Computer and IT Laws
The body of law that regulates a country’s long-term and day-to-day operations is often as old as the country itself. But as new technology is developed, it becomes necessary to develop new fields of law at the same time, to ensure that technology is used fairly and is not used to commit crimes. Computer and IT law is an example of a field of law that is only a few decades old, and which has had to grow quickly to keep up with the rapid pace of advancement of digital technology.
Managing Data Legally and Securely
Computer and IT law is all about controlling and securing digital information, whether it’s stored on a computer or transferred between two or more computers on a network or over the internet. Vast amounts of private data are stored on computers, computer networks, and digital servers, including people’s personal and financial information, and medical and health information. As well as this, sensitive information such as proprietary information, trade secrets, and government data are held on secure private servers. All of this information is held in digital form, but ultimately also exists in a physical location. Under the Computer Misuse Act (1990) and the Data Protection Acts of 1998 and 2018 it’s illegal to gain unauthorised access to such data, or to use or modify the data without the proper authorisation.
Computer Misuse Act (1990)
This act concerns unauthorised access to, or unauthorised modification of, material stored on a computer. It covers a very wide range of situations, including virtually any attempt to modify or impair a computer, a computer program, or computer data, without the necessary authority. It also includes unauthorised access that is gained with the intent to commit unauthorised access-related offences in the future.
In 2006, the act was modified to cover remote hacking attempts, including denial of service attacks. At the same time, the creation, supply, and obtaining of tools used to commit computer misuse crimes (such as hacking software or computer viruses) were also added.
Note that for the Computer Misuse Act to apply in any given situation, the offender must have been aware, when they committed the unauthorised action, that their access to the computer, software, or data was unauthorised.
Data Protection Acts and General Data Protection Regulations
In May 2018, new legislation came into effect that pertains to all businesses that collect and handle people’s personal data. These are the General Data Protection Regulations (GDPR). The GDPR is a European-wide law. In the UK, it replaces the Data Protection Act (1998). The 1998 act was developed when the internet and IT were still in their infancy, and legislation has struggled to keep pace with the speed at which computer and digital technology has advanced. The GDPR is intended to update older legislation to give people more control over their personal information.
Much of the GDPR is similar to the Data Protection Act, but the GDPR serves to broaden the scope of the protection provided to people’s personal data, and makes it easier for people to find out what personal data a business has about them. It also increases the penalties for breaches of the regulations.
The GDPR applies to all data handling and processing carried out within the European Union. It also applies to data handling within the EU carried out by organisations outside of the EU. The UK’s updated Data Protection Act (2018) is largely the same as the GDPR, with some minor alterations. This means that UK organisations must still comply with GDPR after Brexit if they offer goods or services to customers in EU countries.
Updating Legislation to Reflect the New Digital Reality
In addition to creating new acts and regulations, some laws must also be updated with language that covers crimes committed with the aid of a computer or the internet.
For instance, the Malicious Communications Act (1988)—which makes it an offence to send messages with the intent of causing anxiety or distress—was updated with new language to include the sending of messages via email.
A similar update was made to the Regulation of Investigatory Powers Act (2000), which defines rules for intercepting traffic on postal and telecommunications networks. This act now applies to network and internet traffic as well as other kinds of communication methods.