C4C5Part V Enforcement
C1I140 Enforcement notices.
1
If the Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commissioner may serve him with a notice (in this Act referred to as “an enforcement notice”) requiring him, for complying with the principle or principles in question, to do either or both of the following—
a
to take within such time as may be specified in the notice, or to refrain from taking after such time as may be so specified, such steps as are so specified, or
b
to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose so specified or in a manner so specified, after such time as may be so specified.
2
In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.
3
An enforcement notice in respect of a contravention of the fourth data protection principle which requires the data controller to rectify, block, erase or destroy any inaccurate data may also require the data controller to rectify, block, erase or destroy any other data held by him and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate data.
4
An enforcement notice in respect of a contravention of the fourth data protection principle, in the case of data which accurately record information received or obtained by the data controller from the data subject or a third party, may require the data controller either—
a
to rectify, block, erase or destroy any inaccurate data and any other data held by him and containing an expression of opinion as mentioned in subsection (3), or
b
to take such steps as are specified in the notice for securing compliance with the requirements specified in paragraph 7 of Part II of Schedule 1 and, if the Commissioner thinks fit, for supplementing the data with such statement of the true facts relating to the matters dealt with by the data as the Commissioner may approve.
5
Where—
a
an enforcement notice requires the data controller to rectify, block, erase or destroy any personal data, or
b
the Commissioner is satisfied that personal data which have been rectified, blocked, erased or destroyed had been processed in contravention of any of the data protection principles,
an enforcement notice may, if reasonably practicable, require the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction; and in determining whether it is reasonably practicable to require such notification regard shall be had, in particular, to the number of persons who would have to be notified.
6
An enforcement notice must contain—
a
a statement of the data protection principle or principles which the Commissioner is satisfied have been or are being contravened and his reasons for reaching that conclusion, and
b
particulars of the rights of appeal conferred by section 48.
7
Subject to subsection (8), an enforcement notice must not require any of the provisions of the notice to be complied with before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.
8
If by reason of special circumstances the Commissioner considers that an enforcement notice should be complied with as a matter of urgency he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (7) shall not apply but the notice must not require the provisions of the notice to be complied with before the end of the period of seven days beginning with the day on which the notice is served.
9
Notification regulations (as defined by section 16(2)) may make provision as to the effect of the service of an enforcement notice on any entry in the register maintained under section 19 which relates to the person on whom the notice is served.
10
This section has effect subject to section 46(1).
C241 Cancellation of enforcement notice.
1
If the Commissioner considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with the data protection principle or principles to which it relates, he may cancel or vary the notice by written notice to the person on whom it was served.
2
A person on whom an enforcement notice has been served may, at any time after the expiry of the period during which an appeal can be brought against that notice, apply in writing to the Commissioner for the cancellation or variation of that notice on the ground that, by reason of a change of circumstances, all or any of the provisions of that notice need not be complied with in order to ensure compliance with the data protection principle or principles to which that notice relates.
41AF1Assessment notices
1
The Commissioner may serve a data controller within subsection (2) with a notice (in this Act referred to as an “assessment notice”) for the purpose of enabling the Commissioner to determine whether the data controller has complied or is complying with the data protection principles.
2
A data controller is within this subsection if the data controller is—
a
a government department,
b
a public authority designated for the purposes of this section by an order made by the Secretary of State, or
c
a person of a description designated for the purposes of this section by such an order.
3
An assessment notice is a notice which requires the data controller to do all or any of the following—
a
permit the Commissioner to enter any specified premises;
b
direct the Commissioner to any documents on the premises that are of a specified description;
c
assist the Commissioner to view any information of a specified description that is capable of being viewed using equipment on the premises;
d
comply with any request from the Commissioner for—
i
a copy of any of the documents to which the Commissioner is directed;
ii
a copy (in such form as may be requested) of any of the information which the Commissioner is assisted to view;
e
direct the Commissioner to any equipment or other material on the premises which is of a specified description;
f
permit the Commissioner to inspect or examine any of the documents, information, equipment or material to which the Commissioner is directed or which the Commissioner is assisted to view;
g
permit the Commissioner to observe the processing of any personal data that takes place on the premises;
h
make available for interview by the Commissioner a specified number of persons of a specified description who process personal data on behalf of the data controller (or such number as are willing to be interviewed).
