This content is taken from the Coventry University & Institute of Coding's online course, Cyber Security in the Software Development Life Cycle.

The need for legislation in the area of computer misuse was originally identified by the actions of two hobbyist hackers, Robert Schifreen and Stephen Gold, who used their home computers to gain access without authorisation to British Telecom's Prestel system during the 1980s. Using a technique known as shoulder surfing, they observed a BT engineer enter a username of ‘1234’ and a password of ‘2222222222’ at an ICT fair, and were later able to gain access to the system, even managing to reach Prince Philip’s personal mailbox. The pair were prosecuted under the Forgery and Counterfeiting Act 1981, but that Act did not fit what they had done and their convictions did not stand, the House of Lords upholding their acquittal in 1988. The Computer Misuse Act was subsequently drawn up in 1990.

The Act introduces offences including hacking, unauthorised access to computer systems and purposefully spreading malicious and damaging software such as malware and viruses. There are three main offences covered within the Act: unauthorised access to computer material; unauthorised access with intent to commit or facilitate commission of further offences; and unauthorised modification of computer material.

Under the unauthorised access to computer material section, a person is guilty of an offence if: one, they cause a computer to perform any function with the intent to secure access to any program or data held in the computer; two, the access they intend to secure is unauthorised; and three, they know at the time that they cause the computer to perform the function that this is the case. The intent a person has to commit an offence under this section need not be directed at any particular program or data, at a program or data of any particular kind, or at a program or data held in any particular computer.

A person can be found guilty under the unauthorised access with intent to commit or facilitate commission of further offences section of the Act if they commit an offence under the unauthorised access section with the intention of committing a further offence, or of facilitating the commission of such an offence. A person guilty of an offence under this section could be liable to imprisonment, a fine, or both.

Under the unauthorised modification of computer material section of the Act, a person can be found guilty of an offence if ‘they perform an act which causes the unauthorised modification of the contents of any computer’ and ‘at the time when the act is performed they have the requisite intent and the requisite knowledge’. Requisite intent is an intent to cause a modification of the contents of any computer and, by doing so, to impair the operation of any computer; to prevent or hinder access to any program or data held in any computer; or to impair the operation of any such program or the reliability of any such data. Requisite knowledge is knowledge that any intended modification is unauthorised. It is immaterial for the purposes of this section whether an unauthorised modification, or any intended effect of it, is or is intended to be permanent or merely temporary.

So, if the CMA protects systems from attack, how is the personal data stored on those systems protected? The Data Protection Act 1998 provides a legal framework upon which to protect the privacy of personal data held within computer systems. It is legislation that places legal constraints on the use and processing of personal data, and it gives people the right to protect themselves against the misuse of any data held about them. Data protection law was first implemented in 1984, but this was before use of the internet was widely adopted. The rapid growth of networked systems meant that information could easily be shared between systems internationally, including with many countries that did not have basic data protection laws in place. So the Act was revised in 1998 to bring it in line with European law. The updated Act covers personal data held on paper as well as within a computer system, and it makes it illegal to transfer personal data to countries that do not have appropriate data protection laws and rights in place. The DPA has two general purposes: it provides rights to individuals who have data held about them and sets out what they can do regarding that data, and it outlines the responsibilities of both data users and data processors.

Within the DPA there are eight general principles of good information handling. They state that data must be: fairly and lawfully processed; processed for limited purposes; adequate, relevant and not excessive; accurate; not kept for longer than is necessary; processed in line with your rights; secure; and not transferred to other countries without adequate protection.

There are three groups referred to in the Act. Data subjects: this is the term used to describe the individuals about whom data is held, and it covers everyone. To exercise one or all of their rights, a data subject is required to pay a single administration fee; once this payment is processed, the data subject can apply to the Data Protection Commissioner to prevent the processing of data, to correct it, or even to delete it.

Data users: a data user is defined as a person who makes use of personal information for a certain purpose. When carrying out their work, a data user must abide by all areas of the DPA.

Data controllers: a data controller is the person or persons in an organisation who is in charge of the collection and use of personal data.

Personal data is becoming increasingly valuable, and the collectors and users of this data have responsibilities under the Act that they must abide by, such as asking a data subject for permission to use the data. There are, however, certain exemptions from the DPA, which include areas of national security, crime and taxation, and domestic use where data is held for family or household reasons.

National (UK) legislation

Computer Misuse Act 1990

This act identifies four criminal offences:

  • Unauthorised access to computer material
  • Unauthorised access with intent to commit or facilitate commission of further offences
  • Unauthorised modification of computer material
  • Making, supplying or obtaining material that could be used in computer misuse offences

Data Protection Act 1998

This act aims to control how your personal data or information is used by organisations, businesses or the government. Everyone responsible for using data needs to follow strict rules called ‘data protection principles’. There is stronger legal protection for more sensitive information. The principles that should be followed to protect the data dictate that it should be:

  • Used fairly and lawfully
  • Used for limited, specifically stated purposes
  • Used in a way that is adequate, relevant and not excessive
  • Accurate
  • Kept for no longer than is absolutely necessary
  • Handled according to people’s data protection rights
  • Kept safe and secure
  • Not transferred outside the European Economic Area without adequate protection

But what is considered sensitive data or information?

Your task

Regarding the Computer Misuse Act, what challenges can you see?

Regarding the Data Protection Act, what is considered sensitive data or information?

