DPA 2018: The Information Commissioner
The Information Commissioner [Sections 114-141]
Rule: Part 5 establishes the Information Commissioner as the UK’s independent data protection authority with comprehensive functions including advisory duties, code development, international cooperation, audit powers, and reporting obligations.
The Commissioner’s Role
The Information Commissioner is the UK’s independent authority responsible for upholding information rights and data protection.
Establishment and Status [Sections 114-114A]
Section 114: The Information Commissioner
| Feature | Details | Citation |
|---|---|---|
| Corporation sole | Commissioner is a legal entity | s.114(1) |
| Continuity | Same office as under previous legislation | s.114(2) |
| Detailed provisions | Schedule 12 covers appointment, tenure, resources | s.114(3) |
Corporation sole means:
- All powers vest in the Commissioner personally
- Office continues regardless of individual holder
- Can sue and be sued
- Can hold property
- Can enter contracts
Section 114A: The Information Commission
Creates a new body corporate called “the Information Commission” to support the Commissioner.
Purpose:
- Provide institutional framework
- Support Commissioner’s functions
- Employ staff and manage resources
- Details in Schedule 12A
Note: This section establishes organizational structure separate from Commissioner’s role.
General Functions [Sections 115-117]
Section 115: Functions Under UK GDPR
The Commissioner has general functions under UK GDPR Articles 57 and 58 (the tasks and powers of the supervisory authority):
| Function | Description | Legal Basis |
|---|---|---|
| Monitor compliance | Monitor and enforce the application of UK GDPR | Art 57(1)(a) |
| Promote awareness | Inform the public of risks, and controllers/processors of their obligations | Art 57(1)(b), (d) |
| Give advice | Advise Parliament, government and other bodies | Art 57(1)(c) |
| Handle complaints | Investigate data subject complaints | Art 57(1)(f) |
| Conduct investigations | On own initiative or on complaint, including data protection audits | Art 57(1)(h), Art 58(1)(b) |
| Issue warnings | To controllers/processors | Art 58(2)(a) |
| Order compliance | Require processing to be brought into compliance | Art 58(2)(d) |
| Impose penalties | Administrative fines for infringements | Art 58(2)(i) |
Procedural safeguards (s.115(3) to (9)): the investigative and corrective powers in Article 58 are exercisable only through the notices in Part 6, so each power carries that notice's statutory safeguards:
- Information notices must meet the ss.142-145 requirements
- Assessment notices must meet the ss.146-148 requirements
- Enforcement notices must meet the ss.149-154 requirements
- Penalty notices must meet the ss.155-159 requirements
Section 116: Other General Functions
Additional responsibilities:
| Area | Responsibility | Citation |
|---|---|---|
| Law enforcement | Monitor Part 3 compliance | s.116(2) |
| Non-UK GDPR processing | Functions under Schedule 13 | s.116(3) |
| General oversight | All data protection legislation | s.116(1) |
Schedule 13 functions include:
- Monitoring compliance with Parts 3-4
- Promoting public awareness
- Advising on legislative proposals
- Cooperating with other regulators
Section 117: Limits on Competence
Nothing in Part 5 authorises the Commissioner to exercise functions in relation to processing by:
| Excluded Processing | Rationale | Citation |
|---|---|---|
| An individual acting in a judicial capacity | Judicial independence | s.117(a) |
| A court or tribunal acting in its judicial capacity | Separation of powers | s.117(b) |
Examples of excluded processing (judicial capacity):
- A judge's case notes and working papers
- Tribunal deliberations
- Judicial correspondence about a case
Not excluded (administrative capacity):
- Court administrative functions and records
- Non-judicial court processing
- Employment records of court staff
The test is the capacity in which the processing is done, not the identity of the body: the same court is outside the Commissioner's competence when adjudicating and inside it when administering.
