- Latest available (Revised)
- Point in Time (02/12/2019)
- Original (As enacted)
Version Superseded: 31/12/2020
Point in time view as at 02/12/2019.
Data Protection Act 2018, Cross Heading: Offences relating to personal data is up to date with all changes known to be in force on or before 30 November 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.
(1)It is an offence for a person knowingly or recklessly—
(a)to obtain or disclose personal data without the consent of the controller,
(b)to procure the disclosure of personal data to another person without the consent of the controller, or
(c)after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
(2)It is a defence for a person charged with an offence under subsection (1) to prove that the obtaining, disclosing, procuring or retaining—
(a)was necessary for the purposes of preventing or detecting crime,
(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
(c)in the particular circumstances, was justified as being in the public interest.
(3)It is also a defence for a person charged with an offence under subsection (1) to prove that—
(a)the person acted in the reasonable belief that the person had a legal right to do the obtaining, disclosing, procuring or retaining,
(b)the person acted in the reasonable belief that the person would have had the consent of the controller if the controller had known about the obtaining, disclosing, procuring or retaining and the circumstances of it, or
(c)the person acted—
(i)for the special purposes,
(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and
(iii)in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.
(4)It is an offence for a person to sell personal data if the person obtained the data in circumstances in which an offence under subsection (1) was committed.
(5)It is an offence for a person to offer to sell personal data if the person—
(a)has obtained the data in circumstances in which an offence under subsection (1) was committed, or
(b)subsequently obtains the data in such circumstances.
(6)For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the data.
(7)In this section—
(a)references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the GDPR or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);
(b)where there is more than one controller, such references are references to the consent of one or more of them.
(1)It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.
(2)For the purposes of this section and section 172—
(a)personal data is “de-identified” if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject;
(b)a person “re-identifies” information if the person takes steps which result in the information no longer being de-identified within the meaning of paragraph (a).
(3)It is a defence for a person charged with an offence under subsection (1) to prove that the re-identification—
(a)was necessary for the purposes of preventing or detecting crime,
(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
(c)in the particular circumstances, was justified as being in the public interest.
(4)It is also a defence for a person charged with an offence under subsection (1) to prove that—
(a)the person acted in the reasonable belief that the person—
(i)is the data subject to whom the information relates,
(ii)had the consent of that data subject, or
(iii)would have had such consent if the data subject had known about the re-identification and the circumstances of it,
(b)the person acted in the reasonable belief that the person—
(i)is the controller responsible for de-identifying the personal data,
(ii)had the consent of that controller, or
(iii)would have had such consent if that controller had known about the re-identification and the circumstances of it,
(c)the person acted—
(i)for the special purposes,
(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and
(iii)in the reasonable belief that in the particular circumstances the re-identification was justified as being in the public interest, or
(d)the effectiveness testing conditions were met (see section 172).
(5)It is an offence for a person knowingly or recklessly to process personal data that is information that has been re-identified where the person does so—
(a)without the consent of the controller responsible for de-identifying the personal data, and
(b)in circumstances in which the re-identification was an offence under subsection (1).
(6)It is a defence for a person charged with an offence under subsection (5) to prove that the processing—
(a)was necessary for the purposes of preventing or detecting crime,
(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
(c)in the particular circumstances, was justified as being in the public interest.
(7)It is also a defence for a person charged with an offence under subsection (5) to prove that—
(a)the person acted in the reasonable belief that the processing was lawful,
(b)the person acted in the reasonable belief that the person—
(i)had the consent of the controller responsible for de-identifying the personal data, or
(ii)would have had such consent if that controller had known about the processing and the circumstances of it, or
(c)the person acted—
(i)for the special purposes,
(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and
(iii)in the reasonable belief that in the particular circumstances the processing was justified as being in the public interest.
(8)In this section—
(a)references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the GDPR or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);
(b)where there is more than one controller, such references are references to the consent of one or more of them.
(1)For the purposes of section 171, in relation to a person who re-identifies information that is de-identified personal data, “the effectiveness testing conditions” means the conditions in subsections (2) and (3).
(2)The first condition is that the person acted—
(a)with a view to testing the effectiveness of the de-identification of personal data,
(b)without intending to cause, or threaten to cause, damage or distress to a person, and
(c)in the reasonable belief that, in the particular circumstances, re-identifying the information was justified as being in the public interest.
(3)The second condition is that the person notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification—
(a)without undue delay, and
(b)where feasible, not later than 72 hours after becoming aware of it.
(4)Where there is more than one controller responsible for de-identifying personal data, the requirement in subsection (3) is satisfied if one or more of them is notified.
(1)Subsection (3) applies where—
(a)a request has been made in exercise of a data subject access right, and
(b)the person making the request would have been entitled to receive information in response to that request.
(2)In this section, “data subject access right” means a right under—
(a)Article 15 of the GDPR (right of access by the data subject);
(b)Article 20 of the GDPR (right to data portability);
(c)section 45 of this Act (law enforcement processing: right of access by the data subject);
(d)section 94 of this Act (intelligence services processing: right of access by the data subject).
(3)It is an offence for a person listed in subsection (4) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.
(4)Those persons are—
(a)the controller, and
(b)a person who is employed by the controller, an officer of the controller or subject to the direction of the controller.
(5)It is a defence for a person charged with an offence under subsection (3) to prove that—
(a)the alteration, defacing, blocking, erasure, destruction or concealment of the information would have occurred in the absence of a request made in exercise of a data subject access right, or
(b)the person acted in the reasonable belief that the person making the request was not entitled to receive the information in response to the request.
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Point in Time: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: