IT policies - relevant legislation

Updated on 1 May 2020

High-level summaries of various points that might be relevant to users and system administrators as they pertain to the creation, processing, storage, and transmission of information. These sections also provide the governance underpinning University of Dundee information and cyber security policies, standards, and other guidance.

Computer Misuse Act 1990

Defines offences in relation to the misuse of computers as:

  1. unauthorised access to computer material
  2. unauthorised access with intent to commit or facilitate commission of further offences
  3. unauthorised modification of computer material

The Data Protection Act

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage

There is stronger legal protection for more sensitive information, such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

Freedom of Information (Scotland) Act 2002

The Freedom of Information (Scotland) Act 2002 gives a general right of public access to all types of recorded information held by public authorities in order to promote a culture of openness and accountability.

Regulation of Investigatory Powers Act 2000

The Regulation of Investigatory Powers Act 2000 regulates the powers of public bodies to carry out surveillance and investigation. It covers the interception and use of communications data and can be invoked in cases of national security, and for the purposes of detecting crime, preventing disorder, public safety and protecting public health.

Defamation Act 1996

“Defamation is a false accusation of an offence or a malicious misrepresentation of someone's words or actions. The defamation laws exist to protect a person or an organisation’s reputation from harm.”

Obscene Publications Act 1959 and 1964

The law makes it an offence to publish, whether for gain or not, any content whose effect will tend to "deprave and corrupt" those likely to read, see or hear the matter contained or embodied in it. This could include images of extreme sexual activity such as bestiality, necrophilia, rape or torture.

PREVENT Duty Guidance Documentation

“The Prevent strategy, published by the UK Government in 2011, is part of [the UK’s] overall counter-terrorism strategy, CONTEST. The aim of the Prevent strategy is to reduce the threat to the UK from terrorism by stopping people becoming terrorists or supporting terrorism. In the Act this has simply been expressed as “prevent people from being drawn into terrorism”. The Prevent strategy has three specific strategic objectives:

  • Respond to the ideological challenge of terrorism and the threat we face from those who promote it
  • Prevent people from being drawn into terrorism and ensure that they are given appropriate advice and support and
  • Work with sectors and institutions where there are risks of radicalisation that we need to address…[.]”

[Excerpted from ‘Revised Prevent Duty Guidance: for Scotland’: 2015]

Additional documentation may be found at gov.uk

Protection of Children Act 1978, Criminal Justice Act 1988, Criminal Justice and Immigration Act 2008

The Protection of Children Act 1978 prevents the exploitation of children by making indecent photographs of them and penalises the distribution and showing of such indecent photographs. Organisations must take appropriate steps to prevent such illegal activities by their workers using their digital systems and networks.

The definition of ‘photographs’ includes data stored on a computer disc or by other electronic means which is capable of conversion into an image.

It is an offence for a person to […] distribute or show such indecent photographs or to possess such indecent photographs, with a view to their being distributed or shown by himself or others.

Section 160 of the Criminal Justice Act 1988 made the simple possession of indecent photographs of children an offence. Making an indecent image of a child is a serious arrestable offence carrying a maximum sentence of 10 years' imprisonment. The term "make" includes downloading images from the Internet and storing or printing them out.
