Ethics & Legal

From datarecoverywiki.com

Data Recovery Resources

Background information

Disclaimer: this is not legal advice and the writer is not a lawyer; please seek professional legal counsel.

This page is about protecting yourself against legal issues that may arise when dealing with customers, as well as the ethical issues that may be faced within this field.
This advice is focused on the UK only!

Legal

To be expanded upon

  • Data protection laws (GDPR, DPA)
  • Data protection laws such as the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 (DPA) are two key pieces of legislation to keep in mind when working with other people's data, especially if it is considered
    to be personally identifiable information (PII) such as names, addresses or pictures of people. Any data belonging to a resident of the UK or the EU is subject to these laws even if you are not located in those places.
    This area is heavily regulated and carries major fines if the regulations and acts are not followed.
    The two key points of GDPR and the DPA that you need to watch out for are:
    1. Consent is key
    In order to work with the data on patient drives in any capacity, the owner of the data must have given their consent for that particular part of the data to be accessed, and their consent must not have been withdrawn. (Criminal cases function
    differently, but consent is still required.)
    2. Unconsented access to data is considered to be the same as obtaining the data through methods such as stealing or hacking under UK law, as per the Computer Misuse Act 1990.
    This is why having documented consent for you, the data recovery technician, to access the data that belongs to the client is so important to protect yourself legally.


  • Consent and Authorization requirements Templates
  • As mentioned above, the best way to obtain and prove you had consent to access data is through a well-documented paper trail. In the references section of this page, you will find templates for such agreements.

  • Confidentiality obligations
  • This extends beyond simply not providing details of a customer's data without prior consent. You, as a data handler, are responsible for having the proper security measures and policies in place to ensure that the customer's data
    remains confidential and that the only people who can access it are the people required to, for the amount of time they are required to. Nobody should have access to data they do not need access to.

  • Intellectual property rights
  • This extends far beyond the scope of even this entire website, but it is important to note that all the data on the device is considered the intellectual property of the owner (unless pre-existing agreements state otherwise).
    This means that even if you see an idea on someone's laptop, phone or desktop, you cannot take it and pass it off as your own for any reason.
  • Contractual Obligations
  • Contracts are an important element as they state clearly, and most importantly in a well-documented fashion, what both parties agreed upon and expect at the end of the transaction, such as price, chance of recovery, what happens in the case of data loss, the expected time frame for the work, and any other factor that could be contested in a court of law.
    Without a contract there is no way of proving that you told the client it would be 500 pounds to complete the job. If the client refuses to pay for the work conducted, or does not pay on time (without a payment plan worked out), this can lead to a lengthy
    legal battle that is likely to cost well over the initial 500 pound fee, as well as the reputational damage that often occurs regardless of the legal outcome.
  • Liability for Data loss or damage
  • Responsibility and risk management are two more key reasons to have a well-documented contract in writing that clearly outlines and lists any and all risks that can occur when performing data recovery procedures,
    that records that the client understands and accepts these risks, and that states that if data is lost then you, as the person who performed the procedure, are not at fault.
    It should also detail which party is liable for damages should they occur. For example, if a package is damaged in shipping after the procedure has been completed, who is responsible?
    If the device was not packaged securely, then it could fall to you and not the shipping company or the client.
  • Data breach reporting obligations
  • By law in the UK you have 72 hours (3 days) to report any breach to the Information Commissioner's Office (ICO) once you become aware of it. Depending on the severity of the breach, you may also be required
    to notify each individual that there has been a data breach and that they may have been affected.
  • Consumer protection Laws
  • These laws exist to try to prevent unethical practices, for example by requiring fair treatment regardless of an individual's appearance, beliefs or personal characteristics.
    They also prevent companies from presenting false or misleading information to potential or actual clients, and from taking advantage of a client's situation,
    such as a client who needs data recovery services because they are desperate to recover images of a loved one (this does not include a client who needs data recovery services
    quickly or within a certain time frame).
  • Legal obligation to report illegal material
  • This is where it starts to get complicated both legally and ethically. The client's privacy is the top factor, unless you discover material such as child abuse or plans to commit illegal acts such as murder, robbery or terrorism.
    If you do come across such things, you should stop immediately, disconnect the drive and notify the police of the situation straight away, assuming you do not have a company policy in place for this.

Ethics

To be expanded upon

  • Privacy and Confidentiality
  • As well as there being legal constraints on how personal data should be handled, there is also an ethical argument to be made
    that any information you, as the person working with the data, come across should be kept private and confidential (unless it breaks the law),
    even if it appears unethical to you personally. For example, if you discover that the client is having an affair and cheating on their partner,
    you should not inform the partner of this affair, despite the fact that affairs are widely regarded as deeply unethical.
    It is not your place to act on anything or pass judgement on another person's personal life (unless it breaks the law).
  • Data Ownership
  • Any information that you find on a client's drive belongs to them absolutely.
    For example, upon successful recovery of the data on a drive you become aware of a "million-dollar idea" that you stand to gain greatly from financially.
    Ethically, you should simply ignore this and continue your job. However, if you were unethical you could just as easily inform the client that your data recovery attempts
    were unsuccessful, and since you now have the only proof of the idea's existence and they have no way to prove otherwise,
    you would get away with this and gain all the credit and financial rewards.

    However, as a person in a position of power, you have an ethical duty not to use your position to take advantage of people's work and take it for your own gain.
  • Integrity and Honesty
  • As a person in a position of power, and especially when dealing with desperate people who will do anything to get their data back,
    it is important not to take advantage of vulnerable people simply to make a profit, for example by increasing prices for those
    who are desperate (wanting the data back at all, not people who want it quickly) or who are technologically illiterate and simply do not understand the topic.
    The key thing to understand is that just because you can does not mean that you should.
  • Environmental considerations(E-waste)
  • Due to the nature of repair of any kind, there are some things that simply cannot be repaired and are broken. This is especially the case within data recovery,
    as a lot of electronics such as dead or damaged hard drives, computers and smartphones are thrown into landfill and can release toxic fumes due to the rare earth metals they contain.
    Instead of throwing them away, it is ethically correct to ensure to the best of your ability that these devices are recycled (e.g. putting them in an electrical recycling bin instead of the standard waste), as this produces less waste that ultimately ends up being buried in landfill.

    While ultimately nobody, especially not this page, can force you to follow these ethical guidelines, you and the rest of the industry should aim to uphold them,
    as they promote the fairness and equality that create a trustworthy industry for both data recovery practitioners and their clients.

Templates

External references in wiki references can just be cited through the keyword link