A sleeping giant lying in wait

The criminal sanctions of the Computer Misuse Act 1990 represent a significant danger to public sector employees who routinely access data stored on their computers, writes Valerie Surgenor.

The advent in recent years of a number of pieces of Data/Information Technology legislation in the UK has meant that public sector workers are now subject to an increasing number of legal obligations. For example, freedom of information requests under the Freedom of Information Act 2000 must be responded to timeously and satisfactorily, whilst a number of stringent obligations exist under the Data Protection Act 1998 in relation to the handling and releasing of personal information.

Yet even in the face of the above-mentioned legislation it may come as a surprise to many that the little-known Computer Misuse Act 1990 ("the Act") – a piece of legislation which has been in existence for 20 years – could be of danger to many public sector workers who routinely access data stored on computers in their day-to-day employment.

The Law

The Act was brought into force in 1990 primarily to stop the hacking and accessing of computer data and networks. Section 1 of the Act makes it an offence to access data held on a computer where the person knows that access is unauthorised. There does not have to be intention to access specific data or programs, nor does there have to be any sort of malice involved. The s.1 offence is perpetrated simply by the data being accessed; that access being unauthorised; and the accused knowing that such access is unauthorised.

Sections 2, 3 and 3A of the Act go further and lay down the offences of using the unauthorised access to commit a serious criminal offence; carrying out an unauthorised act which impairs the operation of a computer; and making/supplying any articles which can be used to commit one of the offences in sections 1-3. In the context of public sector workers, whilst sections 2-3A are important to bear in mind, they are likely to be of less importance in practice than the provisions of s.1. The focus of this article is therefore the offence under s.1 of unauthorisedly accessing data.

Interpretation of "Access"

Where a person is accused of carrying out a s.1 offence under the Act there is little scope to argue that the data was not actually accessed. "Access" is defined broadly under s.17(2) of the Act as: (a) altering or erasing a program or data; (b) copying or moving the program or data to a different storage medium; (c) using the program/data; or (d) having the data output from the computer (whether by displaying it or otherwise). The scope for the accused to argue that they were not actually accessing data is therefore limited almost to nil.

Interpretation of "Unauthorised"

A common defence used where a person is accused of carrying out a s.1 offence is that the data/program was accessed, but that the access was authorised. This raises questions of what types of access are "unauthorised".

Section 17(5) of the Act defines access as unauthorised if: (a) the accused is not entitled to control access to the data/program; and (b) the accused does not have consent to access the data/program from a person who is entitled to give consent.

Unfortunately this area of the law has suffered from a severe lack of judicial consideration (despite its 20 years of existence) to interpret the terms of s.17(5), and the case law which does exist is contradictory. There is therefore some uncertainty as to when access will be "unauthorised". Nonetheless, some general principles can be derived.

The issue was first considered in the case of DPP v Bignall [1998] 1 Cr. App. R.1 where two police officers received consent from the police commissioner to access the Police National Computer ("PNC") for policing purposes. The two accused, however, instructed a PNC operator to use the PNC to obtain details of car registrations for their personal use (such use clearly not being for the authorised 'policing purposes'). The court in this case held that, whilst the accused did not have authority for the particular purpose actually accessed, they nonetheless had authority from the controller of the data (the police commissioner) to control access to the data (i.e. they could control access by requesting the data operator to obtain specific data). The two accused were therefore not guilty of an offence under the Act.

This decision has, however, been largely overruled by the decision in R v Bow Street Metropolitan Stipendiary Magistrate [2000] 2 A.C. 216 and the position now appears to be that where authorisation is given to a person to access data, the actual access must not go beyond the authorisation given. (There appears to be a narrow exception to this where the accused – as in DPP v Bignall – instructed a person with authorisation, i.e. the computer operator, to access the data for them; the accused will in this situation potentially not be guilty of an offence under s.1. Whether this exception would still be upheld by the courts, however, is not clear.)

Punishment

If found guilty of unauthorised access of data/programs under s.1 of the Act, the convicted person faces up to two years in prison and/or a fine of up to £5,000 (or £10,000 in Scotland).

Specific Issues for the Public Sector

Whilst the dangers to public sector workers posed by the Computer Misuse Act may not be immediately clear, a number of cases have been raised in the past in relation to public sector workers. The fact that the vast majority of cases under the Act have been unreported makes analysis of the decisions somewhat difficult; however, some areas of danger can be highlighted.

Using Authorised Access for the Authorised Purpose

As stated above, access to data is now likely to be considered authorised only where the actual use of the data is the purpose for which authorisation was given. In the case of R v Scott Gelsthorpe and Jeremy Young (unreported, Southwark Crown Court, 2007) police officers were given authorisation to access the PNC in the course of their duties as police officers, for the purposes of policing. Yet in this case the police officers accessed the PNC to provide information to a private detective agency with which they were affiliated. So whilst the access was authorised for policing purposes, it was not authorised for the purposes of their private detection business. Although the actual decision in this case turned upon s.3 of the Act, it is likely that the accessing of the data in this case would also have been unauthorised in terms of s.1.

