Coroners and Justice Act 2009

173 Assessment notices (E+W)

After section 41 of the Data Protection Act 1998 (c. 29) insert—

41A Assessment notices

(1) The Commissioner may serve a data controller within subsection (2) with a notice (in this Act referred to as an “assessment notice”) for the purpose of enabling the Commissioner to determine whether the data controller has complied or is complying with the data protection principles.

(2) A data controller is within this subsection if the data controller is—

(a) a government department,

(b) a public authority designated for the purposes of this section by an order made by the Secretary of State, or

(c) a person of a description designated for the purposes of this section by such an order.

(3) An assessment notice is a notice which requires the data controller to do all or any of the following—

(a) permit the Commissioner to enter any specified premises;

(b) direct the Commissioner to any documents on the premises that are of a specified description;

(c) assist the Commissioner to view any information of a specified description that is capable of being viewed using equipment on the premises;

(d) comply with any request from the Commissioner for—

(i) a copy of any of the documents to which the Commissioner is directed;

(ii) a copy (in such form as may be requested) of any of the information which the Commissioner is assisted to view;

(e) direct the Commissioner to any equipment or other material on the premises which is of a specified description;

(f) permit the Commissioner to inspect or examine any of the documents, information, equipment or material to which the Commissioner is directed or which the Commissioner is assisted to view;

(g) permit the Commissioner to observe the processing of any personal data that takes place on the premises;

(h) make available for interview by the Commissioner a specified number of persons of a specified description who process personal data on behalf of the data controller (or such number as are willing to be interviewed).

(4) In subsection (3) references to the Commissioner include references to the Commissioner's officers and staff.

(5) An assessment notice must, in relation to each requirement imposed by the notice, specify—

(a) the time at which the requirement is to be complied with, or

(b) the period during which the requirement is to be complied with.

(6) An assessment notice must also contain particulars of the rights of appeal conferred by section 48.

(7) The Commissioner may cancel an assessment notice by written notice to the data controller on whom it was served.

(8) Where a public authority has been designated by an order under subsection (2)(b) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be appropriate for the authority to be designated.

(9) The Secretary of State may not make an order under subsection (2)(c) which designates a description of persons unless—

(a) the Commissioner has made a recommendation that the description be designated, and

(b) the Secretary of State has consulted—

(i) such persons as appear to the Secretary of State to represent the interests of those that meet the description;

(ii) such other persons as the Secretary of State considers appropriate.

(10) The Secretary of State may not make an order under subsection (2)(c), and the Commissioner may not make a recommendation under subsection (9)(a), unless the Secretary of State or (as the case may be) the Commissioner is satisfied that it is necessary for the description of persons in question to be designated having regard to—

(a) the nature and quantity of data under the control of such persons, and

(b) any damage or distress which may be caused by a contravention by such persons of the data protection principles.

(11) Where a description of persons has been designated by an order under subsection (2)(c) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be necessary for the description to be designated having regard to the matters mentioned in subsection (10).

(12) In this section—

  • “public authority” includes any body, office-holder or other person in respect of which—

    (a) an order may be made under section 4 or 5 of the Freedom of Information Act 2000, or

    (b) an order may be made under section 4 or 5 of the Freedom of Information (Scotland) Act 2002;

  • “specified” means specified in an assessment notice.

41B Assessment notices: limitations

(1) A time specified in an assessment notice under section 41A(5) in relation to a requirement must not fall, and a period so specified must not begin, before the end of the period within which an appeal can be brought against the notice, and if such an appeal is brought the requirement need not be complied with pending the determination or withdrawal of the appeal.

(2) If by reason of special circumstances the Commissioner considers that it is necessary for the data controller to comply with a requirement in an assessment notice as a matter of urgency, the Commissioner may include in the notice a statement to that effect and a statement of the reasons for that conclusion; and in that event subsection (1) applies in relation to the requirement as if for the words from “within” to the end there were substituted “of 7 days beginning with the day on which the notice is served”.

(3) A requirement imposed by an assessment notice does not have effect in so far as compliance with it would result in the disclosure of—

(a) any communication between a professional legal adviser and the adviser's client in connection with the giving of legal advice with respect to the client's obligations, liabilities or rights under this Act, or

(b) any communication between a professional legal adviser and the adviser's client, or between such an adviser or the adviser's client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.

(4) In subsection (3) references to the client of a professional legal adviser include references to any person representing such a client.

(5) Nothing in section 41A authorises the Commissioner to serve an assessment notice on—

(a) a judge,

(b) a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), or

(c) the Office for Standards in Education, Children's Services and Skills in so far as it is a data controller in respect of information processed for the purposes of functions exercisable by Her Majesty's Chief Inspector of Education, Children's Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.

(6) In this section “judge” includes—

(a) a justice of the peace (or, in Northern Ireland, a lay magistrate),

(b) a member of a tribunal, and

(c) a clerk or other officer entitled to exercise the jurisdiction of a court or tribunal;

and in this subsection “tribunal” means any tribunal in which legal proceedings may be brought.

41C Code of practice about assessment notices

(1) The Commissioner must prepare and issue a code of practice as to the manner in which the Commissioner's functions under and in connection with section 41A are to be exercised.

(2) The code must in particular—

(a) specify factors to be considered in determining whether to serve an assessment notice on a data controller;

(b) specify descriptions of documents and information that—

(i) are not to be examined or inspected in pursuance of an assessment notice, or

(ii) are to be so examined or inspected only by persons of a description specified in the code;

(c) deal with the nature of inspections and examinations carried out in pursuance of an assessment notice;

(d) deal with the nature of interviews carried out in pursuance of an assessment notice;

(e) deal with the preparation, issuing and publication by the Commissioner of assessment reports in respect of data controllers that have been served with assessment notices.

(3) The provisions of the code made by virtue of subsection (2)(b) must, in particular, include provisions that relate to—

(a) documents and information concerning an individual's physical or mental health;

(b) documents and information concerning the provision of social care for an individual.

(4) An assessment report is a report which contains—

(a) a determination as to whether a data controller has complied or is complying with the data protection principles,

(b) recommendations as to any steps which the data controller ought to take, or refrain from taking, to ensure compliance with any of those principles, and

(c) such other matters as are specified in the code.

(5) The Commissioner may alter or replace the code.

(6) If the code is altered or replaced, the Commissioner must issue the altered or replacement code.

(7) The Commissioner may not issue the code (or an altered or replacement code) without the approval of the Secretary of State.

(8) The Commissioner must arrange for the publication of the code (and any altered or replacement code) issued under this section in such form and manner as the Commissioner considers appropriate.

(9) In this section “social care” has the same meaning as in Part 1 of the Health and Social Care Act 2008 (see section 9(3) of that Act).

Commencement Information

I1 S. 173 in force at 1.2.2010 for specified purposes by S.I. 2010/145, art. 2(2), Sch. para. 15

I2 S. 173 in force at 6.4.2010 in so far as not already in force by S.I. 2010/816, art. 2, Sch. para. 12