12 June, 2019
The issue of criminality under data protection has once again come into the spotlight. A Stockport Home Limited employee, Wendy Masterson, was found guilty at Stockport Magistrates' Court on 6th June 2019 of unlawfully accessing individuals' personal data without having a legitimate reason to do so, under s55 of the Data Protection Act 1998 (DPA 1998).
The former customer service officer interrogated her employer's case management system to look up anti-social behaviour outside of what was required in order for her to fulfil her job and without any other authorisation to do so. The access was widespread, with 67 instances of unlawful access occurring between January and December 2017.
This prosecution was brought under the previous data protection legislation, the DPA 1998, as the unlawful access occurred before the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018) came into force on 25th May 2018. Under current legislation, the s55 DPA 1998 offence of unlawfully obtaining, or disclosing, personal data is now found in s170 DPA 2018.
This offence can apply to both organisations and individuals; a company selling personal data without the consent of the data subjects is guilty under s170, as is a worker who looks up the personal data of friends and family outside of a professional need.
There have been some minor amendments to this offence under DPA 2018. The offence now extends to making it illegal to retain personal data beyond what it was collected for, for instance where an employee or organisation deliberately holds onto data past the retention period for which there is a lawful basis to hold it (remember, storing data is processing, and in order to process personal data you need a lawful basis to do so, as defined under Articles 6, 9 and 10 of the GDPR).
Under s55 DPA 1998 there was scope for an offender to receive a custodial sentence if found guilty of this offence, although this has never in fact been used in practice. This offence is now solely dealt with by a monetary fine, although it is important to note that where a s170 offence has been committed there may be other grounds for a custodial sentence for crimes committed at the same time, e.g. fraud.