(1) The Commissioner may, by notice in writing served on any person, request that person to furnish to him or her in writing in the time specified —
(a) access to personal data;
(b) information about and documentation of the processing of personal data;
(c) information related to the security of processing of personal data; and
(d) any other information in relation to matters specified in the notice as is necessary or expedient for the performance by the Commissioner of his or her functions and exercise of his or her powers and duties under this Act.
(2) Notwithstanding subsection (1), where the personal data is processed for the purpose of compliance with a legal obligation to which the data controller is subject, the Minister may by Regulations prescribe rules and procedures for the purposes of implementation of this subsection.
(3) Where the information requested by the Commissioner is stored in a computer, disc, cassette, or on microfilm, or preserved by any mechanical or electronic device, the person named in the information notice shall produce or give access to the information in a form in which it can be taken away and in which it is visible and legible.
(4) A notice required or authorized by this Act to be served on or given to any person by the Commissioner may —
(a) if that person is an individual, be served on that person at his or her usual or last known address or place of business —
(i) by delivering personally to the person,
(ii) by sending it to the person by post addressed to him or her, or
(iii) by leaving it for the person;
(b) if that person is a body corporate or partnership, be served —
(i) by sending it by post to the proper officer of the body corporate at its principal office,
(ii) by addressing it to the proper officer of the partnership and leaving it at the office of the proper officer.