Plain English Data Protection Act 2018 – Part 6.1

Anonymous Judge Dredd
Anonymous Judge Dredd

Part 6.1 – Enforcement

It’s starting to get juicy now. Part 6.1 takes a look at the powers the Information Commissioner’s Office. I’m picturing jackboots and automatic weapons.

Section 142 – Information notices

Legislation is a wonderfully unique type of literature. Storytelling it definitely is not unless the UK has started to hire the guy who wrote Memento to write their laws. We have here the definition of an ‘Information Notice’ we’ve banded the term about several times before we knew what it was. But that feels a lot like politics so I can see the parallel.

Of the enforcement levels, we will encounter, this is the polite version. This is the let’s get to the bottom of this together version of enforcement. It is generally a polite request for information which follows a few common sense guidelines.

Section 143 – Information notices: restrictions

All the common restrictions apply, for example, the government cannot use this legislation to get access to privileged information between an attorney and a client.

Section 144 – False statements made in response to information notices

Paraphrasing here it is an offense to lie or recklessly lie in response to an Information Notice.

Section 145 – Information orders

This is mostly the same as an Information Notice, with the notable difference that it is the not nice version. If a person was served an Information Notice and a court deems that the recipient did not comply then the court can issue an Information Order which compels the recipient to comply. It’s much like the letter you receive stamped with Final Demand in big red letters.

Section 146 – Assessment notices

Where the Information Notice was a polite request for information which could escalate to an Information Order the Assessment Notice is the big guns. This is the written notice that the Information Commissioner’s Office needs to gain access and assess a situation. This is what happens after your Mum tells you that’s she’s coming upstairs to sort you and your brothers out.

Fun fact: after the clauses depicting what you would expect such as the Information Commissioner can enter your premises and examine documents it also allows the Information Commissioner to enter your personal house and search for documents. That makes very good sense but will be a shock to the system the first time that power is used.

Section 147 – Assessment notices: restrictions

Same basic restrictions as you find with Information Notices. I did notice a quirk in the wording that exists in both sections though.

So the wording is as such: “An assessment notice does not have effect so far as compliance would result in the disclosure of a communication which is made…between a professional legal adviser and the adviser’s client or between such an adviser or client and another person.” Now if you think about that technically that would mean any disclosure that looks at communications between two people where one of them has ever had a discussion with a legal professional. Obviously, that’s not what was intended, but this seems a bit sloppy.

Section 148 – Destroying or falsifying information and documents etc

If given an Information Notice or an Assessment Notice it is an offense to destroy or falsify required materials. However, if you can prove that something was destroyed was going to be destroyed anyway that is a defense against this offense. So for example, if you have a monthly contract with a shredding company to shred old documents and the Information Commissioner asks for something that gets shredded because of this business process you’ve already set up then you don’t have to be accused of being dastardly.

Section 149 – Enforcement notices

This is the fix it notice. If the Information Commissioner decides you are doing something wrong as defined in this section then they can issue this notice which can either ask you to take steps to fix something or not to take steps to prevent you making something worse.

Section 150 – Enforcement notices: supplementary

Basic details about what details are to be contained within the Enforcement Notice such as details and reasons about the failures, compliance times, actions etc. There is also a shortcut that allows the Commish to suggest you really need to fix something fast with the implication it is a glaring issue and you will need to acquiesce.

Section 151– Enforcement notices: rectification and erasure of personal data etc

Specific details about Enforcement Notices that require updates or erasure of personal data. Now I’ve been wondering a lot lately about the exact nature of personal data. The definition is plain as day in GDPR and in the DPA 2018 and runs: “means any information relating to an identified or identifiable living individual” which is fine, but literally means almost all data.

So take for example the word ‘Scotland’ by itself it is relatively anonymous it doesn’t refer to any identifiable individual, but match it with say the Electoral Roll and then it can be matched with identifiable individuals making it technically personal data. But that is ridiculous you say there is no way for that single word to be considered personal. Well, what about random strings of eleven digit numbers. Eventually, you’ll hit on a phone number which in conjunction with a phone book is linked to a personally identifiable person. Is a list of random eleven digit numbers?

What about a person’s name? My name is Matthew Davis, but just the name alone doesn’t really come back to just myself there are others in this country and across the world with that name.

I’m looking for a test that allows me to understand that the data I’m looking at is personal or not. My argument is that it would be a lot less obvious than at first imagined.

Section 152 – Enforcement notices: restrictions

A few minor restrictions. This is the document to help identify and correct issues. I’m ultimately a fan, although I hope I never see the business end of one.

Section 153 – Enforcement notices: cancellation and variation

And like all good things Enforcement Notices can come to an end with a few guidelines to define how.

Section 154 – Powers of entry and inspection

They can come in and they can find those dirty dishes you conveniently forgot to wash.

Section 155 – Penalty notices

This is the Enforcement Notice if you weren’t just accidentally wrong. This is the one that makes you pay money to the Information Commissioner’s Office.

Section 156 – Penalty notices: restrictions

There are a few restrictions as you would expect with the punitive

Section 157 – Maximum amount of penalty

Nothing has really changed, the maximum amount for a monetary penalty is still the famed €20 million or 4% of annual turnover.

This fact alone has launched a million companies claiming that they can prepare your business for GDPR. They can do this for a not insignificant fee. I really hope that we could harness this energy to do some good in the world rather than support a handful of bank balances.

Section 158 – Fixed penalties for non-compliance with charges regulations

The parking ticket version of the Penalty Notice.

Section 159 – Amount of penalties: supplementary

A few notes, the most interesting to me is that the Secretary of State (remember how confusing that can be?) can make provision for determining how turnover is defined for an undertaking (fancy word for a company). I like this particular clause as it recognizes that this is not as simple as it might appear. It makes me feel warm to glimpse intelligence behind this legislation.

This might be an unfair criticism because there is still the possibility that I am not qualified to understand the brilliance of this document. So I’d suggest you make your own conclusions, but the work I have done leads me to believe we need to locate the brilliance within our own citizens that we can bring to bear on these type of exercises.

Section 160 – Guidance about regulatory action

The Information Commissioner’s Office needs to publish guidance on these Enforcement tools.

Section 161 – Approval of first guidance about regulatory action

Secretary of State gets a final say on the guidance and then there are several clauses really focusing on the time limit needed. 40 days, very biblical in nature.


I’m starting to feel that I would have enjoyed a career in constitutional law. As an outsider’s opinion, I would like to see more people in Constitutional Law that have training in software development. I would like to see a level of logic or of elegance written into these documents.

Previous articlePlain English Data Protection Act 2018 – Part 5.2
Next articlePlain English Data Protection Act 2018 – Part 6.2
Born into the wilds of mid-western America, Matthew has lived his life creating. The kind of kid that bought a tarp, some PVC pipe and a skate board; fashioned himself a windsurfing set-up and then saw an opportunity in a local tornado. "Sorry Mom." Undergraduate in Art and Design, Doctorate in Scottish History, Matthew came late to the realisation that if he's going to use his diverse skill set he'd have to employ himself.