Plain English Data Protection Act 2018 – Part 4.1

Anonymous Snowden
Anonymous Snowden

Part 4.1 – Intelligence Services Processing

Alrighty, then I’m not sure why this even needs to be written down here in part 4.1. I know that an intelligence service as honourable as the GCHQ has never ever overstepped its bounds…what’s that…illegal mass surveillance made public by the Investigatory Powers Tribunal. Crap. I’ll buy the tin foil if you make the hats.

Chapter 1 – Scope and Definitions

Section 82 – Processing to which this Part applies

Here we go being redundant again. This is just pointing out that we are talking about Security Service, Secret Intelligence Service, and GCHQ.

Section 83 – Meaning of “controller” and “processor”

I’m sure it’s not meant to be scary, but the definition of processor lies open the fact that our intelligence service can outsource data processing. There would be absolutely nothing wrong with that, a strong contract and this legislation will guarantee no data breaches or misuse.

Section 84 – Other definitions

Redundant. That this is happening so much in this document I have to believe there is a legal reason for this. No sane person would write in this manner unless they were attempting to fit a system.

Chapter 2 – Principles

Section 85 – Overview

This is just dumb. I’m telling you what you are going to be reading. Would be able to tell if you just read it yes, but here we’ve given you a whole section to prepare yourself for it.

Section 86 – The first data protection principle

So this was getting so redundant that I thought I’d throw this part into a difference checker against the previous law enforcement part. Now if you haven’t seen a difference checker before what it does is it throws two bodies of text against each other and attempts to line them up and locate particular differences.

And I am finding that there are differences, but these look more like they have been written by different individuals, as opposed to any actual real differences in the text. Almost like this was written by representatives of different services and nobody sat down afterward with a red pen and told everyone that they have just written a pile of garbage.

I am starting to get a suspicion that my frustration is being caused by the dreaded design by committee. But to not skip the key aspect of this section the main takeaway is that processing must be lawful.

Section 87 – The second data protection principle

Processing must be specific and legitimate.

Section 88 – The third data protection principle

Processing must be adequate.

Section 89 – The fourth data protection principle

Processing must be accurate.

Section 90 – The fifth data protection principle

Personal data must be kept for no longer than is necessary…yeah I believe this will be absolutely followed by the Intelligence Services.

Section 91 – The sixth data protection principle

Processing must be processed in a manner that takes appropriate security measures.

Chapter 3 – Rights of the Data Subject

Section 92 – Overview

Another mid-document table of contents.

Section 93 – Right to information

This is getting a bit difficult to believe that I can ask GCHQ for all metadata regarding linking my phone records to my internet browsing history. It says I can though.

Section 94 – Right of access

Significantly doubt this. I wonder if anyone has actually given this a go yet?

Section 95 – Right of access: supplementary

I really thought this would essentially read, “yeah but no.” I don’t know what clauses intelligence services would use to get out of complying with any of these rights other than downright lying. Which in all honesty is what I would expect. It is a lot easier to just say that it is impossible or requires disproportionate effort and when questions say that all systems are classified you have to take my word on it.

Section 96 – Right not to be subject to automated decision-making

I do not believe this. Especially when you hear about activities such as rendition. Firmly stating that you do not agree with automated decision making is not going to stop the operative in a black site from beating the living crap out of you. You might get a laugh though.

Section 97 – Right to intervene in automated decision-making

Not for one second.

Section 98 – Right to information about decision-making

Nope. Classified.

Section 99 – Right to object to processing

GCHQ intercepted foreign politicians’ communications at G20 Summit, I’m just going to leave this Guardian headline right here.

Section 100 – Rights to rectification and erasure

Who has the power to check?


So this journey has brought two things to the fore. First, that redundancy has and will most likely be a ‘feature’ of this legislation. My best suspicion is design by committee. And second that I don’t believe this section is worth the ink it was printed with. We have seen British intelligence get caught out after the Snowden revelations and we didn’t get much more than the British government saying, “Phew, it was good to get that off our chest, now everything is legal because you know about it now.”

Previous articlePlain English Data Protection Act 2018 – Part 3.3
Next articlePlain English Data Protection Act 2018 – Part 4.2
Born into the wilds of mid-western America, Matthew has lived his life creating. The kind of kid that bought a tarp, some PVC pipe and a skate board; fashioned himself a windsurfing set-up and then saw an opportunity in a local tornado. "Sorry Mom." Undergraduate in Art and Design, Doctorate in Scottish History, Matthew came late to the realisation that if he's going to use his diverse skill set he'd have to employ himself.