UK Act of Parliament 2017 United Kingdom

Higher Education and Research Act 2017

What this means for your business

17 obligations | 11 penalties | 9 can imprison | 4 guides
Enforced by: IPO, OPSS, ECJU
Applies to: United Kingdom
17 compliance obligations, 4 practical guides across 3 topics

What you must do

17 compliance obligations under this legislation — 9 can result in imprisonment.

Management duties (3)

Ensure research disclosures comply with data protection & IP law

If you share or publish any information for research, you must first make sure it isn’t protected data or IP that you’re not allowed to disclose. In other words, you shouldn’t release info that contravenes GDPR or the Investigatory Powers Act. Failing to do so can lead to prosecution.

Any Person | s.65 | IPO | When you disclose information for research purposes

Follow the code of practice when disclosing or using information under s.48

If your business ever discloses information or uses information that is covered by section 48 of the Higher Education and Research Act 2017, you must follow the minister’s code of practice on that disclosure and use. This means checking the relevant code and making sure your handling of the data complies with it.

Any Person | s.52 | IPO | When disclosing or using information under section 48 of the Higher Education …

Follow the ministerial code when disclosing higher‑education data

If you share or use data that falls under sections 35‑39 of the Higher Education and Research Act, you must read and comply with the minister’s code of practice. The code explains when and how you can disclose personal information and what safeguards are required. In practice, you’ll need to consider the code every time you share or reuse such data.

Any Person | s.43 | IPO | When disclosing or using information that is covered by sections 35‑39 of …

Other requirements (2)

Follow the code of practice when disclosing information under s56

If your business ever has to share information under section 56 of the Higher Education and Research Act, you must do it in line with the Minister’s code of practice (and any related data‑protection codes). In practice this means checking the code before you release or use the data and keeping a record that you have done so.

Any Person | s.60 | IPO | When disclosing or using information under section 56 of the Higher Education …

Follow the Statistics Board code when handling personal data under s64

If your business discloses, processes or uses personal information under section 64 of the Higher Education and Research Act, you must take the Statistics Board’s code of practice into account. This means checking the code and ensuring your own procedures align with it whenever you handle that data.

Any Person | s.70 | IPO | When you disclose, process or use personal information under section 64 of …

Offences and prohibitions (11)

Disclose personal HMRC information without permission

2 years imprisonment

If your business receives personal data from HM Revenue & Customs and you pass it on without HMRC’s consent, you commit a criminal offence. On conviction you face an unlimited fine and up to two years’ imprisonment, unless you can show you reasonably believed the disclosure was lawful or the information was already public.

Any Person | s.42 | Ofcom

Disclose personal information from Revenue Scotland without permission

2 years imprisonment

If your business receives personal data from Revenue Scotland under sections 64(1) or 64(5) and then shares that data without the required consent, you commit a criminal offence. Conviction can lead to up to 12 months in prison and an unlimited fine on summary conviction, or up to 2 years in prison and an unlimited fine on indictment.

Any Person | s.69 | Ofcom

Disclose personal information without authority

2 years imprisonment

If your business shares personal data that you received under the Higher Education and Research Act (sections 35‑39) when the law requires you to keep it confidential, and you know or are reckless about the breach, you commit a criminal offence. On conviction you could face up to two years’ imprisonment, an unlimited fine, or both.

Any Person | s.41 | Ofcom

Illegally disclose personal information

2 years imprisonment

If your business receives personal data under section 56 and then discloses it (or allows someone else to disclose it) without a legal excuse, you commit a criminal offence. The offence applies when you know the disclosure is unauthorised or are reckless about it. On conviction you face up to two years’ imprisonment and an unlimited fine, and the case can be tried either in the Crown Court or, in certain circumstances, in a magistrates’ court.

Any Person | s.58 | Ofcom

Infringe copyright or making‑available right by communicating work to the public

If your business communicates a copyrighted work (or a recording with a performer’s making‑available right) to the public, and you know or should know that this infringes the copyright, you commit an offence when you do it for profit or when you cause, or risk causing, a loss to the rights holder. Conviction can lead to a fine and/or imprisonment, the exact limits of which are set out in the underlying Copyright, Designs and Patents Act 1988.

Any Person | s.32 | Ofcom

Unauthorised disclosure of HMRC personal data

6 months imprisonment

If your business receives personal information from HMRC and then shares it without the Commissioners’ consent, you commit a criminal offence. You may avoid conviction only if you can show you reasonably believed the disclosure was lawful or that the information was already public. A conviction can lead to an unlimited fine and possible imprisonment, with the exact penalties set out in another Act.

