Last week saw the rare occurrence of a prosecution under the Computer Misuse Act after an NHS IT manager pleaded guilty to accessing the medical records of hundreds of friends, family and colleagues. The manager in question was sentenced to a six-month suspended prison sentence.

The Facts

The NHS manager in question - Dale Trever - was employed by NHS Hull Primary Care Trust as a data quality manager, a position which gave him access to the medical records of thousands of patients held on NHS computers. He used this position to access more than 400 records of family, friends, and colleagues and was caught after a colleague reported his activity. Despite his guilty plea, the judge in the case imposed a penalty of a six-month suspended prison sentence.

The Law

The Computer Misuse Act 1990 ("the Act") was brought into force primarily to stop the hacking and accessing of computer data and networks. The Act makes it an offence to access data held on a computer where the person knows that access is unauthorised. There does not have to be an intention to access specific data or programs; it is enough that the data has been accessed and the access is unauthorised. This means that general 'fact-finding' and snooping for data on computers, as in this case, will constitute an offence.

In addition, it is not a defence under the Act to say that you were accessing the data simply out of curiosity or without malice.

However, despite the seemingly wide scope of the Act, there have been comparatively few prosecutions under it. Reasons for this are that it is often difficult to prove that a person has accessed data without authorisation, and that the Act is now comparatively out of date in relation to modern computing practices. Government consultations on updating the Act are ongoing.

What to Note

That said, although there are relatively few prosecutions under the Act, this case should serve as a timely reminder that accessing data on computers where you know the access to be unauthorised is a criminal offence. In this case the data being accessed were medical records; however, accessing many other types of data - including, for example, personal records at work - without authorisation could also constitute an offence. The severity of the sentence in this case should also serve as a reminder that the courts will not look upon unauthorised access of data leniently.

So if you are ever in doubt as to whether you should be accessing data on a computer, consider the implications of this case and check whether you have authorisation! Otherwise you may find yourself on the receiving end of a hefty criminal penalty.