MPs back ICO power to hold compulsory audits of councils and NHS trusts

The Information Commissioner should be able to compel councils and NHS trusts to undergo compulsory data protection audits, MPs have recommended.

In a report published last week, the Justice Committee expressed concern at the number of public sector bodies to have refused free audits from the watchdog.

The MPs said: “It is shocking that public sector organisations, which hold highly sensitive data, should refuse a free audit, and even more so in cases where there are serious concerns over the security of that data.

“It is indicative of a culture in some public authorities in which data protection and privacy do not register as being sufficiently important.”

The committee recommended that “as a general rule” public sector organisations should accept the offer of a free audit from the Information Commissioner, and considered that it was in the public interest for them to do so.

The report said the case for extending compulsory audit to NHS trusts and local councils was clear. “While bodies continue to decline free and consensual audits, the only feasible recourse for the Information Commissioner is a civil monetary penalty which ultimately is at the expense of the taxpayer and council taxpayer.”

It called on the Justice Secretary to bring forward an order under s. 41A of the Data Protection Act extending the power to serve assessment notices.

The committee meanwhile warned that the ICO could be left with a £42.8m funding shortfall as a result of forthcoming EU data protection legislation.

The report said: “We have concerns relating to the funding of the Information Commissioner’s Office at a time when its responsibilities in the field of data protection look set to expand dramatically if new EU data protection legislation comes into effect and recommendations made by the Leveson Inquiry for the ICO to take on additional functions are adopted.

“At the same time, the proposed EU Regulation would remove the Information Commissioner’s funding for data protection work through the notification fee payable to him by data controllers.”

The MPs recommended that the Government find a way of retaining a fee-based self-financing system for the ICO’s data protection work, if necessary by negotiating an option for the UK to retain the notification fee or introduce an alternative fee.

The committee also:

  • Repeated its calls for penalties for data protection offences to be increased to provide a more effective deterrent;
  • Commended the ICO for handling more casework and significantly cutting the backlog of freedom of information appeals at the same time as reducing its budget;
  • Called for the Information Commissioner to be given greater independence from the executive by being made directly responsible to, and funded by, Parliament.



Sir Alan Beith MP, chair of the committee, said: “Taxpayers will have to pick up the tab for the Information Commissioner’s vital data protection work when new EU rules come into force unless the Government can find a way of retaining a fee-based self-financing system.”

On the issue of penalties, Sir Alan added: “We do not understand why the Government has not adopted the recommendation made by us and other parliamentary committees that custodial sentences should be made available for breaches of section 55 of the Data Protection Act.

“This issue should not be lost in wider data protection enforcement questions arising from the Leveson Report.”

A copy of the report – The functions, powers and resources of the Information Commissioner – can be viewed here.