Part 5.1 – The Information Commissioner
I start this process with a heavy heart after having to endure through sections on law enforcement and intelligence services. I only hope that this part can go further to help us understand what is required in relation to data protection in the UK.
Section 114 – The Information Commissioner
I feel like I’ve been unduly harsh on this legislation so far. However, I’ve run across a statement here that says, “There is to continue to be an Information Commissioner.” Now, that is all fine and good, but you would think the phrase should be something like that there is a requirement to have an Information Commissioner.
The reason being that while a bit pedantic (and if you can be pedantic with legislation then there is really no reason) the current wording suggests that there is something previous dictating that there be an Information Commissioner that is not referenced. So a reader of this legislation has nothing to go back to and see if there is something that is still in effect such as the Data Protection Act of 1998 or even GDPR (even though that is pretty explicit throughout the document). In my opinion, this legislation is littered with these little inconveniences that make this legislation at best a rush job, at worst incompetent.
Section 115 – General functions under the GDPR and safeguards
So I spent the last article chastising this legislation, but for this section, I’m going to have to do a complete flip. This is what I expected this legislation to be. This section sets out that the powers of the Information Commissioner in relation to what was set out in the GDPR and then makes qualifications in regard to how those powers are utilized here in the UK. This is the process as set out in GDPR to begin with.
All in all nothing exciting here, the slight modifications to the powers are that the Information Commissioner might need to use certain methods such as an information notice or an enforcement notice. Nothing unduly restrictive, but essentially lining up the GDPR powers with the processes found in the UK.
Section 116 – Other general functions
Noting the fact that the Information Commissioner is the dude as referred to in several other pieces of legislation and that GDPR is not the be all and end all of the ICs duties.
Section 117 – Competence in relation to courts etc
This article seems a bit confusing. “Nothing in this Act permits or requires the Commissioner to exercise functions in relation to the processing of personal data…” in relation to judiciary processes. I believe they are saying that the courts can’t use this position to get out of ruling on Data Protection issues?
Section 118 – Co-operation and mutual assistance
This is a bit muddled, but making clarifications about co-operation and mutual assistance between several organisations. I’m probably a bit too naive and think that this is a given in public service. Actually, I know I’m a bit naïve, so seeing this is probably better than not.
Section 119 – Inspection of personal data in accordance with international obligations
Oooh, this has some teeth. The IC can inspect and test processes including automated processes that process personal data. I don’t know if this will be used to any great degree, but I like the fact that we have given power for someone to explore these processes and not be turned away with comments such as ‘commercially sensitive’ or ‘it’s too complex.’
Section 120 – Further international role
The Information Commissioner is responsible for putting in place the systems that help the UK carry out its international obligations.
Section 121 – Data-sharing code
The IC has to write a data sharing code. Now they currently have one, but as per a big advisory note on the cover, it has not been updated since DPA 2018 became law. At least it shows they are working on it. So high five ICO!
Section 122 – Direct marketing code
Like the data sharing code this has been written, but an advisory indicates that while this has been updated to comply with GDPR requirements they are working to update the entire code. Another high five!
Section 123 – Age-appropriate design code
This code has yet to be written, but a call for evidence has been put out and has now closed. We’ll wait and see what is produced. This will be an interesting new turn for data protection in the UK.
Section 124 – Data protection and journalism code
The UK has a Data Protection and journalism Guide that it wrote in 2014. There is no advisory that this is being updated, but I would expect that once other codes are brought up to snuff this will be looked at. Unless it is seen as sufficient for the requirement:
Section 125 – Approval of codes prepared under sections 121 to 124
There is a process that is invoked to approve these codes as and when they are written or updated.
Section 126 – Publication and review of codes issued under section 125(4)
These codes have to be published.
Section 127 – Effect of codes issued under section 125(4)
These codes are not legally binding, however they are there and act as guidance for the judiciary should they be presiding over any disputes involving these codes.
Section 128 – Other codes of practice
More codes can be written.
I am rather heartened, by this part so far. This is what I expected this legislation to be. An extension of the GDPR with qualifications to fit that European legislation into our own systems. Long live this type of legislation.