Plain English Data Protection Act 2018 – Part 5.2

Anonymous Elizabeth

Part 5.2 – The Information Commissioner

More of the same about the duties and powers of the Information Commissioner in Part 5.2. I’m thinking that, while it is good to work through this legislation and begin to understand what tasks and processes we’ve set for ourselves, it will be neat a year or two on to see how we have tested this legislation. Sounds like a follow-up blog series in 2020 to me!

Section 129 – Consensual audits

I’m going to have to be honest and say that I read this as consensual adults. I was prepared for something a lot more interesting. But it really is as boring as it actually reads. With permission, the Commish can come in and undertake an audit of a controller’s practices.

Section 130 – Records of national security certificates

So the Commissioner will publish national security certificates. No big whoop. The text of the certificate can be redacted if the minister issuing the certificate believes that publishing it would be against the interests of national security, contrary to public interest and/or jeopardise the safety of any person.

Now I understand that we live under a system defined by precedent and that the test for whether any or all of these things are likely will most likely be left up to courts to define. I’d expect that, up until that time, people wishing to abuse the system will just say that one or more of these events are likely, causing the certificate to still be published, but without the text.

I’m uneasy about this because it seems silly to create a law and then wait patiently for people to abuse it to understand how we are going to start applying it. I see sense in that methodology as well, I’m just impatient. Impatience seems to be a 21st-century curse.

Section 131 – Disclosure of information to the Commissioner

This is a neat section. It declares that no law or rule will stop a person being able to disclose information to the Information Commissioner.

Section 132 – Confidentiality of information

This section strikes me as a little weird. It is essentially saying that this law also applies to the individuals who are or work for the Information Commissioner. Perhaps because they will likely have access to privileged information this needs to be stated outright? I would think that a law applies to everyone in the country, not just people who are not in the government.

I wouldn’t think writers of legislation would be that blatantly open about a differentiation between everyone and the ruling classes. There must be a use case I can’t foresee here.

Section 133 – Guidance about privileged communications

The Information Commissioner must write up guidance about how privileged information is handled and maintained securely.

Section 134 – Fees for services

You can be charged for any service that is outlined in GDPR or the DPA 2018 if you are not the data subject or a data protection officer (I think that is code for a company that is the subject of the request). Makes sense I guess.

I’m a bit in two minds about whether or not you need to list in your legislation that you can charge fees. Perhaps this is argued about so much that it is easier to put it in from the beginning rather than not putting anything and then arguing in courts whether or not you can charge?

Section 135 – Manifestly unfounded or excessive requests by data subjects etc

Then it is said in the very next section that a Commissioner can charge a fee if the data subject’s request is manifestly unfounded or excessive. Excessive is defined as merely repeating the substance of a previous request. The Commissioner also has to justify unfounded. So this is a bit better at explaining how to determine compliance.

Section 136 – Guidance about fees

The Commissioner needs to publish guidance about the fees so they aren’t sneaky. Sounds fair to me.

Section 137 – Charges payable to the Commissioner by controllers

This is perplexing a bit. Must be a use case that I again can’t see. But the Secretary of State (we’ve had the argument about whom that actually refers to) can require controllers to pay fees to the Commissioner. For what reason doesn’t seem to be indicated.

Section 138 – Regulations under section 137: supplementary

Follows on from section 137 and defines a bunch of loops that the Secretary of State must jump through to do this. There seems to be a lot of thought put into this power. I must just be missing the obvious reason for why this is required.

Section 139 – Reporting to Parliament

The Commissioner needs to report annually to Parliament.

Section 140 – Publication by the Commissioner

The report needs to be published.

Section 141 – Notices from the Commissioner

A definition of notices issued by the Information Commissioner, to give them a shape or format.


So I’m feeling a bit more buoyed after these last two parts. Perhaps there is a bit more hope for British legislation authors?

Born into the wilds of mid-western America, Matthew has lived his life creating. The kind of kid that bought a tarp, some PVC pipe and a skate board; fashioned himself a windsurfing set-up and then saw an opportunity in a local tornado. "Sorry Mom." Undergraduate in Art and Design, Doctorate in Scottish History, Matthew came late to the realisation that if he's going to use his diverse skill set he'd have to employ himself.