23 October 2016


Retired Member

1,975Posts 6,431,153Views 2,302Comments

The DPA more than an Act, it's a way of life

21 October 2011  |  5027 views  |  0

As you are no doubt aware, the Information Commissioners Office (ICO) has a number of regulatory actions it can use to ensure compliance with the Data Protection Act (DPA), not least of which are its powers to serve monetary penalty notices of up to £500,000 for serious contraventions of the data protection principles.  But now there is renewed activity in the arena of providing more ‘new teeth’ to the Commissioner that could see compulsory audits across all sectors, not just central government.

At the 10th annual data protection compliance conference in London on 13th October, the Information Commissioner, Christopher Graham stated that “Compulsory audit powers are needed for local government, the NHS and the private sector” and “the ICO is being blocked from auditing organisations in sectors that are causing concern over their handling of personal information.”  Currently the ICO can only conduct compulsory audits on central government departments, but there have been well publicised cases where breaches have occurred in other organisations that may have been prevented had the ICO been able to audit them. 

As I write this, the Commissioner is preparing a business case that will change the law and provide an extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act of 2009.  Unlike, what the ICO like to term the “good practice” consensual audits, a compulsory audit is conducted following the issuing of an assessment notice.  These notices are used in circumstances where there is a risk that individuals’ data will be compromised, but the organisation is unwilling, for whatever reason, to engage constructively with the ICO.

Given that this change in legislation will give the ICO additional powers to inspect the aforementioned organisations, I wonder whether all data controllers are ready and have their house in order so they can demonstrate to the ICO that they are complying with the Data Protection Act principles and so avoid an assessment notice.  Some of the initial drivers that would lead the ICO to consider using its formal regulatory powers are firms carrying out the following types of conduct, so I suggest that your data controllers at least check these areas:

  • repeated failure to take adequate security measures;
  • collecting and retaining detailed or sensitive personal information on a ‘just in case’ basis;
  • seriously intrusive marketing, for example repeated failure to observe the customers telephone preference service requirements;
  • failure to notify, despite receiving reminders from the ICO; and
  • denial of subject access where it is reasonable to suppose significant information is held.

The ICO does not have to seek the consent of the data controller to undertake this assessment, and the organisation will be required by law to take certain action such as:

  • permitting the Commissioner to enter any specified premises and observe the processing of any personal data that takes place;
  • allowing the Commissioner access to documents, equipment or other material on the premises and provide copies if requested by the commissioner; and
  • making available for interview by the Commissioner persons who process personal data on behalf of the data controller.

In my opinion, these powers, once granted to the ICO, would mean that the ICO’s ‘good practice consensual audit’ may manifest itself into a regulatory tool and for those organisations failing the audit further sanctions could be applied.

Is data and information security embedded into your organisation, is it part of your way of life?  If not then you could become a victim of the Commissioners new regulatory ‘teeth’.

TagsSecurityRetail banking

Comments: (0)

Comment on this story (membership required)

Latest posts from Retired

Fintech innovation in the B2B space has only just begun

12 September 2016  |  10425 views  |  1 comments | recomends Recommends 0 TagsPaymentsInnovation

Protecting Data with DLP

23 August 2016  |  5029 views  |  0 comments | recomends Recommends 0 TagsSecurityBrexit

How to end what ails online commerce

22 August 2016  |  4584 views  |  2 comments | recomends Recommends 0 TagsPaymentsTransaction banking

What internet retailers need to know about Google’s recent webspam report

08 August 2016  |  8283 views  |  0 comments | recomends Recommends 0 TagsPayments

Modelling fixed income: Why realtime analytics are key

29 July 2016  |  5260 views  |  0 comments | recomends Recommends 0 TagsPost-trade & ops

Retired's profile

job title
member since 2014
Summary profile See full profile »

Retired's expertise

What Retired reads
Retired writes about

Who's commenting on Retired's posts

Hardeep Singh
Ketharaman Swaminathan
Graham Seel
Gerard Hergenroeder
Konstantin Rabin
Matt Schofield
Anna Robert
Ian Davis
Steve Patel
Aparty Behera
Karim Maalouf