Breaches and Offences

Section 2(4) of the Act states:

"it is the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller".

A data controller breaches the Act by failing to comply with this duty, although it is not an offence to contravene the data protection principles.

There are several offences which can result in a fine of up to £5000 in the Summary Court or an unlimited fine in the High Court. These are:

  • Failure to notify the Commissioner of processing;
  • Failure to notify the Commissioner of changes to the register entry;
  • Failure to make certain information relating to notification available on request;
  • Failure to comply with an Enforcement Notice, an Information Notice or a Special Information Notice;
  • Making a false or reckless statement in purported compliance with a Notice;
  • The unlawful obtaining or disclosure of personal data, or the procuring of such;
  • Intentionally obstructing, or failing to give assistance reasonably required to, a person executing a warrant.

Where an offence has been committed, there may also be personal liability for directors and/or other similar officers.


From 1 February 2016, section 63 of the Freedom of Information Act introduced the offence of record tampering in relation to compliance with subject access requests. This ONLY applies to public authorities specified under the Freedom of Information Act.