Tim,
Re point 1. The Police would need to obtain a Court production Order under
the relevant legislation to require you to trace account usage etc if the
university did not feel justified in co-operating with any police request
for assistance.
You need to be aware of the Regulation of Investigatory Powers Bill which
was introduced to Parliament on the 9th February. The 'interception' of
communications and access to communications data will for the first time be
expanded to include 'private networks'. The RIP takes into account
obligations under the ECHR. See:
http://www.homeoffice.gov.uk/oicd/ripbill.htm
As for using shared logons - I doubt the DPC would view this as compliant
with principle 7 of the DPA 98 and BS7799 principles.
Kind regards,
Pat Walshe
-----Original Message-----
From: Tim Chown [mailto:[log in to unmask]]
Sent: 18 February 2000 14:23
To: [log in to unmask]
Subject: Re: anonymous email (authentication)
I think there are two issues there:
1. Shared logons, e.g. a "tempsec" account for temporary secretarial
staff to use. CERT (and the police) would frown on this. The police
are telling us (or more accurately our Computing Services) that if
we don't track who is using a system which is used in an offence, the
University is liable (is this true?)
2. Non-authenticated network access. Perhaps via a docking station with
IP served by DHCP - relatively untraceable if the user chooses to
just browse or send email from the (laptop) machine. Or perhaps via
non-authenticated dialup (a modem in a staff office), though in that
case there may be a way to trace the call origin. The Internet is
heading towards a more pervasive framework where authentication may
not be required in many scenarios.
Tim
On Fri, 18 Feb 2000, Ricky Rankin wrote:
> How does this conflict with the information from CERT that we should
> try not to have anonymous logons.
>
> We have had cases of defamatory messages being sent from such
> accounts, which fortunately have not led to litigation - but this
> cannot be guaranteed in the future.
>
> Ricky
>
>
> On 17 Feb 2000 11:08:10 +0000 [log in to unmask] wrote:
>
> > Anonymous e-mail does not constitute Personal Data unless the pseudonym is
> > held by the Data User in a separate place and the person can be identified
> > fully from that information.
> > If you retain anonymous information (for some reason?) then this is still
> > not Personal Data. Obviously if an enquirer gives all the necessary
> > identification details, then this is Personal Data and will need to be
> > processed under the Act, with all considerations of security, length of
> > retention etc. Hope members agree?
> >
> > Roy Candy
> > DPO
> > Northampton General Hospital NHS Trust
> >
>
> ----------------------
> Ricky Rankin
> Principal Analyst
> Computing Services
> tel +44 28 90 273819
> fax +44 28 90 230592
>
>