Site Map
Privacy Statement
Copyright Policy
Accessibility
Feedback
Search Site:

Legal Guidance for ICT Use in Education, Research and External Engagement

 

Content

Computer Misuse Essentials

Please note: this guidance has been prepared by JISC Legal for information purposes only and is not, nor is intended to be, legal advice. This information is not intended to constitute, and receipt of it does not constitute, a contract for legal advice or the establishment of a solicitor-client relationship.

1 February 2007

If you have Adobe Acrobat Reader installed on your computer, you may download a pdf version here - Computer Misuse Essentials. (Recommended for printing.) Acrobat Reader is available free from Adobe's web site.

Table of Contents

  1. The Risks for FE & HE Institutions
  2. Legislation - The Computer Misuse Act 1990
  3. Fraud and Theft
  4. Harmful Content - Pornography
  5. Extreme Material
  6. Sexual Offences involving the Internet, and 'grooming'
  7. Intellectual Property Offences - Copyright Crime
  8. Responsibilities for FE and HE institutions
  9. Conclusion

1. The Risks for FE & HE Institutions

The prevalence of computer related crime means that FE and HE institutions are affected in many of the same ways as other businesses, organisations and individuals.

  • For institutions serious incidents might involve illegal materials in particular the viewing, possession, making and distribution of indecent images of children or serious stalking or harassment facilitated by communication technologies.
  • Where individual students or staff engage in illegal activity it is unlikely that the institution would be held liable except where it had actual knowledge of unlawful activity or unlawful materials (or its suspicions should have been raised) and it took no action to prevent it.
  • Although it is the offenders, as individuals, that would face criminal prosecution an institution could suffer reputational damage if it is not seen to be acting responsibly.
  • Discovery of illegal materials within an institution's computer network, whether pornographic in nature or racist in nature, is a serious situation and should always be reported to the police. Incident handling guidance is available on the UKERNA JANET website in a document entitled ' Dealing with Computer Crime - FACTSHEET - http://www.ja.net/services/publications/factsheets/index.html.
  • FE and HE Institutions must ensure that they have appropriate strategies in place for responding to crime which takes places by means of their computer systems. 'Effective Incident Response - Guidance Notes' are available on the JANET website at - http://www.ja.net/services/publications/technical-guides/index.html.

Security

In terms of external threats FE and HE institutions should adopt technology security appropriate to the current risk level. From an infrastructure perspective this involves well established practice:

  • build it secure
  • educate users to operate it securely
  • and encourage high risk users to invest in matching preventative measures where appropriate

The UCISA Information Security Toolkit is intended to support UK Further and Higher Education institutions in producing information security policies to address (and to demonstrate that they are addressing) threats to the

  • confidentiality,
  • integrity and
  • availability of information systems for which they are responsible,

and to help meet audit requirements. Details of the Toolkit can be found on the UCISA website at - http://www.ucisa.ac.uk/ist.

Separate detailed information on 'Inappropriate use of computers - the technical investigation process' is available on the JISC Legal website at - Inappropriate Use of Computers - the Technical Investigation Process - HEIDS.

Hacking

Virtually all hacking activities are offences under the CMA 1990. Hacking can cause serious disruption to institutions who, in addition to suffering financially (e.g. through system downtime), have to deal with the security breach which may expose individual users to further crime. It is also possible that such a breach of security could result in the unlawful disclosure of the personal data of individuals in breach of an institution's obligations under the Data Protection Act 1998.

Denial of Service attacks

Usually directed at the institution 'Denial of Service' (DoS) is the name given to attacks involving hackers preventing the normal flow of internet traffic to a web site or e-Business. Denial-of-Service attacks, where hackers overload networks with data in an effort to disable them, have risen 50%, a March 2006 security report says - http://news.bbc.co.uk/1/hi/technology/4787474.stm.

Assistance with handling 'Denial of Service' attacks can be found in 'Guidance Note' on 'Investigating a denial-of-service attack' on the UKERNA JANET website at - http://www.ja.net/services/publications/technical-guides/index.html.

2. Legislation - The Computer Misuse Act 1990 - What it Says.

The Computer Misuse Act 1990 (CMA) (and now amended by the Police And Justice Act 2006) was introduced primarily to deal with computer hacking. It contains three main offences to do with unauthorised acts relating to computers:

  • Section 1 contains the basic 'hacking' offence of gaining unauthorised access to any program or data held in a computer.
  • Section 2 makes it an offence to commit a Section 1 offence with a view to commit, or facilitate the commission of, a further offence.
  • Section 3 contains the offence of doing any unauthorised act in relation to a computer with intent:
    • to impair the operation of any computer; or
    • to prevent or hinder access to any program or data held in any computer; or
    • to impair the operation of any such program or the reliability of such data;
    • to enable any of the things to be done.

knowing that any modification intended to be caused is unauthorised. The intent need not be directed at any particular computer or any particular program or data.

