DPA 2018: Criminal Offenses
Criminal Offenses [s.170-173, 196]
Rule: The DPA 2018 creates criminal offenses for serious data protection violations, including unlawful obtaining of personal data, re-identification of anonymized data, and obstructing the Information Commissioner.
Unlawful Obtaining of Personal Data [s.170]
It is an offense to knowingly or recklessly obtain, disclose, or procure disclosure of personal data without the controller’s consent.
| Element | Requirement |
|---|---|
| Action | Obtain, disclose, or procure disclosure |
| Without consent | Controller has not consented |
| Mental element | Knowingly or recklessly |
Defenses [s.170(2)]
It is a defense if the person can show:
| Defense | Description |
|---|---|
| Necessary for law enforcement | Prevention/detection of crime, legal proceedings |
| Legal obligation | Required or authorized by law |
| Reasonable belief | Reasonably believed they had a legal right |
| Justified in public interest | Acting in public interest (journalistic, academic, artistic, literary) |
Penalty
- Summary conviction: Fine
- Indictment: Unlimited fine
No imprisonment for this offense (unlike some other jurisdictions).
Re-identification of De-identified Data [s.171]
It is an offense to knowingly or recklessly re-identify information that has been de-identified without the controller’s consent.
| Element | Requirement |
|---|---|
| De-identified data | Personal data processed so it cannot identify anyone without additional info |
| Re-identification | Taking steps to identify a living individual |
| Without consent | Controller has not consented |
| Effectiveness test | Must be effective re-identification (successful or showing it’s possible) |
Defenses [s.171(3)]
| Defense | Description |
|---|---|
| Controller consent | Controller consented |
| Necessary for law enforcement | Prevention/detection of crime |
| Reasonable belief | Reasonably believed controller would consent |
| Testing effectiveness | Testing de-identification effectiveness with intent to inform controller |
Penalty
- Summary conviction: Fine
- Indictment: Unlimited fine
Processing for Re-identification [s.171(2)]
Also an offense to process personal data that is re-identified, knowing or being reckless as to whether it was re-identified in contravention of s.171(1).
Alteration of Records to Prevent Disclosure [s.173]
It is an offense for a person to alter, deface, block, erase, destroy, or conceal information:
- With intent to prevent disclosure under data subject access rights
- Likely to have been the subject of a request
Penalty
- Summary conviction: Fine
- Indictment: Unlimited fine
False Statements to Commissioner [s.144]
It is an offense to knowingly or recklessly make a false statement in response to:
- Information notice
- Assessment notice
- Enforcement notice
Penalty
- Summary conviction: Fine (maximum level 5)
Obstructing the Commissioner [s.196]
It is an offense to obstruct a person exercising powers under:
- Information notices
- Assessment notices
- Inspection warrants
Penalty
- Summary conviction: Fine
Director/Officer Liability [s.198]
Where an offense is committed by a body corporate with consent/connivance of an officer, or attributable to their neglect:
- The officer is also guilty of the offense
- Officers include directors, managers, company secretary, members (for LLPs)
Summary Table
| Offense | Section | Maximum Penalty |
|---|---|---|
| Unlawful obtaining | s.170 | Unlimited fine |
| Re-identification | s.171 | Unlimited fine |
| Altering records | s.173 | Unlimited fine |
| False statements | s.144 | Level 5 fine |
| Obstruction | s.196 | Fine |
Key Points
- No imprisonment — DPA 2018 offenses carry fines only, not custodial sentences
- Personal liability — Directors can be personally liable
- Public interest defense — Available for journalism and similar purposes
- ICO prosecution — Offenses are typically prosecuted by the ICO
- Unlimited fines — For serious offenses on indictment