Computer Access
The Computer Misuse Act 1990 makes offences of:

- Unauthorised access to computer material (i.e. both hacking and access by Unauthorised users);

- Unauthorised modification of computer material (e.g. the insertion of a time bomb such as the 'Friday 13th' data destruction program); and

- Ulterior intent (i.e. Unauthorised access for the purpose of committing a crime).

Penalties for Unauthorised access (apart from those provided for under the Act which are up to 5 years imprisonment and/or an unlimited fine) may include dismissal for employees.

A policy/procedure such as the following might be appropriate:

1. Employees may only operate within their own departmental operations and service areas. Access to other areas is restricted to Authorised personnel only. Access to the systems, particularly, but not exclusively, the computer systems, is reserved to Authorised personnel only. Unauthorised access to, or in any way tampering with, any computer system or software, or computer installation (including but not restricted to the items in this rule) will be regarded as gross misconduct and may render the offender liable to dismissal and prosecution under the Computer Misuse Act 1990.

2. All computer records will be backed up daily (or more often if required) with back up stored in (a remote location).

3. Data files altered during daily working will also be backed up daily with back up stored in (a remote location).

4. In no instance should any computer owned or leased by the business be used for playing games or for any purpose other than the legitimate work of the business. Nor shall employees using their computers or electronic equipment use them for such purposes in the workplace. Nor may employees access the Internet (or any other information service obtained via computer access) whilst at work other than with the previous written permission of [a director]. The attention of all employees is drawn to [the organisation] ELECTRONIC COMMUNICATIONS policy.

4. Breach of these rules is regarded as gross misconduct, the maximum penalty for which under the organisation disciplinary policy is summary (without notice) dismissal.

5. No software and/or disks, etc. other than those owned or leased by [the Organisation] may be used in its computers. All software and disks must be purchased new from recognised and reputable suppliers, backed by a confirmation that all such items are free from viruses, etc., and/or with a guarantee/liability acceptance that, in the event that virus(es) which have caused damage, were present on purchase, the supplier will reimburse losses.

6. Anti-virus programs should be used regularly (specify intervals) to check that all systems, software and disks, etc. (including backup files) are virus free. Any item found infected must be immediately separated from any networking arrangement, and steps taken to eliminate the virus.

Destruction of Data
Since it may be possible to access data, formerly stored on the hard disk of a computer even though the user deleted it, suitable protection (or destruction) must be considered for such disks. This problem becomes more acute in considering the number of personal computers used both in and outside the Organisation - including many which commute with employees.