Coverage of GDPR in the media and on legal blogs like this usually focuses on the threat posed to a business by large ICO fines and the reputational damage associated with a breach of data protection law. But certain breaches of GDPR (introduced in the UK by the Data Protection Act, 2018 (‘the DPA’)) can also lead to criminal prosecution of employees who access personal data unlawfully or their employers who control the data.
While the number of prosecutions under the DPA is extremely low, the ICO has shown itself to be extremely proactive when it comes to imposing fines and other civil sanctions under the DPA. So we wouldn’t be surprised if there’s a significant uptick in GDPR or DPA-related prosecutions in the future. Here we look at criminal liability under the DPA, concentrating in particular on section 170 offences: What happens when personal data is unlawfully obtained or disclosed?
What Does s170 of the DPA say?
Section 170 forms part of a suite of criminal offences within the DPA framework, including the offence of requiring an individual to produce health and other records as a requirement of employment (s184) and the offence of providing a false statements in response to an information notice from the ICO (s144).
Under s170, it is a criminal offence to:
- Knowingly or recklessly obtain, disclose or procure personal data without the consent of the data controller
- Sell that data
- Recklessly retain personal data – even if it was obtained lawfully – without the consent of the data controller.
What Does A s170 Offence Look Like?
As we’ve said there have been very few cases involving s170 prosecutions. But a similar provision existed under older data protection legislation (although it did not include the offence of recklessly retaining data that the DPA contains). We can look at how that older provision was applied in practice to gauge what employers and employees should be aware of when it comes to s170.
According to the Crown Prosecution Service the offence under the previous rules usually involved unlawful accessing of healthcare and financial records. An employee of the Heart of England NHS Foundation Trust (HEFT) for example was prosecuted under s55 (the relevant section of the old DPA) for viewing personal data of seven family members on internal databases as well as the health data of seven children known to her. Crucially there was no business need for her to do this and so the court found she broke data protection law.
Are There Any Defences If I Am Investigated Under s170?
Yes. There are several defences to prosecutions under s170. These include:
- Where the information was obtained or disclosed to prevent a crime
- If the personal data was obtained because of some legal requirement
- If accessing the data was justified in the public interest
It’s also possible to avoid liability under s170 if the person who obtained the data acted in the reasonable belief that he or she had a legal right to do so.
Employers and Section 170
One concern for many of the businesses we represent is whether or not they might have to answer for the criminal behaviour of an employee. Take the situation of a disgruntled employee accessing data contrary to s170. Might the employer also be criminally liable?
In 2020 – in a case involving scrutiny of s55 of the old DPA – the Supreme Court ruled in favour of the supermarket chain Morrisons. It found that as an employer it could not be held responsible when an employee uploaded a file containing the payroll data of thousands of Morrisons employees to a publicly accessible website. (The employee also leaked the information to several UK newspapers.) Reversing the decision of the Court of Appeal that did find Morrisons responsible for the unlawful behaviour of the employee, the Supreme Court decided that:
- Disclosure of the data was not sufficiently connected to what the employee was allowed to do in the course of his employment with Morrisons
- It was ‘abundantly clear.. that the employee was pursuing a personal vendetta against his employer’
The Supreme Court judgment in the Morrisons case came as a relief to many businesses. The ramifications of the Court of Appeal decision to hold employers responsible for the criminal accessing of data by a disgruntled employee were only beginning to be fully appreciated. Nevertheless it’s important to note that despite the Morrisons decision an employer might still face criminal liability if:
- An employee unlawfully obtains data on the instructions of the employer
- The organisation has failed to implement adequate security measures as required under the DPA/GDPR.
Comment
The number of prosecutions under s170 is low but cases under previous legislation demonstrate the criminal jeopardy – to employers and their staff – posed by unlawfully accessing personal data. The Morrisons case provides some relief to employers because they won’t as easily be held responsible for criminal acts of employees. One thing the legislation and the cases we’ve looked at do demonstrate clearly however is that GDPR compliance must be taken seriously. Regular staff training in data protection requirements and GDPR audits is essential.
Contact Us
For more information on GDPR compliance contact our director Shubha Nath at Nath Solicitors on 0203 983 8278 or contact the firm online.
