Friday, July 6 2012

PERSONS who may have used computers to carry out the leak of raw data relating to the Secondary Entrance Assessment (SEA) results could face a $15,000 fine and imprisonment for two years under the provisions of the Computer Misuse Act.

According to Section 3 of the Act, a person, “who knowingly and without authority causes a computer to perform any function for the purpose of securing access to any programme or data held in that computer or in any other computer commits an offence and is liable on summary conviction to a fine of fifteen thousand dollars and to imprisonment for two years.”

It is also an offence under the Act to obstruct or interfere with the lawful use of a computer and its systems, punishable by two years prison and a $15,000 fine.

A portable document format (PDF) of what appeared to be a spreadsheet document, containing a table of students, their schools and assessment results circulated on Wednesday, the day before the SEA results were due to be officially released.

In immediate reaction, the Ministry of Education said it had referred the matter to the police and may have involved criminal conduct.

“Active investigations are being pursued to determine those responsible for this act of sabotage and for possible prosecution of criminal conduct,” the ministry said. It was unclear how the raw data was leaked. There are other offences which may be relevant.

One possibility is the Data Protection Act which sets out principles which organisations, including the State, must comply with. The legislation was proclaimed in January and protects personal information.

The definition of personal information includes information relating to the education of an individual. Persons handling personal information must comply with the code of practice protecting the information in the Act.

Section 92 of the Data Protection Act notes that, “ (1) A person who wilfully discloses personal

information in contravention of this Act, commits an offence.” Further, “(2) A person who collects, stores or disposes of personal information in a manner that contravenes this Act commits an offence.” A person who breaches confidentiality obligations also commits an offence.

Penalties are: three to five years imprisonment and a fine of $50,000 to $100,000, depending on whether the matter is taken at the lower or higher courts.

Ironically, the Ministry of Education is also, under the Act, under a legal obligation to protect the information but putting “reasonable” safeguards in place.

Section 35 stipulates that, “A public body shall protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorised access, collection, use, alteration, disclosure or disposal.”