Offences under the Computer Misuse Act
Amongst other provisions, the Act covers four criminal offences:
- unauthorised access to a computer system with intent to commit or facilitate the commission of further offences (for example, theft, blackmail or fraud)
- unauthorised acts with intent to impair, or recklessness as to impairing, the operation of a computer system
- unauthorised acts in relation to causing, or creating a significant risk of, serious damage of a material kind to a computer system
- making, supplying or obtaining articles for use or to assist in the commission of any of the above offences.
The Act’s provisions are expansive: they do not draw a distinction between ‘data’ and ‘personal data’ as does the GDPR. The key factor in determining whether an offence has been committed is the misuse of a computer system in itself. This contrasts with the GDPR where the key factor is the type of data that has been accessed.
Traditionally, the Act was used to criminalise plainly criminal acts relating to the misuse of computer systems. More recently, however, it has been used to criminalise the unauthorised access of personal data by a business with a view to furthering its commercial interests.
In R. (on the application of Pensions Regulator) v Workchain Limited EWCA Crim 1422, the Pensions Regulator succeeded in bringing criminal proceedings against employment agency Workchain and its directors under the Act. The proceedings concerned Workchain’s unauthorised obtaining of confidential pensions data, held by the National Employment Savings Trust and relating to its workforce, with the aim of opting its workers out of workplace pensions, thereby saving Workchain the requirement to make pension contributions.
Whilst it is likely that the GDPR could have been relied upon in taking action against Workchain, the Pensions Regulator’s use of the Act led to custodial sentences for Workchain’s directors. This serves as a clear sign to companies and their directors that, in addition to potential fines under the GDPR, the misuse of data can lead to custodial sentences.
The Pensions Regulator’s actions may signal the start of a new approach, with regulators using additional legal tools to combat the misuse of data rather than simply taking action under the GDPR. Whilst the Act and GDPR overlap in some respects, they apply in slightly different circumstances, thereby providing regulators with options depending on the facts of a case. In particular, the Act applies to unauthorised acts relating to computer systems regardless of whether personal data has been accessed. As mentioned above, the GDPR only applies to the misuse of personal data. In addition, the Act only applies to specified acts relating to computer systems whereas the GDPR applies more broadly.