Over the weekend, the Mail on Sunday piled more pressure on Prince Andrew.
It alleged that he asked his police protection officer to investigate his accuser, Virginia Giuffre, just before the newspaper published a photo of Ms Giuffre’s first meeting with the prince in February 2011. The Mail alleges that Prince Andrew gave the officer her date of birth and social security number. The Sunday Telegraph also claimed that he “sought to dig up dirt” on Ms Giuffre.
Ms Giuffre, who took her own life earlier this year, said she was among the girls and young women sexually exploited by convicted sex offender Jeffrey Epstein and his wealthy circle. Prince Andrew has consistently denied all allegations against him.
The Metropolitan Police said on Sunday, “We are aware of media reporting and are actively looking into the claims made.”
Of course, we don’t have detailed information about the circumstances around the latest allegations against Prince Andrew, but (if true) there is a possible breach of Section 170 of the Data Protection Act 2018 (DPA). This makes it a criminal offence for a person to knowingly or recklessly:
(a) obtain or disclose personal data without the consent of the controller,
(b) procure the disclosure of personal data to another person without the consent of the controller, or
(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
So if the latest allegations are true, Prince Andrew and/or his police protection officer at the time could have committed a criminal offence under the DPA 2018. Unlike the other allegations against him, this offence does not carry a prison term, just a fine. Successive Information Commissioners have argued that a custodial sentence under S.170 would be a better deterrent (but to no avail).
Will the Information Commissioner’s Office be knocking on Prince Andrew’s door? In June 2023, the ICO disclosed that, since 1st June 2018, 92 cases involving S.170 offences were investigated by its Criminal Investigations Team. There have been a number of more recent S.170 prosecutions. These often involve people accessing/disclosing confidential information for financial gain.
Depending again on the circumstances, there may also be an offence under section 1 of the Computer Misuse Act 1990, which carries tougher sentences, including a maximum of 2 years’ imprisonment on indictment. In July 2022, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners. In August 2022, the ICO commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of customers’ personal data from vehicle repair garages to generate potential leads for personal injury claims.
