Data Protection Act 2018

Offences relating to personal data

170Unlawful obtaining etc of personal data

(1)It is an offence for a person knowingly or recklessly—

(a)to obtain or disclose personal data without the consent of the controller,

(b)to procure the disclosure of personal data to another person without the consent of the controller, or

(c)after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

(2)It is a defence for a person charged with an offence under subsection (1) to prove that the obtaining, disclosing, procuring or retaining—

(a)was necessary for the purposes of preventing or detecting crime,

(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or

(c)in the particular circumstances, was justified as being in the public interest.

(3)It is also a defence for a person charged with an offence under subsection (1) to prove that—

(a)the person acted in the reasonable belief that the person had a legal right to do the obtaining, disclosing, procuring or retaining,

(b)the person acted in the reasonable belief that the person would have had the consent of the controller if the controller had known about the obtaining, disclosing, procuring or retaining and the circumstances of it, or

(c)the person acted—

(i)for the special purposes,

(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and

(iii)in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.

(4)It is an offence for a person to sell personal data if the person obtained the data in circumstances in which an offence under subsection (1) was committed.

(5)It is an offence for a person to offer to sell personal data if the person—

(a)has obtained the data in circumstances in which an offence under subsection (1) was committed, or

(b)subsequently obtains the data in such circumstances.

(6)For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the data.

(7)In this section—

(a)references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the GDPR or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);

(b)where there is more than one controller, such references are references to the consent of one or more of them.

171Re-identification of de-identified personal data

(1)It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.

(2)For the purposes of this section and section 172—

(a)personal data is “de-identified” if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject;

(b)a person “re-identifies” information if the person takes steps which result in the information no longer being de-identified within the meaning of paragraph (a).

(3)It is a defence for a person charged with an offence under subsection (1) to prove that the re-identification—

(a)was necessary for the purposes of preventing or detecting crime,

(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or

(c)in the particular circumstances, was justified as being in the public interest.

(4)It is also a defence for a person charged with an offence under subsection (1) to prove that—

(a)the person acted in the reasonable belief that the person—

(i)is the data subject to whom the information relates,

(ii)had the consent of that data subject, or

(iii)would have had such consent if the data subject had known about the re-identification and the circumstances of it,

(b)the person acted in the reasonable belief that the person—

(i)is the controller responsible for de-identifying the personal data,

(ii)had the consent of that controller, or

(iii)would have had such consent if that controller had known about the re-identification and the circumstances of it,

(c)the person acted—

(i)for the special purposes,

(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and

(iii)in the reasonable belief that in the particular circumstances the re-identification was justified as being in the public interest, or

(d)the effectiveness testing conditions were met (see section 172).

(5)It is an offence for a person knowingly or recklessly to process personal data that is information that has been re-identified where the person does so—

(a)without the consent of the controller responsible for de-identifying the personal data, and

(b)in circumstances in which the re-identification was an offence under subsection (1).

(6)It is a defence for a person charged with an offence under subsection (5) to prove that the processing—

(a)was necessary for the purposes of preventing or detecting crime,

(b)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or

(c)in the particular circumstances, was justified as being in the public interest.

(7)It is also a defence for a person charged with an offence under subsection (5) to prove that—

(a)the person acted in the reasonable belief that the processing was lawful,

(b)the person acted in the reasonable belief that the person—

(i)had the consent of the controller responsible for de-identifying the personal data, or

(ii)would have had such consent if that controller had known about the processing and the circumstances of it, or

(c)the person acted—

(i)for the special purposes,

(ii)with a view to the publication by a person of any journalistic, academic, artistic or literary material, and

(iii)in the reasonable belief that in the particular circumstances the processing was justified as being in the public interest.

(8)In this section—

(a)references to the consent of a controller do not include the consent of a person who is a controller by virtue of Article 28(10) of the GDPR or section 59(8) or 105(3) of this Act (processor to be treated as controller in certain circumstances);

(b)where there is more than one controller, such references are references to the consent of one or more of them.

172Re-identification: effectiveness testing conditions

(1)For the purposes of section 171, in relation to a person who re-identifies information that is de-identified personal data, “the effectiveness testing conditions” means the conditions in subsections (2) and (3).

(2)The first condition is that the person acted—

(a)with a view to testing the effectiveness of the de-identification of personal data,

(b)without intending to cause, or threaten to cause, damage or distress to a person, and

(c)in the reasonable belief that, in the particular circumstances, re-identifying the information was justified as being in the public interest.

(3)The second condition is that the person notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification—

(a)without undue delay, and

(b)where feasible, not later than 72 hours after becoming aware of it.

(4)Where there is more than one controller responsible for de-identifying personal data, the requirement in subsection (3) is satisfied if one or more of them is notified.

173Alteration etc of personal data to prevent disclosure to data subject

(1)Subsection (3) applies where—

(a)a request has been made in exercise of a data subject access right, and

(b)the person making the request would have been entitled to receive information in response to that request.

(2)In this section, “data subject access right” means a right under—

(a)Article 15 of the GDPR (right of access by the data subject);

(b)Article 20 of the GDPR (right to data portability);

(c)section 45 of this Act (law enforcement processing: right of access by the data subject);

(d)section 94 of this Act (intelligence services processing: right of access by the data subject).

(3)It is an offence for a person listed in subsection (4) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.

(4)Those persons are—

(a)the controller, and

(b)a person who is employed by the controller, an officer of the controller or subject to the direction of the controller.

(5)It is a defence for a person charged with an offence under subsection (3) to prove that—

(a)the alteration, defacing, blocking, erasure, destruction or concealment of the information would have occurred in the absence of a request made in exercise of a data subject access right, or

(b)the person acted in the reasonable belief that the person making the request was not entitled to receive the information in response to the request.