Question to the Department for Digital, Culture, Media & Sport:

To ask the Secretary of State for Digital, Culture, Media and Sport, what recent assessment she has made of the potential merits of making the misuse of (a) personal details or (b) corporate details a police recordable crime.

The Data Protection Act 2018 (DPA) contains a number of criminal offences relating to the misuse of personal data. They include, at section 170, the unlawful obtaining, disclosing, or retaining personal data without the consent of the data controller; and at section 171, the re-identification of de-identified personal data without a lawful reason.

The penalties for these offences are set out in section 196 of the DPA. A person who is convicted is liable to an unlimited fine in the courts. Under section 199 of the DPA, these offences are recordable which means that those committing such offences will have a criminal record on conviction.

The ICO has a range of enforcement powers under the DPA to tackle the unlawful processing of personal data, including the power to require organisations to stop risky processing activities or serve civil monetary penalties. Details of the ICO’s enforcement activity can be found on its website.

In addition to offences under the DPA, there are a number of other recordable criminal offences relating to the misuse or theft of personal data and company information, which can be prosecuted in certain circumstances. They include offences under the Computer Misuse Act 1990, the Theft Acts and the Fraud Act 2006.