Professor Dan Hyde

This Practice Note explains the offences that can be committed under the Computer Misuse Act 1990 (CMA 1990). These include the offence of causing a computer to give unauthorised access to data or programmes (computer hacking), the offence of unauthorised access with intent to commit further offences and the offence of committing unauthorised acts with intent to impair the operation of a computer. It also explains the offence of unauthorised acts committed in relation to a computer which cause or create a risk of serious damage of a material kind introduced by the Serious Crime Act 2015. This note also covers the offence of making, supplying or obtaining articles for use in offences under the CMA 1990, ss 1, 2, 3, 3A or 3ZA, as well as the elements of all offences and the sentences which may be imposed on conviction. The territorial extent of the computer hacking and computer misuse offences are also explained.

ARCHIVED: This Practice Note has been archived and is not maintained. It examined the data protection and personal data sharing issues arising in a cross-border investigations involving US and EU companies before the decision in the case of Facebook Ireland and Schrems and IP completion day. It included information on the types of investigators may be involved, the types of interviews conducted and what issues of legal privilege may arise. It also explained what counts as personal data and how personal data can be transferred for the purposes of an investigation from the European Economic Area (EEA) to a territory outside the EEA, the changing position on the safe harbor framework and the introduction of the EU-US Privacy Shield.

This Practice Note explains the notification offences under the Data Protection Act 1998 (DPA 1998). These offences were repealed by the Data Protection Act 2018 (DPA 2018) and cannot be committed after 25 May 2018. However prosecutions can still be brought where the offence was committed before 25 May 2018. There are no equivalent notification offences under the DPA 2018. This Practice Note includes what notification was required under the DPA 1998 together with exemptions from notification. It deals with the offence of processing without an entry on the register, including the elements of the offence of processing without an entry on the register. It covers the offence of failing to notify changes including the elements of the offence required as well as the offence of failing to make particulars available including the elements of the offence required. Finally, it covers the meaning of ‘unauthorised assessable processing’ under the DPA 1998, corporate liability under the DPA 1998 and sentencing for all of the notification offences under the DPA 1998.

This Practice Note explains the offences relating to the misuse or mishandling of personal data under the Data Protection Act 2018 (DPA 2018), which implements the requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR). It covers the data protection offence of unlawfully obtaining of data, re-identification of de-identified data, the alteration of personal data to prevent disclosure, the prohibition of requirement to produce relevant records as well as the offences which can be committed during an investigation by the Information Commissioners Office (ICO) of obstruction, making a false statement in response to information notices and destroying or falsifying information. The Practice Note also explains the scope of these data protection offences, the available defences as well as the maximum sentences which can be imposed on conviction.

This Practice Note provides an introduction to how law enforcement and intelligence agencies may process personal data in accordance with data protection laws and specifically with the requirements of the police and criminal justice sector Directive 2016/680/EU, known as the Law Enforcement Directive, and its implementation into UK law in Part 3 of the Data Protection Act 2018 (DPA 2018). It explains what amounts to law enforcement processing of personal data (including processing for the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties and the safeguarding against and the prevention of threats to public security), who are competent authorities for the purpose of the Law Enforcement Directive as well as highlighting the data processing principles for law enforcement. The rights of data subjects, such as the right to be informed, the right of access, the right to rectification, the right to erasure or restrict processing and the right not to be subject to automated decision-making within a law enforcement context are also explained.

This Practice Note deals with the offence of unlawfully obtaining personal data under section 55 of the Data Protection Act 1998 (DPA 1998). This offence was repealed by the Data Protection Act 2018 (DPA 2018) and cannot be committed after 25 May 2018. However prosecutions can still be brought where the offence was committed before 25 May 2018. Data protection offences which occur on or after 25 May 2018 should be prosecuted under the DPA 2018 not the DPA 1998. This Practice Note explains the elements of the offence of unlawfully obtaining data under the DPA 1998 which the prosecution has to prove, including the mental elements required, corporate liability, statutory defences and sentencing if convicted of the offence. It also explains the offence under the DPA 1998, s 56 of unlawfully requiring the production of data obtained under DPA 1998 s 56, when this prohibition applies and the penalties which will apply upon conviction.