Part 8 Data Protection Act 1998 (E+W)
173 Assessment notices (E+W)
After section 41 of the Data Protection Act 1998 (c. 29) insert—
“41A Assessment notices
(1)The Commissioner may serve a data controller within subsection (2) with a notice (in this Act referred to as an “assessment notice”) for the purpose of enabling the Commissioner to determine whether the data controller has complied or is complying with the data protection principles.
(2)A data controller is within this subsection if the data controller is—
(a)a government department,
(b)a public authority designated for the purposes of this section by an order made by the Secretary of State, or
(c)a person of a description designated for the purposes of this section by such an order.
(3)An assessment notice is a notice which requires the data controller to do all or any of the following—
(a)permit the Commissioner to enter any specified premises;
(b)direct the Commissioner to any documents on the premises that are of a specified description;
(c)assist the Commissioner to view any information of a specified description that is capable of being viewed using equipment on the premises;
(d)comply with any request from the Commissioner for—
(i)a copy of any of the documents to which the Commissioner is directed;
(ii)a copy (in such form as may be requested) of any of the information which the Commissioner is assisted to view;
(e)direct the Commissioner to any equipment or other material on the premises which is of a specified description;
(f)permit the Commissioner to inspect or examine any of the documents, information, equipment or material to which the Commissioner is directed or which the Commissioner is assisted to view;
(g)permit the Commissioner to observe the processing of any personal data that takes place on the premises;
(h)make available for interview by the Commissioner a specified number of persons of a specified description who process personal data on behalf of the data controller (or such number as are willing to be interviewed).
(4)In subsection (3) references to the Commissioner include references to the Commissioner's officers and staff.
(5)An assessment notice must, in relation to each requirement imposed by the notice, specify—
(a)the time at which the requirement is to be complied with, or
(b)the period during which the requirement is to be complied with.
(6)An assessment notice must also contain particulars of the rights of appeal conferred by section 48.
(7)The Commissioner may cancel an assessment notice by written notice to the data controller on whom it was served.
(8)Where a public authority has been designated by an order under subsection (2)(b) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be appropriate for the authority to be designated.
(9)The Secretary of State may not make an order under subsection (2)(c) which designates a description of persons unless—
(a)the Commissioner has made a recommendation that the description be designated, and
(b)the Secretary of State has consulted—
(i)such persons as appear to the Secretary of State to represent the interests of those that meet the description;
(ii)such other persons as the Secretary of State considers appropriate.
(10)The Secretary of State may not make an order under subsection (2)(c), and the Commissioner may not make a recommendation under subsection (9)(a), unless the Secretary of State or (as the case may be) the Commissioner is satisfied that it is necessary for the description of persons in question to be designated having regard to—
(a)the nature and quantity of data under the control of such persons, and
(b)any damage or distress which may be caused by a contravention by such persons of the data protection principles.
(11)Where a description of persons has been designated by an order under subsection (2)(c) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be necessary for the description to be designated having regard to the matters mentioned in subsection (10).
(12)In this section—
“public authority” includes any body, office-holder or other person in respect of which—
(a)an order may be made under section 4 or 5 of the Freedom of Information Act 2000, or
(b)an order may be made under section 4 or 5 of the Freedom of Information (Scotland) Act 2002;
“specified” means specified in an assessment notice.
41B Assessment notices: limitations
(1)A time specified in an assessment notice under section 41A(5) in relation to a requirement must not fall, and a period so specified must not begin, before the end of the period within which an appeal can be brought against the notice, and if such an appeal is brought the requirement need not be complied with pending the determination or withdrawal of the appeal.
(2)If by reason of special circumstances the Commissioner considers that it is necessary for the data controller to comply with a requirement in an assessment notice as a matter of urgency, the Commissioner may include in the notice a statement to that effect and a statement of the reasons for that conclusion; and in that event subsection (1) applies in relation to the requirement as if for the words from “within” to the end there were substituted “of 7 days beginning with the day on which the notice is served”.
