Privacy Law and Policy Reporter
Supreme Court of the Australian Capital Territory (Miles CJ)
(available at http://www.austlii.edu.au/au/cases/act/supreme_ct/unrep1016.html)
The respondent, who was employed at Grade ASO4 in the Australian Taxation Office (ATO), obtained the tax file numbers and personal details of 30 persons with the same surname as himself, and personal details of others. He was shortly to retire from the ATO and go into business by himself.
By April 1994 he had no duties of substance but was given access to a data base, apparently containing details relating to all Australian taxpayers. He began playing with it in order to test its capabilities. He became addicted to the system for the purpose of stress release. He obtained a printout of the name and address of every tax payer in Australia with the same surname as himself. He checked the income of certain persons whom he knew in order to assist him in choosing a suitable vocation. He obtained details of companies with which he might have had, or might come to have, commercial dealings.
The Crimes Act 1914 (Cth) creates an offence under s 76B where a person ‘intentionally and without authority obtains access to ... data stored in a Commonwealth computer’. A more serious offence occurs under s 76B(2) where the unauthorised access is to ‘data that the person knows or ought reasonably to know relates to ... (v) the personal affairs of any person’.
Miles CJ set aside as ‘manifestly inadequate’ the Magistrate’s decision not to record a conviction on one charge and to dismiss the other two altogether, and instead ordered on all three charges a conviction be recorded, and that sentence be deferred upon the respondent entering into a recognisance in the same terms as that set by the Magistrate.
Miles CJ observed:
15. Paragraph 76B(2)(b) is intended to protect information under the control of the Commonwealth, and also to protect the privacy of persons to whom such information relates. The income tax laws require almost every person who earns an income in Australia to have a tax file number and to furnish returns with particulars, sometimes of a very personal and private nature. The information received by the ATO in this way is stored on computer. A tax file number, which is virtually confidential between the ATO and the taxpayer, provides the key to other detailed information about the taxpayer. For the efficient functioning of the ATO, it is no doubt essential for numerous officers to have access to much of the information on the computer including tax file numbers. The potential to retrieve such information and even to have it produced in a printed form is enormous. The officers who are granted access are entrusted with that capacity only for the legitimate purposes of their duties. The average tax payer would, I am sure, be outraged at the prospect of an officer of the ATO perusing details of the tax payer’s personal affairs, which the taxpayer has disclosed under threat of penalty, other than for a proper purpose. The outrage may be all the greater if the officer were motivated by commercial or other ‘nefarious’ purpose, but, in my view, that is not to the point. In my view, it was wrong for the Magistrate to have regard to the hypothesis that it was ‘routine’ for an officer like the respondent, authorised to obtain access to information of a private kind on the computer, to use that authority at the officer’s whim in order to obtain such information, not for the purposes of the office itself, but for amusement, edification or any other private purpose.
The ‘computer crime’ offences in the Commonwealth Crimes Act 1914 (ss 76A-76E), and the corresponding provisions in the NSW Crimes Act 1901 (ss 108-110) provide incidental legal protection to privacy of considerable importance.
Graham Greenleaf, General Editor.
Supreme Court of New South Wales, 15 December 1995 (Hunt CJ, Allen and Dunford JJ)
(Available at http://www.austlii.edu.au/au/cases/nsw/supreme_ct/unrep209.html)
The appellant worked within the Debt Management Section of the Australian Taxation Office (ATO) in its Relief Section. He was required by his employers to prepare documentation concerning applications for taxation relief, but was not authorised to make determinations granting relief. Following determination of an application, he was required to insert data into an ATO computer system which operated only in the Debt Management Section. He had access to the computer by entering his user ID and password. His duties included the entry of various codes into the computer, but he was permitted by his employer to enter relief code ‘43’ only where relief had been granted. In 19 instances, no grant of relief had been made and the appellant knew this but he inserted relief code ‘43’ in the computer indicating that relief had been granted when this was not the case. There was no financial gain to the appellant, but he did so because of ‘a desire to expedite the process, a heavy workload and concern about suggested inconsistencies in determinations of applications for relief’. The computer system had the capacity to be programmed to restrict the insertion of data and to beep and display the words ‘no right of access’ if insertion was attempted contrary to the restriction, but had not been programmed to restrict entry of relief code ‘43’ by the appellant.
The Crimes Act 1914 (Cth) creates an offence in s 76C where a person ‘intention-ally and without authority or lawful excuse ... destroys, erases or alters data stored in, or inserts data into, a Commonwealth comp-uter’. The issue was whether the appellant acted ‘without authority’ in terms of s 76C even though the computer would physically accept the insertion of relief code ‘43’. It was contended that because the computer accepted the data, the computer authorised the insertion of the data.
Dunford J (with whom Allen J and Hunt CJ agreed) held that ‘the effect of s 76C is that the ‘authority’ referred to is authority to destroy, erase, alter or insert the particular data; and general authority to gain access to or use the computer is not sufficient if the particular entry etc is not authorised’, and that in the 19 instances in this case ‘the applicant had a limited authority to make entries into the computer and therefore, by going outside the limitations imposed, he was acting without authority’.
The court followed (see para 8) the approach taken by the High Court in Kennison v Daire  HCA 4; (1986) 160 CLR 129 (see http://www.austlii.edu.au/au/cases/cth/high_ct/160clr129.html), a case concerning larceny from an automated teller machine (ATM), where it was held that:
The fact that the bank programmed the machine in a way that facilitated the commission of a fraud by a person holding a card did not mean that the bank consented to the withdrawal of money by a person who had no account with the bank. It is not suggested that any person, having the authority of the bank to consent to the particular transaction, did so. The machine could not give the bank’s consent in fact and there is no principle of law that requires it to be treated as though it were a person with authority to decide and consent.
In Gilmour the court held that ‘similarly here the computer could not give the authority; such authority had to come, if at all, from the appellant’s superiors or departmental procedure, and that authority was only to enter code 43 when relief had been granted.’
Of particular relevance to questions of unauthorised access, the court also noted Barker v The Queen  HCA 18; (1983) 153 CLR 338 (see http://www.austlii.edu.au/au/cases/cth/high_ct/153clr338.html), where it was held that a person whose entry to premises is author-ised for a particular purpose enters as a trespasser if he enters for any other purpose.
This decision deals with insertion of data under s 76C, but is a leading decision on the meaning of ‘without authority’ in relation to all computer crime provisions.
Graham Greenleaf, General Editor.