UK Law and Legislation

Several UK statutes determine what counts as computer crime and what does not, chief among them the Computer Misuse Act 1990 and the Data Protection Act 1998. A basic knowledge of what these pieces of legislation cover lets a practitioner check that what they are doing is within the boundaries of the law. It is also useful to employers, who need to know that the tasks they ask employees to carry out on a computer are lawful.

Computer Misuse Act 1990

The Computer Misuse Act 1990 was intended as a flexible piece of legislation for dealing with cybercrime. In practice the main difficulty lies in proving 'intent': each offence requires that the person knew the access was unauthorised and, for the more serious offences, intended a further outcome. As originally enacted, the penalties were a fine of up to £5,000 or up to 6 months' imprisonment on summary conviction, or up to 5 years' imprisonment on indictment for the more serious offences. (Later amendments, notably the Police and Justice Act 2006, raised these maximum sentences.)

The Act introduced three criminal offences: unauthorised access to computer material (section 1), unauthorised access with intent to commit or facilitate the commission of further offences (section 2), and unauthorised modification of computer material (section 3). The second and third are aimed at more serious criminals who use a computer as a means to another crime, for example gaining access to records describing a building's security measures in order to break in. The basic section 1 offence exists to deter people from simply gaining access to a computer they are not permitted to use: it is committed as soon as someone causes a computer to perform a function with the intent to secure access, knowing that the access is unauthorised.

Note that attempting to crack a password merely to get into an account that does not belong to you, without permission, is an offence under this Act. The same applies when the initial access was authorised but the user then goes further, for instance by escalating to higher privileges on the system: any access beyond what was authorised is still unlawful. The second and third offences can also bite in less obvious ways. If an attacker breaks into a bank's computer in order to transfer funds to their own account, they have gained access with the intent to commit theft later, and so face the more serious punishment under section 2 even if the transfer never actually happens. The third offence, unauthorised modification, is aimed particularly at those who create and circulate computer viruses.

Data Protection Act 1998

This Act governs the protection of personal data in the UK (it has since been replaced by the Data Protection Act 2018 and the UK GDPR, but the concepts below carry over). Its aim is to prevent the misuse of personal data and to ensure that the data is adequately protected. The Act defines "data" as information that is processed by computer or recorded with the intention that it be processed by computer; information held on paper that is going to be typed up onto a computer is therefore covered. Paper records that are not destined for a computer only count as "data" if they form part of a relevant filing system, that is, records organised systematically (personnel files, for example) so that information about a particular individual is readily accessible.

There are different entities described in the act:

  • Data Subject - The individual who is the subject of the personal data.
  • Data Controller - The person who decides why personal data is collected and how it is used. A "person" in law may be an individual, a group of individuals or an organisation. The controller is responsible for ensuring that the data is used in accordance with the Data Protection Act and is liable to legal action if the data is mishandled.
  • Data Processor - Any person, other than an employee of the data controller, who processes the data on the controller's behalf. For example, a third party asked to analyse the data would be a data processor.

Key Principles of the Data Protection Act:

  • Data may only be used for the purpose for which it was collected.
  • Data cannot be disclosed to other parties without the consent of the individual whose information is stored.
  • Individuals have a right of access to information held about them (subject to certain exceptions).
  • Personal information must be accurate and up to date, and must not be kept longer than necessary.
  • Data must not be transferred outside the European Economic Area unless the individual concerned has given express permission or adequate protection is in place.
  • All organisations that process personal data must be registered with the Information Commissioner's Office, with the exception of some small organisations that do only simple processing.
  • Appropriate technical and organisational security measures, such as firewalls and staff training, must be in place to keep the data safe.
  • A data subject may require incorrect information to be corrected, with the exception of opinions recorded about them.

Freedom of Information Act 2000

Under the Freedom of Information Act 2000, any recorded information held by a public authority is also treated as "data" for the purposes of the Data Protection Act. This brings in information that would otherwise fall outside the definition of "data" given above, such as unstructured paper records held by a public authority.
