Privacy of personal information is paramount and sacrosanct to all private citizens. Access to the personal information of citizens is deemed to be restricted and may only be accessed if the individual requesting access has both the relevant authority and is entitled to access the restricted information in furtherance of their task/duty.

Many individuals are granted and thereby presented with exclusive access to restricted data by way of their employment. At times, employees access restricted data in furtherance of a purpose ulterior to that which has been assigned and thence may face criminal prosecution.

The Law in NSW

The unauthorised access to or modification of restricted data held in a computer is governed by section 308H of the Crimes Act 1900 (NSW) which stipulates as follows:

"(1) A person -

(a) who causes any unauthorised access to or modification of restricted data held in a computer, and
(b) who knows that the access or modification is unauthorised, and
(c) who intends to cause that access or modification

Is guilty of an offence: maximum penalty - imprisonment for 2 years.

(2) An offence against this section is a summary offence.
(3) In this section -

"restricted data" means data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.

(4) Proceedings for an offence against this section must be committed not later than 12 months from when the offence was alleged to have been committed".

The threshold for a finding of guilt under section 308H is low in that the prosecution must demonstrate that the defendant has knowingly and intentionally caused an unauthorised access to the restricted data held in a computer: Sharrock v R [2019] NSWDC 850, at [26] per Grant DCJ.

What amounts to Access?

The access to the restricted data is defined by the circumstances in which the defendant has obtained access to the data. The access may relate to data which is either active or not active and the use of the restricted data by the defendant is not an element relevant to the offending conduct: Braimah-Mahamah v R [2016] NSWDC 138, at 28 per Hatzistergos DCJ.

Access, specifically to data held in a computer, is further defined in section 308A(1) as:

  • The display of data by the computer or any other output of the data,
  • The copying or moving of the data to any other place in the computer or to any data storage device, or
  • The execution of a program.

Whereas, on the other hand, modification refers to the alteration, removal or addition of data: section 308A(2).

What is "data held in a computer"?

Data held in a computer is defined in section 308 Crimes Act to include:

  • Data entered or copied into a computer,
  • Data held in any removable storage which was in a computer for a time, or
  • Data held in any data storage device on a computer network of which a computer forms a part.

What is "unauthorised access to or modification of data"?

The unauthorised access to or modification of data by a person is:

"unauthorised if the person is not entitled to have caused that access, modification or impairment": section 308B(1) Crimes Act.

The person is seen to have accessed, modified, or impaired data if:

  • The access, modification or impairment to the restricted data is caused by the authorised person (s 308B(2A)(a)),
  • The computer concerned is in the lawful custody of the authorised person when the access, modification, or impairment is caused (s 308B(2A)(b)),
  • The known purpose of the access, modification or impairment is to preserve, or prevent the concealment, fabrication, destruction, or loss of, evidence of the commission of an offence (s 308B(2A)(c)), and
  • The person is deemed to have caused the unauthorised access, modification, or impairment if the person's conduct substantially contributes to the unauthorised access, modification, or impairment (s 308B(3)).

It should be noted that "any such access, modification or impairment is not unauthorised merely because the person has an ulterior purpose for that action": section 308B(2). The object of this section was to "protect an officer who has a legitimate entitlement to access particular data but who may have an ulterior purpose for that access": Salter v DPP [2011] NSWCCA 190, at [19]. Should the officer be able to establish that they had a legitimate purpose to access the restricted data they will not be held in breach of this provision even if it comes to light that there is present an ulterior purpose. The assessment of whether the access to the restricted data is permitted requires the prosecution to:

"...identify the entry and to determine whether the entry was within the scope of the permission that had been given. If the permission was not subject to some express or implied limitation which excluded the entry from its scope, then the entry will be with lawful justification but if the permission was subject to an actual express or implied limitation which excluded the actual entry made, then the entry will be "without lawful authority to do so.

In my view, the section requires attention to whether the particular entry in question was an entry that was made without lawful authority. In a case of a hacker, it will be clear that he has no authority to enter the system. In the case of an employee, the question will be whether that employee had authority to affect the entry with which he stands charged. If he has a general and unlimited permission to enter the system, then no offence is proved. If, however, there are limits upon the permission given to him to enter that system, it will be necessary to ask was the entry within the scope of that permission? If it was, then no offence was committed; if it was not, then he as entered the system without lawful authority to do so": Director of Public Prosecutions v Murdoch (1993) 1 VR 406, at [409]-[410] per Hayne JA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.