Main menu


+44 (0)151 600 3000


+44 (0)161 836 8800


+44 (0)1772 823 921

Search form

Search form


The Data Protection Bill – Criminal Offences

The Data Protection Bill – Criminal Offences
Wednesday 15th November 2017

There are just over 6 months left before the EU General Data Protection Regulation (GDPR) comes into force, and most businesses are now aware of the hefty administrative fines for breaching the new EU rules. However, the UK’s new Data Protection Bill (“the Bill”) also creates criminal offences for the UK, some of which exist neither in the current Data Protection Act 1998 (DPA) framework nor the GDPR.

Unlawful obtaining of personal data

Under the DPA, it is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal data without the consent of the data controller. It is also an offence to sell, or offer to sell, illegally obtained personal data. This offence is extended under the Bill to include the retention of personal data. Therefore, an innocent recipient of personal data (where, for example, the data was disclosed to them by mistake) will commit an offence by failing to delete or destroy that data.

Defences to this offence involve proving that the actions were necessary to detect or prevent crime, required or authorised by law or an order of the Courts, or justified as being in the public interest. It is also a defence to prove that the alleged offender reasonably believed that they either had a legal right to obtain, disclose, procure or retain the data, or that the controller would have given its consent if had known about the circumstances.

Re-identification of de-identified personal data

Personal data is “de-identified” if it has been processed in such a way that it can no longer be attributed to a specific data subject (such as through encryption, anonymisation or pseudonymisation). The Bill makes it an offence to “re-identify” such data (so that data subjects can again be identified from it) without the consent of the relevant controller, or to process personal data which has been unlawfully re-identified by someone else.

This new offence also has defences relating to the prevention or detection of crime, authorisation by law or by the Courts, and justification in the public interest. If an alleged offender can prove that they reasonably believed they were either the subject or the controller of the data, had the subject or controller’s consent, or would have had such consent if the subject or controller knew of the circumstances, they will also have a defence.

It has been suggested that this offence could be disastrous for some security researchers (sometimes known as “ethical hackers”), who routinely attempt to decrypt encrypted data for the purposes of testing and improving security systems. However, where a researcher is commissioned to test the security of a system in this way, they will likely benefit from the consent of the relevant controller. Even where such actions have not been commissioned or requested, it is conceivable that ethical hackers could rely on the defence of public interest. Alternatively, it may be that the controller would have consented had they known of the circumstances – businesses may even be grateful for researchers pointing out security vulnerabilities in their systems (provided those vulnerabilities are not exploited during the process). These defences are not clear cut, however, and it remains to be seen how such actions will be treated when the Bill comes into effect.

Preventing disclosure of personal data

The GDPR retains (and extends) the rights of data subjects to access their personal data. Where a data subject makes such a request (e.g. a subject access request or data portability request) and is entitled to receive the information requested, it will be an offence for the data controller (or its employees, officers or persons under its control) to alter, deface, block, erase, destroy or conceal that information with the intention of preventing its disclosure to the data subject.

It will be a defence to prove that the infringing actions would have occurred in the absence of the data subject’s request, or that the person altering (etc.) the information reasonably believed the requestor was not entitled to receive the information requested.

Prohibition on requiring relevant records

Under the Bill, it will be an offence for a person (P1) to require another person to provide P1 with health records or criminal records in connection with P1’s recruitment (or the continued employment) of an employee, or in connection with a contract for the provision of services to P1.

Where a person (P2) provides goods, services or facilities to the public (or a section of the public), it will also be an offence for P2 to require access to health or criminal records as a condition of providing those goods, services or facilities to any third party.

The wording of these offences is largely lifted from the DPA, but the existing rules relate only to criminal records (although some health records may benefit from protection in other legislation such as the Access to Medical Reports Act 1988).

Further offences and penalties

Under the DPA, it is currently a criminal offence for a controller to process personal data without first being registered with the Information Commissioner’s Office (ICO). Carried over from the Data Protection Act 1984, this offence may have been practicable 20 or 30 years ago but, with developments in technology and the increasing use of personal data, it has become a costly burden for many businesses. This offence is abolished in the GDPR and the Bill, and controllers will instead have an obligation to keep their own records and make them available to the ICO upon request.

It will be an offence under the Bill to intentionally obstruct the ICO’s inspection of personal data (where inspection is necessary for the ICO to comply with its obligations) or to fail without reasonable excuse to give such assistance as the ICO reasonably requires for such inspections. It will also be an offence to fail to comply with an information notice issued by the ICO, to knowingly or recklessly make a false statement in response to such a notice, or to interfere with the execution of a warrant obtained by the ICO in connection with a suspected data protection breach or offence.

Currently, there are no custodial sentences for the criminal offences under the Bill, which are all punishable (in England and Wales) by uncapped fines.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.