Maximum sentences for these offences range from six months imprisonment and/or a £500 fine to ten years imprisonment and/or an unlimited fine.

3. Fraud and Theft

Computer-related fraud can be defined as private gain or benefit by:

  • altering computer input in an unauthorised way;
  • destroying, suppressing, or stealing output;
  • making unapproved changes to stored information; or
  • amending or misusing programs (excluding virus infections).

In addition to being crimes in terms of existing criminal legislation, such fraud and theft may also involve "unauthorised access" or " unauthorised modification" both of which are classified as crimes in the Computer Misuse Act 1990 as amended.

4. Harmful Content - Pornography

Unlawful content is usually material that may lead to civil disputes such as defamation and copyright infringements. Illegal content is usually material that is illegal to possess such as child pornography.

The problem of illegal, harmful, distasteful or offensive content on the computer systems or the internet is of course not restricted to pornography. However in the case of child pornography, which in its nature features the sexual abuse of children, the view is taken that the phenomenon is so offensive that possession as well as circulation of offending images should be criminalised. The Sexual Offences Act 2003 amended the criminal law in the UK so that possession or publication of 'indecent images' of children less than eighteen years of age is a criminal offence.

5. Extreme Material

A proposal to make illegal the possession of a limited range of extreme pornographic material featuring adults is currently being considered by the Home Office. The proposal is to create a new offence of simple possession of pornographic material which is graphic and sexually explicit and which contains actual scenes or realistic depictions of serious violence, bestiality or necrophilia. For further information on this proposal you can access the document "Consultation: On the possession of extreme pornographic material" - online at - http://www.homeoffice.gov.uk/documents/cons-extreme-porn-3008051/.

6. Sexual Offences involving the Internet, and 'grooming'

The Sexual Offences Act 2003 (applying in England and Wales and Northern Ireland) came into force on 1 May 2004 and has created an offence of meeting a child following sexual grooming. The Protection of Children and Prevention of Sexual Offences (Scotland) Act 2005 delivers similar provisions for Scotland. It is now a crime for an individual to befriend a child on the internet or by other means and to meet or intend to meet the child with the intention of abusing them. The maximum sentence is ten years imprisonment. Any knowledge by an institution of such activity must be reported to the police right away.

7. Intellectual Property Offences - Copyright Crime

Copyright law provides for criminal sanction in certain situations.

  • In the UK generally civil remedies provide compensation to wronged intellectual property rights holders.
  • Most of the copyright criminal offences, contained in the Copyright, Designs and Patents Act 1998 (CDPA), are concerned with commercial activity.

Further information on intellectual property crime, including counterfeiting and piracy, can be found on the UK Intellectual Property Office website at - http://www.ipo.gov.uk/crime.htm.

8. Responsibilities for FE and HE institutions

  • Although it is unlikely that the same duty to protect users is required by FE and HE as that required in the school environment for children there remains the responsibility to ensure the health and safety of students and staff.
  • In addition FE and HE institutions have a right and sometimes a duty to ensure that their computer systems are not being used for inappropriate purposes. One such example is the obligation to prevent pornographic images of minors being stored on computer systems.
  • There is no general duty in UK law for institutions to actively monitor the information made available via or on their computer systems - to do so, in fact, increases the risk of liability in respect of any unlawful or illegal material which is there.
  • If for nothing more than preventing damage to reputation there is an obligation on FE and HE institutions to have in place appropriate security technology to ensure the confidentiality, integrity and availability of their computer systems. This requires ongoing sophisticated up to date infrastructure protection systems.

9. Conclusion

  • The prevalence of computer related crime means that FE and HE institutions are affected in many of the same ways as other businesses, organisations and individuals.
  • FE and HE institutions have a legal duty to provide a healthy and safe environment for students and staff. This duty extends to providing a non-threatening environment where students can study and be protected from harassment or criminal activity.
  • From a legal standpoint the duty to ensure that computer systems are not being used for inappropriate purposes is optimally fulfilled by notice and take-down procedures rather than actively monitoring what users are doing which would be likely to draw increased liability upon the institution.
  • At the operations level, what is 'acceptable use' should be strictly enforced and a culture of legal use predominant.
  • Many difficulties originating from within an institution can be confronted and avoided by ensuring that students and staff users adhere to strict conditions of use of IT facilities. It is, for example, the responsibility of each FE and HE institution to foster a culture of computer use which complies with the JANET 'Acceptable Use' guidelines.

John X Kelly

1 February 2007

© JISC Legal - www.jisclegal.ac.uk

 

 

JISC logo

JISC Advance logo

JISC Legal is a JISC Advance service | JISC Legal is hosted by the University of Strathclyde, a charitable body, registered in Scotland, with registration number SC015263 | The contents of this website are provided for information purposes only and do not constitute legal advice. | Login |



 
skip navigation Menu top links right columnn content JISC Legal home page News Events