Out-Law News 3 min. read

ICO asks for new audit powers in local Government and public health sectors


The Information Commissioner has formally requested new powers to conduct compulsory data protection audits of local Government and public health organisations.

The UK's data protection watchdog has presented the Ministry of Justice (MoJ) with a "business case" outlining why the new powers are needed. The watchdog said there are "particularly significant and widespread data protection compliance concerns" in the sectors that merit the new powers being introduced.

Local Government and NHS bodies are among the most complained-about organisations in terms of their compliance with the Data Protection Act (DPA), the Information Commissioner's Office (ICO) said. Having the power to force those organisations to take part in an audit would help identify practices that threaten the security of personal data and prevent data breaches occurring, it said.

"The NHS and local government are two areas where there are already significant and widespread data protection compliance concerns," the ICO said in its business case (21-page / 223KB PDF).

"Data controllers in these sectors are managing huge quantities of complex and often sensitive personal data, they are often involved in wide scale data sharing initiatives and engaging multiple data processors," it said. "The nature of the personal data held by these organisations is such that a breach of the DPA often has particular potential to cause real distress and harm."

"The ability to compel data controllers to allow the Information Commissioner to audit their practices is an essential tool to identify and mitigate risks before serious problems occur ... simply relying on organisations agreeing to an audit is not sufficient," it said. "A power of compulsion is needed even if in practice this serves mainly as an incentive to organisations to sign up to a consensual audit. The value of the audit process is clearly illustrated and the extension of the assessment notice power will provide a clear basis for the Information Commissioner to improve data protection compliance in these areas of significant risk."

Under the UK's Data Protection Act it is unlawful for organisations in control of personal data to fail to take appropriate measures to guard against accidental loss or damage of that personal data. Extra protective measures have to be taken to ensure sensitive personal data such as information about children or health details is secure.

Under the Act the ICO currently has the power to conduct compulsory data protection audits of central Government departments, but must obtain consent from organisations in other sectors before it can investigate their procedures. The ICO has long campaigned for these mandatory auditing powers to be extended.

The ICO said that only 47% of the local Government organisations it has asked to take part in a voluntary audit had agreed to do so and that only 53% of NHS bodies that the ICO's enforcement team had referred for an audit had agreed to the checks. The ICO said it has never had to use its compulsory audit powers on central Government departments, but that the powers provide "a strong driver in persuading data controllers to sign up to a consensual audit".

"Where the power to serve an assessment notice exists data controllers can agree to consensual audits without the notice being necessary in each case. The Information Commissioner has not had to serve an assessment notice to date because 100% of data controllers covered by the existing provisions have agreed to an audit (knowing the option to serve a notice exists if they refuse). The figures above do however demonstrate clearly that without that power to back up requests for access organisations will continue to be reluctant to volunteer. Those data controllers that have something to hide, particularly those who know their processes and controls are insufficient, are perhaps the most likely to want to avoid or postpone closer inspection," the ICO said.

Local authorities down to parish councils with incomes of at least £20,000 should be within the scope of any new powers, along with "all public, private or third sector organisations who deliver publicly funded health care services in the UK," the ICO said.

The ICO has the power to issue fines of up to £500,000 for serious breaches of personal data and has issued heavy fines to some local Government bodies during 2011. However, the watchdog said that the power to issue fines and obtain assurances over future data protection practices had "limitations" and that compulsory audits were also needed to help organisations identify "problem areas" and implement "real world, practical solutions that meet their needs".

"An audit by the Information Commissioner provides independent, specialist expertise and allows for dissemination of standards and good practice across organisations," the ICO said.

"Security of personal data in practice is particularly difficult to assess without the ability to audit an organisation. This is especially the case for manual data which is still in regular use in both the NHS and local Government," it said.

The ICO has previously said that it would not use new powers to fine organisations for data protection law breaches if those breaches are discovered as part of one of its audits.

The watchdog is currently gathering evidence in order to present a further case for compulsory audit powers to be extended to some sectors of private business, it said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.