I think there are two issues there:
1. Shared logons, e.g. a "tempsec" account for temporary secretarial
staff to use. CERT (and the police) would frown on this. The police
are telling us (or more accurately our Computing Services) that if
we don't track who is using a system which is used in an offence, the
University is liable (is this true?)
2. Non-authenticated network access. Perhaps via a docking station with
IP served by DHCP - relatively untraceable if the user chooses to
just browse or send email from the (laptop) machine. Or perhaps via
non-authenticated dialup (a modem in a staff office), though in that
case there may be a way to trace the call origin. The Internet is
heading towards a more pervasive framework where authentication may
not be required in many scenarios.
Tim
On Fri, 18 Feb 2000, Ricky Rankin wrote:
> How does this conflict with the information from CERT that we should
> try not to have anonymous logons.
>
> We have had cases of defamatory messages being sent from such
> accounts, which fortunately have not led to litigation - but this
> cannot be guaranteed in the future.
>
> Ricky
>
>
> On 17 Feb 2000 11:08:10 +0000 [log in to unmask] wrote:
>
> > Anonymous e-mail does not constitute Personal Data unless the
> pseudonym is > held by the Data User in a separate place and the person
> can be identified > fully from that information.
> > If you retain anonymous information (for some reason?) then this is
> still > not Personal Data.. Obviously if an enquirer gives all the
> necessary > identification details, then this is Personal Data and will
> need to be > processed under the Act, with all considerations of
> security, length of > retention etc. Hope members agree?
> > > Roy Candy
> > DPO > Northampton General Hospital NHS Trust
> >
>
> ----------------------
> Ricky Rankin
> Principal Analyst
> Computing Services
> tel +44 28 90 273819
> fax +44 28 90 230592
>
>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|