Data Protection Act 2018 - Criminal Offences
The Data Protection Act 2018 (DPA 2018) came into force on 25 May 2018, replacing the Data Protection Act 1998. The DPA 2018 brought the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED) into UK Law.
GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It is brought in to UK Law by means of Part 2 of the DPA 2018.
Part 3 of the DPA 2018 transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into domestic UK law and sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’.
Personal data is any information relating to an identified or identifiable living individual. An identifying characteristic could include a name, ID number or location data. You should treat such information as personal data even if it can only be potentially linked to a living individual.
Section 119: Obstructing the Commissioner in inspecting personal data to discharge an international obligation
Section 119 is described as a ‘future-proofed’ version of s.54A DPA 1998. It is a provision that criminalises obstructing the ICO’s inspection of European information systems. The Commissioner may inspect personal data where the inspection is necessary in order to discharge an international obligation of the United Kingdom, subject to the restriction in subsection (2). Section 119 (6) states that it is an offence (a)intentionally to obstruct a person exercising the power under subsection (1), or (b)to fail without reasonable excuse to give a person exercising that power any assistance the person may reasonably require.
Section 132: Prohibition placed upon the Commissioner, or the Commissioner’s staff against disclosing information obtained in the course of their role (which is not available to the public)
Section 132 replaces section 59 DPA 1998 and criminalises action by former or current ICO staff who disclose data obtained during the course of their duties. Section 132 (2) clarifies the circumstances in which disclosure – with lawful authority – may be made. Section 132 (3) however confirms that it is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).
It is an offence for a person, in response to information notice from the Commissioner, to make or recklessly make, a statement which they know to be false in a material respect.
Under Section 148 (2) (a) it is an offence for a person to destroy or otherwise dispose of, conceal, block or (where relevant) falsify all or part of the information, document, equipment or material. Section 148 (2) (b) makes to cause or permit the actions set pout in the previous subsection.
Section 170 of the Act builds on section 55 DPA 1998 which criminalised knowingly or recklessly obtaining, disclosing or procuring personal data without the consent of the data controller, and the sale or offering for sale of that data. The provision was most typically/commonly used to prosecute those who had accessed healthcare and financial records without a legitimate reason. Section 170 adds the offence of knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data controller. There are some exceptions: for example where such obtaining, disclosing, procuring or retaining was necessary for the purposes of preventing or detecting crime. Section 170 (2) and (3) set out the defences to Section 170 (1).
Section 171 - a new offence - criminalises the re-identification of personal data that has been ‘de-identified’ (de-identification being a process - such as redactions - to remove/conceal personal data). Section (5) states that it is an offence for a person knowingly or recklessly to process personal data that is information that has been re-identified. Sections 171 (3) and (4) set out the defences to Section 171 (1) – for example, the re-identification was necessary for the purposes of preventing or detecting crime. Sections 171 (6) and (7) set out the defences to Section 171 (5).
Section 173 relates to the processing of requests for data from individuals for their personal data. Section 173 (3) makes it a criminal offence for organisations (persons listed in Section 173 (4)) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure. It builds on an offence under the Freedom of Information Act 2000. Possible defences to an offence under section 173 (3) are set out in Section 173 (5).
Section 184 (1) makes it an offence for a person to require another to provide them with or give them access to a relevant record linked to the employment, continued employment of one of their employees or a contract for the provisions of services to them. Section 184 (2) makes it an offence for a person to require another to provide them with or access to a relevant record if the requestor is involved in the provision of goods, facilities or services to the public or the requirement is a condition of providing or offering to provide goods, facilities or services to the other person or a third party. Section 184 (3) details the possible defences to offences under subsection 184 (1) or (2).
It is an offence under paragraph 15 (1) for a person to intentionally obstruct a person in the execution of a warrant issued under this Schedule or to fail without reasonable excuse to give a person executing the warrant such assistance as may be required. Under paragraph 15 (2) it is an offence for a person to make a statement in response to a requirement under paragraph 5(2(c) or (d) or 3(c) or (d) which the person knows to be false in a material respect or recklessly make such a statement.
There are no custodial sentences in respect of offences under DPA 2018 and no powers of arrest; all offences are punishable only by a fine.
Schedule 15 – Powers of entry and inspection, sets out the circumstances in which the Information Commissioner may apply for a search warrant.
The DPA 2018 removed Section 77 (power to alter penalty for unlawfully obtaining etc personal data) of the Criminal Justice and Immigration Act 2008.
Under the DPA 2018, organisations that determine the purpose for which personal data is processed (controllers) must pay the ICO a data protection fee unless they are exempt. The new data protection fee replaces the requirement to ‘notify’ (or register), which was in the DPA 1998. The Information Commissioner has the power to enforce the DPA 2018 and to serve monetary penalties on those who refuse to pay their data protection fee.
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling