Police officers who accessed the Police National Computer at an authorised level, but for an unauthorised purpose, were not guilty of securing unauthorised access contrary to section 1 of the Computer Misuse Act 1990.
The Divisional Court dismissed the appeal by way of case stated by the Director Public Prosecutions against the Crown Court's decision, allowing the respondent's appeals against conviction by a stipendiary magistrate of offences contrary to section 1 of the Computer Misuse Act 1990.
The respondents were serving officers in the Metropolitan Police. They had instructed police computer operators to extract from the Police National Computer details of the registration and ownership of two motor cars, for private purposes.
Michael Bowes (CPS) for the Director of Public Prosecutions; Peter Doyle (Russell Jones & Walker) for the respondents.
Mr Justice Astill said that the question for the court was whether the Crown Court had been right to conclude that the primary purpose of the Computer Misuse Act 1990 was to protect the integrity of computer systems rather than the the integity of information stored on computers, even though that might leave a lacuna in the law; and that a person who secured access to any material held in a computer at a level at which he was entitled to access, but for unauthorised purposes, did not commit an offence under section 1.
The appellant had contended that access to the Police National Computer by a police officer for a non-police purpose was unauthorised. *A police officer's authority to secure access to the computer had been limited or restricted to access for police purposes by the Commissioner of Police, who was entitled to control access.**
The respondents submitted that they were authorised to control access to the computer. *Controlling access was different from defining or restricting authority to access.** *The Computer Misuse Act 1990 was concerned with the unauthorised access to computer material, not with unauthorised access to computer material for an unauthorised purpose.**
*The use of the National Police Computer by officers was subject to directions given by the Commissioner of Police.** Access to the computer for a non- police purpose involved giving a false Reason Code in contravention of instructions. The respondents submitted that that was not securing unauthorised access to the computer, but was securing access at an authorised level for an unauthorised purpose.
They further submitted that section 5(2)(b) of the Data Protection Act 1984 made adequate provision for the prosecution of police officers who used the computer for non-police purposes: see R v Brown (Law Report, 13 February 1996)  1 All ER 545.
The starting point was to consider the purpose of the 1990 Act. It was common ground that it had been enacted to criminalise the breaking into or "hacking" of computer systems. It was also common ground that the Data Protection Act 1984 had been enacted with the purpose of criminalising the improper use of data.
Regard must be had to the wording of section 17(5) of the 1990 Act. Access was stated to be unauthorised if:
(a) a person is not himself entitled to control access of the kind in question to the program or data; and (b) he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled".
Access "of the kind in question" was set out in section 17(2)(a) to (d).
The respondents did have authority to secure access by reference to section 17(2)(c) and (d) at least. They therefore had authority to access the data even though they did it for an unauthorised purpose, and thus did not commit an offence contrary to section 1 of the Act.
*The authority of the Commissioner was not thereby undermined, because the respondents remained subject to internal discipline. They could also have been prosecuted under the Data Protection Act 1984.**
If, as the appellant had submitted, the Commissioner alone had control access, the consent given by him to the respondents to access the computer at the point of entry for any of the kinds of access set out in section 17(2) provided them with a defence by virtue of section 17(5)(b) even if the access was for an unlawful purpose.
The Crown Court had, accordingly, been right to conclude that the primary purpose of the Computer Misuse Act 1990 was to protect the integrity of computer systems rather than programmes or data, but there was no lacuna in the law because the respondents could have been prosecuted under the Data Protection Act 1984.
Kate O'Hanlon, Barrister