Cracking the Code

In a further preview of our Tech Law Masterclass, here is Rosemary Jay on the role of codes of practice under the Data Protection Act 2018.

Photic sneezing, solar retinopathy, photokeratitis, pterygium, or, if you prefer the vernacular, snow blindness, arc eye, welder's flash, bake eye, corneal flash burn, sand man's eye, potato eye, surfer’s eye….

Too much exposure to bright lights can interfere with normal functioning. Prolonged exposure to the GDPR seems to have had a similar effect. However, now we are more used to the dazzle of the new, the time has come to look at some of the more mundane aspects of compliance with the Data Protection Act 2018.


Before diving into the detail, a quick overview for those who are not yet familiar with the Act.

The DPA 2018:

  • implements the Law Enforcement Data Protection Directive (LED), which covers the processing of personal data by competent authorities in the criminal justice area - the regime under the LED is, in effect, GDPR as applied to criminal justice bodies;
  • legislates for a data protection regime to cover the processing of personal data by the UK intelligence services - this regime is based on the Council of Europe Data Protection Convention 108 and, although not as detailed or prescriptive as the GDPR, applies the same fundamental rules;
  • extends the GDPR to those areas of UK activity which fall outside EU competence but are not covered by either the law enforcement or intelligence service provisions - the ‘applied GDPR’, which is the same as the GDPR subject only to a few minor modifications;
  • implements those elements of the GDPR and LED which must be implemented by Member States, for example the establishment of a supervisory authority;
  • implements those elements of the GDPR and LED which offer Member States some discretion, for example the application of exemptions; and
  • legislates for a range of provisions additional to the GDPR and LED.

The combination of the GDPR and the Act effectively provides for four data protection regimes, albeit that the GDPR and applied GDPR are almost identical. The Information Commissioner is the supervisory authority for all four regimes; her duties and powers apply across the board. These powers cover:

  • those mandated under the GDPR - these powers require no additional UK legislation but must be subject to safeguards and procedural provisions which are applied under Member State law (in our case the DPA 2018);
  • those imposed under the applied GDPR - the applied GDPR powers are the GDPR powers applied to areas outside EU competence (ie it does what it says on the tin). They are subject to the same safeguards and procedural provisions as GDPR powers;
  • those required by the LED, which gives the supervisory authority broadly the same powers as the GDPR - these are set out in the Act; and
  • those imposed in respect of the intelligence services - the Act gives the supervisory authority broadly the same powers as in the GDPR.

Under all four regimes the Commissioner has strong enforcement powers. She can conduct investigations, impose fines and issue mandatory orders in relation to any processing which breaches the rules.

The introduction of a strong enforcement regime has been a key aim in the data protection reform programme. The European Commission included stronger enforcement as one of the half a dozen key changes in data protection in its summary of the main changes following 25 May 2018, noting that:

‘The 28 data protection authorities will have harmonised powers and will be able to impose fines to businesses up to 20 million EUR or 4% of a company’s worldwide turnover’

The UK government has taken a similar line. In announcing the Data Protection Bill, Matt Hancock, then Minister of State for Digital, said,

‘Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account’.

This focus on enforcing the rules and holding data controllers to account is, however, accompanied by provisions which require the Commissioner to develop and apply a number of ‘soft law’ tools, in particular, codes of practice.

There are two types of codes of practice in the GDPR and the Act. Neither of them is the equivalent of the Commissioner’s codes which have been developed over the past 20 years.

Codes of practice under the GDPR

The GDPR provides for a specific type of codes of practice. Articles 40 and 41 GDPR provide for industry sponsored codes. These are to be prepared by industry or trade groups and submitted to regulators for approval. There is no barrier on public bodies preparing such codes but they cannot be submitted to the supervisory authority for formal approval. Article 40(4) makes it mandatory for codes which are submitted to the supervisory authority to include mechanisms for monitoring by an independent organisation under art 41(1). However, art 41(6) states that art 41 does not apply to public bodies. All GDPR codes must be subject to mandatory self-regulation by accredited bodies. These codes are to be prepared and run by associations and other bodies representing categories of controllers and processors, not supervisory authorities. It follows that not only will such codes exclude public bodies but they will also be confined to industries which have the scale, scope and expertise to produce and monitor the codes. Inevitably there will be a cost associated with the development, maintenance and supervision of such codes.

