| |
|
PART V |
|
ENFORCEMENT |
Enforcement notices. |
39. - (1) If the Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commissioner may serve him with a notice (in this Act referred to as "an enforcement notice") requiring him, for complying with the principle or principles in question, to do either or both of the following- |
|
(a) to take within such time as may be specified in the notice, or to refrain from taking after such time as may be so specified, such steps as are so specified, or |
|
(b) to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose so specified or in a manner so specified, after such time as may be so specified. |
|
(2) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress. |
|
(3) An enforcement notice in respect of a contravention of the fourth data protection principle may require the data controller- |
|
(a) to rectify, block, erase or destroy any inaccurate data and any other data held by him and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate data, or |
|
(b) in the case of data which accurately record information received or obtained by the data controller from the data subject or a third party, either to take the steps mentioned in paragraph (a), or to take such steps as are specified in the notice for securing compliance with the requirements specified in paragraph 8 of Part II of Schedule 1 and, if the Commissioner thinks fit, for supplementing the data with such statement of the true facts relating to the matters dealt with by the data as the Commissioner may approve. |
|
(4) Where- |
|
(a) an enforcement notice in respect of a contravention of the fourth data protection principle contains such a requirement as is mentioned in subsection (3)(a), or |
|
(b) the Commissioner is satisfied that personal data which have been rectified, blocked, erased or destroyed were inaccurate, |
|
an enforcement notice may, if reasonably practicable, require the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction; and in determining whether it is reasonably practicable to require such notification regard shall be had, in particular, to the number of persons who would have to be notified. |
|
(5) An enforcement notice must contain- |
|
(a) a statement of the data protection principle or principles which the Commissioner is satisfied have been or are being contravened and his reasons for reaching that conclusion, and |
|
(b) particulars of the rights of appeal conferred by section 47. |
|
(6) Subject to subsection (7), the time specified in an enforcement notice must not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal. |
|
(7) If by reason of special circumstances the Commissioner considers that an enforcement notice should be complied with as a matter of urgency he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (6) shall not apply but the notice must not require the provisions of the notice to be complied with before the end of the period of seven days beginning with the day on which the notice is served. |
|
(8) Notification regulations (as defined by section 15(2)) may make provision as to the effect of the service of an enforcement notice on any entry in the register maintained under section 18 which relates to the person on whom the notice is served. |
|
(9) This section has effect subject to section 45(1). |
Cancellation of enforcement notice. |
40. - (1) If the Commissioner considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with the data protection principle or principles to which it relates, he may cancel or vary the notice by written notice to the person on whom it was served. |
|
(2) A person on whom an enforcement notice has been served may, at any time after the expiry of the period during which an appeal can be brought against that notice, apply in writing to the Commissioner for the cancellation or variation of that notice on the ground that, by reason of a change of circumstances, all or any the provisions of that notice need not be complied with in order to ensure compliance with the data protection principle or principles to which that notice relates. |
Request for assessment. |
41. - (1) A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act. |
|
(2) On receiving a request under this section, the Commissioner shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to- |
|
(a) satisfy himself as to the identity of the person making the request, and |
|
(b) enable him to identify the processing in question. |
|
(3) The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include- |
|
(a) the extent to which the request appears to him to raise a matter of substance, |
|
(b) any undue delay in making the request, and |
|
(c) whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question. |
|
(4) Where the Commissioner has received a request under this section he shall notify the person who made the request- |
|
(a) whether he has made an assessment as a result of the request, and |
|
(b) to the extent that he considers appropriate, having regard in particular to any exemption from section 7 applying in relation to the personal data concerned, of any view formed or action taken as a result of the request. |
Information notices. |
42. - (1) If the Commissioner- |
|
(a) has received a request under section 41 in respect of any processing of personal data, or |
|
(b) reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles, |
|
he may serve the data controller with a notice (in this Act referred to as "an information notice") requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information relating to the request or to compliance with the principles as is so specified. |
|
(2) An information notice must contain- |
|
(a) in a case falling within subsection (1)(a), a statement that the Commissioner has received a request under section 41 in relation to the specified processing, or |
|
(b) in a case falling within subsection (1)(b), a statement that the Commissioner regards the specified information as relevant for the purpose of determining whether the data controller has complied, or is complying, with the data protection principles and his reasons for regarding it as relevant for that purpose. |
|
(3) An information notice must also contain particulars of the rights of appeal conferred by section 47. |
|
(4) Subject to subsection (6), the time specified in an information notice shall not expire before the end of the period within which an appeal can be brought against the notice. |
|
(5) If an appeal is brought against the notice the information need not be furnished pending the determination or withdrawal of the appeal. |
|
(6) If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (4) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served. |
|
(7) A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of- |
|
(a) any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act, or |
|
(b) any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings. |
|
(8) In subsection (7) references to the client of a professional legal adviser include references to any person representing such a client. |
|
(9) A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Act, expose him to proceedings for that offence. |
|
(10) The Commissioner may cancel an information notice by written notice to the person on whom it was served. |
|
(11) This section has effect subject to section 45(3). |
Special information notices. |
43. - (1) If the Commissioner- |
|
(a) has received a request under section 41 in respect of any processing of personal data, or |
|
(b) has reasonable grounds for suspecting that, in a case in which a data controller has made a claim under section 31 in any proceedings, the personal data to which the proceedings relate- |
|
(i) are not being processed only for the special purposes, or
|
|
(ii) are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller,
|
|
he may serve the data controller with a notice (in this Act referred to as a "special information notice") requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information as is so specified for the purpose specified in subsection (2). |
|
(2) That purpose is the purpose of ascertaining- |
|
(a) whether the personal data are being processed only for the special purposes, or |
|
(b) whether they are being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller. |
|
(3) A special information notice must contain- |
|
(a) in a case falling within paragraph (a) of subsection (1), a statement that the Commissioner has received a request under section 41 in relation to the specified processing, or |
|
(b) in a case falling within paragraph (b) of that subsection, a statement of the Commissioner's grounds for suspecting that the personal data are not being processed as mentioned in that paragraph. |
|
(4) A special information notice must also contain particulars of the rights of appeal conferred by section 47. |
|
(5) Subject to subsection (7), the time specified in a special information notice shall not expire before the end of the period within which an appeal can be brought against the notice. |
|
(6) If an appeal is brought against the notice the information need not be furnished pending the determination or withdrawal of the appeal. |
|
(7) If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (5) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served. |
|
(8) A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of- |
|
(a) any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act, or |
|
(b) any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings. |
|
(9) In subsection (8) references to the client of a professional legal adviser include references to any person representing such a client. |
|
(10) A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Act, expose him to proceedings for that offence. |
|
(11) The Commissioner may cancel a special information notice by written notice to the person on whom it was served. |