New rules cut porn risks

IT managers worried about the repercussions of discovering paedophile content on company systems have been advised by online watchdog the Internet Watch Foundation (IWF) that they can report such material without fear of prosecution.

The advice follows a survey by the IWF which found that most IT managers would not know how to proceed if they found such illegal material on company systems.

Under current legislation, it is a criminal offence simply to possess an indecent image of a child, but malware is increasingly responsible for surreptitiously depositing offensive images on corporate systems.

In a survey of 1,000 IT Week readers, the IWF found that 87 percent of IT professionals were unaware of the rules on inadvertent possession of child pornography. The IWF said the regulations have now been clarified and IT managers are allowed to identify and secure such images without suffering legal consequences.

According to an imminent memorandum of understanding (MoU) between the police and the Crown Prosecution Service relating to the Sexual Offences Act 2003, IT managers can preserve suspect images on company systems, but only if they do so in order to provide access to a law enforcement agency or other relevant body.

"The law [previously] did not help IT managers who wanted to report incidents; they were frightened," said Peter Robbins, chief executive of the IWF. "But recent changes protect those who have been legitimately exposed, meaning that they can report it to either us or the police. [Before the MoU] it would have been illegal to look at those images, even as a systems administrator. Most companies do not want direct involvement with the police."

The IWF research found that just 27 percent of respondents said they would report incidents of child porn externally.

Robbins added that thanks to the MoU, companies will not always have to report suspect images to the police. Instead firms can ask the IWF to examine the content, and if it deems the images illegal the IWF will take responsibility for reporting it to the police. Offensive but not illegal content can be dealt with internally.

George Gardiner, an IT law expert, said, "This is good news. There was ambiguity, leaving people uncertain about whether they would be prosecuted [and] this has been removed. But clearly, the IT manager must not go looking for more evidence - just one incident will be sufficient."

IT crime expert Neil Barrett said, "Under current laws when corporates find child porn they delete it, and the evidence is gone. The memo aims to encourage corporates to retain evidence, but the firm must do a risk assessment first - no company wants its name associated with child porn."

For the latest news for IT professionals, visit ITWeek.co.uk