Any Person | s.59 | Ofcom

Unauthorised disclosure of HMRC personal data

2 years imprisonment

If your business receives personal information from HM Revenue & Customs (for example, tax data about employees or customers) you must not pass it on to anyone else unless you have HMRC’s consent. Sharing that information without permission is a criminal offence. If you are prosecuted you could face a fine and possibly other penalties as set out in the Commissioners for Revenue and Customs Act 2005.

Any Person | s.51 | Ofcom

Unauthorised disclosure of personal data from Welsh Revenue Authority

2 years imprisonment

If your business receives personal information from the Welsh Revenue Authority under sections 64(1) or 64(5) and you share that data with anyone else without the required permission or a permitted purpose, you commit a criminal offence. Conviction can lead to up to two years’ imprisonment and an unlimited fine, with the case potentially tried in either a magistrates’ court or a Crown Court.

Any Person | s.68 | Ofcom

Unauthorised disclosure of personal data received from HMRC

Unlimited fine

If your business receives personal information from HM Revenue & Customs for research or processing and then shares it with anyone else (unless an explicit exemption applies), you commit a criminal offence. Breaching this rule can lead to an unlimited fine and, in the most serious cases, imprisonment. A defence is available only if you can show you reasonably believed the disclosure was lawful or that the data was already public.

Any Person | s.67 | Ofcom

Unauthorised disclosure of personal information

2 years imprisonment

If your business receives personal information under section 48 of the Higher Education and Research Act and then shares it without a lawful reason, you have committed a criminal offence. The offence applies when you know, or are reckless about, the breach. Conviction can lead to up to two years in prison, an unlimited fine, or both.

Any Person | s.50 | Ofcom

Unauthorised disclosure of personal research data

2 years imprisonment

If your organisation receives personal information for research or processing under the Higher Education and Research Act and then discloses it in breach of the rules, knowing or being reckless about the breach, you commit a criminal offence. On conviction you face up to two years’ imprisonment and an unlimited fine (or both). The offence can be tried in either a magistrates’ court or a Crown Court depending on the case.

Any Person | s.66 | Ofcom

Registration and licensing (1)

Register with OFCOM and comply with conditions for dynamic spectrum access services

If your business provides a service that tells users which radio frequencies are available and how they can be used, you must apply to OFCOM for registration, pay any required fees and follow any conditions OFCOM sets. OFCOM can change or cancel your registration and can impose financial penalties if you breach those conditions.

Any Person | s.8 | IPO | When you provide or intend to provide a dynamic spectrum access service

Penalties for non-compliance

11 penalties under this legislation. 9 can result in imprisonment. 10 carry an unlimited fine.

Prison risk

Disclose personal HMRC information without permission

Unlimited fine and/or 2 years imprisonment

Either way | s.42 | Penalises: Disclose personal HMRC information without permission

Prison risk

Disclose personal information from Revenue Scotland without permission

Unlimited fine and/or 2 years imprisonment

Either way | s.69 | Penalises: Disclose personal information from Revenue Scotland without permission

Prison risk

Disclose personal information without authority

Unlimited fine and/or 2 years imprisonment

Either way | s.41 | Penalises: Disclose personal information without authority

Prison risk

Illegally disclose personal information

Unlimited fine and/or 2 years imprisonment

Either way | s.58 | Penalises: Illegally disclose personal information

Prison risk

Unauthorised disclosure of HMRC personal data

Unlimited fine and/or 6 months imprisonment

Either way | s.59 | Penalises: Unauthorised disclosure of HMRC personal data

Prison risk

Unauthorised disclosure of HMRC personal data

Unlimited fine and/or 2 years imprisonment

Either way | s.51 | Penalises: Unauthorised disclosure of HMRC personal data

Prison risk

Unauthorised disclosure of personal data from Welsh Revenue Authority

Unlimited fine and/or 2 years imprisonment

Either way | s.68 | Penalises: Unauthorised disclosure of personal data from Welsh Revenue …

Prison risk

Unauthorised disclosure of personal information

Unlimited fine and/or 2 years imprisonment

Either way | s.50 | Penalises: Unauthorised disclosure of personal information

Prison risk

Unauthorised disclosure of personal research data

Unlimited fine and/or 2 years imprisonment

Either way | s.66 | Penalises: Unauthorised disclosure of personal research data

Unlimited fine

Unauthorised disclosure of personal data received from HMRC

Unlimited fine

Summary only | s.67 | Penalises: Unauthorised disclosure of personal data received from HMRC

Fine

Infringe copyright or making‑available right by communicating work to the public

Penalty applies

s.32 | Penalises: Infringe copyright or making‑available right by communicating work …

Practical guidance

Our guides explain how to comply with the requirements above.

