Put on the spot

Spot checks of central government departments by the Information Commissioner's Office could be the first step towards compulsory audits for all data controllers, including local authorities. Alison Deighton explains what the checks will involve and outlines the risk management measures public sector organisations should consider adopting, even if they are yet to be subject to the regime.

The Information Commissioner is to receive new powers under the Coroners and Justice Act 2009 (CJA) to audit government departments for compliance with the requirements of the Data Protection Act 1998 (DPA). The new statutory powers formalise the existing informal agreement between the Government and the Information Commissioner's Office (ICO), under which government departments are required to voluntarily submit to ICO audits.

Although the new statutory powers are currently limited to government departments and other bodies which carry out duties on behalf of the Crown, the audit powers may be extended to other public authorities (including local authorities) and private sector data controllers by an order of the Secretary of State. The ICO has repeatedly called for rights to audit all data controllers (in both the public and private sectors) and the ICO's exercise of its new powers will be a test ground for a wider extension of audit rights.

Scope of spot checks

The CJA received Royal Assent on 12 November 2009. The provisions of the CJA, relating to the DPA amendments, are set out in Part 8 and further consequential amendments are included in Schedule 20. The commencement date for the data protection provisions has not yet been published, although it is expected that they will come into effect in early April 2010.

Section 173, Part 8, of the CJA sets out the provisions relating to data protection audits. These provisions permit the ICO to serve assessment notices upon government departments and other data controllers designated by order. Government departments are stated to include "any part of the Scottish Administration; Northern Ireland department; the Welsh Assembly Government; and any body or authority exercising statutory functions on behalf of the Crown."

The assessment notice will permit the ICO to conduct investigations into the data controller's practices and will be followed by a visit from the ICO audit team. The investigation may involve information gathering and staff interviews in order to assess the organisation's data protection compliance. The ICO will not need to obtain the consent of the data controller to undertake the assessment.

The CJA also specifies that the Information Commissioner must publish a code of practice, approved by the Secretary of State, detailing the manner in which it intends to exercise these new functions. Such a code must specify the factors to be considered in determining whether to serve an assessment notice on a data controller and the nature of inspections, examination interviews and the resulting reports.

Spot checks in practice

The grant of the power to conduct audits has followed substantial lobbying from the ICO. The ICO has stressed that the inspection should not be considered to be a punitive measure, but a means of verifying compliance with the data protection regime.

The ICO has indicated that it will adopt a risk-based approach to decide which bodies will be the subject of an audit. It is expected that the ICO will target organisations where it appears that there is a particular risk to individuals or a suspicion of non-compliance. This could apply, for instance, to government departments with extensive collections of highly sensitive personal information which individuals are required to provide by law, or where a series of complaints has been received. The ICO has stated that "this risk based approach is in line with the principles of regulatory good practice" and that it only expects to conduct around 100 assessments per year across all sectors.

The receipt of an assessment notice will require data controllers to submit to an audit. The notice may require a data controller to, amongst other things, permit the ICO to enter any specified premises; inspect any documents, information and materials; take copies of documents; and observe the processing of personal data that takes place on the premises. The notice may also require the data controller to make individuals who process personal data on the data controller's behalf available for interview. The notice will specify the time at which, or the period during which, the requirement must be complied with and will give details of the right to appeal.

The scale of the assessment is expected to depend upon the size of the organisation. For a larger organisation this would involve approximately 3-4 auditors visiting for 3-4 days on agreed dates and interviewing 12-30 members of staff.

Following the assessment, the ICO will prepare a report which will make a determination as to whether a data controller has complied and is complying with the data protection principles. The report will contain recommendations of steps that the data controller should take to ensure compliance with those principles, and any other matters specified in the code.

The results of audits may be made public by the ICO, although the ICO has indicated that publication will only occur after receipt of representations by the data controller in relation to the findings of the ICO's audit report.

Risk management measures

There is a very real possibility that the new audit powers will be extended to cover all public authorities (including local authorities) and private organisations within the next few years. This, coupled with the ICO's new powers to impose monetary penalties for serious breaches of data protection principles, which are also expected to come into force in April 2010, should be pushing data protection up the risk agenda of all organisations.

Government departments should prioritise reviewing their personal data storage, processing and security practices to ensure that they are able to demonstrate that their houses are in order. In light of repeated calls from the ICO for its audit powers to be extended beyond government departments, councils and other public authorities and private organisations which process large volumes of personal data would be well advised to follow suit. It would be wise to monitor how the new audit powers are implemented, observe how spot checks are conducted (including which bodies are targeted) and consider any measures that need to be taken to ensure compliance.

Alison Deighton is an Associate in TLT’s Commercial team with particular expertise in data protection and freedom of information law. She can be contacted on 0117 917 8016 or via www.TLTsolicitors.com.