Persistent breaches of the Act
A data controller who persistently breaches the Act and has been served with an enforcement notice can be prosecuted for failing to comply with a notice. This offence carries a maximum penalty of a £5,000 fine in the magistrates' court and an unlimited fine in the Crown Court.
Notification offences
A data controller who fails to notify the Information Commissioner's Office of the processing being undertaken or of any changes to that processing can be prosecuted. Failure to notify is a strict liability offence. This means that if a data controller has to notify, they must notify. Being unaware of the law is not an excuse.
Examples
- In October 2005, two debt collection companies, trading from the same location, were each fined £5,000 (the maximum amount) and ordered to pay £300 towards prosecution costs, by Manchester city magistrates, for failing to notify
- In April 2005, a recruitment company pleaded guilty to an offence of not being notified under S17(1) of the Data Protection Act 1998. They were fined £100 and ordered to pay prosecution costs of £700
Unlawful obtaining or disclosing of personal information
It is a criminal offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information, without the consent of the data controller.
Examples
- Private detectives who obtain personal information for their customers by deception commit this kind of offence
- An individual who works for a bank commits an offence if they disclose someone's account details other than for legitimate work purposes
If a person has obtained personal information illegally, it is an offence to sell it or to offer to sell it.
Data Protection Act scams
There have been many complaints about companies claiming to be Data Protection Act or CCTV 'notification agencies' and encouraging firms to pay them exaggerated sums to notify with the ICO or risk large fines.
Examples
- Two people were sentenced to a total of six and a half years' imprisonment in December 2004 after pleading guilty to conning businesses across the UK out of nearly £700,000 in data protection scams.