
UK-Are there rules for dealing with unrelated personal info?  

engdan
(@engdan)
New Member

Hello all,

Firstly I'd like to make absolutely no attempts to hide it and say up-front that this is a 'homework' question, although it does only relate to a very small part of the task.

I have a scenario and have been tasked to write about any legal+procedure issues surrounding the digital forensics. Very briefly, the scenario is that a Victim who happens to work in recruitment for a bank has been receiving threatening emails and SMS messages.

My thought process is that since the victim is in recruitment, when the police acquire or access her computer for emails or her phone for texts as evidence, they may encounter personal information of others (CVs from applicants etc.) unrelated to the case. I suppose it is also possible the victim could possess confidential info belonging to the bank? It is all a bit hypothetical but I'm trying to cover as much ground as possible.

Are there any specific guidelines or rules that must be followed if unrelated personal information is involved in a case? I am keen to understand any actions that can be performed to resolve any issues it could cause.

…Is this even a problem or am I thinking into it all too much?

Thanks in advance!

Dan

Posted : 01/01/2019 11:59 pm
minime2k9
(@minime2k9)
Active Member

I'm assuming as you have mentioned the police that your scenario relates to a criminal investigation.

If you check relevant legislation (DPA, GDPR etc.), most of them have blanket exemptions for prevention and detection of crime and therefore the personal data on the devices would not affect the examination of the devices. You would probably need to know what power the devices were seized under as that will have some relevance.

Information that would affect processing of evidence would be Privileged material (mostly Legally Privileged) and you should probably read up on those types of material if relevant to your scenario.

Retention of such data should be under MOPI (Management of Police Information) and I would have a read at that to give you a better understanding.

Posted : 02/01/2019 7:07 am
trewmte
(@trewmte)
Community Legend

It doesn't automatically follow that all organisations call law enforcement first.

Major corporates have internal security who investigate first. They also have in-house forensic tools and suites so they can conduct examinations.

You may want to consider the corp sifting data and only presenting harassment data in any proceedings.

Posted : 02/01/2019 8:09 am
engdan
(@engdan)
New Member

@minime2k9

This is exactly what I was looking for. Thanks for your help, I really appreciate it.

Posted : 02/01/2019 1:16 pm
engdan
(@engdan)
New Member

> It doesn't automatically follow that all organisations call law enforcement first.
>
> Major corporates have internal security who investigate first. They also have in-house forensic tools and suites so they can conduct examinations.
>
> You may want to consider the corp sifting data and only presenting harassment data in any proceedings.

I'm definitely going to include a bit about this, as an alternative option to avoid all the DPA stuff. Thanks for your suggestions

Posted : 02/01/2019 1:18 pm
jaclaz
(@jaclaz)
Community Legend

> It doesn't automatically follow that all organisations call law enforcement first.
>
> Major corporates have internal security who investigate first. They also have in-house forensic tools and suites so they can conduct examinations.
>
> You may want to consider the corp sifting data and only presenting harassment data in any proceedings.

So, basically, in theory an "evil" internal security officer can send (anonymously) a bunch of threatening messages to any employee in the company and thus have a valid reason to sift through all his/her personal data? 😯

This also - partially - belongs to the big questions/doubts about the BYOD approach
https://www.forensicfocus.com/Forums/viewtopic/t=15070/
https://www.forensicfocus.com/Forums/viewtopic/t=10567/

Where is the border between personal and professional?

jaclaz

Posted : 03/01/2019 11:22 am
trewmte
(@trewmte)
Community Legend

> So, basically, in theory an "evil" internal security officer can send (anonymously) a bunch of threatening messages to any employee in the company and thus have a valid reason to sift through all his/her personal data?

Good point jaclaz and, yes, that could in theory be entirely possible. I haven't come across it, but this cannot be ruled out. Corps do have specific protocols in place to avoid internal (incl. of personnel) contamination being covered up.

Posted : 03/01/2019 5:45 pm
jaclaz
(@jaclaz)
Community Legend

> Good point jaclaz and, yes, that could in theory be entirely possible. I haven't come across it, but this cannot be ruled out. Corps do have specific protocols in place to avoid internal (incl. of personnel) contamination being covered up.

Yep, strangely it is similar in some way in the (IMHO totally wrong) way cases of some (say) sexual violence/harassment offences are seemingly treated in some US campuses where the matter is investigated first by the internal security before the Police is called.

This specific case of threats/stalking (though more "virtual") is still a "criminal offence", so the victim should call the Police first thing, no buts, no ifs, no "corps policies".

Even if the "internal security" handles the device/whatever with the uttermost care and with professional skills, I don't think that it is appropriate to have the device being in the hands of a non-sworn-LEO (but with the same or similar technical abilities) for any amount of time.

There could be contamination/alterations made either
1) intentionally, following some company/manager dictated procedures or direct orders (even if off the file)
2) accidentally, looking for some info on the device
3) a mix of the two above

jaclaz

Posted : 03/01/2019 8:09 pm
trewmte
(@trewmte)
Community Legend

>> Good point jaclaz and, yes, that could in theory be entirely possible. I haven't come across it, but this cannot be ruled out. Corps do have specific protocols in place to avoid internal (incl. of personnel) contamination being covered up.
>
> Yep, strangely it is similar in some way in the (IMHO totally wrong) way cases of some (say) sexual violence/harassment offences are seemingly treated in some US campuses where the matter is investigated first by the internal security before the Police is called.
>
> This specific case of threats/stalking (though more "virtual") is still a "criminal offence", so the victim should call the Police first thing, no buts, no ifs, no "corps policies".
>
> Even if the "internal security" handles the device/whatever with the uttermost care and with professional skills, I don't think that it is appropriate to have the device being in the hands of a non-sworn-LEO (but with the same or similar technical abilities) for any amount of time.
>
> There could be contamination/alterations made either
> 1) intentionally, following some company/manager dictated procedures or direct orders (even if off the file)
> 2) accidentally, looking for some info on the device
> 3) a mix of the two above
>
> jaclaz

Assuming of course Corp people do not know the difference between right and wrong?
Claims can be raised internally to deal with a range of issues. Depending upon the stage of progression of a matter of course.

Posted : 03/01/2019 9:16 pm
jaclaz
(@jaclaz)
Community Legend

> Assuming of course Corp people do not know the difference between right and wrong?
> Claims can be raised internally to deal with a range of issues. Depending upon the stage of progression of a matter of course.

Actually assuming that Corp people may know the difference between right and wrong BUT that they may be in a position to not care too much about that (in the case of a possible intentional manipulation) but I was actually more concerned about possible involuntary contaminations.

jaclaz

Posted : 04/01/2019 2:20 pm