Criminal offences under the Data Protection Act 2018 – a reminder
When dealing with mishaps relating to the handling of personal data, there are a myriad of considerations for controllers, and often the question of whether data breaches are notifiable to either or both of the Information Commissioner’s Office and data subjects is (rightly) a priority matter.
However, two recent cases have provided a helpful reminder that controllers should also actively have in mind the possibility of criminal offences relating to personal data. In the context of data breaches, section 170 of the Data Protection Act 2018 is typically of key relevance.
Section 170 establishes the possibility of criminal offences where a person knowingly or recklessly:
- obtains or discloses personal data without the consent of the controller;
- procures the disclosure of personal data to another person without the consent of the controller; or
- after obtaining personal data, retains it without the consent of the person who was the controller in relation to the personal data when it was obtained.
Section 170 also provides for offences where an individual sells personal data which has been obtained (potentially indirectly) in the circumstances above.
In the first case, an employee sold some 3,600 pieces of personal information obtained from their employer’s internal customer database and also approached competitor companies with the information, claiming it belonged to them. The individual pleaded guilty to criminal offences under section 170 of the DPA 2018; they were reportedly fined £1,200 and ordered to pay £300 in costs.
A further case that has also gained media attention in the last few months reminds us that, where the allegations are more historic, the criminal offences under section 55 of the (old) Data Protection Act 1998 may continue to be relevant. Broadly speaking, section 55 makes provision for criminal offences along the same lines as section 170 of the DPA 2018, above. In that particular case, a former employee of a car rental company continued to access its customer database and used that information to offer his own services, in his new guise as a personal injury firm, to customers who had been involved in road traffic accidents. Prosecution under the 1998 Act was pursued, but only reached the criminal courts recently because the defendant was outside the jurisdiction, in the USA. On pleading guilty in August 2024, he was reportedly fined £10,000 plus costs of £1,700.
The possibility of criminal offences is not limited to section 170 of the DPA 2018 and there are other important offences woven throughout that legislation. For example:
- Section 171 of the DPA 2018 provides for offences where a person knowingly or recklessly re-identifies information that is de-identified personal data, without the consent of the controller responsible.
- Section 173 of the DPA 2018 provides for offences where a controller (or a person who is employed by, is an officer of, or is otherwise subject to the direction of, the controller) alters, defaces, blocks, erases, destroys or conceals information with the intention of preventing disclosure of all or part of the information that a person who has made a data subject access request would have been entitled to receive.
- Section 184 of the DPA 2018 provides for offences where a person requires another person (without appropriate justification) to supply “relevant records” (defined within Schedule 18 of the DPA 2018 as records obtained via data subject access rights in respect of health data, convictions or cautions, or relating to certain statutory functions) as a condition of employment or of a contract for services.
Given that prosecutions may be instituted by the ICO and/or by, or with the consent of, the Director of Public Prosecutions against not just “rogue” individuals but also bodies corporate and (in some circumstances) officers of the relevant body corporate, such as directors and managers, mitigating the possibility of criminal offences arising should be an active feature of the information governance systems of any data controller. We are able to advise on the full range of proactive and reactive issues these considerations prompt; please do contact us if we can assist.