(3)A requirement imposed by an assessment notice does not have effect in so far as compliance with it would result in the disclosure of—
(a)any communication between a professional legal adviser and the adviser's client in connection with the giving of legal advice with respect to the client's obligations, liabilities or rights under this Act, or
(b)any communication between a professional legal adviser and the adviser's client, or between such an adviser or the adviser's client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.
(4)In subsection (3) references to the client of a professional legal adviser include references to any person representing such a client.
(5)Nothing in section 41A authorises the Commissioner to serve an assessment notice on—
(a)a judge,
(b)a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), or
(c)the Office for Standards in Education, Children's Services and Skills in so far as it is a data controller in respect of information processed for the purposes of functions exercisable by Her Majesty's Chief Inspector of Education, Children's Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.
(6)In this section “judge” includes—
(a)a justice of the peace (or, in Northern Ireland, a lay magistrate),
(b)a member of a tribunal, and
(c)a clerk or other officer entitled to exercise the jurisdiction of a court or tribunal;
and in this subsection “tribunal” means any tribunal in which legal proceedings may be brought.
41C Code of practice about assessment notices
(1)The Commissioner must prepare and issue a code of practice as to the manner in which the Commissioner's functions under and in connection with section 41A are to be exercised.
(2)The code must in particular—
(a)specify factors to be considered in determining whether to serve an assessment notice on a data controller;
(b)specify descriptions of documents and information that—
(i)are not to be examined or inspected in pursuance of an assessment notice, or
(ii)are to be so examined or inspected only by persons of a description specified in the code;
(c)deal with the nature of inspections and examinations carried out in pursuance of an assessment notice;
(d)deal with the nature of interviews carried out in pursuance of an assessment notice;
(e)deal with the preparation, issuing and publication by the Commissioner of assessment reports in respect of data controllers that have been served with assessment notices.
(3)The provisions of the code made by virtue of subsection (2)(b) must, in particular, include provisions that relate to—
(a)documents and information concerning an individual's physical or mental health;
(b)documents and information concerning the provision of social care for an individual.
(4)An assessment report is a report which contains—
(a)a determination as to whether a data controller has complied or is complying with the data protection principles,
(b)recommendations as to any steps which the data controller ought to take, or refrain from taking, to ensure compliance with any of those principles, and
(c)such other matters as are specified in the code.
(5)The Commissioner may alter or replace the code.
(6)If the code is altered or replaced, the Commissioner must issue the altered or replacement code.
(7)The Commissioner may not issue the code (or an altered or replacement code) without the approval of the Secretary of State.
(8)The Commissioner must arrange for the publication of the code (and any altered or replacement code) issued under this section in such form and manner as the Commissioner considers appropriate.
(9)In this section “social care” has the same meaning as in Part 1 of the Health and Social Care Act 2008 (see section 9(3) of that Act).”
Commencement Information
I1 S. 173 in force at 1.2.2010 for specified purposes by S.I. 2010/145, art. 2(2), Sch. para. 15
I2 S. 173 in force at 6.4.2010 in so far as not already in force by S.I. 2010/816, art. 2, Sch. para. 12
174 Data-sharing code of practice (E+W)
(1)After section 52 of the Data Protection Act 1998 (c. 29) insert—
“52A Data-sharing code
(1)The Commissioner must prepare a code of practice which contains—
(a)practical guidance in relation to the sharing of personal data in accordance with the requirements of this Act, and
(b)such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data.
(2)For this purpose “good practice” means such practice in the sharing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act.
(3)Before a code is prepared under this section, the Commissioner must consult such of the following as the Commissioner considers appropriate—
(a)trade associations (within the meaning of section 51);
(b)data subjects;
(c)persons who appear to the Commissioner to represent the interests of data subjects.
(4)In this section a reference to the sharing of personal data is to the disclosure of the data by transmission, dissemination or otherwise making it available.