International Role [Sections 118-120]
Section 118: Co-operation Between Convention Parties
Commissioner’s role in international data protection cooperation:
Under Data Protection Convention:
- Mutual assistance between authorities
- Information exchange
- Joint investigations
- Complaint handling across borders
Schedule 14 Part 1 details:
- Procedures for requests from other Convention parties
- Information sharing between authorities
- Mutual assistance on enforcement
Section 119: Inspection for International Obligations
The Commissioner may inspect personal data where the inspection is necessary to discharge an international obligation of the United Kingdom.
| Requirement | Details | Citation |
|---|---|---|
| Purpose | Only where necessary to discharge an international obligation | s.119(1) |
| Scope | Data processed by automated means or held in a filing system | s.119(2) |
| Equipment | Power includes inspecting, operating and testing equipment used for the processing | s.119(3) |
| Notice | Written notice to the controller and any processor before exercising the power, unless the Commissioner considers the case urgent | s.119(4)-(5) |
| Obstruction offence | Intentionally obstructing the inspection, or failing without reasonable excuse to give assistance, is a criminal offence | s.119(6) |
International obligations include:
- Treaties and conventions to which the UK is party
- Council of Europe obligations, notably the Data Protection Convention (Convention 108)
- Bilateral agreements
The section sets no fixed notice period: the requirement is written notice in advance, with an urgency exception.
Section 119A: Standard Clauses for Transfers
The Commissioner may issue a document specifying standard data protection clauses that provide appropriate safeguards for transfers of personal data to third countries under UK GDPR Article 46.
Parliamentary procedure:
- Commissioner lays the document before Parliament
- 40-day period during which either House may resolve not to approve it
- If either House objects, the clauses are not issued
- If neither House objects, the clauses take effect at the end of the 40-day period
Purpose:
- Facilitate lawful international transfers
- Provide standardized contractual terms
- Ensure appropriate safeguards where there is no adequacy decision
- Alternative to bespoke contracts or other transfer mechanisms
Status: the ICO issued the International Data Transfer Agreement (IDTA) and the Addendum to the EU Standard Contractual Clauses under this section in 2022.
Section 120: Further International Role
Commissioner must:
| Duty | Description | Purpose |
|---|---|---|
| Develop cooperation | Create mechanisms for mutual assistance | Cross-border enforcement |
| Mutual enforcement | Provide assistance to foreign authorities | Global data protection |
| Engage stakeholders | Work with data subjects, controllers, international bodies | Promote best practices |
Practical application:
- Memoranda of understanding with foreign regulators
- Joint investigations and co-ordinated enforcement with other supervisory authorities
- Participation in the Global Privacy Assembly (formerly the International Conference of Data Protection and Privacy Commissioners)
- Input to OECD and Council of Europe data protection work
Commissioner’s Duties [Sections 120A-120D]
Section 120A: Principal Objective
The Commissioner’s principal objective is securing appropriate level of protection for personal data while:
- Promoting public awareness and trust
- Balancing data protection with other public interests
“Appropriate protection” means:
- Proportionate to risks
- Reflects data sensitivity
- Considers context of processing
- Balances individual rights with societal needs
Section 120B: Duty Regarding Innovation and Competition
Commissioner must have regard to:
| Consideration | Why It Matters | Application |
|---|---|---|
| Desirability of innovation | Economic growth, technological advancement | Guidance on lawful innovation |
| Desirability of competition | Market efficiency, consumer choice | Avoid creating barriers to entry |
Practical effect:
- Regulatory sandboxes for new technologies
- Innovation-friendly guidance
- Proportionate enforcement for startups
- Technology-neutral regulation
Section 120C: Criminal Justice and Security Duty
In exercising Part 3 functions (law enforcement), Commissioner must consider:
Effectiveness of:
- Crime prevention and detection
- Investigation and prosecution
- Criminal justice administration
Security considerations:
- National security
- Defense
- Public security
Balance required:
- Data protection rights vs public safety
- Individual privacy vs effective law enforcement
- Proportionality in each case
Section 120D: Child Protection Duty
Commissioner must consider online harms to children when exercising functions.
