IT staff need audit trails to protect them from child pornography law

Police have urged IT departments to ensure they have proper audit systems in place when they are investigating whether illegal obscene material may have been downloaded onto company networks.

The warning follows the government's decision last month to withdraw an amendment to the Sexual Offences Bill that would have given IT staff legal protection from prosecution if they encountered child pornography during their work.

Stuart Hyde, assistant chief constable with West Midlands Police, who is leading work on the bill for the Association of Chief Police Officers, said IT departments needed to be able to show their staff were acting legitimately to stay on the right side of the law.

"IT departments should have some sort of audit trail on the work they have carried out. What they have done should be proportionate to the problem they were facing," he said.

Hyde also advised IT departments to seek advice from an independent expert who, if necessary, could act as a witness in court to show that staff followed proper procedures.

"If you have a systems administrator digging things out of a server, maybe somebody else ought to be involved," Hyde said. "At the very least, if people do view images, they may need some sort of counselling."

Security specialist Brian Collins, former international IT director with Clifford Chance and now vice-president of the British Computer Society, said the risks posed by child pornography should be a matter for the board.

"Businesses need to manage risk from the top. Systems should be developed that are appropriate in the context of business procedures," he said.

Collins advised businesses to ensure they employ qualified professionals as systems administrators and to ensure that procedures are in place for dealing with obscene material.

Staff should be given written authorisation by the senior risk manager, whether that is the chief operating officer or the chief executive, before they investigate anything, he said.

Andrew Rigby, lawyer with law firm Addleshaw Goddard, advised firms to obtain written authorisation from the police before they investigate possible abuse on their networks.

IT professionals are concerned there is currently no statutory legal defence for staff who may encounter child pornography on their company networks, or in the case of internet service providers, on customer websites.

Although the government is looking for a way of wording the law that would protect IT staff but close any loopholes that could be exploited by paedophiles, it is not clear whether Home Office officials will be able to find a satisfactory solution.

What to do if you receive child porn

Immediately close the file. Do not copy it

Report the discovery to the police or to the Internet Watch Foundation

Do not send copies of the material to anyone, not even the human resources department

Seek advice from a security professional or the police

Have an audit trail in place

Consider counselling IT staff if they have viewed obscene material.

Source: Addleshaw Goddard and Acpo
