Hey everyone, so today we’re going to chat about something a bit serious but super important when it comes to our digital lives: Section 170 of the Data Protection Act 2018. You might have heard about data breaches and the big fines that can come with them, but did you know there are actual criminal offenses for how people get and use personal information? This section of the law is all about that – specifically, the unlawful obtaining of personal data. It’s not just about big companies; it can affect individuals too, so it’s worth knowing the basics.
Key Takeaways
- Section 170 of the Data Protection Act 2018 makes it a crime to knowingly or recklessly obtain, disclose, or keep personal data without the data controller’s permission.
- This law also covers selling personal data that was obtained illegally.
- There are specific defenses available, like if the actions were necessary for preventing crime, were legally required, or were justified in the public interest.
- Believing you had a legal right or consent, even if mistaken, can also be a defense if that belief was reasonable.
- While employers aren’t automatically liable for employee actions (as seen in the Morrisons case), they can still face consequences if they failed to implement adequate security measures or if employees acted on their instructions.
Understanding Section 170 Data Protection Act 2018
So, let’s talk about Section 170 of the Data Protection Act 2018. It’s the part that deals with the unlawful obtaining of personal data, and honestly, it’s pretty serious stuff. While we often hear about big fines for data breaches, this section focuses on criminal offenses for individuals who mess with personal data in specific ways. It’s not just about accidental leaks; it’s about intentional or reckless actions.
The Core Offence Under Section 170
At its heart, Section 170 makes it a criminal offense for someone to knowingly or recklessly obtain, disclose, or procure the disclosure of personal data without the consent of the data controller. Think of it as a line in the sand. You can’t just go around grabbing or sharing people’s private information if you don’t have the right to do so. It also applies where the data was initially obtained lawfully but is then retained without the controller’s consent.
Key Elements of the Offence
To break it down, there are a few main things the law looks at:
- Obtaining Personal Data: This means getting hold of personal data when you shouldn’t have. It’s not just about hacking into systems; it could be as simple as looking at a file you’re not supposed to see.
- Disclosing Personal Data: Sharing that data with someone else who isn’t authorized to see it.
- Procuring Disclosure: This is a bit more indirect. It means causing or arranging for someone else to disclose data they shouldn’t.
- Retaining Personal Data: Even if you got the data initially without meaning to do anything wrong, if you keep it without the controller’s okay, that can also be an offense.
- Knowledge or Recklessness: The person has to have known they were doing something wrong, or been reckless about whether their actions would lead to an unlawful obtainment or disclosure.
Distinguishing From Other Data Protection Offences
It’s important to note that Section 170 isn’t the only criminal offense in the Data Protection Act. For instance, Section 171 deals with re-identifying de-identified data, and Section 173 covers intentionally destroying data to prevent disclosure during a subject access request. Section 170 specifically targets the unauthorized acquisition and sharing of personal data itself, rather than other related data handling missteps.
Prohibited Actions Under Section 170
Section 170 of the Data Protection Act 2018 lays out specific actions that are considered criminal offenses when it comes to personal data. It’s not just about having the data; it’s about how you get it, what you do with it, and whether you had permission. The core idea is that you can’t just take or share someone’s personal information without the data controller’s okay.
Unlawful Obtaining Of Personal Data
This is the most straightforward part of the offense. It means knowingly or recklessly getting your hands on personal data without the consent of the person or organization that controls it. Think of it like this: if you don’t have a legitimate reason or permission, you shouldn’t be accessing it. This could involve:
- Accessing databases you’re not authorized for.
- Copying files that contain personal details without approval.
- Using someone else’s login credentials to get into systems.
It’s important to remember that "recklessly" covers situations where someone might not have intended to break the law but acted in a way that showed a disregard for the potential consequences of obtaining the data. For instance, an employee snooping through customer records out of curiosity, even if they didn’t plan to misuse the information, could fall under this. The Crown Prosecution Service has noted that historically, similar offenses often involved accessing sensitive records like financial or healthcare information without a business need. This is a serious matter, and understanding the boundaries is key to avoiding trouble, especially when dealing with sensitive personal information.
Procuring Disclosure Without Consent
This offense goes a step further than just obtaining data yourself. It involves actively causing or arranging for someone else to disclose personal data without the controller’s consent. This could mean asking a colleague to send you information they shouldn’t, or tricking someone into revealing data they have access to. It’s about facilitating the unauthorized spread of information. For example, if you persuade an administrator to email you a list of employee salaries, even though you’re not authorized to receive it, you could be committing this offense.