Age-appropriate design:
- High privacy settings by default for children
- Age assurance proportionate to the risks of the service
- Risk assessments for child safety
- Codes of practice for online services
Related to:
- Age-Appropriate Design Code (s.123)
- Online Safety legislation
- Child protection duties
Codes of Practice [Sections 121-127]
Section 121: Data-Sharing Code
Commissioner must prepare code containing:
Content requirements:
- Practical guidance on lawful data sharing
- UK GDPR compliance for sharing
- Good practice recommendations
- Examples and case studies
Topics typically covered:
- Legal bases for sharing
- Transparency requirements
- Security measures for shared data
- Data sharing agreements
- Accountability frameworks
Status: ICO has issued the Data Sharing Code of Practice (in force since October 2021)
Section 122: Direct Marketing Code
Commissioner must prepare code covering:
| Topic | Coverage | Purpose |
|---|---|---|
| Electronic marketing | Emails, SMS, automated calls | PECR compliance |
| Postal marketing | Direct mail | UK GDPR compliance |
| Telephone marketing | Voice calls | Best practices |
| Consent mechanisms | Obtaining and recording consent | Legal compliance |
| Opt-out processes | Unsubscribe mechanisms | Data subject rights |
Status: ICO has published direct marketing guidance
Section 123: Age-Appropriate Design Code
Commissioner must prepare code for online services likely to be accessed by children.
Statutory requirements (s.123): in preparing the code the Commissioner must have regard to the fact that children have different needs at different ages, and to the UK's obligations under the United Nations Convention on the Rights of the Child.
Core standards set by the Code itself (not by the section):
| Standard | Description |
|---|---|
| Best interests of the child | Primary consideration in design and processing decisions |
| Age-appropriate application | Design reflects the age and developmental needs of users |
| Data minimisation | Collect and retain only the data the service needs |
| Privacy by default | High privacy settings on by default |
"Likely to be accessed by children":
- Social media platforms
- Gaming services
- Educational apps
- Entertainment sites
- Any service that children are likely to use in practice, whether or not it targets them
Status: ICO has issued the Children's Code (Age-Appropriate Design Code), in force since September 2021
Section 124: Data Protection and Journalism Code
Commissioner must prepare code on:
Balancing:
- Data protection rights (UK GDPR)
- Freedom of expression rights (Article 10 ECHR)
- Public interest journalism
- Special purposes protections
Topics:
- When journalism exemptions apply
- Consent requirements for sources
- Handling sensitive information
- Publication decisions
- Correction and deletion requests
Status: ICO has issued the Data protection and journalism code of practice (2024)
Section 128: Other Codes of Practice
Secretary of State may by regulations require the Commissioner to prepare other codes giving guidance on:
- Good practice in the processing of personal data
- Specific sectors or activities
Process:
- Secretary of State consults the Commissioner before making the regulations
- Regulations specify the subject matter of the code
- Commissioner prepares the draft
- Code goes through the s.125 Parliamentary procedure
Sections 124B-124C: Code Development Process
Expert panels (s.124B):
- Commissioner must establish panels
- Experts review draft codes
- Make recommendations on content
- Ensure practical applicability
Impact assessments (s.124C):
- Assess likely effects on organizations
- Consider compliance costs
- Evaluate benefits to data subjects
- Publish assessment with draft code
Section 125: Parliamentary Approval
Codes prepared under ss.121-124, and any code required under s.128, must go through Parliament before they take effect.
