Failure to comply with the provisions of the Data Protection Act is not in itself a criminal offence. Criminal offences can be committed under section 17 (processing personal data without notification) and section 55 (unlawful obtaining and selling of personal data).
Since the Act came into force the Information Commissioner, who is the independent supervisory authority, has successfully prosecuted individuals and organisations in the criminal courts on 46 different occasions for offences under sections 17 and 55 of the Act. These figures do not include all those who have breached the Act or been served with an enforcement notice for a breach which is not a criminal offence.