UK ISPA Give Police Secret Briefing and new CR&CL(UK) report

[Yaman Akdeniz]

Pete-

> In principle yes; but in practice? I take the DPA to be next to
> useless as a means of discouraging official intrusion into private
> data. Has anyone ever been prosecuted, or sued, under the Act in
> such circumstances? Has such a complaint ever even been logged by
> the Registrar? I actually asked this question of the DPR's office a
> few months ago, but never got a reply.

There are a few cases resulting from the data protection act and 
normally the Registrar's annual reports do refer to these cases.

One well known case reached the House of Lords. - R. v Brown (Gregory 
Michael) Court: (HL) House of Lords, Reported: [1996] 1 A.C. 543

The Crown appealed against the quashing of B's conviction for improper
use of personal data under the Data Protection Act 1984 s.5. B, a
former police officer, was alleged to have misused data contained in
the police national computer, whilst collaborating with a debt
collection agency. B had retrieved the data and observed its contents,
but had taken no other steps in relation to it. The Crown argued that,
as information constituted data only when it appeared on the screen,
B's actions were the only way that the information could be used.

Held, dismissing the appeal, that (1) use of the information did not
have to occur while the information was in a computer readable form
and (2) "use" had to be given its natural and ordinary meaning as the
1984 Act contained no definition. To display and read data on screen
could not, without any further act, constitute "use" contrary to
s.5(2)(b).

Another police related case is DPP v Bignall
Court: (QBD) Queens Bench Division
Reported: [1998] 1 Cr. App. R. 1

Police officers with authorised access to computer information were
not convicted under the Computer Misuse Act 1990 for unauthorised use
of that information as the Act was concerned only with preventing
unauthorised access. Unauthorised use should be dealt with under the
Data Protection Act 1984. The DPP appealed by way of case stated
against the overturning of the respondent police officers' convictions
of offences under the Computer Misuse Act 1990 s.1. The respondents
had, for private purposes, obtained details relating to two motor cars
from the Police National Computer. The DPP maintained that the
Commissioner of Police, who controlled access to the computer, gave
authority to police officers to access information only for police
purposes and the respondents' use of the computer to gain material for
non-police purposes was therefore unauthorised. The respondents
distinguished between the gaining of access, which was said to be
authorised, and the admittedly unauthorised purpose of their
excursion.

Held, dismissing the appeal, that the Act was concerned with the
protection of computer systems and criminalised the "hacking" or
unauthorised access to computer material. It was not designed to
protect the integrity of information stored on computers, which was
the purpose behind the Data Protection Act 1984. Whether or not the
Commissioner alone was entitled to control access to the computer, the
respondents' access was not unauthorised in terms of s.17(5) or
s.17(2) and they were not therefore in breach of s.1. There was not a
gap in the law since police officers were open to prosecution for use
of the computer for improper purposes under s.5(2)(b) of the 1984 Act.

There is one case involving the Data Protection Registrar v Amnesty 
International (British Section) but I do not have the details for 
that case and again I believe the information should be obtained from 
the DPR's annual reports.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Yaman Akdeniz <lawya@leeds.ac.uk>
Cyber-Rights & Cyber-Liberties (UK) at: http://www.cyber-rights.org

Read the new CR&CL (UK) Report, Who Watches the Watchmen, Part:II
Accountability & Effective Self-Regulation in the Information Age,
August 1998 at http://www.cyber-rights.org/watchmen-ii.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~