Data Protection Act 2018 - Criminal Offences

Updated: 10 December 2018|Legal Guidance, Cyber / online crime

Introduction

The Data Protection Act 2018 (DPA 2018) came into force on 25 May 2018, replacing the Data Protection Act 1998. The DPA 2018 brought the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) into UK Law.

What is the GDPR?

GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It is brought in to UK Law by means of Part 2 of the DPA 2018.

 What is the LED?

Part 3 of the DPA 2018 transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law and sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’.

What is personal data?

Personal data is any information relating to an identified or identifiable living individual.  An identifying characteristic could include a name, ID number or location data. You should treat such information as personal data even if it can only be potentially linked to a living individual.

Offences under the DPA 2018

Section 119: Obstructing the Commissioner in inspecting personal data to discharge an international obligation

Section 119 is described as a ‘future-proofed’ version of s.54A DPA 1998. It is a provision that criminalises obstructing the ICO’s inspection of European information systems. The Commissioner may inspect personal data where the inspection is necessary in order to discharge an international obligation of the United Kingdom, subject to the restriction in subsection (2). Section 119 (6) states that it is an offence (a)intentionally to obstruct a person exercising the power under subsection (1), or (b)to fail without reasonable excuse to give a person exercising that power any assistance the person may reasonably require.

Section 132: Prohibition placed upon the Commissioner, or the Commissioner’s staff against disclosing information obtained in the course of their role (which is not available to the public)

Section 132 replaces section 59 DPA 1998 and criminalises action by former or current ICO staff who disclose data obtained during the course of their duties. Section 132 (2) clarifies the circumstances in which disclosure – with lawful authority – may be made. Section 132 (3) however confirms that it is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).

Section 144: False statement made in response to an information notice

It is an offence for a person, in response to information notice from the Commissioner, to make or recklessly make, a statement which they know to be false in a material respect.

Section 148: Destroying or falsifying information and documents etc

Under Section 148 (2) (a) it is an offence for a person to destroy or otherwise dispose of, conceal, block or (where relevant) falsify all or part of the information, document, equipment or material. Section 148 (2) (b) makes to cause or permit the actions set pout in the previous subsection.

Section 170: Unlawful obtaining etc of personal data

Section 170 of the Act builds on section 55 DPA 1998 which criminalised knowingly or recklessly obtaining, disclosing or procuring personal data without the consent of the data controller, and the sale or offering for sale of that data. The provision was most typically/commonly used to prosecute those who had accessed healthcare and financial records without a legitimate reason. Section 170 adds the offence of knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data controller. There are some exceptions: for example where such obtaining, disclosing, procuring or retaining was necessary for the purposes of preventing or detecting crime. Section 170 (2) and (3) set out the defences to Section 170 (1).

Section 171: Re-identification of de-identified personal data

Section 171 - a new offence - criminalises the re-identification of personal data that has been ‘de-identified’ (de-identification being a process - such as redactions - to remove/conceal personal data). Section (5) states that it is an offence for a person knowingly or recklessly to process personal data that is information that has been re-identified. Sections 171 (3) and (4) set out the defences to Section 171 (1) – for example, the re-identification was necessary for the purposes of preventing or detecting crime. Sections 171 (6) and (7) set out the defences to Section 171 (5).

Section 173: Alteration etc of personal data to prevent disclosure to data subject

(also features in criminal offences list below)

Section 173 relates to the processing of requests for data from individuals for their personal data. Section 173 (3) makes it a criminal offence for organisations (persons listed in Section 173 (4)) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure. It builds on an offence under the Freedom of Information Act 2000. Possible defences to an offence under section 173 (3) are set out in Section 173 (5).

Section 184: Prohibition of requirement to produce relevant records

Section 184 (1) makes it an offence for a person to require another to provide them with or give them access to a relevant record linked to the employment, continued employment of one of their employees or a contract for the provisions of services to them. Section 184 (2) makes it an offence for a person to require another to provide them with or access to a relevant record if the requestor is involved in the provision of goods, facilities or services to the public or the requirement is a condition of providing or offering to provide goods, facilities or services to the other person or a third party. Section 184 (3) details the possible defences to offences under subsection 184 (1) or (2).

Schedule 15, Paragraph 15. Powers of Entry and Inspection

It is an offence under paragraph 15 (1) for a person to intentionally obstruct a person in the execution of a warrant issued under this Schedule or to fail without reasonable excuse to give a person executing the warrant such assistance as may be required. Under paragraph 15 (2) it is an offence for a person to make a statement in response to a requirement under paragraph 5(2(c) or (d) or 3(c) or (d) which the person knows to be false in a material respect or recklessly make such a statement.

There are no custodial sentences in respect of offences under DPA 2018 and no powers of arrest; all offences are punishable only by a fine.

Schedule 15 – Powers of entry and inspection, sets out the circumstances in which the Information Commissioner may apply for a search warrant.

The DPA 2018 removed Section 77 (power to alter penalty for unlawfully obtaining etc personal data) of the Criminal Justice and Immigration Act 2008.

Notification Offence

Under the DPA 2018, organisations that determine the purpose for which personal data is processed (controllers) must pay the ICO a data protection fee unless they are exempt. The new data protection fee replaces the requirement to ‘notify’ (or register), which was in the DPA 1998. The Information Commissioner has the power to enforce the DPA 2018 and to serve monetary penalties on those who refuse to pay their data protection fee.

Right of data subjects

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Guidance on the CPS’ obligations in respect of these rights can be found here: Data protection and the CPS and Privacy Notice. 

Further reading