Retaining Personal Data Without Consent
Even if you obtained the data lawfully at some point, you can still fall foul of Section 170 if you keep it without the controller’s consent. This applies after you’ve already got the data. So, if you were initially allowed to access certain records for a specific project, but you continue to hold onto them after the project is finished, or if your access is revoked, you might be committing an offense. The key here is the ongoing "retention" without permission. This is a distinction from older laws, as the Data Protection Act 2018 specifically includes the offense of recklessly retaining data, even if it was initially obtained lawfully.
Selling Personal Data Obtained Unlawfully
So, you’ve got personal data, but maybe not in the most legal way. Section 170 of the Data Protection Act 2018 doesn’t just stop at the unlawful obtaining or disclosing part; it also goes after people who try to profit from it. It’s a criminal offense to sell personal data if you obtained it in circumstances that broke Section 170. This means if you got the data without the controller’s consent, or kept it when you shouldn’t have, trying to sell it afterwards is a whole new ballgame of trouble.
Offence of Selling Illegally Obtained Data
This part is pretty straightforward. If you’ve committed an offense under Section 170(1) – meaning you knowingly or recklessly obtained, disclosed, procured, or retained personal data without the controller’s okay – then selling that data is a separate, punishable offense. It doesn’t matter if you obtained it directly or indirectly, as long as the initial acquisition was unlawful according to Section 170. The law is designed to stop the flow of illegally acquired information, and selling it is a major way that flow continues. Think of it like this:
- Step 1: Obtain personal data without consent (violating Section 170(1)(a)).
- Step 2: Decide to sell this data.
- Result: You’ve now committed a second offense under Section 170(4).
We’ve seen cases where individuals have been fined for this. For instance, someone sold customer information from their employer’s database. They ended up with a fine and had to pay costs. It really shows that the authorities take this seriously, even if the amounts might seem small compared to other data protection penalties. A recent UK Financial Conduct Authority prosecution also highlighted the risks of malicious insiders, with an employee convicted for unlawfully obtaining and disclosing data, serving as a reminder for organizations to prevent such exfiltration.
Offering Personal Data For Sale
It’s not just about completing the sale; even offering to sell data that was obtained unlawfully is an offense. This covers situations where someone advertises that they have personal data available for sale. The law considers an advertisement indicating data is or may be for sale as an offer to sell it. So, even if no one actually buys it, the act of offering it up can land you in hot water. This is particularly relevant in the digital age where data can be advertised on various online platforms. The key here is the intent and the action of making the data available for purchase, regardless of whether a transaction occurs.
Defences Available Under Section 170
So, you’ve heard about the offence of unlawfully obtaining personal data under Section 170 of the Data Protection Act 2018. It sounds pretty serious, right? But what if you genuinely believed you had a good reason, or that you were allowed to access the data? The good news is, the law recognizes that sometimes there are legitimate justifications. Section 170 isn’t a blunt instrument; it allows for several defences if you’re charged with an offence.
Necessity For Crime Prevention Or Detection
Sometimes, getting your hands on personal data, even without explicit consent, might be the only way to stop something bad from happening. The law gets this. If you can prove that obtaining, disclosing, or retaining the data was absolutely necessary to prevent or detect a crime, that can be a valid defence. Think about it – if you stumbled upon information that pointed to an ongoing fraud or a planned illegal activity, and you acted on it to alert the authorities, the courts would likely see that as a reasonable, albeit unusual, course of action. It’s not about snooping for fun; it’s about acting responsibly when faced with potential wrongdoing.
Legal Authorisation Or Court Orders
This one’s pretty straightforward. If you were legally required to obtain or disclose personal data, or if you were acting under a court order, then you’re generally in the clear. This could cover situations where a law specifically mandates the sharing of certain information, or where a judge has ordered access to data for a legal proceeding. It’s a way of saying that if the system itself tells you to get the data, you shouldn’t be punished for following instructions.
