47. Assessment notices
1. The Commissioner may serve a data controller with a notice in accordance with subsection (2) (hereinafter referred to as an “assessment notice”) for the purpose of enabling the Commissioner to determine whether the data controller has complied with, or is complying with, the data protection standards.
2. An assessment notice is a notice which requires the data controller to do all or any of the following—
(a) permit the Commissioner to enter any specified premises for the purposes mentioned in subsection (1);
(b) direct the Commissioner to any documents on the premises that are of a specified description;
(c) assist the Commissioner to view any information of a specified description that is capable of being viewed using equipment on the premises;
(d) comply with any request from the Commissioner for—
(i) a copy of any of the documents to which the Commissioner is directed;
(ii) a copy (in such form as may be requested) of any information which the Commissioner is assisted to view;
(e) direct the Commissioner to any equipment or other material on the premises which is of a specified description;
(f) permit the Commissioner to inspect or examine any of the documents, information, equipment or material to which the Commissioner is directed or which the Commissioner is assisted to view;
(g) permit the Commissioner to observe the processing of any personal data that takes place on the premises;
(h) make available for interview by the Commissioner such specified persons or the persons of a specified description who process personal data on behalf of the data controller as the Commissioner may require to be interviewed.
3. In subsection (2), references to the Commissioner include references to the Commissioner’s officers and staff.
4. An assessment notice shall—
(a) in relation to each requirement imposed by the notice, specify—
(i) the time at which the requirement is to be complied with; or
(ii) the period during which the requirement is to be complied with; and
(b) state the rights of appeal conferred by section 53.
5. The Commissioner may cancel an assessment notice by written notice to the data controller on whom the assessment notice was served.
6. The Commissioner shall issue a code of practice as to the manner in which the Commissioner’s functions under this section are to be exercised, and the code shall—
(a) specify the factors to be considered in determining whether to serve an assessment notice on a data controller;
(b) specify descriptions of documents and information that—
(i) are not to be examined or inspected in pursuance of an assessment notice; or
(ii) are to be examined or inspected, in pursuance of an assessment notice, only by persons of a description specified in the code,
and in particular as concerns documents and information concerning an individual’s physical or mental health or the provision of social care for an individual;
(c) describe the nature of inspections and examinations that may be carried out in pursuance of an assessment notice; and
(d) set out the procedure for preparing, issuing and publishing assessment reports by the Commissioner in respect of data controllers who are served with assessment notices.
7. For the purposes of—
(a) subsection (6)(b), “social care” includes all forms of personal care and other practical assistance provided for individuals who by reason of financial need, age, illness, disability, pregnancy, childbirth, dependence on alcohol or drugs, or any other similar circumstances, are in need of such care or other assistance;
(b) subsection (6)(d), an assessment report is a report that contains—
(i) a determination as to whether a data controller has complied, or is complying with, the data protection standards;
(ii) recommendations as to any steps that the data controller ought to take, or to refrain from taking, to ensure compliance with any of the data protection standards; and
(iii) such other matters as are specified in the code.