Data misuse is often discussed alongside cybersecurity, within the overall context of data protection, but it is important to distinguish between data which has been obtained legitimately but then misused and data which has been collected illegally (e.g. without consent) or stolen (via computer hacking).

Data theft generally involves a cyberattack or harvesting of data by other means where data subjects are unaware of the collection or modification of their data; this type of cybercrime is largely covered by the Computer Misuse Act. Even where the data is provided knowingly and willingly, its collection may still be illegal if it breaches the Data Protection Act (DPA) or General Data Protection Regulation (GDPR).

The term “data misuse” is normally applied to personal data which was initially provided willingly and legitimately by customers to a company, but is later used (either by the company or a third party) for purposes outside the scope of the legitimate reasons for the initial data collection. This is what we will be discussing in this article.