Welcome to the May 2012 JISC Legal Monthly Newsletter (No 82). This month's news includes items on YouTube, social networking and unencrypted devices.
Our Cloud Computing and the Law webcast is on 30 May 2012 at 2pm. It will examine in some detail the legal challenges for colleges and universities that are considering the use of cloud computing services. Our short video introduction illustrates the content of the upcoming webcast and outlines the significance of legal issues in cloud computing. Please do forward the link to the webcast promotion video to anyone at your institution who is likely to be involved in making decisions about using cloud services. It can help them assess the value of the upcoming webcast.
The recordings of our Mobile Technologies and the Law webcast are now available at jiscleg.al/MobileRecordings
JISC Legal was delighted to sponsor the ‘Bringing Fun to Learning Award’ at the ‘Celebration of e-Learning’ held by RSC Northern on 22 March 2012. The winner was Bob Metcalfe of the TTE Technical Training Group and the award was one of twelve won by ‘inspirational teams and individuals from all over the North East’. We congratulate Bob on his award and the contribution he and TTE make to the sector.
JISC Legal Plus continues to offer great value expert in-house training on FOI, copyright, data protection and e-safety to colleges and universities. If your institution is looking for relevant sector-specific expertise in these significant areas then our on-site staff development packages are for you. Find out the details of JISC Legal Plus at – http://jiscleg.al/JISCLegalPlus
Fair's Fair in Fines Issued Says the ICO
The Information Commissioner’s Office has defended statistics released under FOI showing that private companies were fined on fewer occasions than public sector organisations over an eleven month period. Within that time, one fine of £1000 was issued to a private firm whereas eight local councils were fined a total of £790,000 over data protection breaches. In response, the ICO said fines would be imposed only where a data breach caused substantial damage or distress or where it had the potential to do so, and where the organisation was or should have been aware of a risk of a breach and failed to take reasonable steps to prevent it. The guidance issued by the ICO on potential fines also states that any penalty must be ‘appropriate’ and at a ‘reasonable and proportionate’ level taking into account the relevant facts of the case and the ‘objective in imposing the penalty’. Under the statistics released, final penalties imposed were lower than originally sought in five cases and the most common data breach was disclosure of personal information in error. The Out-Law article provides institutions with a helpful reminder of what is required to meet data protection obligations and thus prevent monetary penalties being imposed. For more information on data protection law, please visit the JISC Legal website.
New Legal Opinion on Resale of Software
A recent Opinion for the European Court of Justice (ECJ) has taken a pragmatic approach to the law surrounding the resale of unwanted computer programs. A German company, usedSoft, buys and sells second hand software licences where the applications have become redundant following e.g. bankruptcy or merger or where excessive software licences are purchased by a business. Universities and colleges may have such licences e.g. where purchased for a particular project. The EU Directive 2009/24/EC on the legal protection of computer programs states that the first sale in the EEA area of a copy of a program by the rightsholder or with his consent ‘exhausts’ the distribution right within the EEA of that copy (Article 4.2) . The aim of this exhaustion rule is to strike a balance between the rights of the author and first copyright owner to get economic value from exploiting his work and the interest and need for free movement of goods and services once the rightsholder has had fair recompense for his endeavours. The Advocate General's Opinion for the ECJ clearly concluded that in view of how technology works, the Directive must be interpreted as meaning that the right to distribute a copy of a computer program is exhausted if the rightsholder (Oracle in this case) allowed a copy to be downloaded to a data carrier and also granted for payment a right to use that copy for an unlimited period of time. However if the data carrier sells a licence independently of the copy (e.g. where the program itself has been deleted) , thus requiring a new copy to be downloaded, the exhaustion principle would not apply and downloading and use of this new copy would need the permission of the rightsholder i.e. Oracle could object to the resale where, the computer program had to be downloaded from the internet again so as to allow the resale to take place. In addition the opinion stated that it was no longer practical to restrict the exhaustion principle to tangible items as software downloads were now the norm and should be treated in the same way. The full news item is available from the 1709 blog and the Opinion of the Advocate General is available from the Court of Justice website.
YouTube Contributes to Copyright Infringement Court Rules
A district court in Hamburg, in a provisional ruling, found YouTube contributed to copyright infringement by its users by providing the platform for infringement and failing to act quickly to remove unlawful music videos after it was notified by rights holders. The site was ordered to use the Content-ID software it currently operates to prevent the distribution of content it knows is infringing and also to install a word filter system to identify newly uploaded material that infringes on the rights of copyright holders. The court confirmed that a website hosting materials uploaded by users does not have an obligation to perform general monitoring of content. Under the EU Ecommerce Directive (implemented in the UK by the Ecommerce Regulations 2002) an internet service provider is not responsible for copyright infringing content provided by third parties unless it has actual knowledge of the illegal content and fails to act expeditiously to remove or disable access to such content when informed that the content is unlawful. The Ecommerce Directive restricts member states from imposing a general duty on a website owner to monitor content. This case is a reminder to FE and HE institutions that whilst they may not be liable for hosting copyright infringing materials uploaded by students for example, they should have in place a Notice & Take Down Policy and act expeditiously to remove content they are notified is infringing. The news story is available on the Out-Law website. Further information on ISP liability is provided in JISC Legal’s Guidance Paper. Guidance for FE and HE on copyright is available at jiscleg.al/IPR
Names of Junior Staff Investigating Complaints not Personal Data
The Information Rights Tribunal recently ruled that the names of three junior members of staff who dealt with complaints made to the Financial Services Authority (FSA) should have been disclosed as part of a Freedom of Information (FOI) request. In its decision the Tribunal held that the employee names were not personal data because disclosure of the employee names alone did not necessarily 'affect the individuals' privacy, whether in their personal or family life, business or professional capacity'. However, the Tribunal did go on to say that this would not always be the case. 'There are a number of organisations, the nature of whose activities are such that a particular individual was employed by them, might well amount to personal data'. This case highlights to colleges and universities the circumstances where disclosure of junior members of staff names would be required as part of an FOI request and reflects how the law is being applied and developed in this area. For more information on this news story and access to the decision, please refer to the Out-Law website. JISC Legal considers the issue of personal data in our briefing paper available at:
http://jiscleg.al/DPBriefingPaper05 JISC Legal has published a law watch article on this topic.
