Data Protection Offences under the Data Protection Act
By s. 17(1), personal data as defined by the Data Protection Act must not be processed, i.e. stored, retrieved or erased, unless the “data controller” is properly registered with the Commissioner.
Section 17(3) states that regulations may provide that this does not apply in respect of processing of a type which results in that processing being unlikely to prejudice the rights and freedoms of data subjects.
The conditions for processing by a data controller:
Schedules 2 and 3 to the Data Protection Act. At least one of the following conditions must be met whenever you process personal data:
Consent of subject
For the person to start a contract
The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
The processing is necessary to protect the individual’s “vital interests”. (Life and death situations.)
Courts and justice considerations.
The processing is in accordance with the “legitimate interests” condition.
Relevant exceptions include law enforcement etc.
Section 20 imposes a duty on every “data controller” that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Failure by a data controller to comply with this duty is an offence (s. 21(2)). This is an offence of strict liability, i.e. it can be committed without there being any criminal intent.
A “data controller” is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
By s. 55(1), a person must not knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data.
This does not apply to a person who shows that the obtaining, disclosing or procuring was necessary for the purpose of preventing or detecting crime, or was required or authorised by or under any enactment, by any rule of law or by the order of a court, or that he acted in the reasonable belief that he had in law the right to obtain, disclose or procure the disclosure of the data or information, or he acted in the reasonable belief that he would have had the consent of the data controller, or that it was justified as being in the public interest.
It is also an offence to sell or offer for sale or advertise for sale any data or information restricted by the Data Protection Act.