Jon Baines writes:
If the Information Commissioner (IC) reasonably requires any information for the purpose of determining whether a data controller has complied or is complying with the data protection principles, section 43 of the Data Protection Act 1998 (DPA) empowers him to serve a notice on the data controller requiring it to furnish him with specified information relating to compliance with the principles. In short, he may serve an “information notice” on the data controller which requires the latter to assist him by providing relevant information. A data controller has a right of appeal, to the First-tier Tribunal (Information Rights) (FTT), under section 48 DPA.
These provisions have recently come into play in an appeal by Medway Council of an IC Information Notice. That it did not go well for the former is probably rather understating it.
Read more about what happened on Information Rights and Wrongs.
Note: The breaches described in Jon’s post had never been reported on any of my blogs, and may not have been public knowledge at the time, although this blog did note another breach involving Medway Council in 2012; that breach involved a contractor and exposed hundreds of employees’ names, date of birth, staff ID numbers, contract start dates and working hours. The contractor claimed it was a victim of data theft, but the council cancelled their contract with them as a result of the breach.