Procedure:
| Step | Timeline | Action |
|---|---|---|
| Submit | - | Commissioner submits the final draft to the Secretary of State |
| Lay draft | - | Secretary of State lays the code before Parliament |
| Objection period | 40 days | Either House may resolve not to approve the code |
| Issue | After the 40 days | If neither House objects, the Commissioner issues the code |
| Takes effect | 21 days after issue | Code comes into force |
Effect of objection:
- Commissioner must not issue the code
- Commissioner may prepare a revised code and resubmit it
- Revised code goes through the same procedure
Section 126: Publication and Review
Commissioner must:
| Duty | Requirement | Purpose |
|---|---|---|
| Publish codes | Make publicly available | Accessibility |
| Keep under review | Ongoing review | Ensure currency |
| Revise as needed | Update when necessary | Reflect changes |
Conflicts with international obligations:
- If code would breach international obligation
- Commissioner must not apply conflicting provision
- Must notify Parliament of conflict
Section 127: Effect of Codes
Legal status of codes:
| Effect | Description | Citation |
|---|---|---|
| Not directly enforceable | Failure to follow a code does not of itself make a person liable to legal proceedings | s.127(1) |
| Admissible evidence | A code is admissible in evidence in legal proceedings | s.127(2) |
| Courts must consider | Courts and tribunals must take a relevant code provision into account | s.127(3) |
| Commissioner must consider | Commissioner must take a relevant code provision into account when carrying out functions | s.127(4) |
Practical significance:
- Strong persuasive authority
- Demonstrates good practice
- Following the code is strong evidence of compliance, though not an automatic defence
- Departing from the code needs a documented justification
Consensual Audits [Section 129]
Section 129: Power to Conduct Audits
Commissioner may, with consent, assess whether a controller or processor complies with good practice in the processing of personal data.
Requirements:
| Requirement | Details | Citation |
|---|---|---|
| Consent | Must have consent of the controller or processor assessed | s.129(1) |
| Scope | Assessment of compliance with good practice in the processing of personal data | s.129(1) |
| Results | Commissioner must inform the controller or processor of the results | s.129(2) |
| Definition | "Good practice" is defined in the section itself | s.129(3) |
Good practice means practice that appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including:
- Compliance with the data protection legislation
- Implementation of appropriate safeguards
- Following relevant codes of practice
- Proportionate and effective measures
Audit process:
- Organization requests or agrees to audit
- Commissioner inspects practices and systems
- Identifies strengths and weaknesses
- Provides recommendations
- Follow-up on implementation
Benefits:
- Proactive compliance assurance
- Identify issues before enforcement
- Build trust with Commissioner
- Demonstrate commitment to data protection
National Security Certificates [Section 130]
Section 130: Records of Certificates
Transparency mechanism for national security exemptions.
| Requirement | Details | Citation |
|---|---|---|
| Minister sends copy | Certificate under s.27, 79 or 111 must be sent to the Commissioner | s.130(1) |
| Commissioner publishes | Record of the certificate | s.130(2) |
| Content | Minister's name, date, and text of the certificate | s.130(3) |
| Exceptions | Text may be withheld where publication would be against national security or contrary to the public interest | s.130(4) |
| Revocation notice | Minister must notify the Commissioner when a certificate is revoked | s.130(5) |
Purpose:
- Accountability for exemptions
- Public awareness of restrictions
- Balance security with transparency
A national security certificate is conclusive evidence that exemption from the provisions it specifies is required for national security. Depending on the Part of the Act, those provisions can include:
- Subject access and other data subject rights
- Data protection principles
- Provisions about the Commissioner's functions and powers
- Only to the extent specified in the certificate
Information Disclosure [Sections 131-133]
Section 131: Disclosure to Commissioner
No enactment or rule of law that prohibits or restricts the disclosure of information prevents a person from providing the Commissioner with information necessary for the discharge of the Commissioner's functions.
Effect:
- Statutory and common-law confidentiality duties do not bar disclosure to the Commissioner
- Disclosure must be necessary for the Commissioner's functions, not merely relevant
- Commonly relied on by staff, auditors and other regulators reporting data protection failures; whistleblowing protection under employment law is a separate regime
Section 132: Confidentiality of Information
The Commissioner, staff and agents must not disclose information obtained in the course of the Commissioner's functions that relates to an identified or identifiable individual or business and is not otherwise publicly available, unless the disclosure is made with lawful authority.
