04 October 2015


Retired Member

1,170Posts 3,988,298Views 1,460Comments

The DPA more than an Act, it's a way of life

21 October 2011  |  4817 views  |  0

As you are no doubt aware, the Information Commissioners Office (ICO) has a number of regulatory actions it can use to ensure compliance with the Data Protection Act (DPA), not least of which are its powers to serve monetary penalty notices of up to £500,000 for serious contraventions of the data protection principles.  But now there is renewed activity in the arena of providing more ‘new teeth’ to the Commissioner that could see compulsory audits across all sectors, not just central government.

At the 10th annual data protection compliance conference in London on 13th October, the Information Commissioner, Christopher Graham stated that “Compulsory audit powers are needed for local government, the NHS and the private sector” and “the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.”  Currently the ICO can only conduct compulsory audits on central government departments, but there have been well publicised cases where breaches have occurred in other organisations that may have been prevented had the ICO been able to audit them. 

As I write this, the Commissioner is preparing a business case that will change the law and provide an extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act of 2009.  Unlike, what the ICO like to term the “good practice” consensual audits, a compulsory audit is conducted following the issuing of an assessment notice.  These notices are used in circumstances where there is a risk that individuals’ data will be compromised, but the organisation is unwilling, for whatever reason, to engage constructively with the ICO.

Given that this change in legislation will give the ICO additional powers to inspect the aforementioned organisations, I wonder whether all data controllers are ready and have their house in order so they can demonstrate to the ICO that they are complying with the Data Protection Act principles and so avoid an assessment notice.  Some of the initial drivers that would lead the ICO to consider using its formal regulatory powers are firms carrying out the following types of conduct, so I suggest that your data controllers at least check these areas:

  • repeated failure to take adequate security measures;
  • collecting and retaining detailed or sensitive personal information on a ‘just in case’ basis;
  • seriously intrusive marketing, for example repeated failure to observe the customers telephone preference service requirements;
  • failure to notify, despite receiving reminders from the ICO; and
  • denial of subject access where it is reasonable to suppose significant information is held.

The ICO does not have to seek the consent of the data controller to undertake this assessment, and the organisation will be required by law to take certain action such as:

  • permitting the Commissioner to enter any specified premises and observe the processing of any personal data that takes place;
  • allowing the Commissioner access to documents, equipment or other material on the premises and provide copies if requested by the commissioner; and
  • making available for interview by the Commissioner persons who process personal data on behalf of the data controller.

In my opinion, these powers, once granted to the ICO, would mean that the ICO’s ‘good practice consensual audit’ may manifest itself into a regulatory tool and for those organisations failing the audit further sanctions could be applied.

Is data and information security embedded into your organisation, is it part of your way of life?  If not then you could become a victim of the Commissioners new regulatory ‘teeth’.

TagsSecurityRetail banking

Comments: (0)

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Retired

Periodic Table of Remittances

27 June 2015  |  1506 views  |  0  |  Recommends 0 TagsPaymentsRetail banking

Is the time now right for data sharing?

25 June 2015  |  1635 views  |  0  |  Recommends 0 TagsMobile & onlineRetail banking

Cloud based Mobile Financial Services and Payments

18 June 2015  |  2622 views  |  0  |  Recommends 1 TagsPaymentsInnovation

A Very Personal Confession ... I Love Regulation

08 June 2015  |  1120 views  |  0  |  Recommends 0 TagsRetail bankingOracleGroupInnovation in Financial Services

Deleted Item

05 June 2015  |  487 views  |  0  |  Recommends 0 TagsMobile & onlinePayments

Retired's profile

job title
member since 2014
Summary profile See full profile »

Retired's expertise

What Retired reads
Retired writes about

Who's commenting on Retired's posts

Dirk Kinvig
Andrew Churchill
Bjorn Soland
Karim Maalouf
Ketharaman Swaminathan
Paul Ruskin
Neil Vernon