Unauthorised Access to Computer Material

What is unauthorised access?

Unauthorised access to computer material can occur, for example, when a person gains access to a computer through a telecommunications network, or when an employee accesses information on their employer’s computer which they are not entitled to access.  The basic offence is contained in s1 of the Computer Misuse Act 1990, but it is worth noting that elements of employment law can apply to employees who access their employer’s information and data without permission (in addition to the criminal consequences of committing the offence).  Denco Ltd v Joinson [1991] held that an employee was guilty of gross misconduct after using an unauthorised password to gain access to information on a computer which he knew he was not entitled to see.  Having said that, there are provisions under the Employment Rights Act 1996 to protect, in certain circumstances, employees who act as whistle-blowers, but that is outside the scope of this article. 

The offence of unauthorised access

Under s1 of the Computer Misuse Act 1990 a person is guilty of an offence if:

  • he causes a computer to perform any function with intent to secure access to any program or data held in any computer

  • the access he intends to secure is unauthorised, and

  • he knows at the time when he causes the computer to perform the function that this is the case.

The intent need not be directed at any particular program or data or computer.  Although s17 of the Act provides interpretation guidelines it does not define ‘computer’, ‘program’ or data’.  A broad definition of securing access is given under s17(2).  Any data or programs on any removable storage medium which is in the computer at the material time is considered to be held on the computer (s17(6)).

The offence occurs if a person intends to gain unauthorised access and knows that this is the case.  Whether this is actually achieved is irrelevant.  Reckless or careless access is also insufficient.  Additionally, the offence is made out even if only one computer is used, that is, it is not necessary for a person to be using one computer to gain access to programs or data held on another computer (see Attorney-General’s Reference (No. 1 of 1991) [1992]. 

Unauthorised access by employees

Employees can be guilty of the s1 offence if they are using their own computers at work to access any program or data which they are not authorised to access.  Under s17(5) of the Act access by a person is unauthorised if

  • he is not himself entitled to control access of the kind in question to the program or data; and

  • he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled.

The provisions also apply to school pupils and students.  A person must know that they are not entitled to access the data or program and that they do not have consent.  As a matter of prudence an employer should set out in unambiguous terms which programs and data employees have access to.

Authorised access, unauthorised purpose

A point of interest is when an employee who has authorised access to a computer uses that computer for an unauthorised purpose, such as doing private work or research not connected to their employment.  The question is whether this is unauthorised access.  A 1998 report by the Audit Commission (Ghost in the Machine: An Analysis of IT Fraud and Abuse) highlighted the case of a nurse who had authorised access to patient information and used this access to search for the medical records of family and friends.  The nurse was not prosecuted under the 1990 Act but she was given a written warning for breaching patient confidentiality.  In DPP v Bignell [1998] two police officers used the police computer to check details of motor cars they wanted for private purposes.  They were charged with unauthorised access under s1 of the Computer Misuse Act 1990.  The question to be decided was whether their access was authorised.  The Queen’s Bench Division of the Divisional Court held that the police officers were entitled to control access to the material under s17(5) and so their access was authorised.  Accessing the information was part of their normal duties.  The decision has been heavily criticised, not least because being entitled to access computer material is not the same as being entitled to control access to that material.  Indeed, the House of Lords in R v Bow Street Metropolitan Stipendiary Magistrate, ex parte Government of the USA [2000] also criticised DPP v Bignell as regards the interpretation of the concept of authorisation and stated that the judge had erred when considering authorisation to data of a particular kind as opposed to authorisation to a particular program or data (as required by the Computer Misuse Act).

Law Commission report

The Law Commission Working Paper on Computer Misuse also considered the s1 offence.  The Commission thought that the offence should not apply, for example, to an office secretary using their employer’s computer to write private correspondence.  The Commission did not see this as the type of conduct that the s1 offence was directed at, though employees can still be liable for the basic hacking offence if they consciously and deliberately misbehave.

Changes to the offence of unauthorised access

Section 35 of the Police and Justice Act 2006, which took effect on 1 October 2008, amended the offence under s1 of the Computer Misuse Act 1990.  The amendment extended the offence to include an intention to enable access to be secured (previously the intention was only to secure access).  However, this section has itself been repealed by s61 of the Serious Crime Act 2007.  Other amendments under the Police and Justice Act 2006 make the offence triable either way and deal with sentencing.