As you are no doubt aware, the Information Commissioners Office (ICO) has a number of regulatory actions it can use to ensure compliance with the Data Protection Act (DPA), not least of which are its powers to serve monetary penalty notices of up to £500,000
for serious contraventions of the data protection principles. But now there is renewed activity in the arena of providing more ‘new teeth’ to the Commissioner that could see compulsory audits across all sectors, not just central government.
At the 10th annual data protection compliance conference in London on 13th October, the Information Commissioner, Christopher Graham stated that
“Compulsory audit powers are needed for local government, the NHS and the private sector”
and “the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.” Currently the ICO can only conduct compulsory audits on central government departments, but there
have been well publicised cases where breaches have occurred in other organisations that may have been prevented had the ICO been able to audit them.
As I write this, the Commissioner is preparing a business case that will change the law and provide an extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act of 2009. Unlike, what the ICO like to term the “good practice” consensual
audits, a compulsory audit is conducted following the issuing of an assessment notice. These notices are used in circumstances where there is a risk that individuals’ data will be compromised, but the organisation is unwilling, for whatever reason, to engage
constructively with the ICO.
Given that this change in legislation will give the ICO additional powers to inspect the aforementioned organisations, I wonder whether all data controllers are ready and have their house in order so they can demonstrate to the ICO that they are complying
with the Data Protection Act principles and so avoid an assessment notice. Some of the initial drivers that would lead the ICO to consider using its formal regulatory powers are firms carrying out the following types of conduct, so I suggest that your data
controllers at least check these areas:
- repeated failure to take adequate security measures;
- collecting and retaining detailed or sensitive personal information on a ‘just in case’ basis;
- seriously intrusive marketing, for example repeated failure to observe the customers telephone preference service requirements;
- failure to notify, despite receiving reminders from the ICO; and
- denial of subject access where it is reasonable to suppose significant information is held.
The ICO does not have to seek the consent of the data controller to undertake this assessment, and the organisation will be required by law to take certain action such as:
- permitting the Commissioner to enter any specified premises and observe the processing of any personal data that takes place;
- allowing the Commissioner access to documents, equipment or other material on the premises and provide copies if requested by the commissioner; and
- making available for interview by the Commissioner persons who process personal data on behalf of the data controller.
In my opinion, these powers, once granted to the ICO, would mean that the ICO’s ‘good practice consensual audit’ may manifest itself into a regulatory tool and for those organisations failing the audit further sanctions could be applied.
Is data and information security embedded into your organisation, is it part of your way of life? If not then you could become a victim of the Commissioners new regulatory ‘teeth’.