Data Protection Act 1998 - Criminal Offences

Legal Guidance, Cyber / online crime


The Data Protection Act 1998 (DPA) came into force on 1 March 2000.

The 1998 Act applies to personal data held in all formats, whether electronic, paper, audio, visual or digital records. Processing, under the terms of the DPA, covers all conceivable manipulations of personal data including collection, use, storage, disclosure and amendment. Mere possession of such data amounts to processing.

Personal data is any recorded information about a living individual that can be identified from that data and other information, which is in the possession of the Data Controller as defined in the judgement in Durant v Financial Services Authority [2003] EWCA Civ 1746, Court of Appeal (Civil Division). A summary of this judgement is available on the Information Commissioner's website.


The DPA sets out what may or may not be done with personal data (personal data is any information that relates/identifies a living individual). The DPA creates a number of criminal offences that can only be instituted by the Commissioner or with the consent of the Director of Public Prosecutions (DPP).

The DPA creates a number of criminal offences, the most relevant DPA offences to consider are:

Section 55(1) DPA unlawful obtaining etc. of personal data
It is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller.

There are some exceptions to this for example, where such obtaining or disclosure was necessary for crime prevention/detection. Section 55(2) sets out four defences to section 55(1).

If a person has obtained personal information illegally it is an offence to offer or to sell personal information. Section 55(3) makes the contravention of section 55(1) a criminal offence.

Section 55(4) and section 55(5) DPA create offences of selling and offering to sell personal data. For the purposes of section 55(5) DPA an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

When prosecuting DPA cases as per the case of R v Julian Connor (Southwark Crown Court, 19 May 2003) prosecutors should remember to adduce evidence that the individuals named in each charge were alive at the time their data was obtained, and as per R v Buckley, England, Wallace and Moore (Winchester Crown Court, September 2003), the prosecution has to prove that the information was data within the meaning of Section 2(1) of the DPA.

There are no custodial sentences in respect of DPA offences and no powers of arrest; all offences are punishable only by a fine. Search warrants are available to the Information Commissioner by virtue of section 50 and the powers outline at schedule 9 of the DPA.

Criminal Justice and Immigration Act 2008

Section 77 Criminal Justice and Immigration Act 2008 came into force on Royal Assent on 8 May 2008. Section 77 gives the Secretary of State the power to alter the penalty for an offence of unlawful obtaining etc. of personal data contrary to section 55 of the DPA. The Secretary of State has not increased the penalty for a section 55 DPA offence. Areas will be informed if this power is exercised.

Notification Offence

Section 17 DPA - Prohibition on processing of personal data without registration.

The DPA contains a number of notification offences. This is where processing is being undertaken by a data controller who has not notified the Commissioner either of the processing being undertaken or of any changes that have been made to that processing.

Personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Information Commissioner. Contravention of section 17 DPA is an offence. Pursuing offences under section 17 DPA offers a way of officially identifying the data-controller or webmaster of websites.

See also section 21(1) processing without a register entry.

Right of data subject

Section 10 DPA - Right of data subject to prevent processing likely to cause damage or distress.

A persons name and address may already be in the public domain but that does not mean that it is any less personal data. Any processing of that data, including putting it on a website would have to comply with the Data Protection Act. Any question of whether such processing would be fair (one of the key DPA concepts) would depend on why the information was being put on the website. The data subject may have an avenue of recourse under section 10 of the DPA.

Under section 10 DPA a data subject (can be anybody) at anytime can write to a data controller (e.g. webmaster) to require him to cease or not to begin, processing any personal data in respect of which he is the data subject. This is on the grounds that the processing of that data is causing or likely to cause substantial damage or distress to the data subject or another and that damage or distress is or would be unwarranted.

The data controller has 21 days from receiving the data subject notice to provide a written notice stating he has complied or intends to comply, or stating his reasons for regarding the data subject notice as unjustified.

If a data controller (i.e. the person uploading information on to the website) fails to comply with the written request by the data subject to cease processing the data, the data subject could then apply to the Information Commissioner to intervene or to a court.

Relevant Links

The Information Commissioners Office

Data Protection Act 1998

Further reading