Offences under the Data Protection Act 1998 and other related Acts
Contents
1. Introduction
2. The Offences
3. Penalties under the Data Protection Act
4. The Computer Misuse Act 1990
5. The Copyright, Designs and Patents Act 1988
1. Introduction
The University (as a data controller), students and staff are required to comply with the Data Protection Act 1998 ("the Act").
The Act creates a number of criminal offences. These include:
- Offences related to notification;
- Enforced subject access;
- Obtaining and disclosing offences;
- Procuring and selling offences;
- Other offences.
The Act will impose personal liability on individuals if the University commits an offence attributable to their consent or neglect.
2. The Offences
2.1 Offences related to notification
- The University is a data controller which has registered with the Information Commissioner. It would be an offence for the University to process personal data without notifying the Commissioner of its use of personal data as required by the Act.
- Notification also serves the data subject: the data subject must be able to learn the identity of the data controller and the intended purposes for which the data are processed.
2.2 Enforced subject access (s.56(5) of the Act)
Unless one of the limited exemptions applies (e.g. the Rehabilitation of Offenders Act 1974 and/or the requirements set out in the University's Guidelines for students on Disclosure and Guidelines on employing people with a criminal record), it is an offence under the Act if a person connected with:
- the recruitment of another person as an employee;
- the continued employment of another person; or
- any contract for the provision of services to him by another person,
requires, as a precondition, the data subject or a third party to supply or produce personal data in the form of a "relevant record" (e.g. records of cautions, criminal convictions and certain social security records relating to the data subject).
2.3 Unlawful obtaining and disclosing of personal data (s.55(1) of the Act)
- Knowingly or recklessly obtaining or disclosing personal data or the information contained in personal data without the consent of the data controller.
- Knowingly or recklessly procuring the disclosure to another person of information contained in the personal data without the consent of the data controller.
The obtaining/disclosing/procuring without the consent of the data controller will not be an offence if:
- it was necessary for the prevention or detection of crime;
- it was required or authorised by statute, rule of law, or court order;
- the person obtaining, disclosing or procuring the data acted in the reasonable belief that he or she had a right in law to act as he or she did, or that he or she would have had the consent of the data controller if the data controller had known of the particular circumstances;
- in the particular circumstances, the obtaining, disclosing or procuring was justified as being in the public interest.
2.4 Unlawful selling of personal data (s.55(4) and (5) of the Act)
It is an offence to sell personal data (including information extracted from personal data) that were obtained in contravention of s.55(1) of the Act (see Section 2.3 above).
2.5 Other offences
- It is an offence to fail to respond to an information notice or to breach an enforcement notice.
- Appropriate technical and organisational security measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage.
- Personal data may not be transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection for data subjects; exceptions include cases where the data subject has consented to the transfer.
- Taking automated decisions on matters that significantly affect a data subject, without the safeguards the Act requires.
3. Penalties under the Data Protection Act
3.1 Enforcement and Information Notices
- The Information Commissioner has the power to prosecute those whom it believes may have committed a criminal offence. It can also issue an enforcement notice (including an order for the erasure, rectification or de-registration of the personal data) if it believes an organisation has not complied with one or more of the Data Protection Principles.
- The Information Commissioner may also issue an information notice (requiring the University to supply any information needed to assess whether the Act has been breached).
- The University could also be liable for a financial penalty for failure to notify, or for failure to comply with an enforcement or information notice.
- Any person convicted of any other offence under the Act may also be liable to a fine.
As of April 2010, the Information Commissioner is able to fine organisations up to £500,000 for serious breaches of the Data Protection Act.
The Information Commissioner's Office has issued guidance about how it intends to use these powers in the event of a breach of the Act.
3.2 Compensation
An individual who can establish that he or she has suffered loss or damage as a result of inaccurate or unauthorised data, or as a result of an unauthorised disclosure or a loss of data, may claim compensation.
3.3 Disciplinary Proceedings
In accordance with the University's Rules and Regulations, a breach of the Act may lead to University disciplinary procedures.
4. The Computer Misuse Act 1990
The Computer Misuse Act 1990 created three offences (unauthorised access; unauthorised access with ulterior intent, i.e. with intent to commit a further offence; and unauthorised modification) to deal with those who deliberately and without authority misuse computer systems. The police enforce it, and a successful prosecution can result in a term of imprisonment.
Further information on the use of computing facilities is available in the Regulations for the Use of Computing Facilities.
5. The Copyright, Designs and Patents Act 1988
This legislation must also be observed when using University computing facilities.