The GDPR codes are a far cry therefore from the Commissioner’s codes developed under s 51 of the DPA 1998.

Codes of practice under the 1998 Act

The use of codes of practice to assist compliance has been a gradual development in UK data protection. The early codes under the 1984 Act tended to be industry-led. However, under the 1998 Act, the role of codes gradually became more significant. The Commissioner started to use the power to produce Commissioner’s codes under s 51 of the 1998 Act early in the application of the Act. The first code of real significance was the Employment Practices code, issued in March 2002 after a lengthy gestation period. The code was subsequently revised, the final edition being issued in 2011 under Chris Graham’s tenure as Commissioner. It was followed by codes of practice on Personal Information Online (2010), Subject Access (revised 2017), Privacy Impact Assessments (2013), Anonymisation (2012), Privacy Notices (2016), Direct Marketing (2017) and Data Sharing (2011).

These codes share a number of elements in common. They were developed as a result of market demand. The codes came about as a response by the Commissioner’s office to having to deal with repeated queries about specific issues. They follow a common practice of extensive consultation which has given them a particular kind of authority. They include practical examples and cover issues that affect all data controllers. The codes apply equally across all industries and areas, public and private sector, small and large businesses, charities and commercial entities. Their use has been free.

Interestingly enough there appears to be no hard research about the use of the Commissioner’s codes but anecdotally it seems that DPOs, lawyers and other DP practitioners use them frequently.

Statutory codes

As well as the codes developed by the Commissioner as a result of market demand and interest there were two codes developed in response to a statutory obligation. Only the codes on direct marketing and data sharing had a specific statutory basis under the 1998 Act.[1]

The data-sharing code followed the failure of the Government to introduce wide sharing powers in the Coroners and Justice Act 2009.[2] Having failed in its bid to provide for a very wide set of powers, the government amended the DPA 1998 in order to provide for a code of practice covering the area. The direct marketing code was introduced by an amendment to the DPA 1998 by the Digital Economy Act 2017 as a method of additional regulation of the area, albeit a ‘light touch’ one.

Codes under the DPA 2018

The new codes are specific to the UK, owing nothing to the GDPR or LED. The DPA 2018 mandates the Commissioner to prepare four specific codes, with a power for the Secretary of State to require further codes. The Commissioner has no independent power to initiate or produce codes of practice. In addition to the codes, the Act requires the Commissioner to prepare guidance for individuals on how to seek redress against media organisations.[3] More soft law is to be produced by the Secretary of State in the Framework for Data Processing by Government which will give guidance about the processing of personal data by government departments and other specified persons.

The codes also intersect with a series of codes under other legislation, being codes on:

  • the disclosure of information by civil registration officers[4]
  • the disclosure of information to improve public service delivery[5]
  • the disclosure of information to reduce debt in the public sector[6]
  • the disclosure of information to reduce fraud in the public sector[7] and
  • the disclosure of information for research purposes.[8]

The four mandatory DP codes are to cover:

  • direct marketing[9]
  • data sharing[10]
  • age appropriate design[11] and
  • data protection and journalism.[12]

Status of codes

The codes will not impose legally binding requirements but will be admissible in evidence in legal proceedings. Where the provisions of a code are in force at the time the issue for adjudication arises and are relevant to that issue, they must be taken into account by a court or tribunal.[13]

Procedure for approval of codes

In preparing the codes the Commissioner must consult those who have expertise in the area. The code must be submitted to the Secretary of State who, in turn, must lay the code before Parliament. If neither House of Parliament objects to the code for a period of 40 days it is to be issued by the Commissioner and comes into effect after a further 21 days.

Nature of the codes

The codes on direct marketing, data sharing and journalism must provide both practical guidance to help compliance with the data protection legislation (which includes the Privacy and Electronic Communications Regulations 2003) and guidance to promote good practice, ie practices which are desirable having regard to the interests of data subjects and others. In the journalism code, the Commissioner must also have regard to the ‘special importance’ of the public interest in freedom of expression.

