Can I get a criminal record if I do not follow the Data Protection Act 2018?
I am often asked by practitioners, ‘why are there no criminal offences within the Data Protection Act 2018 (“the Act”)?’ The simple answer I give is there are many criminal offences listed.
I did recently ask the Information Commissioners Office (ICO), using the Freedom of Information Act, for the number of criminal offences that have been committed under the 1998 Act that led, which to prosecution, and this numbered just one in the five years from 2015 -2020.
Therefore, with the introduction of the 2018 Data Protection Act, it is worth reflecting and sharing with practitioners the offences as currently only the BCS Data Protection Practitioners Course covers off this lesser-known area of Data Protection Law.
It is important to note that the criminal offences we review are applicable to the general processing of personal data under the section 2 of the Act the UK & EU GDPR and section 3 Law Enforcement and section 4 Intelligence Services processing.
So let us take each offence in turn.
Breach of confidentiality by the Information Commissioner, Section 132 of the Act
Section 132 places a statutory duty on the ICO to ensure that all matters they deal with from either identifiable individuals or businesses, is kept confidential. Section 132 makes it a criminal offence for the Commissioner or a member of their staff to disclose information that is out with their statutory functions and without the permission of the third party. In essence, it mirrors the common law duty of confidentiality but goes further by putting ICO leakers at risk of prosecution.
False statements made in response to information notices, Section 144 of the Act
As you would expect Section 144 makes it a criminal offence to knowingly or recklessly make a statement that is false in response to an information notice issued by the ICO.
Destroying or falsifying Information and documents, Section 148 of the Act
Section 148 comes into play when the ICO has issued an information notice or an assessment notice against a Data Controller. It is an offence to destroy or otherwise dispose of, conceal, block, or where relevant, falsify it, with the intention of preventing the ICO from viewing or being provided with or directed to it. In essence, obstructing an investigation from the ICO could get you a substantial fine.
The unlawful procurement of personal data, Section 170 of the Act
It is a criminal offence under section 170 for a person to knowingly or recklessly obtain or disclose personal data without the consent of the controller, or, after obtaining personal data, to retain it without the consent of the person who obtained that personal data. This at first may seem obvious but there are a number of defences which include acting with a reasonable belief that they had the consent of the Data Controller.
Another defence used, is when acting in accordance with an instruction of a court or law, or in the case of journalists where they are believed to be acting in the public interest. The MPs expenses scandal being a good example, when a member of staff passed personal data to the Daily Telegraph about MPs extraordinary expenses claims, believing it to be in the public interest. It is important to note that this offence relates to the personal data only.
Re-identification of de-identified personal, Section 171 of the Act
Section 171 is complex, but in essence, it makes it an offence without the consent of the Data Subject to re-identify them following an exercise whereby the Data Subject believed their data was unidentifiable. There are defences within section 171, similar to section 170 under the 2018 Act.
Alteration of personal data to prevent disclosure to data subject, Section 173 of the Act
Section 173 makes it an offence to alter personal data to prevent its disclosure following the exercise of a right to access or the right to data portability application. In essence makes it a criminal offence to alter personal data after a request for disclosure has been made.
Prohibition of the requirement to produce relevant records, Section 184 of the Act
Section 184 makes it illegal for one person to require another person to provide records obtained via the right of access applications as a condition of their employment or contract. It is also an offence for a provider of goods, facilities or services to the public to request such records from another as a condition for providing a service. In simplistic terms, you can work for us if you get the DSAR records from your old employer and let us see them!
Liability of directors, Section 198 of the Act
Section 198 is my favourite section of the Data Protection Act 2018. Section 198 gives powers to prosecute a director, manager, secretary or similar officer of the body corporate, or a person who was purporting to act in such a capacity for a breach of the Act of the body corporate. Section 198 (3) extends to membership organisations and holds the members liable.
To get yourself in the dock you would have had to have breached the 2018 Act with the consent or connivance of, or to be attributable to the neglect of the officers of the body corporate.
Punishments for transgression
The 2018 Data Protection Act placed the burden of ensuring that all the offences listed above with the exception of section 198, are recordable. Section 198 outlines those offences which it deems to be recordable. Recordable punishments are recorded on the Police National Computer and record of the offence is kept on file.
As well having a criminal record, a data protection transgression could see you with a substantial fine. Section 196 outlines the potential penalties which indicates fines for those convicted. There are no powers of arrest or custodial sentences. The Crown Prosecution Service has not issued guidance on the level of fines but such matters before the courts mean that both the Crown Court and Magistrates Courts have unlimited power when it comes to setting the level of fines.
You can view all of our upcoming training courses on our schedule page.
by Nigel Gooding
Nigel is founder of the Data Privacy Advisory Service, and he plays a vital part in our success. Due to his extensive experience, Nigel is recognised as a leading expert in the industry.