Data protection offences explained

Graham Rishton | Alumni
The amount of our personal data held by organisations has risen rapidly in recent decades. Our personal data can be invaluable in all sorts of different ways both to those who would use it properly and, unfortunately, to those who would use it for illegitimate purposes.
Data Protection law sets out rules for handling our data and who is responsible for following such rules. Who does this law apply to? Who is a Data Controller? What responsibilities does a Data Controller have? What should you do if you find yourself under investigation for offences of this type? Read on for the answers to these questions and, as cyber crime solicitors, our approach to dealing with such investigations.
The Data Protection Act 1998
This Act of Parliament was passed in order to control how personal or customer information is used by organisations or Government bodies. It applies to any data held, whether on a computer in digital form or as paper copies.
The Act sets out a number of different offences which can be committed.
Data Protection Offences
By s.17(1), personal data as defined by the Data Protection Act must not be processed (i.e. stored, retrieved or erased) unless the “data controller” is properly registered with the Commissioner.
"Personal Data" is classed as being any information relating to an identified or identifiable living individual. Identifying characteristics might include their name, their location data or an ID number.
A “data controller” is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
s. 17(3) states that regulations may provide that this does not apply in respect of processing of a type which results in that processing being unlikely to prejudice the rights and freedoms of data subjects.
The conditions for processing by a Data Controller:
The law sets out various conditions which must be met whenever a data controller is processing personal data. These can be found in Schedules 2 and 3 of the Act. At least one of the following conditions must be met:
Consent of subject
For the person to start a contract
The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
The processing is necessary to protect the individual’s “vital interests”. (Life and death situations.)
Courts and justice considerations.
The processing is in accordance with the “legitimate interests” condition.
There are various exceptions to this - for example, law enforcement.
Section 20 imposes a duty on every “data controller” that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Hacks on organisations, leading to leaks of personal data, are an increasingly common event. Being hacked and losing control of such data is not an offence. But s.21(2) states that it is an offence if a Data Controller has failed to put in place appropriate measures to guard against such an attack. This is a strict liability offence, which means such a failure does not need to be deliberate.
This is a highly technical area and specialist advice should be sought from Cyber Crime Solicitors.
A further offence within the Act refers to the provision or disclosure of personal data without consent of the Data Controller:
By s.55(1), a person must not knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data.
There are, however, exceptions to the above law. This does not apply where a person can show that the obtaining, disclosing or procuring was necessary
for the purpose of preventing or detecting crime;
or was required or authorised by or under any enactment, by any rule of law or by the order of a court;
or that he acted in the reasonable belief that he had in law the right to obtain, disclose or procure the disclosure of the data or information;
or he acted in the reasonable belief that he would have had the consent of the data controller or that it was justified as being in the public interest.
It is also an offence to sell or offer for sale or advertise for sale any data or information restricted by the Data Protection Act.
Data Protection Act 2018
This more recent legislation introduced a number of new offences. This Act largely sought to increase the breadth of the offences under the old Act, and also to strengthen the ability of the Information Commissioner's Office (ICO) to investigate potential breaches by creating offences for providing misleading information to the ICO.
Conviction of any of the above offences cannot lead to a custodial sentence and somebody convicted of these offences can only ever receive a fine as the maximum punishment. The size of the fine will be dependent upon the scale and nature of the breach and the ability of the convicted person to pay such a fine.
Anyone under suspicion for these types of offences would be well-advised to contact cyber crime solicitors for initial advice.