Justification In The Public Interest
This defence is a bit broader and can be trickier to argue, but it’s important. It essentially means that in certain specific circumstances, accessing or disclosing personal data, even without consent, was justified because it was in the public interest. This isn’t a free pass to do whatever you want. It usually applies to situations where the public good outweighs the individual’s right to privacy. For example, whistleblowing on serious misconduct within an organisation might fall under this, especially if the information revealed could lead to significant public benefit or prevent harm. It requires a careful balancing act, and the justification needs to be strong.
Belief As A Defence
Reasonable Belief Of Legal Right
So, you’ve been accused of getting your hands on personal data without the proper go-ahead. It happens, right? Well, Section 170 of the Data Protection Act 2018 does offer a way out if you can show you genuinely thought you had the right to do it. This isn’t about making excuses after the fact; it’s about what you reasonably believed at the time you obtained, disclosed, procured, or kept the data. The key here is "reasonable belief." It means your belief had to be sensible and something a normal person would have thought in your shoes, given the circumstances. It’s not enough to just say, "I thought I could." You’d need to back that up with why you thought that. Maybe you misunderstood a policy, or perhaps there was some ambiguity about who controlled the data. The courts will look at the whole picture to decide if your belief was truly reasonable.
Reasonable Belief Of Consent
This defense is a bit like the one above, but it focuses specifically on consent. If you’re charged with obtaining or disclosing personal data without the controller’s consent, you can argue that you reasonably believed you did have that consent. Again, the emphasis is on what you genuinely and reasonably thought. Did you have a conversation that implied consent? Did a previous pattern of behavior suggest it was okay? Perhaps you thought a manager or a colleague had already given the green light. The law understands that sometimes things aren’t crystal clear, and people can make honest mistakes. However, just like with the legal right defense, you’ll need to show that your belief in having consent was sensible and justifiable based on the information you had at the time. It’s about proving you weren’t deliberately ignoring the rules but were acting on what you thought was a valid understanding.
Belief In Public Interest For Special Purposes
This defense is a bit more specialized and applies when the data handling is related to certain "special purposes." These purposes include journalistic, academic, artistic, or literary activities. If you obtained, disclosed, procured, or retained personal data for these kinds of reasons, and you genuinely and reasonably believed it was in the public interest to do so, you might have a defense. Think about investigative journalism or academic research that requires access to personal information to uncover something important or shed light on a societal issue. The belief that your actions served the public interest needs to be reasonable in the specific circumstances. It’s a high bar, as it involves balancing the individual’s privacy rights against the potential public benefit of the disclosure or use of the data. This defense acknowledges that sometimes, accessing personal data might be necessary for activities that benefit society as a whole, but it requires a strong, justifiable belief that this is the case.
Criminal Liability For Employers
Employer Responsibility For Employee Actions
So, what happens when one of your employees goes rogue and unlawfully obtains personal data? It’s a big worry for businesses, and understandably so. The good news, sort of, is that the law doesn’t automatically hold employers responsible for every single misstep an employee makes. The big court case involving Morrisons, a supermarket chain, really clarified this. An employee there leaked payroll data, but the Supreme Court decided Morrisons wasn’t liable. Why? Because the employee was acting out of personal spite, not doing anything related to their actual job duties. It was pretty clear they were on a personal mission against the company.
Morrisons Case And Its Implications
The Morrisons case was a huge relief for many companies. Before that, there was a real fear that employers could be held responsible for any data-related crime an employee committed, even if the company had no idea. The Supreme Court basically said that for an employer to be liable, the employee’s actions need to be closely linked to their job. If they’re just doing their own thing, especially something malicious, the employer is usually in the clear. This ruling helped set a boundary, showing that employers aren’t automatically on the hook for every employee’s bad behavior.
When Employers May Still Face Liability
Now, don’t get too comfortable. While the Morrisons case offered some breathing room, employers can still get into trouble. If you explicitly tell an employee to get data unlawfully, well, that’s on you. Also, if your company hasn’t put decent security measures in place, and an employee exploits those weaknesses to get data, you could still be held responsible. It really comes down to whether you’ve done your part to protect the data. Think of it like this:
- Direct Instruction: If you tell an employee, "Go get that customer list, no matter how," you’re liable.
- Negligent Security: If your data security is so bad a light breeze could blow it open, and an employee takes advantage, that’s a problem.
- Failure to Train: Not properly training staff on data protection rules can also be a weak spot that leads to liability.
Basically, while you’re not responsible for every rogue employee, you are responsible for creating a secure environment and not encouraging or enabling illegal data handling.