4
In subsection (3) references to the Commissioner include references to the Commissioner's officers and staff.
5
An assessment notice must, in relation to each requirement imposed by the notice, specify—
a
the time at which the requirement is to be complied with, or
b
the period during which the requirement is to be complied with.
6
An assessment notice must also contain particulars of the rights of appeal conferred by section 48.
7
The Commissioner may cancel an assessment notice by written notice to the data controller on whom it was served.
8
Where a public authority has been designated by an order under subsection (2)(b) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be appropriate for the authority to be designated.
9
The Secretary of State may not make an order under subsection (2)(c) which designates a description of persons unless—
a
the Commissioner has made a recommendation that the description be designated, and
b
the Secretary of State has consulted—
i
such persons as appear to the Secretary of State to represent the interests of those that meet the description;
ii
such other persons as the Secretary of State considers appropriate.
10
The Secretary of State may not make an order under subsection (2)(c), and the Commissioner may not make a recommendation under subsection (9)(a), unless the Secretary of State or (as the case may be) the Commissioner is satisfied that it is necessary for the description of persons in question to be designated having regard to—
a
the nature and quantity of data under the control of such persons, and
b
any damage or distress which may be caused by a contravention by such persons of the data protection principles.
11
Where a description of persons has been designated by an order under subsection (2)(c) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be necessary for the description to be designated having regard to the matters mentioned in subsection (10).
12
In this section—
“public authority” includes any body, office-holder or other person in respect of which—
- a
an order may be made under section 4 or 5 of the Freedom of Information Act 2000, or
- b
an order may be made under section 4 or 5 of the Freedom of Information (Scotland) Act 2002;
- a
“specified” means specified in an assessment notice.
41BAssessment notices: limitations
1
A time specified in an assessment notice under section 41A(5) in relation to a requirement must not fall, and a period so specified must not begin, before the end of the period within which an appeal can be brought against the notice, and if such an appeal is brought the requirement need not be complied with pending the determination or withdrawal of the appeal.
2
If by reason of special circumstances the Commissioner considers that it is necessary for the data controller to comply with a requirement in an assessment notice as a matter of urgency, the Commissioner may include in the notice a statement to that effect and a statement of the reasons for that conclusion; and in that event subsection (1) applies in relation to the requirement as if for the words from “within” to the end there were substituted of 7 days beginning with the day on which the notice is served.
3
A requirement imposed by an assessment notice does not have effect in so far as compliance with it would result in the disclosure of—
a
any communication between a professional legal adviser and the adviser's client in connection with the giving of legal advice with respect to the client's obligations, liabilities or rights under this Act, or
b
any communication between a professional legal adviser and the adviser's client, or between such an adviser or the adviser's client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.
4
In subsection (3) references to the client of a professional legal adviser include references to any person representing such a client.
5
Nothing in section 41A authorises the Commissioner to serve an assessment notice on—
a
a judge,
b
a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), or
c
the Office for Standards in Education, Children's Services and Skills in so far as it is a data controller in respect of information processed for the purposes of functions exercisable by Her Majesty's Chief Inspector of Eduction, Children's Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.
6
In this section “judge” includes —
a
a justice of the peace (or, in Northern Ireland, a lay magistrate),
b
a member of a tribunal, and
c
a clerk or other officer entitled to exercise the jurisdiction of a court or tribunal;
and in this subsection “tribunal” means any tribunal in which legal proceedings may be brought.
41CCode of practice about assessment notices
1
The Commissioner must prepare and issue a code of practice as to the manner in which the Commissioner's functions under and in connection with section 41A are to be exercised.
2
The code must in particular—
a
specify factors to be considered in determining whether to serve an assessment notice on a data controller;
b
specify descriptions of documents and information that—
i
are not to be examined or inspected in pursuance of an assessment notice, or
ii
are to be so examined or inspected only by persons of a description specified in the code;
c
deal with the nature of inspections and examinations carried out in pursuance of an assessment notice;
d
deal with the nature of interviews carried out in pursuance of an assessment notice;
e
deal with the preparation, issuing and publication by the Commissioner of assessment reports in respect of data controllers that have been served with assessment notices.