52B Data-sharing code: procedure
(1)When a code is prepared under section 52A, it must be submitted to the Secretary of State for approval.
(2)Approval may be withheld only if it appears to the Secretary of State that the terms of the code could result in the United Kingdom being in breach of any of its Community obligations or any other international obligation.
(3)The Secretary of State must—
(a)if approval is withheld, publish details of the reasons for withholding it;
(b)if approval is granted, lay the code before Parliament.
(4)If, within the 40-day period, either House of Parliament resolves not to approve the code, the code is not to be issued by the Commissioner.
(5)If no such resolution is made within that period, the Commissioner must issue the code.
(6)Where—
(a)the Secretary of State withholds approval, or
(b)such a resolution is passed,
the Commissioner must prepare another code of practice under section 52A.
(7)Subsection (4) does not prevent a new code being laid before Parliament.
(8)A code comes into force at the end of the period of 21 days beginning with the day on which it is issued.
(9)A code may include transitional provision or savings.
(10)In this section “the 40-day period” means the period of 40 days beginning with the day on which the code is laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the 2 days on which it is laid).
(11)In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.
52C Alteration or replacement of data-sharing code
(1)The Commissioner—
(a)must keep the data-sharing code under review, and
(b)may prepare an alteration to that code or a replacement code.
(2)Where, by virtue of a review under subsection (1)(a) or otherwise, the Commissioner becomes aware that the terms of the code could result in the United Kingdom being in breach of any of its Community obligations or any other international obligation, the Commissioner must exercise the power under subsection (1)(b) with a view to remedying the situation.
(3)Before an alteration or replacement code is prepared under subsection (1), the Commissioner must consult such of the following as the Commissioner considers appropriate—
(a)trade associations (within the meaning of section 51);
(b)data subjects;
(c)persons who appear to the Commissioner to represent the interests of data subjects.
(4)Section 52B (other than subsection (6)) applies to an alteration or replacement code prepared under this section as it applies to the code as first prepared under section 52A.
(5)In this section “the data-sharing code” means the code issued under section 52B(5) (as altered or replaced from time to time).
52D Publication of data-sharing code
(1)The Commissioner must publish the code (and any replacement code) issued under section 52B(5).
(2)Where an alteration is so issued, the Commissioner must publish either—
(a)the alteration, or
(b)the code or replacement code as altered by it.
52E Effect of data-sharing code
(1)A failure on the part of any person to act in accordance with any provision of the data-sharing code does not of itself render that person liable to any legal proceedings in any court or tribunal.
(2)The data-sharing code is admissible in evidence in any legal proceedings.
(3)If any provision of the data-sharing code appears to—
(a)the Tribunal or a court conducting any proceedings under this Act,
(b)a court or tribunal conducting any other legal proceedings, or
(c)the Commissioner carrying out any function under this Act,
to be relevant to any question arising in the proceedings, or in connection with the exercise of that jurisdiction or the carrying out of those functions, in relation to any time when it was in force, that provision of the code must be taken into account in determining that question.
(4)In this section “the data-sharing code” means the code issued under section 52B(5) (as altered or replaced from time to time).”
(2)In section 51 of the Data Protection Act 1998 (c. 29) (general duties of Commissioner), after subsection (5) insert—
“(5A)In determining the action required to discharge the duties imposed by subsections (1) to (4), the Commissioner may take account of any action taken to discharge the duty imposed by section 52A (data-sharing code).”
Commencement Information
I3 S. 174 in force at 1.2.2010 by S.I. 2010/145, art. 2(2), Sch. para. 16
175 Further amendments of the Data Protection Act 1998 (c. 29) (E+W)
Schedule 20 contains further amendments of the Data Protection Act 1998 (c. 29).
Commencement Information
I4 S. 175 in force at 1.2.2010 for specified purposes by S.I. 2010/145, art. 2(2), Sch. para. 17
I5 S. 175 in force at 6.4.2010 for specified purposes by S.I. 2010/816, art. 2, Sch. para. 13