secure credit card information belonging to customers. If you are found to be in violation of this standard which resulted in credit card information being compromised the organisation will face increased credit card charges, possible fines and will have sanctions such as annual third party audits enforced on the organisation.
UPDATE – 22/05/08
For those of you based in the United States the following post on “10 ways you might be breaking the law with your computer” may be of interest.