44. Enforcement notice
1. In this Part, “enforcement notice” means a notice under subsection (2).
2. Where the Commissioner is satisfied that a data controller has contravened, or is contravening, any of the data protection standards, the Commissioner may serve the data controller with a notice in accordance with subsections (6) to (8) requiring the data controller, with a view to achieving compliance with the data protection standards, to do any or all of the following—
(a) to take specified steps within a specified time, or to refrain from taking specified steps after a specified time;
(b) to refrain from processing any personal data, or any personal data of a specified description; or
(c) to refrain from processing personal data for a specified purpose or in a specified manner, after a specified time,
and for the purposes of this subsection “specified” means specified in the notice.
3. In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any individual damage or distress.
4. An enforcement notice, relating to a contravention of the fourth data protection standard—
(a) which requires a data controller to rectify, block, erase or destroy any inaccurate personal data may also require the data controller to rectify, block, erase or destroy any other personal data held by the data controller and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate personal data;
(b) in the case of personal data which accurately record information received or obtained by the data controller from the data subject or a third party, may require the data controller either to—
(i) rectify, block, erase or destroy any inaccurate personal data and any other personal data held by the data controller and containing an expression of opinion as mentioned in paragraph (a); or
(ii) take such steps as are specified in the notice for securing compliance with the requirements specified in section 27(2) and, if the Commissioner thinks fit, for supplementing the personal data with such statement of the true facts relating to the matters dealt with by the personal data as the Commissioner may approve.
5. Where—
(a) an enforcement notice requires the data controller to rectify, block, erase or destroy, any personal data; or
(b) the Commissioner is satisfied that personal data which have been rectified, blocked, erased, or destroyed, had been processed in contravention of any of the data protection standards,
an enforcement notice may, if reasonably practicable, require the data controller to notify third parties, to whom the personal data have been disclosed, of the rectification, blocking, erasure, or destruction.
6. For the purposes of determining whether it is reasonably practicable to require notification of third parties under subsection (5), regard shall be had, in particular, to the number of persons who would have to be notified.
7. An enforcement notice shall contain—
(a) a statement of the data protection standard or standards which the Commissioner is satisfied have been or are being contravened, and the Commissioner’s reasons for reaching that conclusion; and
(b) particulars of the rights of appeal conferred by section 53.
8. Subject to subsection (9), an enforcement notice shall not require any of the provisions of the notice to be complied with before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.
9. Subsection (8) shall not apply if the Commissioner, in the enforcement notice—
(a) includes a statement to the effect that by reason of special circumstances the Commissioner considers that an enforcement notice should be complied with as a matter of urgency, together with the Commissioner’s reasons for reaching that conclusion; and
(b) specifies a time within which the notice shall be complied with, being not less than seven days beginning with the day on which the notice is served.
10. Regulations made under this Act may make provision as to the effect of the service of an enforcement notice on any entry in the register maintained under section 17.
11. This section has effect subject to section 51(1).
12. If the Commissioner considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with the data protection standards to which the notice relates, the Commissioner may cancel or vary the notice by written notice to the person on whom the enforcement notice was served.
13. A person on whom an enforcement notice has been served may, at any time after the expiration of the period during which an appeal can be brought against that notice, apply in writing to the Commissioner for the cancellation or variation of that notice on the ground that, by reason of any change in circumstances, all or any of the provisions of the notice need not be complied with in order to ensure compliance with the data protection standards to which the notice relates.