The provisions on the new code on age-appropriate design are of a different nature. The code will apply to data controllers and, where relevant, data processors, who provide information society services which are likely to be accessed by children. The Commissioner must formulate guidance on the design of such services so that they are presented in a way appropriate for children up to the age of 18, recognising that children have different needs at different ages. The standards must be those which appear to the Commissioner to be desirable ‘having regard to the best interests of children’ and taking into account the UK’s obligations under the UN Convention on the rights of the child. There is a provision for a transitional period of up to 12 months before the code takes effect.

This is a code with a very specific, practical remit. There is no reference to compliance with the data protection legislation and the code is not tied to Articles 12 to 14 GDPR (transparency and notice). A breach of the code will still not, of itself, be a breach of the law, but the code can be taken into account in an action on any aspect of the data protection legislation where it is relevant to the issue. Clearly it will be relevant to whether processing is transparent and whether notices are compliant with the GDPR or equivalent provisions of the 2018 Act. It may also go to a consideration of whether a purported consent given by a child is valid or other grounds for processing are valid, depending on how effectively and appropriately the grounds on which the controller relies have been explained.

The new codes on data sharing and on direct marketing will replace the previous codes. These remain effective only for the purposes of actions relevant to the codes which were started under the 1998 Act and continue to be dealt with under transitional provisions.[14] The Information Commissioner has issued a consultation on the update of the data sharing code under the GDPR.[15] The code of practice on journalism is likely to follow the guidance for journalists issued by the Commissioner in 2014. Consultations on the direct marketing code and the journalism code have not yet been issued.

Background to the new codes

The two new mandatory codes under the 2018 Act have similar backgrounds to the data sharing and direct marketing codes. The introduction of good practice guidance on data protection and journalism was one of the Leveson Inquiry recommendations to the Information Commissioner. The parallel recommendations to government included a raft of other, tougher, recommended changes to the exemptions available for journalistic purposes in the 1998 Act, such as narrowing the journalistic exemption and removing the procedural restrictions on actions where journalism is involved.[16] It should be noted that the government did not follow any of these recommendations in its drafting of the 2018 Act and the journalistic exemptions remain as generous and as procedurally difficult as they ever were.

In 2014 the Commissioner produced guidance for journalists. This did not take the form of a code and was not admissible in legal proceedings. During the Parliamentary debates on the 2018 Bill, efforts were made to resurrect Leveson Part 2. The government resisted but finally agreed to the addition of the code of practice on data protection and journalism, plus a regular review of the code, the accompanying guidance on redress mechanisms and a separate Secretary of State review of the media’s dispute resolution procedures.[17]

The new code on age-appropriate design was inserted into the 2018 Act after an unsuccessful attempt by opposition peers to make age-appropriate design a mandatory requirement before a data controller could rely on the consent of a child to processing.

Further review

In addition the Commissioner has two further and related duties in respect of journalism. Under s 178, she is given a new duty to review compliance with the s 124 code of practice. The first review is to be in 2020. The review must cover compliance with the data protection legislation and with the good practice recommended in the code. This is backed up by power to obtain relevant information. Schedule 17 lifts the various prohibitions on the use of the Commissioner’s powers to obtain information from the press by the use of information notices or mandatory audits during the 18 months before the first review date and 12 months for subsequent reviews. This means that the Commissioner can use her legal powers to demand the provision of information and cooperation for the purposes of the review.

Guidance on redress

The Commissioner must also produce and publish guidance about the steps that may be taken:

Where an individual considers that a media organisation is failing or has failed to comply with the data protection legislation.

The guidance must include information about the rights to complain, the powers of the Commissioner and other forms of dispute resolution. The guidance must include information on the Commissioner’s powers to provide assistance in cases which concern processing for journalistic purposes. The power is not new but has never been widely publicised by subsequent Commissioners, nor ever used in the UK.

Can the Commissioner prepare her own codes?

