Legislative framework for interception and monitoring

Legislative framework for interception and monitoring

The Computer Misuse Act 1990 [CMA] & the Regulation of Investigatory Powers Act 2000 [RIPA] provide the legislative framework, together with the University's own regulations, for the control of the use of IT equipment and the lawful interception of postal, telecommunications and digital communications.

Computer Misuse Act 1990

Key Points:

  • Section 1(1) makes unauthorised access, such as hacking, an offence;
  • Unauthorised access can be external to the University as such access is unlikely to be authorised;
  • Unauthorised access can be internal to the University as the user may be an authorised user, but accessing for an unauthorised purpose;
  • Levels of authorisation need to be clearly outlined to legitimate users - also a requirement of data protection legislation;
  • Unauthorised access can be quasi-internal by, for example, former students or staff;
  • Unauthorised modification includes virus authoring & dissemination;
  • Section 1(2) states that there need be no intention to cause harm;
  • Section 2 applies to unauthorised access with intention to commit, or aid the commission of, an offence;
  • The intent to commit a further offence is not dependent on whether the event takes place nor on whether it is even possible;
  • Section 3 concerns the unauthorised modification of the contents of any computer;
  • There is a consequential liability on the University for the failure to protect systems in the event of an attempt at a Distributed-Denial-of-Service attack;
  • Sections 4 & 5 state that if either the person committing the offence, or the computer against which it is committed, are in the UK, then the UK courts will have jurisdiction.

Regulation of Investigatory Powers Act 2000

Key Points:

  • Replaces the Interception of Communications Act 1985.
  • Provides the framework for the lawful interception of postal, telecommunications and digital communications.
  • To be read in conjunction with the Lawful Business Practice Regulations 2000.
  • Includes lawful interceptions within the University.
  • Interception on the University's own networks are unlawful unless authorised by RIPA and/or other related legislation.
  • Unlawful interception on the University's own network may lead to criminal sanctions against the individual operating without the University's authority.
  • Unlawful interception on the University's own network may lead to civil action against the University.
  • Interception is legitimate where the said interception is by, or on behalf of, a person running a service for purposes connected with the provision and management of that service. For example,
    • System Operators may monitor traffic to determine its source and efficiency;
    • E-mail Postmasters may examine mis-addressed messages in order to redirect them.
  • There is no requirement on the University to give warning of the possible loss of privacy over the legitimate interception for reasons of system management and efficiency.
  • The University may, subject to the user having been regularly informed that such interceptions may be made, monitor and record communications:
    • To establish compliance with regulatory practices & to demonstrate standards;
    • In the interest of national security & the prevention & detection of crime;
    • To investigate & detect unauthorised use of systems;
    • To secure, or as an inherent part of, the effective system operation.
  • The University may, subject to the user having been regularly informed that such interceptions may be made, monitor but not record:
    • Received communications to determine whether they are business or personal communications;
    • Communications made to anonymous telephone helplines.
  • The University must regularly inform its users, including at the initial employment stage, that interceptions may take place.
  • The University should inform its external users, where practical, that communications may be monitored or intercepted.
  • The University should ensure external outsourced communications suppliers comply with RIPA.
  • If the regulations do not justify interceptions then the University can only intercept communications on its own network with the consent of both the sender and the intended recipient.

Acknowledgement

The information and advice on this page is substantially taken, with permission, from a presentation given by Andrew Charlesworth, formerly the Director, Information Law and Technology Unit, University of Hull Law School. However, the responsibility for the information and advice remains with the University of Glasgow.