Out-Law News

ICO wants audit powers extended to private, health and local Government sectors
Private sector businesses, local government and health service organisations should be forced to accept compulsory data protection audits, the Information Commissioner's Office (ICO) has said.

The UK's data protection watchdog said compulsory audit powers were needed because it was often "blocked" from reviewing organisations' practices in the sectors when it asks for their permission to do so. Under the Data Protection Act (DPA) the ICO currently has the power to conduct compulsory data protection audits of central Government departments, but must obtain consent from organisations in other sectors before it can investigate their procedures. The Act sets out rules on how organisations must handle personal data.

The ICO said that "data breaches in the NHS continue to be a major problem" and that "the most serious personal data breaches that have resulted in a civil monetary penalty occurred in the local government sector".

The watchdog said it received most data protection complaints about private sector businesses but less than a fifth of companies in the sector contacted by the ICO had agreed to undergo an audit.

"Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices," Christopher Graham, Information Commissioner, said in a statement.

"Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on," he said. "With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job."

The Information Commissioner said he was "preparing the business case" for the new powers to be introduced.

Kellie Blyth, data protection law expert at Pinsent Masons, the law firm behind Out-Law.com, said that organisations' reluctance to consent to ICO audits could be attributed to fear of the watchdog taking enforcement action against them. The ICO can issue fines of up to £500,000 for serious personal data breaches.

"Undoubtedly the ability to carry out audits across local government and the private sector would force many organisations to reassess their priorities and be more proactive in their approach to conformance with best practice and compliance with the DPA," Blyth said. "While some sectors are ahead of the curve, such as financial services, there are a number of sectors where it has not been high on the agenda."

"Unsurprisingly organisations have been reluctant to agree to undergo the voluntary audits, presumably for fear of what the ICO might find, as well as constraints on time and resources which would prevent them fully engaging in the process," Blyth said. "Many organisations also feel that opening their doors to the ICO will automatically put them on the ICO’s radar. In the event of a security breach or complaint received from a data subject it may make matters worse and enforcement action more likely if shortcomings were flagged during the voluntary audit, improvements recommended, but the organisation failed to implement them."

The ICO said 13% of all data protection complaints it now receives concern marketing via text messages with more than 1,000 grievances registered about the practice since April alone. The figures represent a trebling of complaints about marketing texts since 2008/09, the watchdog said.

Overall the ICO has experienced a 2% rise in data protection complaints within the past year, and has received 5% more complaints about compliance with freedom of information (FOI) laws, it said. The ICO is responsible for ensuring public organisations comply with FOI legislation.

The Freedom of Information Act (FOI) and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals for the first time the right to see information held by Government departments and public bodies, subject to some exceptions.
