The code of practice sets out the framework the watchdog follows when issuing 'assessment notices' to central Government departments. Those notices detail that the departments are subject to a mandatory audit. The ICO has the power to issue the notices under the Data Protection Act.
Under the revised code proposed the ICO said it would give Government departments six weeks to agree to a consensual audit before it would consider issuing an assessment notice. The ICO will issue such a notice "if the data controller does not enter into a commitment to allow the audit to take place on specified dates that are acceptable to the ICO within this timescale," the draft code said.
The ICO said it could also issue the notices if there was a "need to be assured" that departments had "taken appropriate measures to comply" with changes to data protection practices previously demanded of them following enforcement action or in accepting formal undertakings. It can also issue the notices where it "has been given a specific responsibility for scrutiny" over a particular department, the draft said.
The watchdog has also withdrawn its guarantee that it will conduct discussions about data protection with staff prior to visiting their premises. It now proposes doing this only "as far as possible".
Under the Data Protection Act the ICO currently has the power to conduct compulsory data protection audits of central Government departments, but must obtain consent from organisations in other sectors before it can investigate their procedures. The ICO has long campaigned for the mandatory auditing scope to be broadened and late last year formally requested the powers be extended to include local Government and public health organisations.
The code of practice sets out that its compulsory audit will assess the Government department's compliance with the Act's "data protection principles". The ICO can conduct on-site inspections, investigate documents and systems and interview staff as part of its audit process.
The ICO's planned revised code of practice also details the ICO's power to conduct compulsory data protection audits under the Privacy and Electronic Communications Regulations. Under that legislation the ICO has the power "to audit the measures taken by a provider of a public electronic communications service to safeguard the security of that service," according to the draft code. The ICO is to issue separate guidance on how it will go about those particular audits later this year.
The ICO's consultation on its proposed revisions is open until 12 March.