Practical Implications And Case Examples
Low Prosecution Rates Under Section 170
So, we’ve talked about what Section 170 is all about – basically, not getting your hands on personal data illegally. You might think, with all these rules, there must be tons of people getting prosecuted, right? Well, the reality is a bit different. Prosecutions specifically under Section 170 of the Data Protection Act 2018 haven’t been super common. It’s not like every little slip-up leads to a court date. But don’t let that fool you into thinking it’s not a big deal.
Lessons From Previous Legislation
Even though Section 170 is the current law, looking back at cases under the old Data Protection Act 1998 can still teach us a lot. Section 55 of that older act had similar rules about unlawfully obtaining data. For instance, there was a case involving a former employee of a car rental company. This person kept accessing customer data even after leaving the company. They then used that info to hawk their own services to customers who’d had accidents. This case, which only recently reached court because the person was in the US, shows that these kinds of actions can have serious consequences. The individual ended up with a hefty fine of £10,000 plus costs. It’s a clear sign that even if Section 170 prosecutions are few, the potential for criminal charges is very real, especially when you look at how similar laws were enforced.
Real-World Consequences Of Violations
What happens when someone actually breaks these rules? We’ve seen a few examples. In one instance, an employee sold personal data from their employer’s customer database. They even tried to sell it to rival companies. This person pleaded guilty and faced penalties, including a fine of £1,200 and £300 in costs. While these amounts might not seem astronomical, they represent a tangible penalty for breaking data protection laws.
It’s also worth remembering the big Morrisons case. While the Supreme Court ultimately decided Morrisons wasn’t responsible for a disgruntled employee leaking payroll data, it was a close call. The initial ruling had worried many businesses. The key takeaway here is that while employers might not be automatically liable for every employee’s rogue actions, they can still be in trouble if they haven’t put proper security measures in place or if they instructed the employee to obtain the data unlawfully. So, even if prosecutions are rare, the financial and reputational damage from a data breach or unlawful obtaining of data can be significant. It really hammers home the point that getting data protection right isn’t just a suggestion; it’s a necessity.
Wrapping Up Section 170
So, that’s a look at Section 170 of the Data Protection Act 2018. It basically says you can’t just go around grabbing or sharing personal information without the data controller’s okay, and selling data you got this way is also a no-go. There are some exceptions, like if you’re stopping a crime or if the law says you have to, but for the most part, you need to be careful. We’ve seen a couple of cases where people got in trouble, facing fines and other penalties. While prosecutions aren’t super common, it’s definitely something to be aware of, both for employees and employers. Keeping your data practices in check and training your staff is a good idea to avoid any headaches down the road.
Frequently Asked Questions
What exactly is Section 170 of the Data Protection Act 2018 about?
Basically, Section 170 makes it against the law for someone to get, share, or keep personal information without the permission of the person or company in charge of that data. It also covers selling personal data that was obtained this way. Think of it like stealing someone’s private diary and then trying to sell it – that’s not allowed.
What does ‘unlawfully obtaining personal data’ mean in simple terms?
It means getting someone’s private information, like their name, address, or phone number, when you’re not supposed to. This could be by hacking into a computer, tricking someone into giving it to you, or just taking it when you shouldn’t have access.
Are there any situations where it’s okay to get or share personal data without permission?
Yes, there are a few exceptions. For example, if you need the information to help prevent or solve a crime, or if a court order or another law says you can have it. Sometimes, if it’s really important for the public good, that can also be a valid reason.
Can employers get in trouble if their employees break Section 170 rules?
It’s tricky. Usually, employers aren’t responsible if an employee breaks the law on their own, especially if the employee was acting out of personal reasons, like the Morrisons case showed. However, if the employer told the employee to get the data unlawfully, or if they didn’t have good security in place, they might still be held responsible.
What happens if someone sells personal data they got illegally?
That’s a big no-no under Section 170. If you obtained personal data without permission and then try to sell it, or even just offer it for sale, you can face criminal charges. This applies whether you got the data yourself or it was obtained illegally by someone else and you then got it.
Are there many cases where people are prosecuted under Section 170?
Honestly, not very many cases actually go to court for Section 170. However, similar laws existed before, and those cases show that people can face serious consequences, including fines. It’s important not to ignore these rules just because prosecutions are rare; the law is there to protect people’s private information.
