Data Protection offences

Quick Overview

Data Protection Act 2018 — Key Facts

The Data Protection Act 2018, alongside the UK GDPR, creates a number of specific criminal offences beyond the civil regulatory regime. Prosecutions are typically brought by the ICO and most commonly target individuals who access or share personal data outside the scope of their authorised role.

  • Section 170 — Unlawful Obtaining: It is a criminal offence to knowingly or recklessly obtain, disclose, or procure the disclosure of personal data without the consent of the data controller.
  • Unlawful Retention: It is an offence to retain personal data without consent, even where it was originally obtained through lawful means.
  • Section 171 — Re-identification: It is a criminal offence to de-anonymise or re-identify personal data that has been anonymised or redacted.
  • Unlimited Fines: Most criminal offences under the DPA 2018 carry an unlimited fine and result in a permanent criminal record.
  • Obstruction and False Statements: Obstructing an ICO inspection or making false statements in response to an information notice are separate criminal offences.
Full article below

Under investigation?

Facing a charge for Public Order offence

Speak to a specialist criminal defence solicitor immediately. Early legal advice is critical when facing investigation or potential charges.

Speak to a Solicitor Now 0161 383 8855 Get My Free Case Review
"Being investigated does not guarantee a charge. Early intervention is often the difference between a conviction and a dropped case."
Confidential
No obligation
SRA regulated
In this article

Criminal Offences under the Data Protection Act 2018

The Data Protection Act 2018 (DPA 2018), which operates alongside the UK General Data Protection Regulation (UK GDPR), establishes the framework for the lawful handling of personal data in the United Kingdom. Beyond the civil regulatory regime — which includes fines imposed by the Information Commissioner's Office (ICO) — the Act creates a number of specific criminal offences that can result in prosecution, an unlimited fine, and a permanent criminal record.

Prosecutions under the DPA 2018 are typically brought by the ICO. They most commonly target individuals, including employees and former employees, who access or share personal data outside the scope of their authorised role.

Section 170 — Unlawful Obtaining and Disclosure

Section 170 is the most frequently prosecuted provision of the Act. It makes it a criminal offence to knowingly or recklessly obtain, disclose, or procure the disclosure of personal data without the consent of the data controller. This offence is commonly committed by employees who access records beyond the scope of their role, or by former employees who retain data after leaving an organisation.

The prosecution must prove that the defendant knew, or was reckless as to whether, the obtaining or disclosure was without the data controller's consent. A genuine and reasonable belief in authorisation may provide a basis for defence.

The Retention Offence

The DPA 2018 provides that retaining personal data without consent is itself an offence, even where that data was originally obtained through lawful means. A person who receives data for a specific purpose — for example, in the course of a project — and who continues to hold it after that purpose has ended, or after consent has been withdrawn by the data controller, may face criminal liability.

Section 171 — Re-identification of Personal Data

Section 171 targets the de-anonymisation or re-identification of personal data that has been anonymised or redacted. This offence commonly arises in data scraping scenarios, or where software is used to reconstruct or bypass redaction applied to legal, medical, or other disclosed documents. It is not a defence that the data was already in the public domain in anonymised form.

Other Regulatory Offences

The DPA 2018 also creates offences related to interference with the ICO's enforcement functions:

  • Section 119: Obstructing the Commissioner in the exercise of powers to inspect data in connection with international obligations.
  • Section 148: Destroying or falsifying information or documents that have been requested by the ICO.
  • Section 173: Altering personal data with the intention of preventing its disclosure to the data subject following a Subject Access Request.
  • Section 184: Requiring a person to produce certain records as a condition of employment or the provision of a service, where there is no lawful basis for doing so.

Consequences of Conviction

The criminal offences under the DPA 2018 do not carry custodial sentences as the primary penalty. However, a conviction results in an unlimited fine and a permanent criminal record. For professionals in regulated sectors — including financial services, healthcare, and legal services — a conviction may trigger disciplinary proceedings by the relevant professional body and can affect a person's ability to satisfy fitness and propriety requirements.

What to Do if You Are Under Investigation

If you have been contacted by the ICO, received an information notice, or are under investigation for a data protection offence, seek specialist legal advice immediately. Do not respond to an information notice or attend any interview without a solicitor present. The ICO has significant investigative powers, and early legal advice can be decisive in determining how the investigation develops.

Related Advice
Regulatory Law
Get in touch

Talk to us today.
No obligation.

Whether you've been arrested, received a police letter, or are currently under investigation — the earlier you speak to us, the more we can do. All enquiries are strictly confidential.

Phone 0161 383 8855
Email admin@lostocklegal.com
Address Office 6, First Floor, St Thomas House,
18 St Thomas Road, Chorley PR7 1HR
Strictly confidential
No obligation
SRA regulated

Send us a message

We'll respond within 2 hours during business hours


Strictly confidential  ·  SRA regulated  ·  No obligation

Client reviews

What our clients say

5.0
★★★★★
Verified Google Reviews
★★★★★

Amazing guys. Incredibly professional, very helpful in answering all my questions and got the verdict we wanted.

UN
Uwais Nagouda
July 2024 · Google · Verified
★★★★★

Thanks to Alex and his team I've managed to keep my driving licence. Complex case, made it straightforward.

IA
Imtiaz Ali
June 2024 · Google · Verified
★★★★★

I've been using Alex for years, always goes above and beyond. Very knowledgeable and very good at what he does.

KA
Kevin Aspinall
Sept 2024 · Google · Verified
★★★★★

Exceptional service from start to finish. Alex kept me informed at every stage and achieved a brilliant result.

