DPA 2018: Enforcement Mechanisms
Enforcement Mechanisms [Sections 142-169]
Rule: The Information Commissioner has extensive enforcement powers including information gathering, assessments, enforcement notices, penalties up to £17.5m or 4% of global turnover, with rights of appeal to the Tribunal.
Part 6: The Information Commissioner
Part 6 of the Data Protection Act 2018 establishes the Commissioner’s enforcement toolkit for investigating, correcting, and penalizing data protection violations.
Information Notices [Sections 142-145]
Section 142: Power to Require Information
| Power | Details | Citation |
|---|---|---|
| Information notices | Commissioner can require controller/processor to provide information | s.142(1) |
| Scope | Information reasonably required to determine compliance | s.142(2) |
| Form | Written notice specifying information and timeframe | s.142(3) |
| Assistance | Can require explanation or assistance | s.142(4) |
What can be required:
- Documents and records
- Explanations of data processing activities
- Details of security measures
- Information about data flows
- Evidence of consent or legal basis
- Compliance documentation
Timeframe:
- Notice must specify deadline for response
- Must be reasonable given scope of request
- Can be extended on application
Section 143: Restrictions on Information Notices
Protected information cannot be required:
| Protection Type | Description | Citation |
|---|---|---|
| Legal privilege | Communications with legal advisers | s.143(1)(a) |
| Parliamentary privilege | Parliamentary proceedings and papers | s.143(1)(b) |
| Banking confidentiality | Limited to specific banking data | s.143(2) |
Exceptions:
- Information about compliance with DPA requirements
- Information already publicly available
- Information held for regulatory purposes
Section 144: False Statements in Response
It is an offense to make a statement:
- Which you know to be false or misleading, or
- Being reckless as to whether it is false or misleading, and
- In purported compliance with an information notice
Penalties: Criminal offense (summary conviction)
Section 145: Information Orders
If a person fails to comply with an information notice:
- Commissioner may apply to court for an information order
- Court may order compliance if satisfied notice was proper
- Court may modify the notice requirements
- Failure to comply with court order = contempt of court
Process:
- Commissioner serves information notice
- Recipient fails to comply
- Commissioner applies to court
- Court hearing (recipient can defend)
- If granted, court order issued
- Non-compliance with order = criminal offense
Assessment Notices [Sections 146-148]
Section 146: Power to Conduct Assessments
The Commissioner may issue an assessment notice requiring a controller or processor to permit assessment of compliance.
| Assessment Power | Details | Citation |
|---|---|---|
| Entry to premises | Commissioner can enter specified premises | s.146(2)(a) |
| Document inspection | Direct Commissioner to relevant documents | s.146(2)(b) |
| Equipment access | View information using equipment on premises | s.146(2)(c) |
| Copy documents | Provide copies in requested format | s.146(2)(d) |
| Assist Commissioner | Direct to equipment and materials | s.146(2)(e) |
What is assessed:
- Compliance with UK GDPR
- Compliance with Parts 3-4 of DPA 2018
- Implementation of security measures
- Data processing procedures
- Record-keeping practices
- Staff training and awareness
Timing:
- Notice specifies time periods for compliance
- Cannot require action before appeal period expires
- If appeal lodged, compliance suspended pending outcome
Section 147: Notification to Controllers
Where the Commissioner gives an assessment notice to a processor, the Commissioner must (where reasonably practicable) give a copy to each controller on whose behalf the processor processes data.
Rationale: Controllers have responsibility for processor compliance and need to know about assessments.
Section 148: Assessment Notices: Restrictions
Commissioner may not issue assessment notice with respect to:
- Processing for special purposes (journalism, academic/artistic/literary purposes), unless:
  - A determination under s.174 has taken effect, and
  - The court has granted leave
Purpose: Protects freedom of expression and media
Enforcement Notices [Sections 149-154]
Section 149: Power to Issue Enforcement Notices
Commissioner may issue enforcement notice where satisfied that person has failed or is failing to comply with:
| Failure Type | Legal Basis | Severity |
|---|---|---|
| UK GDPR breach | Articles of UK GDPR | High |
| Part 3 breach | Law enforcement processing | High |
| Part 4 breach | Intelligence services processing | High |
| Other Parts breach | Parts 2, 5-7 provisions | Medium |
Enforcement notice can require:
- Steps to remedy the contravention
- Specific actions within specified timeframe
- Cessation of processing activities
- Implementation of security measures
- Changes to processing practices
Section 150: Enforcement Notices - Supplementary
Commissioner’s powers include:
| Power | Description | Use Case |
|---|---|---|
| Total ban | Ban all processing by controller/processor | Serious systemic failures |
| Partial ban | Ban only specified descriptions of processing | Specific unlawful activities |
| Corrective action | Require specific remedial steps | Remediable violations |
