Retired Member
The DPA more than an Act, it's a way of life

21 October 2011  |  4839 views  |  0

As you are no doubt aware, the Information Commissioner's Office (ICO) has a number of regulatory actions it can use to ensure compliance with the Data Protection Act (DPA), not least its power to serve monetary penalty notices of up to £500,000 for serious contraventions of the data protection principles. But there is now renewed activity to give the Commissioner 'new teeth' that could see compulsory audits across all sectors, not just central government.

At the 10th annual data protection compliance conference in London on 13th October, the Information Commissioner, Christopher Graham, stated that "Compulsory audit powers are needed for local government, the NHS and the private sector" and that "the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information." Currently the ICO can only conduct compulsory audits of central government departments, but there have been well publicised breaches at other organisations that might have been prevented had the ICO been able to audit them.

As I write this, the Commissioner is preparing a business case for a change in the law that would extend the ICO's Assessment Notice powers under the Coroners and Justice Act 2009. Unlike what the ICO likes to term 'good practice' consensual audits, a compulsory audit is conducted only after an assessment notice has been served. These notices are used where there is a risk that individuals' data will be compromised but the organisation is unwilling, for whatever reason, to engage constructively with the ICO.

Given that this change in legislation would give the ICO additional powers to inspect the organisations mentioned above, I wonder whether all data controllers are ready and have their house in order, so that they can demonstrate to the ICO that they are complying with the Data Protection Act principles and avoid an assessment notice. The ICO has said that the following types of conduct are among the initial triggers that would lead it to consider using its formal regulatory powers, so I suggest that your data controllers at least check these areas:

  • repeated failure to take adequate security measures;
  • collecting and retaining detailed or sensitive personal information on a ‘just in case’ basis;
  • seriously intrusive marketing, for example repeated failure to observe customers' Telephone Preference Service (TPS) registrations;
  • failure to notify, despite receiving reminders from the ICO; and
  • denial of subject access where it is reasonable to suppose significant information is held.

The ICO does not have to seek the consent of the data controller to undertake such an assessment, and the organisation is required by law to take certain actions, such as:

  • permitting the Commissioner to enter any specified premises and observe the processing of any personal data that takes place;
  • allowing the Commissioner access to documents, equipment or other material on the premises, and providing copies if the Commissioner requests them; and
  • making available for interview by the Commissioner persons who process personal data on behalf of the data controller.

In my opinion, once these powers are granted to the ICO, its 'good practice' consensual audit may turn into a regulatory tool, and organisations failing the audit could face further sanctions.

Is data and information security embedded in your organisation? Is it part of your way of life? If not, you could become a victim of the Commissioner's new regulatory 'teeth'.
