Computer Misuse Act 1990
This act is concerned with unauthorised access to computer systems and any subsequent crimes or changes to data/programs. It has three levels or sections of offence:-
Section 1
A person is guilty of an offence if:
- he/she causes a computer to perform any function with intent to secure access to any program or data held in any computer and
- the access he/she intends to secure is unauthorised and
- he/she knows at the time that it is unauthorised.
Section 2
A person is guilty of an offence under section 2 if:
- They commit an offence under section 1 and
- They have the intent to commit a further offence or do carry out a further offence. Such offences may include blackmail, theft or any other offence which has a penalty of at least five years imprisonment.
Section 3
A person is guilty of an offence under section 3 if:
- He/she commits any act which causes an unauthorised modification of the contents of any computer and
- he/she knows that the modification is unauthorised and
- he/she has the requisite intent. The requisite intent is intent to cause a modification and by so doing:
  - to impair the operation of any computer
  - to prevent or hinder access to any program or data
  - to impair the operation of any program or reliability of any data.
Prosecutions under the Computer Misuse Act must always show intent. The court must show that the accused knew what they were doing. Incompetence is a defence against a prosecution under the Computer Misuse Act.
Also, many potential prosecutions are blocked by the victims, the organisations whose security systems are breached, because they wish to avoid the bad publicity.
The Data Protection Act 1998
This act is designed to protect the individual and to discourage the dissemination of personal information which identifies individuals.
Definitions under the act
Personal data – data that concerns a living person who can be identified from the data.
Data subject – the individual who is the subject of the personal data.
Data user – the company or organisation that uses the data.
Data controller – the person/persons within a company/organisation who are responsible for controlling the way that the personal data is processed.
The Information Commissioner – the person responsible for enforcing the act.
The Act places obligations on those people who record and use personal data. They must register with the office of the Information Commissioner and state:-
- about whom they collect personal data,
- the items of data held,
- the purpose(s) of holding the data,
- the sources of the data (how it is collected),
- the types of organisation to whom the information may be disclosed,
- the overseas countries or territories to which the data may be transferred.
The Principles of the DPA 1998
First principle – states that the data must be “fairly and lawfully processed” and that the processing must be “necessary”.
Second principle – states that “personal data shall be obtained for only one or more specified purposes”. The data may not be processed for any further purposes incompatible with that purpose(s).
Third principle – states that “data shall be adequate, relevant and not excessive” in relation to the stated purpose(s).
Fourth principle – states that “personal data shall be accurate and, where necessary, kept up to date”.
Fifth principle – states that data shall not be kept longer than necessary.
Sixth principle – states that “personal data shall be processed in accordance with the rights of data subjects under this act”. These include:-
- The data subject being entitled to ask (in writing) the data controller for a copy of the personal data pertaining to them. A small charge may be levied but the data must be supplied, in a form that the data subject can understand, within 21 days.
- The data subject may challenge data’s accuracy and ask for it to be deleted or changed. If inaccurate data has caused them damage, they may claim compensation through the courts.
- The data controller having to state the purpose of collecting the data and to whom it is disclosed.
Seventh principle – states that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. In other words, the data must be kept secure.
Eighth principle – says that data must not be transferred to a country or territory outside the European Economic Area, unless that country or territory has similar protections, rights and freedoms of data subjects.
Exemptions from the DPA 1998
Personal data is exempt from the act if the data is involved in:-
- the prevention or detection of crime,
- the apprehension or prosecution of offenders,
- the assessment or collection of any tax or duty (including payroll, pensions, accounts),
- issues related to national security,
- personal, family, household or recreational use.