A Guide to Section 55 of the Data Protection Act 1998

Nick Titchener headshot

Nick Titchener

Managing Partner

What is the Data Protection Act?   

The Data Protection Act (DPA) is an act of the UK Parliament which defines the ways in which information about people may be legally used and handled. The main intent is to protect individuals against misuse or abuse of information about them.

The Data Protection Act 2018 is the UK’s third generation data protection law, replacing the UK’s existing data protection laws in accordance with the General Data Protection Regulation (GDPR). This was done to modernise the UK’s previous data protection laws, giving individuals more control over their personal information in a digital age.

Why are GDPR and the Data Protection Act both needed?

GDPR changes the regulatory environment and gives the Information Commissioner’s Office (“ICO”) the power to impose eye-watering fines for those in breach.  

The Act deals with elements of the regulatory framework not covered by GDPR, and sets out the specific criminal offences relating to data protection. There is some continuity with the existing regime governed by the Data Protection Act 1998 (“DPA 1998”) but new offences have also been introduced onto the statute book.

What is a data controller?

The data controller determines the purposes for which, and the manner in which, personal data is processed. It can do this either on its own or jointly or in common with other organisations. This means that the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.

What is section 55 of the Data Protection Act 1998?

When understanding criminal law there is a need to look back on past legislation as well as existing legislation and the new criminal offences in order to see how the law will be applied to a data breach. 

Sections 55A to 55E of the Data Protection Act 1998 provide the Commissioner with the power to serve a monetary penalty in the case of a data breach.

Section 55A states that if there has been a ‘serious contravention’ of the data protection principles, the Commissioner may serve the data controller with a monetary penalty notice. Fines are imposed when the breach is ‘likely to cause substantial damage or substantial distress’ and the contravention was deliberate or the controller should have known of the risk.

What is section 170 of the Data Protection Act 2018?

When the Data Protection Act was updated in 2018, section 55 of the Data Protection Act 1998 was replaced by section 170. Section 170 expands and develops section 55 which criminalised recklessly or knowingly disclosing, obtaining or procuring personal data without the consent of the data controller, and the sale or offering for sale of that data. 

Section 55 had been mostly used to prosecute anyone who had obtained financial or healthcare records without a legitimate reason. Section 170 adds the offence of knowingly retaining personal data, even if it has been lawfully obtained, without the consent of the data controller. There are a few exceptions, including when the data was needed to prevent or detect a crime.

Section 170 also includes provisions regarding the processing of personal data by criminal justice agencies and police, implementing the Law Enforcement Directive to cover national and trans-national data sharing.

What is the risk of being held responsible for a data breach?

No business or individual is immune to the risk of being affected, as the higher possibility of breaching the Data Protection Act is becoming more apparent in this digital age. 

However, you are not guilty of the offence if it can be shown that:

  • Obtaining the data was needed to prevent crime
  • The data was needed by the order of a court or rule of law
  • You had a reasonable belief that you had a legal right to obtain or share the data 
  • That you obtained data in the public interest / with special purposes ie journalistic or literary 

The majority of cases under Section 55 resulted in fines of hundreds of pounds and resolved in the magistrates’ court. Unfortunately there are now increasing numbers of fines for six figures and corporate clients will need to provide financial statements from a five-year period.

Where data has been obtained electronically, the Computer Misuse Act may also be applicable and where the data has been obtained by deception, fraud by false representation might also be applicable.

If you do find yourself accused of a data breach, our lawyers can:

  • Support you at criminal interviews under caution 
  • Respond to Production Orders 
  • Assist if you are subject to a search and seizure
  • Represent you in court 

When facing data protection offences you need specialist data breach lawyers who will understand the history and the complexities of data protection laws. Contact Lawtons for support. Our team of legal professionals are highly experienced and will provide you with the individual guidance you need.

Related Articles