Sections and provisions

129 classified provisions from this legislation.

Duties (6)

  • s.8 Regulation of dynamic spectrum access services person
  • s.43 Code of practice of sections 35
  • s.52 Code of practice
  • s.60 Code of practice
  • s.65 Provisions supplementary to section 64 of Parts 1
  • s.70 Code of practice

Offences and penalties (12)

  • s.20 Financial penalties imposed by regulator
  • s.32 Offences: infringing copyright and making available right
  • s.41 Confidentiality of personal information
  • s.42 Information disclosed by the Revenue and Customs
  • s.50 Confidentiality of personal information
  • s.51 Information disclosed by the Revenue and Customs
  • s.58 Confidentiality of personal information
  • s.59 Information disclosed by the Revenue and Customs
  • s.66 Bar on further disclosure of personal information
  • s.67 Information disclosed by the Revenue and Customs
  • s.68 Information disclosed by the Welsh Revenue Authority
  • s.69 Information disclosed by Revenue Scotland

Powers (20)

  • s.5 Power to make transitional provision in connection with the code
  • s.6 Power to make consequential provision etc in connection with the code
  • s.7 Application of the code: protection of the environment
  • s.18 Regulator's power to require information
  • s.23 Regulator's power to require internet service providers to block access to material
  • s.24 No power to give notice under section 23(1) where detrimental to national security etc
  • s.35 Disclosure of information to improve public service delivery
  • s.36 Disclosure of information to gas and electricity suppliers etc
  • s.37 Disclosure of information by gas and electricity suppliers etc
  • s.39 Disclosure of information by water and sewerage undertakers etc
  • s.44 Regulations under this Chapter
  • s.54 Regulations under this Chapter
  • s.62 Regulations under this Chapter
  • s.64 Disclosure of information for research purposes
  • s.71 Accreditation for the purposes of this Chapter
  • s.72 Delegation of functions of the Statistics Board
  • s.97 Televising events of national interest: power to amend qualifying conditions
  • s.106 Power to create offence of breaching limits on internet and other ticket sales
  • s.115 Guarantee of pension liabilities under Telecommunications Act 1984
  • s.116 Regulations under section 115

Definitions (23)

  • Schedule 2 The electronic communications code: transitional provision
  • Schedule 4 Public service delivery: specified persons for the purposes of section 35
  • Schedule 5 Public service delivery: specified persons for the purposes of sections 36 and 37
  • Schedule 8 Specified persons for the purposes of the fraud provisions
  • s.30 Interpretation and general provisions relating to this Part
  • s.38 Disclosure of information to water and sewerage undertakers etc
  • s.45 Interpretation of this Chapter etc
  • s.47 Consequential provision
  • s.48 Disclosure of information to reduce debt owed to the public sector
  • s.55 Interpretation of this Chapter
  • s.56 Disclosure of information to combat fraud against the public sector
  • s.63 Interpretation of this Chapter
  • s.73 Interpretation of this Chapter
  • s.74 Disclosure of non-identifying information by the Revenue and Customs
  • s.75 Disclosure of non-identifying information by the Welsh Revenue Authority
  • s.76 Disclosure of non-identifying information by Revenue Scotland
  • s.77 Disclosure of employer reference information by the Revenue and Customs
  • s.104 Internet filters
  • s.107 Prevention or restriction of use of communication devices for drug dealing
  • s.112 Power to apply settlement finality regime to payment institutions
  • ... and 3 more definitions

Exemptions (9)

  • s.10 Fixed penalties under Wireless Telegraphy Act 2006
  • s.11 Search warrants under Wireless Telegraphy Act 2006
  • s.12 Disposal of seized property under Wireless Telegraphy Act 2006
  • s.40 Further provisions about disclosures under any of sections 35 to 39
  • s.49 Further provisions about power in section 48
  • s.57 Further provisions about power in section 56
  • s.80 Access to information by the Statistics Board
  • s.91 Suspension of radio licences for inciting crime or disorder
  • s.98 Strategic priorities and provision of information