this document) remain the same. 12. The Data Protection Act 1998 requires all personal data to be held under a reasonable level of security. That may include data encryption but also the selective blocking of access to certain network servers or subnetworks. It is a site's responsibility to decide what information needs protecting, and to what level the site will protect that information. 13. Many police forces throughout the UK are now addressing IT issues. The popular press tends to cover the more sensational pornography-related cases. While these may be a cause of embarrassment to a site, there is also a corporate liability under which sites should be able to identify individuals carrying out illegal acts over a network. This is difficult from nonauthenticated access points. While in some cases no law may have been broken by the site from which an incident originated, if the site can be shown to have acted negligently in a civil court it may be liable for a fine or compensation. Thus some method of outbound authentication may be required. Recommendations for institutions and the JISC can be found at the conclusion of the report.