Unlawfully obtaining etc. personal data
75 Power to alter penalty for unlawfully obtaining etc. personal data
(1) The Secretary of State may by order provide for a person who is guilty of an offence under section 55 of the Data Protection Act 1998 (c. 29) (unlawful obtaining etc. of personal data) to be liable—
(a) on summary conviction, to imprisonment for a term not exceeding the specified period or to a fine not exceeding the statutory maximum or to both,
(b) on conviction on indictment, to imprisonment for a term not exceeding the specified period or to a fine or to both.
(2) In subsection (1)(a) and (b) “specified period” means a period provided for by the order but the period must not exceed—
(a) in the case of summary conviction, 12 months (or, in Northern Ireland, 6 months), and
(b) in the case of conviction on indictment, two years.
(3) The Secretary of State must ensure that any specified period for England and Wales which, in the case of summary conviction, exceeds 6 months is to be read as a reference to 6 months so far as it relates to an offence committed before the commencement of section 282(1) of the Criminal Justice Act 2003 (increase in sentencing powers of magistrates’ courts from 6 to 12 months for certain offences triable either way).
(4) Before making an order under this section, the Secretary of State must consult—
(a) the Information Commissioner,
(b) such media organisations as the Secretary of State considers appropriate, and
(c) such other persons as the Secretary of State considers appropriate.
(5) An order under this section may, in particular, amend the Data Protection Act 1998.
76 New defence for purposes of journalism and other special purposes
In section 55(2) of the Data Protection Act 1998 (c. 29) (defences against offence of unlawfully obtaining etc. personal data) after “it,” at the end of paragraph
“(ca) that he acted—
(i) for the special purposes,
(ii) with a view to the publication by any person of any journalistic, literary or artistic material, and
(iii) in the reasonable belief that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest,”.
77 Data protection: additional offences
(1) After section 55 of the Data Protection Act 1998 (c. 29) insert—
“55A Data protection: additional offences
(1) A data controller must not—
(a) intentionally or recklessly disclose information contained in personal data to another person,
(b) repeatedly and negligently allow information to be contained in personal data to be disclosed, or
(c) intentionally or recklessly fail to comply with duties under section 4(4).
(2) Subsection (1)(a) does not apply if the data controller can show that the disclosure—
(a) was necessary for the purpose of preventing or detecting crime,
(b) was required or authorised by or under any enactment, by any rule of law, or by the order of a court, or
(c) was justified in the particular circumstances as being in the public interest.
(3) This section shall apply whether or not the data controller is—
(a) a relevant authority under section 29, or 30
(b) exercising a relevant function under section 31.
(4) A data controller who contravenes subsection (1) is guilty of an offence.”
(2) In section 63 of the Data Protection Act 1998, omit subsection (5).