As noted above the Commissioner’s codes have covered a range of practical areas such as dealing with personal data in employment, subject access, anonymisation and privacy notices. There does not appear to be any available research on the effectiveness of codes of practice but the fact that the codes cover issues of everyday compliance which affect almost all data controllers plus the fact that several of the codes have been revised and re-issued over the years, argues that they have been useful tools for data controllers. The employment code was first issued in 2002 and last revised and reissued in 2011.

It is notable that none of the mandated codes or guidance appear to owe their being to industry or consumer need. Rather they result from pressures in the political environment. They are a result of political negotiation, not perceived user need. With such reluctant parentage it is not unreasonable to wonder how much, if any, impact they are likely to have. To the extent that past performance is a guide to the future, the answer would appear to be, not much.

The data-sharing code does not appear to have been cited in any legal proceedings that the writer has been able to trace,[18] nor has the direct marketing code. Its predecessor document, the Commissioner’s guidance on direct marketing, was referred to by the Information Tribunal in Xerpla Ltd v Information Commissioner.[19] In that case the guidance was cited as relevant by the Commissioner. The Tribunal appears to have accepted it as relevant, although the Commissioner lost the appeal, in effect because she had not applied her own guidance correctly.

The Commissioner’s guidance on data protection and journalism does not appear to have been cited in any cases before the courts. The relevant provisions in the 1998 Act were considered most recently in the cases of Stunt v Associated Newspapers Ltd[20] and Stube v NGN and Express Newspapers;[21] however, there is no reference to the Commissioner’s guidance in either report.

Of course the impact of a code of practice is not limited to its role in legal proceedings. However, to the extent this is a guide, it does not bode well for the future efficacy of the new mandatory codes. It should also be noted that the codes of practice on journalism and on age-appropriate design cover only specialist and limited areas. The codes will not be relevant to most data controllers or processors.

The Commissioner’s role and relationship with data controllers and understanding of data subject concerns would, one assumes, give her a unique insight into those areas where detailed and authoritative guidance is needed by data controllers. Nevertheless, under the GDPR, LED and DPA 2018, the Commissioner has no specific authority to develop additional codes of practice, without the authority of the Secretary of State.

A rose by any other name?

It can be argued that the general powers under art. 57 GDPR to promote public awareness, as well as awareness among data controllers and data processors, can be used as the basis for robust long-lasting guidance which is no different in reality to a code. However, the fact that guidance has been developed as a code brings a clear element of status to it. A code has gravitas. The term signifies that this is a thoughtful and detailed resource. It has been developed with users and other stakeholders. It is likely to be an enduring, authoritative piece of guidance.

The removal of the specific power to issue a document as a code may lead to a reluctance on the part of the Commissioner to use the title. There are also practical considerations. To update the current codes for the new regime will take real resource, whatever they are called. The pressures on the Office from other duties will be considerable and once codes no longer have a statutory backing they may move down the order of priority.

We must hope that despite these pressures the Commissioner’s practical, wide-ranging codes on issues of general concern, such as employment, subject access and privacy notices, will not become a thing of the past.

Rosemary Jay is a senior consultant attorney at Hunton Andrews Kurth and perhaps best known as author of Data Protection Law & Practice.

[1] Data Protection Act 1998, ss 52A and 52AA

[2] The Digital Economy Act 2017 did eventually legislate for a range of specific data sharing powers

[3] Data Protection Act 2018, s 177

[4] Registration Service Act 1953, s 19AC

[5] Digital Economy Act 2017, s 43

[6] Ibid, s 52

[7] Ibid, s 60

[8] Ibid, s 70

[9] Ibid, s 124

[10] Ibid, s 125

[11] Ibid, s 126

[12] Ibid, s 127

[13] Data Protection Act 2018, s 127

[14] Ibid, sch 20


[16] See report by Lord Leveson, November 2012

[17] Data Protection Act 2018, s 179

[18] Bangura v Loughborough University [2016] EWHC 1503 deals with disclosure between the university and local police force, with no mention of the Code on data sharing

[19] 20 August 2018 EA/2017/0262

[20] [2017] EWHC 695

[21] [2018] EWHC 1234 (QB)

Published: 2018-10-18T09:10:00

