(1)The Commissioner may by written notice (an “assessment notice”) require a controller or processor to permit the Commissioner to carry out an assessment of whether the controller or processor has complied or is complying with the data protection legislation.
(2)An assessment notice may require the controller or processor to do any of the following—
(a)permit the Commissioner to enter specified premises;
(b)direct the Commissioner to documents on the premises that are of a specified description;
(c)assist the Commissioner to view information of a specified description that is capable of being viewed using equipment on the premises;
(d)comply with a request from the Commissioner for a copy (in such form as may be requested) of—
(i)the documents to which the Commissioner is directed;
(ii)the information which the Commissioner is assisted to view;
(e)direct the Commissioner to equipment or other material on the premises which is of a specified description;
(f)permit the Commissioner to inspect or examine the documents, information, equipment or material to which the Commissioner is directed or which the Commissioner is assisted to view;
(g)provide the Commissioner with an explanation of such documents, information, equipment or material;
(h)permit the Commissioner to observe the processing of personal data that takes place on the premises;
(i)make available for interview by the Commissioner a specified number of people of a specified description who process personal data on behalf of the controller, not exceeding the number who are willing to be interviewed.
(3)In subsection (2), references to the Commissioner include references to the Commissioner's officers and staff.
(4)An assessment notice must, in relation to each requirement imposed by the notice, specify the time or times at which, or period or periods within which, the requirement must be complied with (but see the restrictions in subsections (6) to (9)).
(5)An assessment notice must provide information about—
(a)the consequences of failure to comply with it, and
(b)the rights under sections 162 and 164 (appeals etc).
(6)An assessment notice may not require a person to do anything before the end of the period within which an appeal can be brought against the notice.
(7)If an appeal is brought against an assessment notice, the controller or processor need not comply with a requirement in the notice pending the determination or withdrawal of the appeal.
(8)If an assessment notice—
(a)states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice urgently,
(b)gives the Commissioner's reasons for reaching that opinion, and
(c)does not meet the conditions in subsection (9)(a) to (d),
subsections (6) and (7) do not apply but the notice must not require the controller or processor to comply with the requirement before the end of the period of 7 days beginning when the notice is given.
(9)If an assessment notice—
(a)states that, in the Commissioner's opinion, there are reasonable grounds for suspecting that a controller or processor has failed or is failing as described in section 149(2) or that an offence under this Act has been or is being committed,
(b)indicates the nature of the suspected failure or offence,
(c)does not specify domestic premises,
(d)states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice in less than 7 days, and
(e)gives the Commissioner's reasons for reaching that opinion,
subsections (6) and (7) do not apply.
(10)The Commissioner may cancel an assessment notice by written notice to the controller or processor to whom it was given.
(11)Where the Commissioner gives an assessment notice to a processor, the Commissioner must, so far as reasonably practicable, give a copy of the notice to each controller for whom the processor processes personal data.
(12)In this section—
“domestic premises” means premises, or a part of premises, used as a dwelling;
“specified” means specified in an assessment notice.
(1)An assessment notice does not require a person to do something to the extent that requiring the person to do it would involve an infringement of the privileges of either House of Parliament.
(2)An assessment notice does not have effect so far as compliance would result in the disclosure of a communication which is made—
(a)between a professional legal adviser and the adviser's client, and
(b)in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
(3)An assessment notice does not have effect so far as compliance would result in the disclosure of a communication which is made—
(a)between a professional legal adviser and the adviser's client or between such an adviser or client and another person,
(b)in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and
(c)for the purposes of such proceedings.
(4)In subsections (2) and (3)—
(a)references to the client of a professional legal adviser include references to a person acting on behalf of such a client, and
(b)references to a communication include—
(i)a copy or other record of the communication, and
(ii)anything enclosed with or referred to in the communication if made as described in subsection (2)(b) or in subsection (3)(b) and (c).
(5)The Commissioner may not give a controller or processor an assessment notice with respect to the processing of personal data for the special purposes.
(6)The Commissioner may not give an assessment notice to—
(a)a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), or
(b)the Office for Standards in Education, Children's Services and Skills in so far as it is a controller or processor in respect of information processed for the purposes of functions exercisable by Her Majesty's Chief Inspector of Education, Children's Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.