A. The Data Protection Act 1998: Brief Background and Overview
The Data Protection Act 1998 creates a series of rights for people in relation to data which is held about them, and also a mechanism (the Information Commissioner) to enforce those rights. It sets out a series of data protection principles which have now stood the test of time.
The eight data protection principles are set out in schedule 1 of the Act. These eight principles are that personal data should be processed fairly and lawfully (principle 1), that data must be obtained and processed for a specified and lawful purpose (principle 2), it must be adequate, relevant and not excessive (principle 3), it must be accurate and kept up to date (principle 4), it must be kept no longer than necessary (principle 5), the rights of data subjects must be respected (principle 6), it must be appropriately protected (principle 7) and it must not be transferred outside the EU unless it is to a country that also requires data to be protected (principle 8).
Data under the Act is given a wide definition and includes not only electronic data but, where it is held by a government department, absolutely any data that the department holds. Personal data, which the Act primarily relates to, is a subset of this and covers data linked to an individual. It is this data which is the subject of the data protection principles.
When personal data is processed a number of conditions apply, which are set out in schedule 2 to the Act. The first condition is that the data subject (the person the data is about) must consent. The second condition is that the processing is necessary. The schedule provides a number of different ways in which the processing may be necessary. The most common one is that it is necessary for a legitimate interest of the data controller (i.e. the person holding the data).
If the data is sensitive personal data then further rules apply which are set out in schedule 3. Sensitive personal data is data relating to a person’s race, politics, religion, union activities, physical or mental health, sexual activity or criminal offending. Schedule 3 requires that if any of these apply then there must be explicit consent from the data subject. It also has a much more limited set of criteria which can satisfy the necessity test: the processing must ensure that the rights and interests of the data subject are protected, and there are restrictions on the disclosure of the information.
Although the rules summarised above are the general principles, there are a number of exceptions to these. These are set out in Part IV of the Act. There are exceptions (of varying degrees) in the interests of national security, crime, health, journalism, research and parliamentary privilege (amongst others). For national security and law and order matters the exemption is absolute, but for others such as journalism the exemption is much more limited and requires the journalist to be satisfied that there is a public interest in the publication.
A key way that the Act goes about ensuring compliance with the principles is by giving individuals the right to access data which is held about them. This right is found in section 7 of the Act. Any person may submit a written request to any data handler, and once they do they are entitled to be told what data is held about them and how it is being processed. The data controller is entitled to charge a fee for providing this information (subject to a maximum amount allowed by Parliament) and they do not have to provide the information where to do so would be to breach some other person’s privacy. The basic principle, however, is that a person should have the right to know exactly what information is held about them. Further, the Act also gives a person the power to insist that their personal data is not processed if to do so would cause them unjustified distress.
The ultimate method of ensuring compliance with the data protection principles rests with the Information Commissioner. The role was originally entitled the Data Protection Commissioner but it was renamed in 2010 to ensure a more accurate description of the role. The Commissioner employs a staff of advisors, lawyers and enforcement officers and produces regular reports about compliance. They have a number of powers that they can use to enforce compliance. These include serving information notices requiring the provision of information, imposing undertakings on organisations to compel them to amend offending behaviour, serving enforcement or stop notices, imposing fines and bringing criminal prosecutions.
B. The Computer Misuse Act 1990
The Computer Misuse Act 1990 shows the difficulties that any legislature has in providing a comprehensive set of rules for a technology which is developing at pace. When the Act was passed personal computers were basically calculating machines, and most homes did not have one. They bore very little resemblance to the machines which are commonplace today. Nevertheless, because of problems with the existing law it was felt that a comprehensive computer misuse Act was required. The limitations of the existing law were already being felt in fraud offences. Under the Theft Acts 1968 and 1978 a fraud had to deceive a person, and where processes were being carried out entirely by computer a lacuna developed. (Under the Fraud Act 2006 this is no longer an issue, as it is the intention of the actor rather than the impact on the victim which is determinative of a crime.)
The Computer Misuse Act 1990 has its genesis in a working paper published by the Law Commission in 1988. This was primarily concerned with the offence of hacking, although that particular phrase was not in use at that time. The question that the Law Commission posed was whether behaviour which would not otherwise be an offence should become an offence simply because it was done using a computer. For instance, in other areas of life the gaining of confidential information or industrial espionage would not be treated as criminal offences. The question, therefore, was whether or not a special case could be made out for computers. Their conclusion was that it could, and this formed the basis of their proposed legislation.
The Law Commission published their proposals in 1989, and their general approach was extremely well received. However, they were extensively lobbied by groups on behalf of banking and commerce, and by computer and software manufacturers. As a result, they also proposed two further offences which were also included in the 1990 Act. These have proved much more problematic. Unfortunately, the technology advanced at a rate of knots and left the legislation well behind. There have been various attempts to amend the sections, but they have been of only limited success. For instance, denial of service attacks are not easily caught within the Computer Misuse Act, and yet these are one of the most common forms of computer misuse that now exist. The problem is that the World Wide Web had not yet been invented at the time that the Act was passed, and no one appreciated the life-changing impact that this would have for all communities.
It should be noted that the Act does not at any stage attempt to define a computer. This is undoubtedly a very sensible approach as any definition would very rapidly risk being overtaken by fast moving technological developments.
Section 1 of the Act seeks to make hacking an offence. This makes it illegal for anyone to operate a computer with intent to secure access to the data on it, and where he knows that he is not permitted to have access. Since the Act was passed the trend has continued for more and more material to be stored on computer, and yet such attacks continue.
The Act does not require that the defendant has any particular motive in hacking into a computer. The mens rea is simply that they knew that their entry was unauthorised and that they were intending to gain access. This can be justified because of the expense that the owner of the system might be put to in protecting their system. It is worth noting that accessing equipment recklessly would not amount to an offence. An offence under this section carries a maximum of two years’ imprisonment.
Section 2 of the Act creates an aggravated version of the basic offence, where the unlawful access was with a view to carrying out any further offence which can carry a maximum prison sentence of five years or more. That further offence does not need to be carried out using a computer.
Section 3 of the Act, as it now stands, creates an offence of carrying out an unauthorised act with intent to impair the operation of a computer. There is an alternative offence under the same section of carrying out the act recklessly. This section was developed because criminal damage only really applies to physical damage, and electronic destruction or obstruction would not be covered by that. Section 3ZA, which was inserted by the Serious Crime Act 2015, creates an aggravated version of the offence where there is a risk of serious damage.
Finally, in terms of offences under the Act, s3A, which was inserted in 2006, makes it an offence to make, supply or obtain items for use in committing the other offences under the Act.
Computer Misuse Act 1990
Data Protection Act 1998
Fraud Act 2006
Police and Justice Act 2006
Serious Crime Act 2007
Serious Crime Act 2015
Theft Act 1968 c60
Theft Act 1978
DPP v Lennon  EWHC 1201 (Admin)
Hull J, ‘Stealing Secrets: A Review Of The Law Commission’s Consultation Paper On The Stealing Of Trade Secrets’ Criminal Law Review 246
Law Commission, Computer Misuse: Working Paper 110 (1988)
–––, Computer Misuse: Cmnd 819 (1989)
Ormerod D and Laird K, Smith and Hogan's Criminal Law (14th edn, Oxford University Press 2015)
Farrell S, ‘Nearly 157,000 had data breached in TalkTalk cyber-attack’ (The Guardian, 2015) <> accessed 22nd February 2016
Information Commissioner, ‘Taking Action - Data Protection’ (Information Commissioner, 2016) <>
World Wide Web Foundation, ‘History Of The Web’ <> accessed 22nd February 2016