3
The provisions of the code made by virtue of subsection (2)(b) must, in particular, include provisions that relate to—
a
documents and information concerning an individual's physical or mental health;
b
documents and information concerning the provision of social care for an individual.
4
An assessment report is a report which contains—
a
a determination as to whether a data controller has complied or is complying with the data protection principles,
b
recommendations as to any steps which the data controller ought to take, or refrain from taking, to ensure compliance with any of those principles, and
c
such other matters as are specified in the code.
5
The Commissioner may alter or replace the code.
6
If the code is altered or replaced, the Commissioner must issue the altered or replacement code.
7
The Commissioner may not issue the code (or an altered or replacement code) without the approval of the Secretary of State.
8
The Commissioner must arrange for the publication of the code (and any altered or replacement code) issued under this section in such form and manner as the Commissioner considers appropriate.
9
In this section “social care” has the same meaning as in Part 1 of the Health and Social Care Act 2008 (see section 9(3) of that Act).
42 Request for assessment.
1
A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act.
2
On receiving a request under this section, the Commissioner shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to—
a
satisfy himself as to the identity of the person making the request, and
b
enable him to identify the processing in question.
3
The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include—
a
the extent to which the request appears to him to raise a matter of substance,
b
any undue delay in making the request, and
c
whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question.
4
Where the Commissioner has received a request under this section he shall notify the person who made the request—
a
whether he has made an assessment as a result of the request, and
b
to the extent that he considers appropriate, having regard in particular to any exemption from section 7 applying in relation to the personal data concerned, of any view formed or action taken as a result of the request.
C343 Information notices.
1
If the Commissioner—
a
has received a request under section 42 in respect of any processing of personal data, or
b
reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles,
he may serve the data controller with a notice (in this Act referred to as “an information notice”) requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information relating to the request or to compliance with the principles as is so specified.
2
An information notice must contain—
a
in a case falling within subsection (1)(a), a statement that the Commissioner has received a request under section 42 in relation to the specified processing, or
b
in a case falling within subsection (1)(b), a statement that the Commissioner regards the specified information as relevant for the purpose of determining whether the data controller has complied, or is complying, with the data protection principles and his reasons for regarding it as relevant for that purpose.
3
An information notice must also contain particulars of the rights of appeal conferred by section 48.
4
Subject to subsection (5), the time specified in an information notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.
5
If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (4) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served.
6
A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of—
a
any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act, or
b
any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.
7
In subsection (6) references to the client of a professional legal adviser include references to any person representing such a client.
8
A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Act, expose him to proceedings for that offence.
9
The Commissioner may cancel an information notice by written notice to the person on whom it was served.
10
This section has effect subject to section 46(3).
44 Special information notices.
1
If the Commissioner—
a
has received a request under section 42 in respect of any processing of personal data, or
b
has reasonable grounds for suspecting that, in a case in which proceedings have been stayed under section 32, the personal data to which the proceedings relate—
i
are not being processed only for the special purposes, or
ii
are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller,
he may serve the data controller with a notice (in this Act referred to as a “special information notice”) requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information as is so specified for the purpose specified in subsection (2).
2
That purpose is the purpose of ascertaining—
a
whether the personal data are being processed only for the special purposes, or
b
whether they are being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller.
3
A special information notice must contain—
a
in a case falling within paragraph (a) of subsection (1), a statement that the Commissioner has received a request under section 42 in relation to the specified processing, or
b
in a case falling within paragraph (b) of that subsection, a statement of the Commissioner’s grounds for suspecting that the personal data are not being processed as mentioned in that paragraph.
4
A special information notice must also contain particulars of the rights of appeal conferred by section 48.
5
Subject to subsection (6), the time specified in a special information notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.
6
If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (5) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served.
7
A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of—
a
any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act, or
b
any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.
8
In subsection (7) references to the client of a professional legal adviser include references to any person representing such a client.
9
A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Act, expose him to proceedings for that offence.
10
The Commissioner may cancel a special information notice by written notice to the person on whom it was served.
45 Determination by Commissioner as to the special purposes.
1
Where at any time it appears to the Commissioner (whether as a result of the service of a special information notice or otherwise) that any personal data—
a
are not being processed only for the special purposes, or
b
are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller,
he may make a determination in writing to that effect.