| Time limits | Set compliance deadlines | Proportionate to severity |
Notice requirements:
- Explain consequences of non-compliance
- Set reasonable timeframes
- Provide appeal rights information (ss. 162, 164)
- Cannot require compliance before appeal period expires
Section 151: Rectification and Erasure Orders
Enforcement notice may require controller to:
Rectify inaccurate personal data:
- Correct errors in personal data
- Complete incomplete data
- Update outdated information
Erase personal data:
- Delete data processed unlawfully
- Remove data no longer necessary
- Comply with data subject’s erasure rights
Restrict processing:
- Temporarily limit processing
- Pending accuracy verification
- Pending legal claims
Notify third parties:
- Inform recipients of rectification
- Notify recipients of erasure
- Tell recipients of restrictions
Section 152: Enforcement Notices - Restrictions
Commissioner may not give enforcement notice for:
- Processing for special purposes, unless:
  - A determination under s.174 has taken effect, and
  - The court has granted leave
Special purposes protection: Safeguards freedom of expression
Section 153: Cancellation and Variation
| Action | Who Can Request | Process |
|---|---|---|
| Cancel notice | Commissioner or recipient | Written notice |
| Vary notice | Commissioner or recipient | Written notice |
| Application | Recipient can apply to Commissioner | Must be in writing |
Grounds for variation:
- Changed circumstances
- Notice no longer necessary
- Notice disproportionate
- Technical impossibility
Section 154: Powers of Entry and Inspection
Detailed in Schedule 15 - includes:
- Warrant procedures
- Powers to inspect premises
- Powers to examine documents
- Powers to interview personnel
- Limits and safeguards
Penalty Notices [Sections 155-161]
Section 155: Power to Impose Penalties
Commissioner may issue penalty notice requiring payment of specified amount in sterling.
Basis for penalty:
- Failure described in s.149(2)-(5)
- Breach of UK GDPR, Part 3, or Part 4
- Failure to comply with Commissioner’s notices
Section 156: Penalty Notices - Restrictions
Same restrictions as enforcement notices:
- Cannot penalize special purposes processing, unless:
  - A determination under s.174 is in effect, and
  - The court grants leave
Section 157: Maximum Penalty Amounts
Two-tier system based on infringement type:
| Tier | Maximum Amount | Applies To | Citation |
|---|---|---|---|
| Higher tier | £17,500,000 or 4% of worldwide turnover | Serious infringements (UK GDPR Art 83(5)) | s.157(2) |
| Standard tier | £8,700,000 or 2% of worldwide turnover | Other infringements (UK GDPR Art 83(4)) | s.157(3) |
Higher tier infringements include:
- Basic processing principles (Art 5)
- Legal basis failures (Art 6)
- Consent violations (Art 7)
- Special category data breaches (Art 9)
- Data subject rights violations (Arts 12-22)
- Transfer breaches (Arts 44-49)
Standard tier infringements include:
- Controller/processor obligations (Arts 8, 11, 25-39)
- Certification body breaches (Arts 42-43)
- Monitoring body breaches (Art 41(4))
Determining factors (from s.155 and UK GDPR Art 83(2)):
- Nature, gravity, and duration of infringement
- Intentional or negligent character
- Actions to mitigate damage
- Degree of responsibility
- Previous infringements
- Cooperation with Commissioner
- Categories of data affected
- Manner in which infringement became known
- Compliance with previous notices
- Adherence to codes of conduct
- Financial benefits gained or losses avoided
- Effective, proportionate, and dissuasive effect
Sections 158-161: Penalty Notice Procedures
Schedule 16 provides detailed rules:
| Procedure | Requirement | Purpose |
|---|---|---|
| Notice of intent | Must precede penalty notice | Allow representations |
| Representations | 28 days to respond | Due process |
| Final notice | After considering representations | Reasoned decision |
| Payment terms | Usually 28 days | Recovery procedures |
| Variation | Commissioner can vary penalty | Changed circumstances |
Appeals [Sections 162-164]
Section 162: Rights of Appeal to Tribunal
A person may appeal to the First-tier Tribunal against:
| Notice Type | Appeal Rights | Citation |
|---|---|---|
| Information notice | Can appeal issuance | s.162(1)(a) |
| Assessment notice | Can appeal issuance | s.162(1)(b) |
| Enforcement notice | Can appeal issuance | s.162(1)(c) |
| Penalty notice | Can appeal issuance and/or amount | s.162(1)(d) |
| Refusal to cancel/vary | Can appeal refusal | s.162(2) |
Tribunal system:
- First-tier Tribunal (Information Rights) - initial appeals
- Upper Tribunal (Administrative Appeals Chamber) - complex issues or appeals from First-tier
Tribunal powers:
- Confirm, vary, or cancel notice
- Substitute different notice
- Remit to Commissioner for reconsideration
- Award costs in limited circumstances
Section 163: Determination by Commissioner
Provides for appeals against the Commissioner’s determinations under the special purposes provisions.
Section 164: Commissioner Not Required to Disclose
Commissioner not required to disclose information if:
- Contrary to public interest
- Prejudices commercial interests
- Prejudices investigation or proceedings
Complaints [Sections 165-167]
Section 165: Complaints by Data Subjects
UK GDPR Articles 57(1)(f), (2) and 77 give data subjects the right to complain to the Commissioner.