Disclosure is made with lawful authority where (s.132(2)):
| Exception | Description |
|---|---|
| Consent | The person providing the information consents |
| Public availability | The information is, or has been, available to the public from other sources |
| Necessary for functions | Disclosure is necessary for the discharge of the Commissioner's functions |
| Legal proceedings | Disclosure is made for the purposes of legal proceedings, criminal or civil |
| Required by law | Disclosure is required by an enactment or court order |
| Public interest | Disclosure is necessary in the public interest, having regard to the rights, freedoms and legitimate interests of any person |
Knowingly or recklessly disclosing information in contravention of the duty is a criminal offence (s.132(3)).
Safeguards:
- Information security measures
- Access controls within ICO
- Staff training on confidentiality
- Disciplinary procedures for breaches
Section 133: Guidance About Privileged Communications
The Commissioner must produce and publish guidance on how the Commissioner proposes to ensure that privileged communications obtained in the exercise of functions are used or disclosed only so far as necessary for those functions.
Legal professional privilege covers:
- Communications between a client and a professional legal adviser for the purpose of giving or obtaining legal advice (legal advice privilege)
- Communications made in connection with, or in contemplation of, legal proceedings (litigation privilege)
Effect:
- The Part 6 notice powers do not require a person to hand over privileged communications (see the restrictions on information notices in s.143 and on assessment notices in s.147)
- Privilege belongs to the client, not the lawyer, and only the client can waive it
- Privileged material that does reach the Commissioner is handled under the s.133 guidance
- Privilege operates independently of the exemptions in the Act
Fees and Charges [Sections 134-138]
Section 134: Fees for Services
Commissioner may require a person, other than a data subject or a data protection officer, to pay a reasonable fee for a service the Commissioner provides at that person's request.
Who pays:
- Organizations and other persons who request a service
- Not data subjects or data protection officers
Examples of chargeable services:
- Advisory and consultancy services beyond the Commissioner's free statutory guidance
- Training and events
- Other services provided on request
Limitations:
- Fee must be reasonable
- Cannot charge data subjects
- Cannot charge data protection officers
Section 135: Manifestly Unfounded or Excessive Requests
Where a request to the Commissioner from a data subject or a data protection officer is manifestly unfounded or excessive, the Commissioner may:
| Power | Details | Citation |
|---|---|---|
| Charge a fee | Reasonable fee for dealing with the request | s.135(1)(a) |
| Refuse to act | Decline to act on the request | s.135(1)(b) |
| Repetition | A request that merely repeats the substance of previous requests is an example of an excessive request | s.135(2) |
| Burden of proof | In any proceedings, the Commissioner must show that the request is manifestly unfounded or excessive | s.135(3) |
Manifestly unfounded:
- No legitimate purpose
- Vexatious intent
- Harassment of Commissioner
Excessive:
- Unreasonably frequent requests
- Disproportionate burden on resources
- Repetitive requests without new grounds
Section 136: Guidance About Fees
Commissioner must produce and publish guidance about the fees the Commissioner proposes to charge under ss.134 and 135. In practice that guidance covers:
- When fees may be charged
- How fees are calculated
- When a request will be treated as manifestly unfounded or excessive
Section 137: Controller Charges
Secretary of State may make regulations requiring controllers to pay charges to Commissioner.
