Important criminal offences under the Data Protection Act 2018 | Xcina

Important criminal offences under the Data Protection Act 2018

Risk Management Consultancy

The UK’s Data Protection Act 2018 (DPA 2018 or ‘the Act’) sits alongside and supplements the UK GDPR – for example, it provides exemptions to data subject rights requests and lists the substantial public interest conditions for processing special categories of personal data.

One other area of significance that the DPA 2018 details is that of criminal offences. This blog post will provide an overview of the key criminal offences that organisations (and individuals) should be aware of and the practical steps that are required to achieve a defensible position.

Criminal offenceWhat this meansWhat you should do

Unlawful obtaining etc of personal data:

Section 170 of the Act criminalises the deliberate or reckless obtaining, disclosing, procuring disclosure

to another and retention of personal data without the consent of the data controller

The data controller is the organisation that determines the ‘why’ and the ‘how’ of the personal data processing. This provision criminalises the act of obtaining or disclosing personal data without the data controller’s permission and is commonly used to prosecute individuals who have accessed health and care data without a legitimate reason.

· Train staff to make them aware of their data protection obligations. This includes ensuring that information is not accessed inappropriately and without a legitimate reason.

· Ensure your business has a robust ‘joiners and leavers’ process so that staff who are leaving return all their hardware information assets and erase or return any personal information they no longer need to retain (even if it was obtained lawfully).

· Introduce access controls so the information cannot be copied onto removable media or retrieved without prior authorisation.

Prohibition of requirement to produce relevant records:

Section 184 makes it an offence for an employer to require employees or contractors to provide certain records obtained via subject access requests as a condition of their employment or contract

This provision would apply if an employer compelled a prospective employee to provide a record of their health data as a requirement for employment. Such conduct may give the employer access to records which they would not otherwise have been entitled. There are established legal routes for employers to carry out background checks, which do not rely on them obtaining information via subject access requests.

· Establish and implement a Subject Access Request Policy and Procedure. This should detail the implications of Section 184 and emphasise that employers are not allowed to force a prospective employee to obtain certain records as a condition of their employment.

· HR staff and all recruiting managers should be made aware of how to conduct criminal record checks and occupational health checks in a manner that is compliant with data protection law. Existing processes may need to be mapped in order to identify gaps and areas of noncompliance.

Re-identification of de-identified personal data:

Section 171 creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller who de-identified the data

This offence was created in response to concerns made by the late Dame Fiona Caldicott, National Data Guardian for health and care, about the security of de-identified data held in online files (such as patient data). ‘De-identification’ in this context can relate to information that has been redacted to remove or conceal personal data.

· If data has been obtained in a de-identified format, it should not be ‘re-identified’ without a legitimate reason and only after consultation with both the relevant organisation’s Data Protection Officer and, if required, the Information Commissioner’s Office (ICO).

· Staff who are likely to receive information in a de-identified format, such as departments that obtain market research data, should be made aware of Section 171 and its implications.

· In most cases, the ability to ‘re-identify’ data will depend on whether sperate datasets can be matched (also known as ‘jigsaw identification’). The ICO considers this processing activity as ‘high-risk’ and therefore will require the completion of a Data Protection Impact Assessment to assess necessity and proportionality.

Alteration etc of personal data to prevent disclosure to data subject:

Section 173 makes it a criminal offence for organisations to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure following the

exercise of a subject access right

It is not uncommon for a business to receive a long and complex subject access request from a disgruntled employee. The request may include access to copies of emails containing their personal data that were sent to and received from all employees of the business. In some cases, an exemption can be applied or it may be argued that the request is ‘excessive’ in nature and requires extra time to process. However, even after narrowing the scope, it is likely that copies of email will have to be disclosed (some of which may paint the employer in a negative light). This provision prevents employees from knowingly deleting such information in order to prevent its disclosure.

· Section 173 should be communicated to all employees during their induction training as it can significantly influence behaviours in the workplace (i.e. staff being more mindful when sending emails and discussing other employees).

· This should also be articulated in the organisation’s Subject Access Requests Policy and Procedure as well as the Acceptable Use Policy.

· It may be possible to eliminate the risk of this criminal offence by granting the organisation’s Data Protection Team the ability to independently access personal data stores and extract the necessary information. However, this can only be legitimately carried out by considering transparency, fairness and carrying out a Data Protection Impact Assessment.

It is important to note that offenders of the Act can be fined an unlimited amount by the Crown Court. Employees of an organisation should therefore consider data protection as a personal responsibility and not just a business one.

If you require advice and support on how to comply with the principles for processing personal data under the UK GDPR and the DPA 2018, please contact our Data Protection Team at Xcina Consulting. We provide our clients with pragmatic advice and guidance to ensure they achieve a robust and defensible position. For more information contact us at

Subscribe to Updates

Receive regular updates from our expert consultants as they provide clarification and guidance on issues impacting your organisation.

Subscribe >>