Commissioner’s obligations when receiving complaint:
| Obligation | Timeline | Details |
|---|---|---|
| Take appropriate steps | Ongoing | Investigate as appropriate |
| Inform of outcome | Reasonable time | Provide result of complaint |
| Inform of rights | With outcome | Right to tribunal order (s.166) |
| Provide information | On request | How to pursue complaint |
“Appropriate steps” include:
- Investigating complaint (to extent appropriate)
- Informing complainant of progress
- Coordinating with other supervisory authorities if needed
- Providing updates every 3 months if ongoing
What can be complained about:
- Unlawful processing of personal data
- Breach of UK GDPR rights
- Data security failures
- Unfair or excessive data collection
- Lack of transparency
- Denial of data subject rights
Section 166: Orders to Progress Complaints
If the Commissioner fails to take appropriate steps within 3 months, the complainant may apply to the First-tier Tribunal for an order.
Tribunal may order Commissioner to:
- Take appropriate steps to respond
- Inform complainant of progress
- Inform complainant of outcome
- Act within specified period
Purpose: Ensure complaints receive timely, appropriate consideration.
Important: Section 166 is about procedural defects (failure to progress), not substantive outcomes (disagreement with decision).
Section 167: Representations and Mediation
Complaints procedures must include:
- Opportunity for representations
- Mechanisms for mediation
- Alternative dispute resolution options
Compensation [Sections 168-169]
Section 168: Compensation for UK GDPR Contraventions
UK GDPR Article 82 provides right to compensation for material or non-material damage.
Clarification: “Non-material damage” includes distress.
Claims process:
- Bring claim in court (County Court or High Court)
- Burden on claimant to prove damage
- Must show causal link to infringement
- Compensation reflects actual harm
Types of damages:
- Material damage: Financial loss, property damage
- Non-material damage: Distress, anxiety, loss of control over data
Section 169: Compensation for Other Contraventions
Extends compensation right to contraventions of:
- Part 3 (law enforcement processing)
- Part 4 (intelligence services processing)
Related Sections
Special Purposes [Sections 174-179]
Protections for journalism, academic, artistic, and literary purposes:
- Determination procedures before enforcement
- Court leave required for notices
- Balancing data protection with freedom of expression
Criminal Offenses [Sections 170-173, 196]
Covered in separate guidance:
- Unlawful obtaining of personal data (s.170)
- Re-identification offenses (s.171)
- Alteration/concealment in subject access (s.173)
- Destroying/falsifying information (s.196)
Practical Examples
Scenario 1: Information notice for data breach investigation
- Commissioner receives breach notification
- Issues information notice requiring incident reports, affected data volumes, remediation steps
- Controller must respond within 28 days
- Failure to respond → information order from court
- False statements in response → criminal offense
Scenario 2: Assessment notice for GDPR compliance audit
- Commissioner receives multiple complaints about company
- Issues assessment notice requiring premises access
- Company must permit inspection within 30 days
- Commissioner reviews security measures, data flows, consent records
- Findings inform enforcement decision
Scenario 3: Enforcement notice for unlawful marketing
- Company sends marketing emails without consent
- Commissioner issues enforcement notice requiring:
  - Cease all non-consensual email marketing
  - Implement opt-in consent mechanism
  - Delete marketing lists obtained unlawfully
  - Comply within 14 days
- Company appeals to Tribunal (suspends enforcement pending outcome)
Scenario 4: Penalty notice for security failures
- Major data breach due to inadequate security
- 10 million customer records exposed
- Commissioner imposes £12 million penalty (higher tier)
- Based on: severity, negligence, number affected, financial impact
- Company can appeal penalty amount to Tribunal
Scenario 5: Data subject complaint process
- Individual complains to Commissioner about employer’s surveillance
- Commissioner investigates over 2 months
- Finds unlawful processing
- Issues enforcement notice to employer
- Informs complainant of outcome and right to compensation claim
Scenario 6: Tribunal appeal process
- Company receives £5 million penalty notice
- Submits representations showing mitigating factors
- Commissioner reduces to £3 million
- Company still appeals to Tribunal
- Tribunal reduces further to £1.8 million based on evidence
Enforcement Strategy
Commissioner’s approach:
- Education first - guidance and advice
- Warnings - informal warnings for minor issues
- Formal notices - information, assessment, enforcement
- Penalties - for serious or repeated violations
- Prosecution - criminal offenses under ss.170-173, 196
Factors influencing enforcement:
- Public interest
- Harm to data subjects
- Systemic vs isolated failures
- Cooperation of organization
- Remediation efforts
- Deterrent effect needed
Citation
Data Protection Act 2018, Part 6
Sources
- Section 142 - Information notices
- Section 146 - Assessment notices
- Section 149 - Enforcement notices
- Section 155 - Penalty notices
- Section 162 - Appeals
- Section 165 - Complaints
- ICO Data Protection Fining Guidance