Category Archives: offences

April 11, 2025 · 5:03 am

Retaining data for journalistic purposes?

This is a quite extraordinary data protection story, by Jamie Roberton and Amelia Jenne of Channel 4 News , involving a mother of a woman who died in suspicious circumstances.

It appears that a “Victims’ Right to Review” exercise was undertaken by Gloucestershire Police, at the request of the family of Danielle Charters-Christie, who was found dead inside the caravan that she shared with her partner – who had been accused of domestic abuse – in Gloucestershire on 26 February 2021.

Officers then physically handed a 74-page document to Danielle’s mother, and the contents of it were subsequently reported by Channel 4 News. But, now, the police say that the Review report was “inadvertently released”, are demanding that Danielle’s mother destroy it, and have referred her apparent refusal to do so to the Information Commissioner’s Office as a potential offence under s170(3) of the Data Protection Act 2018.

That provision creates an offence of “knowingly,…after obtaining personal data, [retaining] it without the consent of the person who was the controller in relation to the personal data when it was obtained”.

But here’s a thing: it is a defence, under s170(3)(c) for a person charged with the offence to show that they acted (and here, the retention of the data would be the “action”) for the purposes of journalism, with a view to the publication by a person of any journalistic material, and in the reasonable belief that in the particular circumstances the retaining was justified as being in the public interest.

The ICO is tasked as a prosecutor for various data protection offences, including the one at s170 DPA. No doubt whoever at the ICO is handed this file will be having close regard to whether this statutory defence would apply, but will also, in line with the ICO’s duty as a prosecutor, to consider evidential factors, but also whether a prosecution would be in the public interest.

At the same time, of course, the ICO has civil enforcement powers, and might well be considering what were the circumstances under which the police, as a controller, wrongly disclosed personal data in such apparently serious circumstances.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection Act 2018, Information Commissioner, law enforcement, offences, police

Tagged as , , ,

March 11, 2025 · 6:04 am

Why is the ICO so quiet about prosecutions?

Not infrequently, I get contacted (personally and professionally) by individuals who are concerned that their personal data has been compromised in circumstances that may constitute the criminal offence of “obtaining” or “retaining”, under section 170 of the Data Protection Act 2018.

In many cases, there is not much I can bring to the table. If an offence has been committed then this is a matter for the prosecutor. Normally, for data protection offences, this is the Information Commissioner’s Office.

But what strikes me is that there appears to be no information on the ICO website for anyone who wants to report an alleged or potential offence. Their “For the public” pages don’t cover the scenario, and all of the data protection complaints information there is predicated on the assumption that the individual will be complaining about the data controller’s compliance (whereas, in a section 170 offence, the controller is more of the status of “victim”).

In fact, the best I can find is one brief reference (at page 61) of a lengthy guide to the DPA 2018, aimed at “organisations and individuals who are already familiar with data protection law”, and which doesn’t even actually explain that the offences described can be prosecuted by the ICO.

Dr David Erdos has recently highlighted both the low number of ICO prosecutions, and the rather slapdash way in which the ICO appears to be handling information about them. But the section 170 provisions are criminal ones for a reason: they will sometimes involve the most distressing and serious interferences with people’s data protection and privacy rights.

Surely the ICO should pay more attention to such incidents, and assist concerned data subjects (or others) who might want to report potential offences?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Information Commissioner, offences

Tagged as ,

September 18, 2020 · 12:48 pm

Tony Abbott hacking and data protection offences

The story about the hacking of Tony Abbott’s travel and other personal details, after he foolishly posted a picture of a flight boarding pass on social media, is both amusing and salutary (salutary for Abbott, and, I would suggest, Qantas and any other airline which prints boarding passes with similar details). What is also interesting to consider, is whether, if this hacking had occurred in the UK, it might have constituted an offence under data protection law.

Under section 170(1)(a) and 170(1)(c) of the Data Protection Act 2018 it is an offence for a person knowingly or recklessly…to obtain or disclose personal data without the consent of the controller, and also an offence for a person knowingly or recklessly…after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

There is at least an argument that this would have been a knowing obtaining of personal data without the consent of the controller (whether that controller was Qantas, or Abbott himself).

There are defences to both of these where the person can prove that the obtaining, disclosure, retaining etc. was in the particular circumstances, justified as being in the public interest.

Also, and this may be engaged here, it is a defence if the person acted for journalistic purposes, with a view to the publication by a person of any journalistic, academic, artistic or literary material, and in the reasonable belief that in the particular circumstances the obtaining, disclosing, retaining etc. was justified as being in the public interest. One does not have to be a paid journalist, or journalist by trade, to rely on this defence.

Prosecution in both cases may only be brought by the Information Commissioner, or with the consent of the Director of Public Prosecutions. The offences are triable either way, and punishable by an unlimited fine.

I write all this not to condemn the “hacker”, nor to condone Abbott. However, it is worth remembering that similar hacking, in the UK at least, is not without its risks.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, offences

Tagged as ,