Purpose:
- Fund Commissioner’s operations
- Cover cost of regulatory activities
- Proportionate to controller size/activities
Regulations may specify:
| Aspect | Details | Citation |
|---|---|---|
| Timing | When charges must be paid | s.137(2)(a) |
| Discounts | Reduced rates for categories | s.137(2)(b) |
| Exemptions | Who doesn’t pay | s.137(2)(c) |
| Refunds | Circumstances for refunds | s.137(2)(d) |
Information requirements:
- Regulations may require controllers to provide the information needed to determine their charge
- Controllers must notify changes in circumstances that affect the charge
- Failure to pay, or to provide the required information, attracts a fixed monetary penalty under s.158 rather than a criminal offence (the offence of non-notification under the 1998 Act was not carried forward)
Data Protection Fee:
- Implemented via the Data Protection (Charges and Information) Regulations 2018
- Three tiers based on staff numbers and turnover
- Payable annually
- ICO guidance explains the tiers and exemptions
Section 138: Regulations Supplementary
Before making regulations under s.137 the Secretary of State must consult the Commissioner and representatives of those likely to be affected. The regulations may include:
- Different charges for different cases
- Information that controllers must supply to determine their charge
- Exemptions and discounts
Non-payment is handled by the fixed penalties in s.158 and the notice machinery in Part 6, not by the charges regulations themselves.
Reports and Notices [Sections 139-141]
Section 139: Reporting to Parliament
Commissioner must produce and lay before Parliament:
| Report | Frequency | Content |
|---|---|---|
| Annual (general) report | Yearly | Exercise of the Commissioner's functions during the year |
| Other reports | As the Commissioner considers appropriate | Particular issues, investigations or areas of work |
Purpose:
- Parliamentary oversight
- Public accountability
- Transparency of operations
- Inform legislative debate
Typical annual report contents:
- Enforcement statistics
- Complaint volumes
- Guidance issued
- International work
- Resource utilization
- Strategic priorities
Section 140: Publication by Commissioner
Section 140 is a short interpretive provision: wherever the Act requires the Commissioner to publish a document, the Commissioner may publish it in whatever form and manner the Commissioner considers appropriate.
Documents the Act requires the Commissioner to publish include:
- Codes of practice issued under s.125
- Records of national security certificates (s.130)
- Guidance about privileged communications (s.133) and fees (s.136)
- Guidance about regulatory action (s.160)
In practice the Commissioner also publishes enforcement notices, penalty notices, decisions and consultation documents, but s.140 does not itself require that.
Publication methods:
- ICO website
- Press releases
- Dedicated registers and enforcement pages
Section 141: Notices from Commissioner
Section 141 governs how a notice from the Commissioner is given. What a notice must contain (legal basis, consequences of non-compliance, appeal rights) is set by the section that creates that notice, for example s.142 for information notices.
Delivery methods:
| Method | Details |
|---|---|
| Delivery | Delivered to the person, or to the registered or principal office of a body |
| Post | Sent by post to the proper address |
| Electronic | Sent to an electronic address the person has indicated may be used for notices |
Requirements for valid service:
- Use the proper address (registered or principal office for a company, principal office for a partnership or unincorporated body, last known address for an individual)
- Identify the recipient correctly
- Keep a record of how and when the notice was served, since appeal and compliance deadlines run from service
Practical Application
For Organizations
When dealing with Commissioner:
- Respond promptly to information requests
- Cooperate with assessments and audits
- Pay data protection fee annually
- Follow codes of practice
- Maintain records of compliance
Benefits of cooperation:
- Reduced enforcement risk
- Access to guidance and support
- Opportunity to influence policy
- Demonstrate commitment to compliance
For Data Subjects
What Commissioner can do for you:
- Investigate complaints
- Provide guidance on rights
- Take enforcement action against controllers
- Promote data protection awareness
What Commissioner cannot do:
- Provide legal advice
- Represent you in court
- Award compensation (courts do this)
- Resolve every individual complaint
For Practitioners
Understanding Commissioner’s role:
- Independent regulator
- Balances multiple objectives
- Risk-based approach to enforcement
- Focus on systemic issues
Engaging with Commissioner:
- Seek advisory opinions when uncertain
- Participate in consultations
- Attend Commissioner’s events and webinars
- Monitor published guidance and updates
Citation
Data Protection Act 2018, Part 5
Sources
- Section 114 - The Information Commissioner
- Section 115 - General functions
- Sections 121-128 - Codes of practice
- Section 137 - Charges
- ICO Data Sharing Code
- ICO Data Protection Fee