DENIS Kelleher's article on computer hacking (Computimes, May 5th) threw useful light on the Criminal Damage Act (1991) and the way it tries to address this growing problem. The Data Protection Act (1988), though it does not specifically deal with hacking, also has some relevance. Unlike the Criminal Damage Act, for example, it does define data - as "information in a form in which it can be processed". Processing, in turn, is "performing logical or arithmetical operations on data".
The Data Protection Act is essentially a law to protect the privacy of individuals, and relates to information about living people. If the Act has a central principle, it is that information about someone belongs primarily to that person. While others may in certain circumstances use it, they do not own it, and what they may do with it is clearly circumscribed.
Mr Kelleher identifies "two basic computer offences" in the Criminal Damage Act that relate to hacking. The Data Protection Act has a third. Under section 22, someone - other than an employee or agent of a data controller or processor - who obtains access to data without appropriate prior authority and then discloses the information, is guilty of an offence, and the Act provides for fines of up to £50,000.
In addition, section 7 of the Act provides that insofar as the law of tort does not already provide for such a duty, there shall be a duty of care owed to a data subject by a data controller. It is open to a data subject whose data has been attacked or copied by a hacker to take a civil action against the data controller. There is clearly a premium, therefore, on each data controller taking all reasonable care in relation to personal data which (s)he holds