Workers in the public sector should therefore be sure that, where they have authorised access to any computers which hold data, they are only accessing the data for the authorised purpose. In practice this is likely to be accessing the data in the course of their employment only (i.e. for the purposes of their employment) – accessing for any form of personal use will put public sector workers at risk of committing an offence under s.1 of the Act.

Using Authorised Access for Personal Purposes

Going hand-in-hand with the rule that the authorised access must be used for the authorised purpose is a rule that the authorised access must not be used for personal purposes. The case of R v Scott Gelsthorpe and Jeremy Young, above, was an example of where public sector workers went beyond the remit of their authorised access and used the accessed data for their private business. In the context of s.1 of the Act this is likely to constitute use for personal purposes.

In the case of R v Michelle Begley (unreported, Coventry Magistrates Court) a police officer was given authorised access to the PNC (such access was given, again, for policing purposes). The police officer, however, used the access to the PNC to track electoral records and car registrations of a female who had been conducting an affair with her boyfriend. The accused was convicted of a s.1 offence and sentenced to three months’ imprisonment.

A similar case arose in R v Bennett (unreported) where an ex-police superintendent used the PNC to track details of his ex-wife's new partner. In this case the accused pleaded guilty to a s.1 offence and was fined £150 plus costs. (A caveat to this case is that it may have been overturned on appeal. However, because the original case itself was unreported, no further details exist to confirm this. We must therefore work on the basis of the original decision.)

Although none of these cases turned specifically on whether the access was for personal use, such personal use is – by virtue of the fact it is not the authorised use – likely to constitute an offence under s.1. The principle to bear in mind is therefore that to avoid conviction under the Act public sector workers should ensure that where they have been authorised to access data held on a computer, they should not use this data for personal purposes. The indications are that the courts will simply not consider accessing data for personal use to be authorised access; however one would have thought it should not require the courts to interpret this in the first place.

Access to Medical Records

A number of cases under the Act have also arisen in relation to hospital/NHS staff accessing patient databases.

In a recent case from September 2010 – R v Dale Trever (unreported, Hull Crown Court) – an NHS data quality manager accessed more than 400 records of family, friends, and colleagues and was caught after a colleague reported his activity. Despite the accused pleading guilty, the judge in the case imposed a penalty of a six-month suspended prison sentence.

In addition, an older case from 1993 – R v Rymer (unreported, Liverpool Crown Court) – highlights the danger that can arise with accessing data without authorisation. In this case the accused, nurse Dominic Rymer, obtained a computer password by looking over the shoulder of a doctor colleague. The nurse then used this password to obtain access to the hospital database and alter the prescription and treatment records for a patient. Quite aside from the danger this could have caused to the patient, this also constituted an offence under the Act. In this case the offence was under s.3 of the Act, although the principle still holds true that the access in this case was unauthorised.

What to Note

As discussed above, it is difficult to interpret the Act due to the lack of reported case law and the conflicting existing case law. That said, a number of cautionary principles can be taken from the case law which should help public sector workers to minimise their risk of prosecution under the Act.

Public sector workers should, if they are not already, be aware that such obvious acts as those seen in the Rymer case to access data held on computers, or using access to such data for business/personal purposes, are likely to constitute an offence under the Act. However, the recent case of R v Dale Trever should also serve as a reminder that using authorised access to simply "fact-find" and read data – even where the use of the data goes no further than this – will still constitute an offence under the Act.

A final point to note is that these principles will hold true whatever the area of the public sector – whether police officers accessing the PNC or social workers accessing social work databases, etc.

How can the Public Sector Avoid Offences under the Act?

It should be clear that the onus is on the individual accessing the data to ensure that they are not committing an offence under the Act. Public sector workers should therefore be certain that they are only accessing data for the purpose authorised and that they are not accessing it for business or personal purposes. This includes accessing the data simply for informational purposes, or to obtain information on family/friends.

A further caveat to deter workers from accessing data which they are not authorised to access is that such access – even if it does not constitute an offence under the Act – could still constitute an offence under the Data Protection Act 1998. In addition, accessing data without authorisation could also result in internal disciplinary procedures which, at worst, could result in workers being dismissed.

Public sector bodies can also help to minimise the potential of any prosecutions under the Act. Bodies should ensure that they have a clear Computer Misuse Act policy in place, setting out what data is confidential and which data cannot be accessed without authorisation. They should also ensure that they have a clear scheme of authorisation in place – i.e. a clear indication of who is authorised to control the data, and who can give authorisation to others to access the data. This, coupled with a high level of responsibility from workers, should ensure that prosecutions under the Act are kept to a minimum.

Valerie Surgenor is a senior associate at MacRoberts. She can be contacted on 0141 303 1241.