Data Protection Act Breaches

Make an enquiry

Home → Data Protection Solicitors → Data Protection Act Breaches

There are a number of criminal offences which are set down in the Data Protection Act 1998. If you find yourself being prosecuted for any of the following, get in touch with the regulatory investigations team at Richard Nelson LLP. We will provide any advice and representation that may be necessary to reach a favourable conclusion to your case.

The main offences are as follows:

Unlawful obtaining, disclosing, retaining or procuring of personal data

S170 Data Protection Act 2018 (replacing S55 Data Protection Act 1998)

This relates to the unlawful obtaining, retaining or disclosure of personal data without the consent of the controller.

The risks of becoming held responsible for, being exposed to or being affected by unauthorised breaches are becoming ever more apparent in the digital age in which we all live and work. Nearly every week, the media reports on a data breach where personal data has been accessed and obtained without consent. No person or business is immune to the risk of being affected.

Laws are in place to protect the personal data and ensure that it is being held securely. The main offence is governed by s170 Data Protection Act 2018 which makes it illegal to knowingly or recklessly obtain, retain, disclose or procure the disclosure of personal data without consent, or to sell or offer to sell personal data which has been unlawfully obtained, retained, disclosed or procured.

There are a number of statutory defences available that mean that a person is not guilty of the offence if it can be demonstrated that:


Re-identification of de-identified personal data

S171 Data Protection Act 2018

It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.

There are a number of statutory defences available that mean that a person is not guilty of the offence if it can be demonstrated that:


Alteration etc of personal data to prevent disclosure to data subject

S173 Data Protection Act 2018

It is an offence for a person who is a controller, or employed or directed by the controller, to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.

It is a defence for a person alleged to have committed a S173 offence to prove that the alteration, defacing, blocking, erasure, destruction or concealment of the information would have occurred in the absence of a request made in exercise of a data subject access right, or the person acted in the reasonable belief that the person making the request was not entitled to receive the information in response to the request.


The liability of the director, manager, secretary, officer or person, as well as the body corporate

S198 Data Protection Act 2018

If an offence under this Act has been committed by a body corporate, and it is proved to have been committed with the consent or connivance of or to be attributable to neglect on the part of a director, manager, secretary or similar officer of the body corporate, or a person who was purporting to act in such a capacity, that director, manager, secretary, officer or person, as well as the body corporate, is guilty of the offence and liable to be proceeded against and punished accordingly.



Other offences under the Data Protection Act 2018


What can the ICO do in response to a breach?

If the ICO feels that data has been breached by unlawful behaviour, then it can start an investigation which may lead to a prosecution before the courts. It has the power to investigate breaches either from complaints it receives from the public or on its own volition.

The ICO can apply for a search warrant to search premises to identify what data any individual or business holds. It also has the power to interview individuals or company officials under caution with a view to considering prosecuting breaches before the courts.

If taken to court, the matter will commence in the Magistrates Court but more serious breaches, given the volume or nature of the breach, are transferred to the Crown Court where fines of several thousand pounds can be issued.

It is therefore vital that anybody who comes to the attention of the ICO regarding alleged breaches of personal data receives expert legal advice from the outset. Richard Nelson LLP has experienced lawyers who can assist you. If you require assistance of this nature, please contact us today.

Find out more about the ICO’s regulatory powers.

Get in touch

For more information about the services we can provide and about how we can help you and your business, contact us.

< Back to Regulatory Investigations

What we do...

Richard Nelson LLP’s data protection solicitors are able to help individuals and businesses being investigated for various different Data Protection Act breaches. Our main services include:

  • Breach of S17 of the Data Protection Act 1998

  • Breach of S55 of the Data Protection Act 1998

  • ICO Prosecutions

Request a Callback

  • We treat all personal data in accordance with our Privacy Policy.
  • This field is for validation purposes and should be left unchanged.