Dear Mr Main,

Freedom of Information Request

Thank you for your email of 26 June in which you asked for information from the Department for Business, Innovation and Skills (BIS) on inspections conducted by the Information Commissioner on private sector bodies.

Your email has been passed to the Ministry of Justice (MOJ) because we are responsible for data protection and data sharing. Your request has been passed to me because I have responsibility for answering requests which relate to data protection; your request has been handled under the Freedom of Information Act 2000 (FOIA).

The information you have requested is not held by the MOJ. The ability for the Information Commissioner to inspect a data controller without his or her consent by serving them with an assessment notice is one of the provisions in the Coroners and Justice Bill, currently before Parliament. Therefore, no assessment notices have yet been served by the Information Commissioner (ICO).

Under proposed new section 41A(2)(b) of the Data Protection Act 1998 (inserted by Clause 162 of the Bill), the Secretary of State will be able to designate certain data controllers as liable for assessment notices by statutory instrument if they are a public authority.

In addition, the Government proposed an amendment to the Bill which was passed by the Committee in the House of Lords on 21 July. New section 41A(2)(c) of the Data Protection Act 1998 added by this amendment will allow the Secretary of State to designate by statutory instrument certain descriptions of private sector data controller as liable for assessment notices, following a recommendation by the ICO if they are both satisfied that it is necessary for the description of data controller in question to be designated having regard to (a) the nature and quantity of data under the control of such persons, and (b) any damage or distress which may be caused by a contravention by such persons of the data protection principles.

It is important to note that there is no intention that the Secretary of State will be able to order individual assessments to take place. The Data Protection Act 1998 is enforced by the ICO independently of the Government. As an independent office, the ICO has autonomy to decide how to discharge its statutory responsibility to promote the following of good data protection practice by data controllers.

I hope this information is useful. As part of our obligations under the FOIA, the MOJ has an independent review process. If you are dissatisfied with this decision, you may write to request an internal review. The internal review will be carried out by someone who did not make the original decision, and they will re-assess how the Department handled the original request.

If you wish to request an internal review, please write or send an email to the Data Access and Compliance Unit within two months of the date of this letter, at the following address:

Data Access and Compliance Unit

Information Directorate

6th Floor

Post point 6.25

102 Petty France

London

SW1H 9AJ

e-mail: [email address]

If you remain dissatisfied after an internal review decision, you have the right to apply to the ICO under Section 50 of the FOIA. You can contact the ICO at the following address:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Internet: https://www.ico.gov.uk/Global/contact_us.aspx

Yours Sincerely,

Ollie Simpson

Policy Advisor