03 September 2015

Amanda Hartshorne

Amanda Hartshorne - Tieto

4Posts 13,939Views 0Comments

The DPA more than an Act, it's a way of life

21 October 2011  |  4804 views  |  0

As you are no doubt aware, the Information Commissioners Office (ICO) has a number of regulatory actions it can use to ensure compliance with the Data Protection Act (DPA), not least of which are its powers to serve monetary penalty notices of up to £500,000 for serious contraventions of the data protection principles.  But now there is renewed activity in the arena of providing more ‘new teeth’ to the Commissioner that could see compulsory audits across all sectors, not just central government.

At the 10th annual data protection compliance conference in London on 13th October, the Information Commissioner, Christopher Graham stated that “Compulsory audit powers are needed for local government, the NHS and the private sector” and “the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.”  Currently the ICO can only conduct compulsory audits on central government departments, but there have been well publicised cases where breaches have occurred in other organisations that may have been prevented had the ICO been able to audit them. 

As I write this, the Commissioner is preparing a business case that will change the law and provide an extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act of 2009.  Unlike, what the ICO like to term the “good practice” consensual audits, a compulsory audit is conducted following the issuing of an assessment notice.  These notices are used in circumstances where there is a risk that individuals’ data will be compromised, but the organisation is unwilling, for whatever reason, to engage constructively with the ICO.

Given that this change in legislation will give the ICO additional powers to inspect the aforementioned organisations, I wonder whether all data controllers are ready and have their house in order so they can demonstrate to the ICO that they are complying with the Data Protection Act principles and so avoid an assessment notice.  Some of the initial drivers that would lead the ICO to consider using its formal regulatory powers are firms carrying out the following types of conduct, so I suggest that your data controllers at least check these areas:

  • repeated failure to take adequate security measures;
  • collecting and retaining detailed or sensitive personal information on a ‘just in case’ basis;
  • seriously intrusive marketing, for example repeated failure to observe the customers telephone preference service requirements;
  • failure to notify, despite receiving reminders from the ICO; and
  • denial of subject access where it is reasonable to suppose significant information is held.

The ICO does not have to seek the consent of the data controller to undertake this assessment, and the organisation will be required by law to take certain action such as:

  • permitting the Commissioner to enter any specified premises and observe the processing of any personal data that takes place;
  • allowing the Commissioner access to documents, equipment or other material on the premises and provide copies if requested by the commissioner; and
  • making available for interview by the Commissioner persons who process personal data on behalf of the data controller.

In my opinion, these powers, once granted to the ICO, would mean that the ICO’s ‘good practice consensual audit’ may manifest itself into a regulatory tool and for those organisations failing the audit further sanctions could be applied.

Is data and information security embedded into your organisation, is it part of your way of life?  If not then you could become a victim of the Commissioners new regulatory ‘teeth’.

TagsSecurityRetail banking

Comments: (0)

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Amanda

For-bearance or against it?

30 November 2011  |  3540 views  |  0  |  Recommends 0 TagsRisk & regulationRetail bankingGroupFinancial Services Regulation

Light up the sky with rocket propelled mortgage legislation

04 November 2011  |  2397 views  |  0  |  Recommends 0

'Dangerous' liaisons

25 October 2011  |  3199 views  |  0  |  Recommends 0

The DPA more than an Act, it's a way of life

21 October 2011  |  4804 views  |  0  |  Recommends 0 TagsSecurityRetail banking

Amanda's profile

job title Principal Compliance Consultant
location Leeds
member since 2011
Summary profile See full profile »
I use my unique expertise to help financial service firms interpret and implement new rules and legislation by translating compliance regulations into recommendations for workable solutions.

Amanda's expertise

What Amanda reads
Amanda writes about
Amanda's blog archive
2011 (4)

Who's commenting on Amanda's posts