SB
Sarah Birchall
Oct 2024 · Google · Verified
★★★★★

Would not hesitate to recommend. Took the time to explain everything clearly and fought hard for the right outcome.

MH
Mohammed Hussain
Nov 2024 · Google · Verified
★★★★★

Incredibly reassuring during an incredibly stressful time. Professional, discreet, and delivered exactly what they promised.

JT
James Turner
Dec 2024 · Google · Verified
Common questions

Data Protection FAQ

Can an employee be prosecuted personally?
Yes. Section 170 most commonly targets individuals rather than organisations. Employees and former employees who access or share data outside their authorised role face personal prosecution and a criminal record.
Is believing you were authorised a defence?
A genuine and reasonable belief in authorisation can provide a basis for defence to a Section 170 charge. Whether it succeeds depends on the specific facts and circumstances.
Does a data protection conviction go on my criminal record?
Yes. A conviction under the DPA 2018 results in a permanent criminal record, which may need to be declared for certain roles and can affect fitness and propriety assessments in regulated sectors.
What should I do if I receive an ICO information notice?
Do not respond without legal advice. Failing to comply with an information notice, or making a false statement in response to one, is itself a separate criminal offence.
Regulatory

Data Protection offences

Facing this allegation is serious — and often unexpected. Early specialist advice makes all the difference to the outcome.

Quick Overview
Data Protection Act 2018 — Key Facts

The DPA 2018 creates specific criminal offences beyond the civil regulatory regime. Prosecutions are typically brought by the ICO and most commonly target individuals who access or share personal data outside the scope of their authorised role.

  • Section 170 — Unlawful ObtainingIt is a criminal offence to knowingly or recklessly obtain, disclose, or procure the disclosure of personal data without the consent of the data controller.
  • Unlawful RetentionIt is an offence to retain personal data without consent, even where it was originally obtained through lawful means.
  • Section 171 — Re-identificationIt is a criminal offence to de-anonymise or re-identify personal data that has been anonymised or redacted.
  • Unlimited FinesMost criminal offences under the DPA 2018 carry an unlimited fine and result in a permanent criminal record.
  • ObstructionObstructing an ICO inspection or making false statements in response to an information notice are separate criminal offences.
Full article below ↓
📞 Call 0161 383 8855 ✉ Email Us

Criminal Offences Under the DPA 2018

The Data Protection Act 2018 operates alongside the UK GDPR and creates a number of specific criminal offences. Beyond the civil regulatory regime — which includes fines imposed by the Information Commissioner's Office (ICO) — these offences can result in prosecution, an unlimited fine, and a permanent criminal record.

Prosecutions are typically brought by the ICO and most commonly target individuals, including employees and former employees, who access or share personal data outside the scope of their authorised role.

Section 170 — Unlawful Obtaining and Disclosure

Section 170 is the most frequently prosecuted provision. It makes it a criminal offence to knowingly or recklessly obtain, disclose, or procure the disclosure of personal data without the consent of the data controller. This offence is commonly committed by employees who access records beyond the scope of their role, or by former employees who retain data after leaving an organisation.

The prosecution must prove that the defendant knew, or was reckless as to whether, the obtaining or disclosure was without the data controller's consent. A genuine and reasonable belief in authorisation may provide a basis for defence.

The Retention Offence

Retaining personal data without consent is itself an offence, even where that data was originally obtained through lawful means. A person who continues to hold data after the purpose for which it was provided has ended, or after consent has been withdrawn, may face criminal liability.

Section 171 — Re-identification

Section 171 targets the de-anonymisation or re-identification of personal data that has been anonymised or redacted. This offence commonly arises in data scraping scenarios, or where software is used to reconstruct or bypass redaction. It is not a defence that the data was already in the public domain in anonymised form.

"The ICO has significant investigative powers. Do not respond to an information notice or attend any interview without a solicitor present."

— Lostock Legal Solicitors

Other Regulatory Offences

  • Section 119: Obstructing the Commissioner in the exercise of inspection powers.
  • Section 148: Destroying or falsifying information or documents requested by the ICO.
  • Section 173: Altering personal data to prevent its disclosure following a Subject Access Request.
  • Section 184: Requiring a person to produce certain records as a condition of employment without lawful basis.
Under investigation by the ICO?
Don't respond without advice.

The ICO has significant investigative powers. Early legal advice can be decisive in determining how the investigation develops.

Call Now — 0161 383 8855
Or email for a confidential review

Consequences of Conviction

A conviction results in an unlimited fine and a permanent criminal record. For professionals in regulated sectors — including financial services, healthcare, and legal services — a conviction may trigger disciplinary proceedings and can affect fitness and propriety requirements.

What to Do if You Are Under Investigation

If you have been contacted by the ICO, received an information notice, or are under investigation for a data protection offence, seek specialist legal advice immediately. Do not respond to an information notice or attend any interview without a solicitor present.

Get in touch

Speak to a specialist

Data protection defence · SRA regulated


🔒 Strictly confidential · 24/7 Response within 2 hours

Common questions

Data Protection FAQ

Yes. Section 170 most commonly targets individuals rather than organisations. Employees and former employees who access or share data outside their authorised role face personal prosecution and a criminal record.

A genuine and reasonable belief in authorisation can provide a basis for defence to a Section 170 charge. Whether it succeeds depends on the specific facts and circumstances.

Yes. A conviction under the DPA 2018 results in a permanent criminal record, which may need to be declared for certain roles and can affect fitness and propriety assessments in regulated sectors.

Do not respond without legal advice. Failing to comply with an information notice, or making a false statement in response to one, is itself a separate criminal offence.

📞 Call Now ✉ Free Consultation