The Data Protection Act 2018: new criminal offences for data breaches

The Data Protection Act 2018 (“the Act”) repeals and replaces the UK’s existing data protection laws to keep them up to date for the digital age to ensure that United Kingdom “retains its world-class regime protecting personal data”. It sets new standards for protecting personal data, in accordance with the General Data Protection Regulation (“GDPR”) , the directly effective EU regulation which came into force on 25 May 2018. (See our related blogs ).

It also includes a number of provisions relating to processing of personal data by police and criminal justice agencies as it implements the related Law Enforcement Directive extending its provisions to cover national as well as trans-national data sharing. (See our related blog)

Changing the regulatory environment

GDPR changes the regulatory environment and gives the Information Commissioner’s Office (“ICO”) the power to impose eye watering fines for those in breach. (See our related blog)

The Act deals with elements of the regulatory framework not covered by GDPR, and sets out the specific criminal offences relating to data protection. There is some continuity with the existing regime governed by the Data Protection Act 1998 (“DPA 1998”) but new offences have also been introduced onto the statute book.

This article considers the changes to data protection offences, an increased appetite to prosecute and penalise offenders and the critical importance of the broader criminal context in understanding these specific offences.

Something Old, Something New…

Many of the criminal offences build on or update parts of the DPA 1998:

Access and Disclosure Offences

• Section 170 of the Act builds on s.55 DPA 1998 which criminalised knowingly or recklessly obtaining, disclosing or procuring personal data without the consent of the data controller, and the sale or offering for sale of that data. The provision was most typically/commonly used to prosecute those who had accessed healthcare and financial records without a legitimate reason. This adds the offence of knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data controller;
  
• Section 184 relates to Subject Access Requests and builds on s.56 DPA 1998. It is designed to prevent organisations from trying to use Subject Access Requests as background checks. It creates the offence of requiring relevant records (a record relating to health, convictions or cautions, or statutory functions), as a requirement for employment or a contract for the provision of services. Organisations are expected to run the necessary background checks without compelling people to obtain and disclose their personal data.

• Section 144 replicates s.47 (2) DPA 1998 in criminalising the provision of false statements in response to an information notice (a demand from the ICO to produce information within a certain timeframe);
  
• Paragraph 15 of Schedule 15 criminalises obstructing a warrant or making a false statement in response to a request for information pursuant to a warrant, replicating paragraph 12 of Schedule 9 DPA 1998.

• Section 119 is described as a ‘future-proofed’ version of s.54A DPA 1998, a provision that criminalises obstructing the ICO’s inspection of European information systems;
  
• Section 132 is set to replace s.59 DPA 1998, criminalising action by former or current ICO staff to unlawfully disclose data obtained during the course of their duties.

The two new offences which are introduced address specific concerns relating to the operation of existing data protection regime:

• Following a recommendation by Dame Fiona Caldicott, the National Data Guardian for Health and Care, section 171 criminalises the re-identification of personal data that has been ‘de-identified’ (de-identification being a process - such as redactions - to remove/conceal personal data);

• Section 173 relates to the processing of requests for data from individuals for their personal data, and makes it a criminal offence for organisations to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure. It builds on an offence under the Freedom of Information Act 2000.

Liability and Sentencing

The Act empowers prosecutors to proceed against individuals, body corporates and those associated with them. Directors are put in the spotlight as Section 198 (which is intended to have the same effect as s.61 DPA 1998), provides that where an offence has been committed by a body corporate with the consent or connivance of an officer (or a person purporting to act in that capacity) then both the body corporate and the relevant person are liable to prosecution. (See our related blog)

Despite suggestions made during the passage of the Bill that certain offences under the DPA might be punished by imprisonment, the Act preserves the status quo ante of financial penalties only. The Crown Court may impose unlimited fines, a power extended to the Magistrates’ Courts since 13 March 2015. There is little authority on the appropriate level of fines for such offences, beyond the general guidelines on the relevance of defendants’ means and ability to pay. Though this may be addressed in future following the recent Sentencing Council consultation which proposes a draft general sentencing guideline for use where there is no offence specific guideline which includes data protection offences. Most cases brought by the ICO under s.55 DPA have been resolved in the Magistrates’ Court with fines in the hundreds or low thousands of pounds.

However, there is an appetite in the senior courts for increasingly significant fines of five and six figures. For corporate offenders, the sentencing court will expect detailed financial statements covering a five year period to be provided.

The new landscape

It is important not to put the ‘data blinkers’ on when assessing whether conduct connected to obtaining, retaining and processing data is criminal. Data is a valuable commodity and obtaining and misusing it may attract criminal liability outside of the data protection legislation. For example, the case of R v Hill and others started life as a conspiracy to defraud (guilty pleas being offered to DPA 1998 offences) and several private detectives were successfully prosecuted for a similar conspiracy in the aftermath of the 2011 phone hacking scandal.

That data protection prosecutions can only be brought by the ICO obviously precludes the typical path of a criminal investigation from police to Crown Prosecution Service (“CPS”). Even if the CPS was empowered to act, the limited sentencing powers would likely tempt prosecutors to seek alternative charges. As well as conspiracy to defraud, one can envisage Fraud by False Representation and Computer Misuse Act offences being applicable where data has been obtained by deception or electronically.

Conclusion

Whilst the regulatory framework provided by GDPR has understandably garnered significant attention, GDPR must be read alongside the Act to understand how the data protection landscape is changing.

In the criminal context in particular there is also a need to look back upon existing legislation to understand how it will be applied to the use and misuse of personal data.

Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.