| |
|
| |
1. Duties |
| |
The Information Commissioner is an independent officer who is appointed by Her Majesty the Queen and who reports directly to Parliament. The Information Commissioner’s duties in relation to the Data Protection Act 1998 are to:- |
| |
- promote the following of good practice by data controllers and, in particular, promote the observance of the requirements of the 1998 Act by data controllers;
|
| |
- spread information on the1998 Act and how it works; and
|
| |
- encourage, where appropriate, the development of Codes of Practice for guidance as to good practice.
|
 
| |
2. Requests for assessment |
| |
Any person who is, or believes themselves to be, directly affected by any processing of personal data may ask the Information Commissioner to assess whether or not it is likely that any processing of personal data has been or is being carried out in compliance with the 1998 Act. On receiving a request for assessment the Information Commissioner must make an assessment unless he or she has not been given sufficient information to be satisfied as to the identity of the person making the request or identify the processing in question. |
| |
The Information Commissioner has a wide discretion in deciding the appropriate way in which to make an assessment, but he or she will consider, for example: |
| |
- the extent to which the request appears to raise a matter of substance;
|
| |
- whether there has been any undue delay in making the request; and
|
| |
- whether or not the person making the request is entitled to make an application for subject access in respect of the personal data in question.
|
| |
The Information Commissioner must notify the person who made the request whether s/he has made an assessment and may notify that person of any view formed or action taken as a result of the request. |
| |
3. Enforcement notices |
| |
The Information Commissioner has the power to serve enforcement notices upon a data controller who the Information Commissioner is satisfied has contravened or is contravening any of the Data Protection Principles. An enforcement notice requires a data controller to take, or refrain from taking, specified steps or to refrain from processing any personal data (or personal data of a specified description) altogether, or from processing for a specified purpose or in a specified manner. Compliance with an enforcement notice should ensure compliance with the Principle(s) in question. Failure to comply with an enforcement notice is an offence unless the person charged is able to show that they exercised all due diligence to comply with the notice. There is a right of appeal to the Data Protection Tribunal against an enforcement notice and in certain circumstances the Information Commissioner may cancel or vary the notice. |
| |
4. Information notices |
| |
In order to make an assessment the Information Commissioner may serve an information notice on a data controller to require them to provide specified information, within a specified period of time, either for the purposes of determining the assessment or to decide whether or not the data controller has complied, or is complying with the Data Protection Principles. There is a right of appeal to the Data Protection Tribunal against an information notice. |
| |
5. Special information notices |
| |
Where a request for an assessment is made or the data controller claims the special purposes exemption and where the Information Commissioner has reasonable grounds for suspecting that personal data are not being processed for those special purposes or are not being processed with a view to publication of journalistic, literary or artistic material (which has not previously been published by the data controller), the Information Commissioner may serve the data controller with a special information notice to determine whether or not that is the case. There is a right of appeal to the Data Protection Tribunal against a special information notice. |
| |
6. Enforcement notices in the case of special purposes |
| |
Where the Information Commissioner suspects that personal data are not being processed only for special purposes or are not being processed with a view to the publication of journalistic, literary or artistic material, he or she is not able to serve an enforcement notice until a determination to that effect has been made and an order for leave has been obtained from the court for the notice to be served. |
| |
7. Assistance to individuals |
| |
The Information Commissioner can, in cases involving personal data processed for special purposes, give assistance to individuals who are a party to proceedings relating to specified provisions of the 1998 Act (namely subject access rights, right to prevent processing, rights in relation to automated decision-taking, rights to rectification etc and right to compensation). The Information Commissioner has a wide discretion whether or not and to what extent she will provide assistance but it must be in connection with a matter which in the Information Commissioner’s opinion involves a matter of substantial public interest. |
| |
8. Maintenance of a register |
| |
Under the Data Protection Act 1984 the Information Commissioner maintained a register of data users (now known under the 1998 Act as data controllers). The Information Commissioner will continue to maintain a register of data controllers although the system of registration has been replaced by a system of notification - see section 6 of OG 58 A3. |
| |
9. Preliminary assessment |
| |
The Information Commissioner has the power to make a preliminary assessment as to whether particular types of processing are likely to comply with the provisions of the 1998 Act in the case of processing likely: |
| |
- to cause substantial damage or substantial distress to data subjects; or
|
| |
- otherwise significantly to prejudice the rights and freedoms of data subjects.
|
| |
Such types of processing (known as ‘assessable processing’) are to be determined by orders of the Secretary of State but the three possible categories subject to preliminary assessment are likely to be data matching, processing involving genetic data and processing by private investigators. |
| |
A preliminary assessment would take place upon the Information Commissioner receiving notification from the data controller, which will delay the start of that processing. However, the Information Commissioner is unable to prevent processing after prescribed time limits have expired, notwithstanding that their preliminary assessment is unfavourable. The Information Commissioner can only act to prohibit the processing once the assessable processing has started. |
| |
10. Powers of entry and inspection |
| |
If there are reasonable grounds for suspecting that an offence has been or is being committed under the 1998 Act, or that any of the Data Protection Principles have been or are being contravened, and if the Information Commissioner has already demanded and has been unreasonably refused access, he or she may apply to a circuit judge for a warrant to enter and search premises on which it is suspected that evidence of the offence or contravention of the Data Protection Principles is to be found. |
| |
The warrant will authorise the Information Commissioner or any of their officers or staff: |
| |
- to enter and search the premises at any time within 7 days of the date of the warrant;
|
| |
- to inspect, examine, operate and test any equipment found there which is used or intended to be used for processing of personal data;
|
| |
-
- to inspect and seize any documents or other material found there which may be evidence of an offence or contravention of the principles.
|
| |
Communications made for the purpose of proceedings under the 1998 Act between a professional legal adviser and their client are exempt from inspection and seizure as are personal data which fall within the National Security exemption. |
|