After a great deal of debate, the Computer Misuse Act finally received the Royal Assent on 29 June 1990 and came into force on 29 August 1990. It places no additional burdens on bona fide computer users, but introduces powers to prosecute those that deliberately, and without authority, misuse their computer systems. This legislation is not restricted to any particular type of data or application and there is no Registrar or other supervisory body to enforce it.
Enforcement is the responsibility of the police and Crown Prosecution Service. A prosecution under the Act is more likely to be successful if a computer user has carefully defined responsibilities and generally good security in place.
The Act defines three offences:
Unauthorized access means any use of or access to the computer system without the consent of the computer user. This covers hacking and authorized users that deliberately exceed their authority. The offence lies in using the computer to perform any function without authority. The prosecution has to establish what function was performed, what the limits of authority were and whether the person accused knew those limits. The penalties permitted for this offence are fines of up to £2000 and/or imprisonment of up to six months.
The other offences are regarded as much more serious and accordingly attract much higher penalties: up to five years' imprisonment or an unlimited fine or both.
Ulterior intent refers to people who make unauthorized access to a computer system with the intention to carry out a serious crime. For example, access could be made to a number of computers in preparation for a computer fraud, or access could be made to personal information as a step toward attempting blackmail.
Unauthorized modification refers to carrying out any modification to any computer without the authority of the computer user and with the intention to impair its use in some way. It covers, among other things, the introduction of viruses and time-bombs. For example, it includes a virus creator who releases his product hoping to do maximum damage.
Before this Act came into force, the only criminal offence committed by someone who broke into a computer system was the theft of electricity. This Act provides the means to prosecute those that deliberately interfere with a system, whether they do actual damage or not. However, the difficult part will be in catching the miscreant and then demonstrating that he did not have authority to access or modify the system. This can be aided by having an IT Security Policy, known to all staff, that states the limits on authority of system usage. Those breaking in from outside should be told, before they can do any damage, that they must not proceed further. The more barriers that can be placed in the way of any interloper, the better. Anyone who is forced ingeniously to bypass a number of security checks will be unable to claim afterwards that he did not intend to do so. This Act will enable victims to take legal action against their attackers (assuming that they know they have been attacked and that they can prove that their attackers knew that what they were doing was unauthorized). However, it does not excuse computer users from taking all reasonable precautions to prevent an attack in the first place.
The concept of intellectual property applies. However, only some IT products (both hardware and software) are treated as belonging to one particular individual. Others are deemed to be incapable of ownership and thus are available to all.
This Act provides the same rights to authors of computer programs as to those of literary, dramatic and musical works. It permits the author to charge a fee for the publication or performance of the work in question; copyright is normally assigned to the company that employs the author(s). Copying, publishing or adaptation of software is a civil offence without the authority of the copyright holder and is a criminal offence if done in the course of trade.
The copyright owner's permission is needed, for example, to translate a program written in one computer language into an equivalent program in another language. The process of reverse engineering by decomposition is only permitted to facilitate error correction, if the machine code version of a program fails when executing.
The Act applies criminal punishments to unauthorized copiers or distributors of computer software for gain, of fines up to £2000 or 3 months' imprisonment on conviction in a Magistrates Court, or unlimited fines and/or 2 years' imprisonment on conviction in a Crown Court (i.e. before a jury).
Many of its clauses make it clear that this Act is intended to hit those who pirate software "by way of trade", but it is also an offence to have in one's possession an unauthorized copy of a program, knowing it to be an infringing copy. Thus it is definitely an offence to copy a program for several users in a company without gaining specific authority from the copyright holders.
FAST, the Federation Against Software Theft, and BSA, the Business Software Alliance, are organizations that act against illegal use of software. They use Anton Piller orders (which enable surprise searches of premises) to gain entry to organizations' premises to see if their staff are in breach of the law. Company directors face imprisonment and fines if unlicensed software is being used within their company.
The following points are related to the legal implications of computerised data processing:
Legislation with direct influence on the use and security of computers includes:
The Acts with the greatest impact on computing are the Health and Safety at Work Act, the Data Protection Acts, the Police and Criminal Evidence Act, the Companies Act, the Copyright, Designs and Patents Act, and the Computer Misuse Act.
The Data Protection Acts regulate the use of personal data held on a computer and bring the UK into line with most of Europe on the issue of holding and using personal data. "Personal data" is defined as data that refers to any living individual. The Acts discriminate between data users, who control the use and content of the data, computer bureaux, who process data on behalf of the data user, and data subjects, who are referenced by the data.
Data users must:
Data users must register their use of personal data. The registration document requires the following details:
Data subjects have the right to apply to the data user in order to see the information held about them. The data user may require a fee and will normally be expected to respond with a copy of the relevant data within forty days.
A computer bureau may only disclose data with the consent of the data user and must provide appropriate security measures for the data in its charge. A computer bureau that handles personal data is expected to register.
There are a number of exemptions, all very narrowly drawn and best ignored by the data user. Reliance can be placed on only two types of exemption: those to do with national security and the use of personal data for personal, family or household affairs.
The European Commission has applied a Directive that imposes standard Data Protection Legislation throughout the Community. Among other provisions are the extension of Data Protection regulations to manual data and a restriction on the sending of personal data to countries without any such legislation. Some of this has been implemented in the 1998 Act.
The Data Protection Act is not applicable in the following situations:
Employers have a duty under the Act to ensure the health, safety and welfare of employees. Among other provisions are the requirements to ensure:
An individual is entitled to: