Data Protection Act 2018

Individuals who access personal data unlawfully may be liable for prosecution under the Data Protection Act 2018. Often, conduct charged under the most commonly used provision of the act – the section 170 offence – is also captured by offences under the Computer Misuse Act, most typically the section 1 “unauthorised access” offence under that legislation.

The Data Protection Act 2018 came into law on the 23 May 2018 to implement a commitment made to update the U.K.’s existing data protection laws in the election manifesto of the Conservative party in 2017. The 2018 Act sets new standards for protecting data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 [2016] OJ L119/1, or ‘GDPR’). The GDPR has been effective since 25 May 2018.

The 2018 act gave greater powers to the Information Commissioner expanding upon the provisions of the Data Protection Act 1998. Under the 1998 act, as originally enacted, the commission could only serve enforcement notices - although in 2008 in respect of the most serious breaches the ICO was given the power to issue civil monetary penalty notices of up to £500,000. The 2018 act expands the information Commissioners powers and creates new criminal offences.

Section 170 Offence

The section 170 offence is the most commonly charged of the criminal offences which are outlined in the Data Protection Act. The number of prosecutions under this legislation remains low but this may change in the future.

Section 170 criminalises “the knowing or reckless obtaining or disclosure of personal data without the consent of the controller (s. 170).

The previous incarnation of the legislation in the DPA 1998 contained a similar offence - the section 55 offence under the 1998 act. This made it an offence for a person knowingly or recklessly to obtain, disclose or procure the disclosure of personal data without the data controllers consent. The section 55 offence carried a maximum penalty of an unlimited fine. According to the CPS website – the section 55 offence of the 1998 legislation was often charged when individuals were alleged to have unlawfully obtained access to financial and medical records.

The elements of the s.55 and s.170 offence are the same save that there has been an addition to capture conduct amounting to the unlawful retention of data. The offence also criminalises individuals who sell that data. According to the explanatory notes, “this has been added to deal with situations where a personal obtains data lawfully but then intentionally or recklessly retains it without the consent of the controller.”

The section 170 offence provides for a defence in certain circumstances including where:-

• Data is obtained for the purposes of preventing or detecting crime

• To fulfil a legal obligation

• For reasons of public interest

• For acting in the reasonable belief that they had a legal right or would have had the consent of the data controller

• With a view to publication

• And the obtaining of the data was reasonably believed to be justified as being in the public interest

There is a legal burden on the defendant to prove the relevant defences on the balance of probabilities.

Sentencing

Punishment for any criminal offence under the Act is by way of a penalty noticed issued by the ICO – the maximum penalty is an unlimited fine. As to the appropriate level of fines there is no guidance available at present.

A recent example of a prosecution under this provision lead to conviction for a former employees at the Heart of England NHS foundation trust. Prosecuted under the section 55 offence of the Data Protection Act 1998, the former HEFT employee pleaded guilty to unlawfully accessing personal records for 14 individuals and was sentenced to a fine of £1000.

Other Offences

Section 171 of the Data Protection Act targets the knowing or reckless re-identification of information that was previously de-identified.

Section 173 captures the alteration or concealment of information that should have been provided in response to a data subject access request, and in a way that prevents all or part of its disclosure.

BSQ’s solicitors have extensive experience in defending cyber crime charges. Contact us for a no obligation if you need advise about this highly specialist area of law.