JISC Advance Publishes e-Annual Report
JISC Advance has published its e-Annual Report for 2010-11 which presents the key achievements for JISC Advance over this academic year. One of the highlights of the video report is JISC Legal's Cloud Computing and the Law toolkit which has been accessed more than three thousand times. You can view the video at: http://www.youtube.com/watch?feature=player_embedded&v=3c2lUNZodkc.
EC Consultation on Regulating the Internet of Things
Staff at HE and FE institutions using mobile devices in teaching and learning may be interested to learn that the European Commission is asking the public for their views on how to regulate wireless networked devices, also known as the Internet of Things as the current data protection regime is viewed as failing to adequately address emerging technologies. Wireless connected devices such as smart phones gather, exchange, process and store information therefore their use has implications for privacy and security. The deadline for responding to the consultation documents is July 10th 2012. For guidance on mobile technologies and the law for FE and HE, a recording of JISC Legal’s Mobile Technologies and the Law Webcast can be accessed in captioned bite-sized segments.
UK and US Collaboration Improves Patent Examination Efficiency
A joint report published by the UK Intellectual Property Office (UKIPO) and the US Patent and Trademark Office (USPTO) concludes that both offices have been making efficient use of each other's work, which has resulted in an improvement in the quality of patents being granted. In an aim to boost quality and efficiency savings via work-sharing, examiners on both sides of the Atlantic routinely look at work from other offices and as a result can reduce the cost of doing business and help innovators move their product to market faster. This report will be of particular interest to institutions involved in spin-out companies, and also those that have a keen interest in knowledge exchange. For more details on this news story then please refer to the UKIPO website.
Unencrypted Devices Pose 'Unnecessary Risk' for Sensitive Data
Two unencrypted memory sticks containing sensitive patient information were lost by South London healthcare trust. One employee took work home on an unencrypted memory stick containing data relating to 600 maternity patients. The other contained names and dates of birth of 30 children as well as audiology reports of 3 children. Both sticks have since been found. The trust has signed an undertaking to encrypt mobile devices and other mobile media that contain personal data as well as provide staff with appropriate training and awareness of relevant policies. The Guardian article is yet another reminder to institutions to encrypt devices containing sensitive and personal data as necessary. For more information on the protection of data within mobile devices, please refer to our recent webcast.
ICC UK Cookie Guidance for Website Operators
Social Networking Sites used to Threaten Teachers
According to the Teachers' Union NASUWT, social networking websites are increasingly being used to threaten teachers. Furthermore, pupils as well as their parents have carried out such on-line abuse. According to the research, teachers have even faced death threats from pupils commenting on websites. Facebook was identified as the social networking website most used by pupils to comment about staff. This news story highlights again the need for colleges and universities to take their safeguarding responsibilities seriously with regard to appropriate use of their own computing facilities. It also reinforces the important role that their e-safety policies and practice play with regard to promotion and education of their students on responsible use of social networking sites whilst at college. More details on this story are available from the BBC website. JISC Legal has numerous guidance on e-Safety and Web 2.0 available from our website.
SCORE Library OER Survey Report
SCORE is a HEFCE funded three year project set up to support institutions across HE in England as they engage with creating and sharing Open Educational Resources (OER). More details are available from their website: http://www8.open.ac.uk/score/ SCORE identified librarians as a target group to engage in OER and accordingly, in October 2011, sent out a survey to get a national perspective on institutional engagement in OER through their librarians. It also sought to identify library staff engagement with OER, their understanding of licensing and OER, and their experience in using and finding OER. The full survey is available to download at: http://www8.open.ac.uk/score/news/score-library-survey-report JISC Legal has a range of materials on OER available from our website: http://www.jisclegal.ac.uk/Projects/OpenEducationalResources.aspx.
ICO Decision on Use of Private Email Goes to Appeal
The Department for Education is to appeal the ICO decision of 01 March 2012 which ordered Michael Gove to release information contained in private emails unless there is an exemption under the FOI Act to release. The ICO decided that the emails comprised information relating to official government business and therefore fell under the auspices of the FOI regime. The story is available on the guardian website. The JISC Legal FAQ on Staff Private Email Accounts and FOI provides more detail on what the ICO decision means for colleges and universities.