CMA Reference
UK Legal Reference Sheet – Computer Misuse Act 1990 & GDPR (2024 Summary)
Computer Misuse Act 1990 (CMA)
Section 1 – Unauthorised Access
- It is an offence to knowingly gain unauthorised access to any computer system.
- Example: Logging in to an account without permission, even just to look.
Section 2 – Unauthorised Access with Intent
- Accessing systems without permission with intent to commit further crimes, e.g., fraud or data theft.
Section 3 – Unauthorised Acts with Intent to Impair
- Doing something that causes damage, e.g., deploying malware, deleting files, or disrupting systems.
Section 3ZA – Causing Serious Damage
- Aggravated offence where serious harm is caused to national security, health, or economic interests.
Section 3A – Making, Supplying or Obtaining Hacking Tools
- Illegal to make, supply or obtain tools intended for use in committing CMA offences.
UK GDPR (General Data Protection Regulation)
Key Principles (Article 5)
- Lawfulness, fairness, transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
Article 32 – Security of Processing
- Organisations must implement appropriate technical and organisational security measures.
Article 33 – Breach Notification
- Must notify the ICO within 72 hours if a data breach risks individuals' rights.
Article 34 – Communication to Data Subjects
- If a breach is high risk to individuals, the affected persons must also be informed without undue delay.
Notes for Incident Response
- Always preserve the chain of custody.
- Ensure actions do not breach privacy laws.
- Attribution must be based on evidence, not suspicion.