Unauthorised access to computer material

What is unauthorised access?

Unauthorised access to computer material can occur, for example, when a person gains access to a computer through a telecommunications network, or when an employee accesses information on their employer’s computer which they are not entitled to access. The basic offence is contained in s 1 of the Computer Misuse Act 1990 (CMA 1990). This states that a person is guilty of an offence if:

  • they cause a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
  • the access they intend to secure, or to enable to be secured, is unauthorised; and
  • they know at the time when they cause the computer to perform the function that that is the case.

The intent need not be directed at any particular program or data or computer. Although s 17 of the Act provides interpretation guidelines, it does not define ‘computer’, ‘program’ or ‘data’. A broad definition of securing access is given under s 17(2). Any data or programs on any removable storage medium which is in the computer at the material time are considered to be held on the computer (s 17(6)).

The offence occurs if a person intends to gain unauthorised access and knows that this is the case. Whether this is actually achieved is irrelevant. Reckless or careless access is insufficient. The offence can be committed through physical or remote access to a computer (operation of any computer), as long as it causes the computer to perform a function intended to give unauthorised access.

Unauthorised access by employees

Employees can be guilty of the s 1 offence if they are using their own computers at work to access any program or data which they are not authorised to access. Under s 17(5) of CMA 1990, access by a person is unauthorised if:

  • they are not themselves entitled to control access of the kind in question to the program or data; and
  • they do not have consent to access by themselves of the kind in question to the program or data from any person who is so entitled.

The provisions also apply to school pupils and students. A person must know that they are not entitled to access the data or program and that they do not have consent. As a matter of prudence an employer should set out in unambiguous terms which programs and data employees have access to.

Elements of employment law can also apply to employees who access their employer’s information and data without permission (in addition to the criminal consequences of committing the offence). In Denco Ltd v Joinson [1991], the court held that an employee was guilty of gross misconduct and his employers were entitled to summarily dismiss him after he used an unauthorised password to access information on a computer which he knew he was not entitled to see.

Authorised access, unauthorised purpose

When an employee who has authorised access to a computer uses it for an unauthorised purpose, such as doing private work or research not connected to their employment, the question arises as to whether this is unauthorised access.

A 1998 report by the Audit Commission (Ghost in the Machine: An Analysis of IT Fraud and Abuse) highlighted the case of a nurse who had authorised access to patient information and used this access to search for the medical records of family and friends. The nurse was not prosecuted under CMA 1990, but she was given a written warning for breaching patient confidentiality.

In DPP v Bignell [1998] two police officers used the police computer to check details of motor cars they wanted for private purposes. They were charged with unauthorised access under s 1 of CMA 1990. The question to be decided was whether their access was authorised. The court held that the police officers were entitled to control access to the material under s 17(5) and so their access was authorised. Accessing the information was part of their normal duties. The decision has been heavily criticised, not least because being entitled to access computer material is not the same as being entitled to control access to that material.

Indeed, the House of Lords in R v Bow Street Metropolitan Stipendiary Magistrate, ex parte Government of the USA [2000] also criticised DPP v Bignell as regards the interpretation of the concept of authorisation and stated that the judge had erred when considering authorisation to data of a particular kind as opposed to authorisation to a particular program or data (as required by CMA 1990).

Penalties

A person guilty of an offence under s 1 of CMA 1990 faces up to 12 months’ imprisonment and/or a fine on summary conviction, or two years’ imprisonment and/or a fine if they are found guilty in the Crown Court.

A serious crime prevention order (SCPO) can also be made against an individual or organisation if they breach CMA 1990, s 1. An SCPO is a civil order used to protect the public by preventing, restricting or disrupting a person’s involvement in serious crime by imposing conditions on their activities, such as who they can associate with, where they can travel to, or obliging them to report their financial affairs to the police.

Exemptions

Under CMA 1990, s 10, enforcing officers who would otherwise be guilty of an offence under s 1 during investigations they are conducting are protected from prosecution. The exemption applies to an officer carrying out powers of investigation, powers of search and seizure or any other investigatory powers granted by statute. This would include police officers, officers of the Serious Fraud Office, National Crime Agency and HM Revenue and Customs.