Tim,

Re point 1. The Police would need to obtain a Court production Order under the relevant legislation to require you to trace account usage etc. if the university did not feel justified in co-operating with any police request for assistance.

You need to be aware of the Regulation of Investigatory Powers Bill which was introduced to Parliament on the 9th February. The 'interception' of communications and access to communications data will for the first time be expanded to include 'private networks'. The RIP takes into account obligations under the ECHR.

See: http://www.homeoffice.gov.uk/oicd/ripbill.htm

As for using shared logons - I doubt the DPC would view this as compliant with principle 7 of the DPA 98 and BS7799 principles.

Kind regards,
Pat Walshe

-----Original Message-----
From: Tim Chown [mailto:[log in to unmask]]
Sent: 18 February 2000 14:23
To: [log in to unmask]
Subject: Re: anonymous email (authentication)

I think there are two issues there:

1. Shared logons, e.g. a "tempsec" account for temporary secretarial staff to use. CERT (and the police) would frown on this. The police are telling us (or more accurately our Computing Services) that if we don't track who is using a system which is used in an offence, the University is liable (is this true?)

2. Non-authenticated network access. Perhaps via a docking station with IP served by DHCP - relatively untraceable if the user chooses to just browse or send email from the (laptop) machine. Or perhaps via non-authenticated dialup (a modem in a staff office), though in that case there may be a way to trace the call origin.

The Internet is heading towards a more pervasive framework where authentication may not be required in many scenarios.

Tim

On Fri, 18 Feb 2000, Ricky Rankin wrote:

> How does this conflict with the information from CERT that we should
> try not to have anonymous logons.
>
> We have had cases of defamatory messages being sent from such
> accounts, which fortunately have not led to litigation - but this
> cannot be guaranteed in the future.
>
> Ricky
>
> On 17 Feb 2000 11:08:10 +0000 [log in to unmask] wrote:
>
> > Anonymous e-mail does not constitute Personal Data unless the
> > pseudonym is held by the Data User in a separate place and the
> > person can be identified fully from that information.
> >
> > If you retain anonymous information (for some reason?) then this is
> > still not Personal Data. Obviously if an enquirer gives all the
> > necessary identification details, then this is Personal Data and
> > will need to be processed under the Act, with all considerations of
> > security, length of retention etc. Hope members agree?
> >
> > Roy Candy
> > DPO
> > Northampton General Hospital NHS Trust
>
> ----------------------
> Ricky Rankin
> Principal Analyst
> Computing Services
> tel +44 28 90 273819
> fax +44 28 90 230592