2
Notice of the determination shall be given to the data controller; and the notice must contain particulars of the right of appeal conferred by section 48.
3
A determination under subsection (1) shall not take effect until the end of the period within which an appeal can be brought and, where an appeal is brought, shall not take effect pending the determination or withdrawal of the appeal.
46 Restriction on enforcement in case of processing for the special purposes.
1
The Commissioner may not at any time serve an enforcement notice on a data controller with respect to the processing of personal data for the special purposes unless—
a
a determination under section 45(1) with respect to those data has taken effect, and
b
the court has granted leave for the notice to be served.
2
The court shall not grant leave for the purposes of subsection (1)(b) unless it is satisfied—
a
that the Commissioner has reason to suspect a contravention of the data protection principles which is of substantial public importance, and
b
except where the case is one of urgency, that the data controller has been given notice, in accordance with rules of court, of the application for leave.
3
The Commissioner may not serve an information notice on a data controller with respect to the processing of personal data for the special purposes unless a determination under section 45(1) with respect to those data has taken effect.
47 Failure to comply with notice.
1
A person who fails to comply with an enforcement notice, an information notice or a special information notice is guilty of an offence.
2
A person who, in purported compliance with an information notice or a special information notice—
a
makes a statement which he knows to be false in a material respect, or
b
recklessly makes a statement which is false in a material respect,
is guilty of an offence.
3
It is a defence for a person charged with an offence under subsection (1) to prove that he exercised all due diligence to comply with the notice in question.
48 Rights of appeal.
1
A person on whom an enforcement notice, an information notice or a special information notice has been served may appeal to the Tribunal against the notice.
2
A person on whom an enforcement notice has been served may appeal to the Tribunal against the refusal of an application under section 41(2) for cancellation or variation of the notice.
3
Where an enforcement notice, an information notice or a special information notice contains a statement by the Commissioner in accordance with section 40(8), 43(5) or 44(6) then, whether or not the person appeals against the notice, he may appeal against—
a
the Commissioner’s decision to include the statement in the notice, or
b
the effect of the inclusion of the statement as respects any part of the notice.
4
A data controller in respect of whom a determination has been made under section 45 may appeal to the Tribunal against the determination.
5
Schedule 6 has effect in relation to appeals under this section and the proceedings of the Tribunal in respect of any such appeal.
49 Determination of appeals.
1
If on an appeal under section 48(1) the Tribunal considers—
a
that the notice against which the appeal is brought is not in accordance with the law, or
b
to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently,
the Tribunal shall allow the appeal or substitute such other notice or decision as could have been served or made by the Commissioner; and in any other case the Tribunal shall dismiss the appeal.
2
On such an appeal, the Tribunal may review any determination of fact on which the notice in question was based.
3
If on an appeal under section 48(2) the Tribunal considers that the enforcement notice ought to be cancelled or varied by reason of a change in circumstances, the Tribunal shall cancel or vary the notice.
4
On an appeal under subsection (3) of section 48 the Tribunal may direct—
a
that the notice in question shall have effect as if it did not contain any such statement as is mentioned in that subsection, or
b
that the inclusion of the statement shall not have effect in relation to any part of the notice,
and may make such modifications in the notice as may be required for giving effect to the direction.
5
On an appeal under section 48(4), the Tribunal may cancel the determination of the Commissioner.
6
Any party to an appeal to the Tribunal under section 48 may appeal from the decision of the Tribunal on a point of law to the appropriate court; and that court shall be—
a
the High Court of Justice in England if the address of the person who was the appellant before the Tribunal is in England or Wales,
b
the Court of Session if that address is in Scotland, and
c
the High Court of Justice in Northern Ireland if that address is in Northern Ireland.
7
For the purposes of subsection (6)—
a
the address of a registered company is that of its registered office, and
b
the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the United Kingdom.
50 Powers of entry and inspection.
Schedule 9 (powers of entry and inspection) has effect.
Pt. V applied (with modifications) (1.3.2000) by S.I. 1999/2093, reg. 36(1), Sch. 4
Pt. V applied (with modifications) (1.3.2000) by S.I. 2000/190, art. 5(2)