|Legal basis||Description of offence/penalty/prohibited activity by individual||Sanction options||Would it apply to Bill activity?||What bill activity would it not cover?||Lexis link|
|s. 55 of the Data Protection Act 1998 - Unlawful obtaining etc of personal data||Core offence - "A person must not knowingly or recklessly, without the consent of the data controller—(a) obtain or disclose personal data or the information contained in personal data, or (b) procure the disclosure to another person of the information contained in personal data." (Note full text has further detail and caveats, also selling of data obtained contrary to above also an offence s.55(4).)||CRIMINAL offence - Triable either way max penalty is an unlimited fine in the Crown Court. (s.60) Also court can order the forfeiting, destruction or erasure of data or documents used in the offending processing .||YES. Applies to the processing of personal data in any form including the sharing of information and any potential leakage or abuse arising from such sharing.||Only shares which involve no 'personal data', or involve only the disclosure of non-personal data. But as per the DPA definition personal data has two limbs and so even de-identified data being leaked will be caught by the offence so long as it is not truly anonymous.||here|
|s.39(1 and 9) of the Statistics and Registration Service Act 2007 - Offence of unauthorised disclosure of personal information held by the Statistics Board (aka UKSA)||Core Offence - "Subject to this section personal information held by the (Statistics) Board in relation to the exercise of any of its functions must not be disclosed by (a) any member or employee of the Board, (b) a member of any committee of the Board, or (c) any other person who has received it directly or indirectly from the Board." (Note personal information is defined in near identical way to DPA personal data, but internal admin arrangements of the board (UKSA) are excluded even if they are personal data, and for SRSA persons include both natural persons and bodies corporate.)||CRIMINAL OFFENCE - Triable either way, max penalty is 2 years imprisonment and/or an unlimited fine in the Crown Court.||YES. Applies to any use of UKSA data under the Bill.||Any activity not involving UKSA data. Even in a share using UKSA data it would only apply in relation to the UKSA data and would not apply to say the DWP data it was matched with. It would also only apply in relation to the UKSA data that amounted to 'personal information' (see description of offence).||here|
|s.19 of the Commissioners of Revenue and Customs Act 2005 - Offence of wrongful disclosure of revenue and customs information||Core offence - "A person commits an offence if he contravenes section 18(1) [or (2A)] or 20(9) by disclosing revenue and customs information relating to a person whose identity—|
(a) is specified in the disclosure, or
(b) can be deduced from it.
(2) In subsection (1) “revenue and customs information relating to a person” means information about, acquired as a result of, or held in connection with the exercise of a function of the Revenue and Customs (within the meaning given by section 18(4)(c)) in respect of the person; but it does not include information about internal administrative arrangements of Her Majesty's Revenue and Customs (whether relating to Commissioners, officers or others).
(3) It is a defence for a person charged with an offence under this section of disclosing information to prove that he reasonably believed—
(a) that the disclosure was lawful, or
(b) that the information had already and lawfully been made available to the public."
|CRIMINAL OFFENCE - Triable either way, max penalty is 2 years imprisonment and/or an unlimited fine in the Crown Court.||YES. Would apply to any use of powers in the Bill where HMRC remains the data controller of the HMRC identifiable information at all times (e.g. TTP share with all bodies being processors) this is because the description of HMRC official in s.18(1) is clarified in s.18(4) to include any 'person acting on behalf of the Commissioners or an officer of Revenue and Customs' and so would include data processors of HMRC.||Only to shares featuring HMRC, and even then only to HMRC data and where HMRC remains the data controller of all the HMRC identifiable data at all times.||here|
|s.123 Social Security Administration Act 1992 - Offence of Unauthorised disclosure of information relating to particular persons||Core offence - "(1) A person who is or has been employed in social security administration or adjudication is guilty of an offence if he discloses without lawful authority any information which he acquired in the course of his employment and which relates to a particular person.|
(2) A person who is or has been employed in the audit of expenditure or the investigation of complaints is guilty of an offence if he discloses without lawful authority any information—
(a) which he acquired in the course of his employment;
(b) which is, or is derived from, information acquired or held by or for the purposes of any of the government departments or other bodies or persons referred to in Part I of Schedule 4 to this Act or Part I of [Schedule 4] to the Northern Ireland Administration Act; and
(c) which relates to a particular person."
(note s.123(6) goes on to define person who has been employed so as to include persons providing services to the various bodies specified in part 1 of sch 4, so would cover data processors as well)
|CRIMINAL OFFENCE - Triable either way, max penalty is 2 years imprisonment and/or an unlimited fine in the Crown Court.||YES. Would apply to any use of powers in the Bill where DWP (or other specified Social Security body) remains the data controller of the relevant identifiable information at all times (e.g. TTP share with all bodies being processors) this is because the description of 'person employed' includes any data processors of that body.||Only to shares featuring at least one of the bodies specified in Part 1 of Sch 4 of the Act, and even then only to where that body remains the data controller of all the data at all times. It also would not apply if the data does not relate to a particular person, or there is lawful authority for the disclosure or if the data has previously been disclosed to the public lawfully.||here|
|s.55A Data Protection Act 1998 - Power of Information Commissioner to impose a monetary penalty||The Information Commissioner may serve a monetary penalty notice on a data controller for a serious contravention of the data protection principles if it was of a kind likely to cause substantial damage or substantial distress. The Commissioner must also be satisfied that the contravention was deliberate or that the data controller knew or ought to have known that there was a risk that the contravention would occur, and that it would be of a kind likely to cause substantial harm or substantial distress but failed to take reasonable steps to prevent it occurring||MONETARY PENALTY RECOVERABLE THROUGH CIVIL COURTS - penalties of up to £500,000||YES. Applies to the processing of personal data in any form including the sharing of information and any potential leakage or abuse arising from such sharing.||Only shares which involve no 'personal data', or involve only the disclosure of non-personal data.|