The implication of legislation for ICT policies and organisational procedures

Organisations are not free to do what they like using ICT. There are lots of laws which govern what can and cannot be done, and it is important that organisations are aware of all the laws applicable to their particular business and that they take suitable steps to ensure that they operate inside these laws.

These revision cards will look at the main pieces of legislation and the policies and procedures that need to be put in place to ensure that the organisation is compliant with the legislation.


The implications of legislation for ICT policies

  • In large organisations someone is appointed to the post of compliance officer
  • ICT policies have to be drawn up to ensure that all proposed developments and all activities involved in day-to-day ICT use are within the law 
1 of 9

What is the Copyright Designs and Patents Act 1988

Protects intellectual property such as the following from being copied: 

  • software/ hardware
  • books and manuals

Policies would need to be set out to prevent staff from: 

  • copying images or text or sections of websites without permission
  • sharing digital music illegally
  • running more copies of software than the license allows
  • forcing employees to copy software illegally.

Usually such policies would be laid out in either the ICT code of practice for ICT users or an acceptable use policy. 

2 of 9

What does the Computer Misuse Act 1990 cover?

  1. Unauthorised access to computer material
  2. Unauthorised access with intent to commit or facilitate a crime
  3. Unauthorised modification of computer material.

1) This offence carries the risk of being sentenced to six months in prison and/or a hefty fine.

2) Anyone caught doing this risks up to a five-year prison sentence and/or a hefty fine.

3) This offence carries a penalty of up to five years in prison and/or a fine.

Unfortunately, very few cases are actually prosecuted under the Computer Misuse Act and even if they are, sentences tend to be lenient.

3 of 9

What preventative measures could be put in place t

  • A ban on the downloading by staff of any program without the permission in writing of the network manager
  • A ban on the use of another person's username and password, so that it is always possible to identify the person who has logged on
  • Regular audits to check that money isn't going missing into bogus accounts. 
4 of 9

What is the data protection act what policies does

The Data Protection Act is used to protect personal data from misuse. To comply with the Act, organisations have to adopt a number of policies such as:

  • Appointing a senior member of staff to the data controller role
  • Notifying the Information Commissioner's Office that the organisation is processing personal data
  • Putting mechanisms in place to enable data subjects to see the information held about them
  • Ensuring data security is not compromised on portable devices; usually there will be a policy involving encryption
  • Ensuring all staff understand the DPA principles as laid out in the DPA
5 of 9

Name the three main policies affected by the Data

1) The training policy will ensure that all employees who deal with personal data are aware of how they have to deal with the personal data

2) The security policy will deal with making sure that personal data is kept secure and not compromised by being stored on insecure media such as flash memory

3) The ICT code of practice for ICT users or an acceptable use policy can deal with confidentiality of data and things staff must do when working with personal data. 

6 of 9

What is the Freedom of Information Act? (2000)

  • Covers public authorities 
  • A member of the public can apply for information 
  • Public organisations therefore need policies and procedures to provide such information when requested. 
7 of 9

What is the Telecommunications Regulations 2000?

Allows an organisation to intercept and monitor communications without the consent of the sender and the recipient. This is only allowed in certain circumstances:

  • Keeping transaction logs for the purposes of performance monitoring & quality control
  • Access and activity logs maintained to allow investigation or detection of computer misuse or unauthorised use of systems
  • Monitoring to ensure the effective operation of the systems 
  • Inspection of file contents to detect misuse

It is therefore possible for organisations to check the emails sent by a particular person or the phone calls made by that person. 

An organisation needs to have policies stating under what circumstances this will happen, and it needs to make staff aware that such monitoring may take place.

8 of 9

What health and safety policies must be in place t

Health and safety policies must be in place to protect employees and these would include: 

  • Inspections of chairs, workstations, desks, keyboards etc 
  • Putting in place working practices and procedures to protect against injury and RSI
  • Ensuring staff are properly trained to minimise risk to their health
  • Paying for eye tests and any glasses needed for those staff that use computer screens
  • Ensuring that any software created is not stressful or frustrating to use. 
9 of 9




rubbish reading so hard to understand but compromises by the depth of info



Thank You so MUCH!
