Data Protection Act: Section 55

June 22, 2008 — 585

The Data Protection Act 1998 makes it an offence to “knowingly or recklessly” obtain or disclose data. This makes the action of “data theft”, to be a criminal act.

The Criminal Justice and Immigration Act 2008 makes two changes to this section of the DPA. The first increases the penalties for this offence, the second adds a defence for reasons of journalism.

Two recent cases of data theft are both relating to the police, they are available here and here.

Technically, the losses of data by the goverment, e.g. the 25 million records lost by the HMRC, could actually fall under this act as the loss was “reckless”. This is espeically true following the Poynter report into the incident which states that the data loss was entirely unavoidable.

55 Unlawful obtaining etc. of personal data

(1) A person must not knowingly or recklessly, without the consent of the data controller—

(a) obtain or disclose personal data or the information contained in personal data, or

(b) procure the disclosure to another person of the information contained in personal data.

(2) Subsection (1) does not apply to a person who shows—

(a) that the obtaining, disclosing or procuring—

(i) was necessary for the purpose of preventing or detecting crime, or

(ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court,

(b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,

(c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or

(d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.

(3) A person who contravenes subsection (1) is guilty of an offence.

(4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).

(5) A person who offers to sell personal data is guilty of an offence if—

(a) he has obtained the data in contravention of subsection (1), or

(b) he subsequently obtains the data in contravention of that subsection.

(6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

(7) Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), “personal data” includes information extracted from personal data.

(8 ) References in this section to personal data do not include references to personal data which by virtue of section 28 are exempt from this section.

Posted in Data Loss, Data Misuse, Data Protection Act. Tags: , , , . 10 Comments »

10 Responses to “Data Protection Act: Section 55”

  1. Police Officer Pleads Guilty to Breach of Data Protection Law « Data - Where is it? Says:
    June 22, 2008 at 9:00 pm

    […] Broom admitted three offences of breaching the Data Protection Act by obtaining personal information, and pleased guilty to putting a person in fear of violence by […]

    Reply
  2. Data Protection Act - 12 month Sentance « Data - Where is it? Says:
    June 22, 2008 at 9:01 pm

    […] or recklessly disclosing personal data without the consent of the data controller contrary to section 55 of the Data Protection Act. He was sentenced to a 12-month conditional discharge and made to pay £1,340 costs. While he was […]

    Reply
  3. Increase in sentance for data theft « Data - Where is it? Says:
    June 26, 2008 at 6:36 am

    […] powers to increase the sentance for anyone found guilty of “data theft”, as defined by Section 55 of the Data Protection Act 1998. To further increase the sentance the Home Secretary (Secretary of […]

    Reply
  4. Defence Against Data Theft « Data - Where is it? Says:
    June 26, 2008 at 6:43 am

    […] Act 2008 creates a new defence against data breaches/data theft, which is an offence under Section 55 of the Data Protection Act […]

    Reply
  5. Report into Disc Loss « Data - Where is it? Says:
    June 26, 2008 at 7:05 am

    […] the loss was “reckless” then this would be an offence under Section 55 of the Data Protection Act, which since May 2008 has had increased sentacing […]

    Reply
  6. Virgin loses bank details « Data - Where is it? Says:
    June 26, 2008 at 7:09 am

    […] the Section 55 of the Data Protection Act this can be considered an criminal […]

    Reply
  7. Law: Data Protection Act Section Excemptions « Data - Where is it? Says:
    March 2, 2009 at 11:48 am

    […] data is no longer guarded under the data protection principles, Parts II, III and V of the act, or section 55 of the data protection act. The exemption to Section 55 is the most interesting exemption as this section makes it an offence […]

    Reply
  8. Data Theft: Parliment « Data – Where is it? Says:
    May 9, 2009 at 10:05 am

    […] reason is that Section 55 of the data protection act, which effectively criminalizes data “theft” [strictly […]

    Reply
  9. Data Theft – T-Mobile 2nd Conviction « Where is Your Data? Says:
    November 28, 2010 at 3:36 pm

    […] Hames was found guilty under Section 55 of the Data Protection Act. Sentancing will not occur until the New Year […]

    Reply
  10. OFT warns debt collectors not to use social networking to contact debtors | AspenIT.co.uk | Computing & Technology News Says:
    October 19, 2011 at 11:04 pm

    […] certainly appears that it could be a breach of Section 55 of the DPA which states that companies have to keep people’s personal information safe. The legality of […]

    Reply

Leave a comment

«

»