The Data Protection Act 1998 makes it an offence to “knowingly or recklessly” obtain or disclose data. This makes the action of “data theft”, to be a criminal act.
Technically, the losses of data by the goverment, e.g. the 25 million records lost by the HMRC, could actually fall under this act as the loss was “reckless”. This is espeically true following the Poynter report into the incident which states that the data loss was entirely unavoidable.
55 Unlawful obtaining etc. of personal data
(1) A person must not knowingly or recklessly, without the consent of the data controller—
(a) obtain or disclose personal data or the information contained in personal data, or
(b) procure the disclosure to another person of the information contained in personal data.
(2) Subsection (1) does not apply to a person who shows—
(a) that the obtaining, disclosing or procuring—
(i) was necessary for the purpose of preventing or detecting crime, or
(ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court,
(b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,
(c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or
(d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.
(3) A person who contravenes subsection (1) is guilty of an offence.
(4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).
(5) A person who offers to sell personal data is guilty of an offence if—
(a) he has obtained the data in contravention of subsection (1), or
(b) he subsequently obtains the data in contravention of that subsection.
(6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.
(7) Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), “personal data” includes information extracted from personal data.
(8 ) References in this section to personal data do not include references to personal data which by virtue of section 28 are exempt from this section.