Search Legislation

Data Protection Act 2018

Changes over time for: Cross Heading: Offences relating to personal data

 Help about opening options

Version Superseded: 31/12/2020

Alternative versions:

Status:

Point in time view as at 02/12/2019.

Changes to legislation:

Data Protection Act 2018, Cross Heading: Offences relating to personal data is up to date with all changes known to be in force on or before 30 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.

Offences relating to personal dataU.K.

170Unlawful obtaining etc of personal dataU.K.

(1)It is an offence for a person knowingly or recklessly—

(a)to obtain or disclose personal data without the consent of the controller,

(b)to procure the disclosure of personal data to another person without the consent of the controller, or

(c)after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

(2)It is a defence for a person charged with an offence under subsection (1) to prove that the obtaining, disclosing, procuring or retaining—

(a)was necessary for the purposes of preventing or detecting crime,

(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or

(c)in the particular circumstances, was justified as being in the public interest.

(3)It is also a defence for a person charged with an offence under subsection (1) to prove that—

(a)the person acted in the reasonable belief that the person had a legal right to do the obtaining, disclosing, procuring or retaining,

(b)the person acted in the reasonable belief that the person would have had the consent of the controller if the controller had known about the obtaining, disclosing, procuring or retaining and the circumstances of it, or

(c)the person acted—

(i)for the special purposes,

(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and

(iii)in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.

(4)It is an offence for a person to sell personal data if the person obtained the data in circumstances in which an offence under subsection (1) was committed.

(5)It is an offence for a person to offer to sell personal data if the person—

(a)has obtained the data in circumstances in which an offence under subsection (1) was committed, or

(b)subsequently obtains the data in such circumstances.

(6)For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the data.

(7)In this section—

(a)references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the GDPR or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);

(b)where there is more than one controller, such references are references to the consent of one or more of them.

171Re-identification of de-identified personal dataU.K.

(1)It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.

(2)For the purposes of this section and section 172—

(a)personal data is “de-identified” if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject;

(b)a person “re-identifies” information if the person takes steps which result in the information no longer being de-identified within the meaning of paragraph (a).

(3)It is a defence for a person charged with an offence under subsection (1) to prove that the re-identification—

(a)was necessary for the purposes of preventing or detecting crime,

(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or

(c)in the particular circumstances, was justified as being in the public interest.

(4)It is also a defence for a person charged with an offence under subsection (1) to prove that—

(a)the person acted in the reasonable belief that the person—

(i)is the data subject to whom the information relates,

(ii)had the consent of that data subject, or

(iii)would have had such consent if the data subject had known about the re-identification and the circumstances of it,

(b)the person acted in the reasonable belief that the person—

(i)is the controller responsible for de-identifying the personal data,

(ii)had the consent of that controller, or

(iii)would have had such consent if that controller had known about the re-identification and the circumstances of it,

(c)the person acted—

(i)for the special purposes,

(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and

(iii)in the reasonable belief that in the particular circumstances the re-identification was justified as being in the public interest, or

(d)the effectiveness testing conditions were met (see section 172).

(5)It is an offence for a person knowingly or recklessly to process personal data that is information that has been re-identified where the person does so—

(a)without the consent of the controller responsible for de-identifying the personal data, and

(b)in circumstances in which the re-identification was an offence under subsection (1).

(6)It is a defence for a person charged with an offence under subsection (5) to prove that the processing—

(a)was necessary for the purposes of preventing or detecting crime,

(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or

(c)in the particular circumstances, was justified as being in the public interest.

(7)It is also a defence for a person charged with an offence under subsection (5) to prove that—

(a)the person acted in the reasonable belief that the processing was lawful,

(b)the person acted in the reasonable belief that the person—

(i)had the consent of the controller responsible for de-identifying the personal data, or

(ii)would have had such consent if that controller had known about the processing and the circumstances of it, or

(c)the person acted—

(i)for the special purposes,

(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and

(iii)in the reasonable belief that in the particular circumstances the processing was justified as being in the public interest.

(8)In this section—

(a)references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the GDPR or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);

(b)where there is more than one controller, such references are references to the consent of one or more of them.

172Re-identification: effectiveness testing conditionsU.K.

(1)For the purposes of section 171, in relation to a person who re-identifies information that is de-identified personal data, “the effectiveness testing conditions” means the conditions in subsections (2) and (3).

(2)The first condition is that the person acted—

(a)with a view to testing the effectiveness of the de-identification of personal data,

(b)without intending to cause, or threaten to cause, damage or distress to a person, and

(c)in the reasonable belief that, in the particular circumstances, re-identifying the information was justified as being in the public interest.

(3)The second condition is that the person notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification—

(a)without undue delay, and

(b)where feasible, not later than 72 hours after becoming aware of it.

(4)Where there is more than one controller responsible for de-identifying personal data, the requirement in subsection (3) is satisfied if one or more of them is notified.

173Alteration etc of personal data to prevent disclosure to data subjectU.K.

(1)Subsection (3) applies where—

(a)a request has been made in exercise of a data subject access right, and

(b)the person making the request would have been entitled to receive information in response to that request.

(2)In this section, “data subject access right” means a right under—

(a)Article 15 of the GDPR (right of access by the data subject);

(b)Article 20 of the GDPR (right to data portability);

(c)section 45 of this Act (law enforcement processing: right of access by the data subject);

(d)section 94 of this Act (intelligence services processing: right of access by the data subject).

(3)It is an offence for a person listed in subsection (4) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.

(4)Those persons are—

(a)the controller, and

(b)a person who is employed by the controller, an officer of the controller or subject to the direction of the controller.

(5)It is a defence for a person charged with an offence under subsection (3) to prove that—

(a)the alteration, defacing, blocking, erasure, destruction or concealment of the information would have occurred in the absence of a request made in exercise of a data subject access right, or

(b)the person acted in the reasonable belief that the person making the request was not entitled to receive the information in response to the request.

Back to top

Options/Help

Print Options

You have chosen to open The Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act as a PDF

The Whole Act you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open The Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act without Schedules as a PDF

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open the Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open the Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open Schedules only

The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Point in Time: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.

Close

See additional information alongside the content

Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.

Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Notes

Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

Timeline of Changes

This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.

Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources