Thursday, 10 April 2008

Data Protection

In December 2000, the Privacy Amendment (Private Sector) Act 2000[1] modified the Privacy Act[2] in Australia making it apply to various private sector organisations. The Australian legislation was updated to reflect the EU[3] and is based on the Organisation for Economic Cooperation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). The National Privacy Principles[4] (the NPPs) in the Privacy Act detail the methods that the private sector should use to “collect, use, keep secure and disclose personal information”.[5]

These principles provide individuals with a statutory right to discern the extent of information held concerning them by an organisation. They further introduce a right to correct information that is incorrect. An ISP or ICH in Australia would be covered by the amended Privacy Act. The State and Territory privacy legislation also needs to be considered.[6] Likewise, an ISP or ICP in the UK would be covered under the principles laid out in European Union Directive 95/46/EC.

An ISP or ICH that hosts sites for other parties could be held liable if it fails to maintain a reasonable level of system security and a breach of this leads to a compromise of an individual's private data.

Criminally, the UK has no legislation specifically focussed on the dishonest acquisition of pure information[7]. The law holds that information is not property capable of being stolen, as was decided in Oxford v Moss[8], where a university student broke into the Examination Committee’s premises, studied and made a copy of the exam paper and departed, leaving the original exam paper behind. The student’s actions were held not to be theft[9].

In the event that improperly obtained credit card numbers are published on a website, facilitating fraudulent purchases using those card numbers, liability may exist if the intermediary operator knows or ought to have known of this action. It is possible that the ISP or ICP could also be a secondary participant in the crime[10]. There is also the possibility of a charge of conspiracy, if the necessary agreement between the intermediary and subscriber could be demonstrated (such as through a contract to not conduct standard checks).

Criminal liability may occur in instances where the subscriber of an ICP publishes passwords allowing unauthorised entry into a computer system. The intermediary may be liable for an offence under the Computer Misuse Act[11] that is committed using those passwords. The precise nature of any liability will be dependent on the facts of the case. In the event that the intermediary had advertised to a category of persons who are expected to execute an attack against a computer system using those passwords made available on the web server, this could amount to incitement to commit an offence under the Computer Misuse Act[12]. To establish incitement, it must be demonstrated that the defendant knew or believed that the individual so incited had the required mens rea to commit the offence. As the mens rea for an offence under Section 1 of the Computer Misuse Act is simply that the defendant intends to gain access to a computer system and knows that such access is not authorised, it should be a simple fact to establish.

Alternatively, the intermediary could be charged with aiding, abetting, counselling or procuring the commission of an offence. In all cases, the defendant must have the intention to do the acts which he knows to be capable of assisting or encouraging the commission of a crime, but does not actually need to have the intent that such crime be committed. There must be a causal link for procurement; aiding requires support but not consensus nor causation, while abetting and counselling necessitate consensus but not causation.

[1] This Act came into effect from 21 December 2001.
[2] Australia has an informational privacy regime at the federal level based on the Privacy Act 1988 which initially applied mainly to Commonwealth and ACT Government public sector agencies.
[3] European Union Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[4] The National Privacy Principles are extracted from the compilation of Act No. 155 of 2000 Act No. 119 of 1988 that was prepared on 10 January 2001.
[5] The Australian Office of the Privacy Commissioner has released “INFORMATION SHEET 2 -2001 Preparing for 21 December 2001” which is available from http://www.privacy.gov.au/publications/IS2_01.doc
[6] See further, The Office of the Federal Privacy Commissioner, Privacy in Australia
[7] There have been a number of cases in the United States which involve the publication of stolen proprietary information. For example, in United States v Riggs and Neidorf, 741 F.Supp.556 (N.D II 1990), the defendants had between them hacked into a Bell Telephone Company computer, obtained highly confidential information about that computer company’s emergency telephone number system, and had published it in a magazine. They were prosecuted under the 1986 Computer Fraud and Abuse Act, and also under federal statutes dealing with wire fraud and interstate transfer of stolen property.
[8] (1978) 68 Cr. App. R. 183
[9] In the UK, placing stolen Government confidential information on a bulletin board is likely to fall foul of the Official Secrets Act. However, catching the culprit is the main problem; the UK Government has been unable to prevent Sinn Fein putting information about police and army facilities and security on its Web page based in Texas.
[10] US cases involve Defense Department information (United States-v-Morrison, 859 F.2d.151 (4th Circuit 1988)), law enforcement record (United States-v-Girard, (2nd Circuit 1979)), banking information (United States-v-Cherif, 943 F.2d.692 (7th Circuit 1991)) and stock market information (Carpenter-v-United States, 484 U.S. 19 (1987)). Besides these federal statutes, which only apply where there has been a transfer across State lines, a number of States have laws which make criminal the theft of confidential information.
[11] Computer Misuse Act (1990) UK
[12] In a case involving police radar detectors, it was held that advertising an article for sale, representing its virtue to be that it may be used to do an act which is an offence, is an incitement to commit that offence, even if the advertisement is accompanied by a warning that the act is an offence.