
Bodies subjected to ICO audit will escape immediate fines

12 Feb 2010

Privacy watchdog the Information Commissioner's Office (ICO) has said that it will not use new powers to fine organisations for data protection law breaches if those breaches are discovered as part of one of its audits.

The ICO has published the details of how it will use new powers to conduct compulsory inspections of organisations to ensure that they are complying with data protection law.

After HM Revenue and Customs lost 25 million people's names, bank details and other personal information in 2007 the Government committed to giving the ICO new powers to inspect Government departments' treatment of personal data with or without their permission.

Those powers were granted to it by a law passed last year and the ICO is now consulting on a code of practice designed to govern its inspections. It plans to publish the finished code in April of this year.

Separate new powers given to the ICO allow it to fine organisations found to have been responsible for serious data protection breaches. Fines can reach £500,000 but the ICO's draft Code of Practice says that it will not issue fines based on information gathered in an audit.

"The Information Commissioner will not impose a monetary penalty on a data controller where a contravention was discovered in the course of carrying out an audit," says the draft Code.

The ICO said that it might take other enforcement action based on the audit and that if problems it found in an audit are not subsequently fixed it might issue fines.

"The Information Commissioner must reserve the right to use any of his powers in the case of any identified major non-compliance where the data controller refuses to address a recommendation within an acceptable timescale," says the draft Code.

The ICO said that it would decide which organisations to audit based on direct complaints, press reports, information from other regulators and those bodies' annual reports. It said that it would still ask permission to conduct an audit but would use its powers to conduct one when that permission was denied.

"My audit team is developing a risk based approach to help us focus on those organisations … where complaints are significant and where business intelligence highlights the risk of failure," said Information Commissioner Christopher Graham.

"Our engagement with such organisations is normally on a consensual basis. However, there will be instances where this approach alone isn’t sufficient, where I will need the power to allow me to undertake compulsory audits in circumstances where there is a risk that individuals’ data will be compromised but the organisation is unwilling, for whatever the reason, to engage constructively with my auditors," he said.

"This Code provides the framework for how such audits will be conducted when an Assessment Notice has been served on an organisation. It outlines the approach to the audit including opportunities for consultation in relation to the audit report findings and recommendations," it said.

The Code of Practice will apply to all audits, including those carried out on private bodies with their consent. It contains some provisions specific to compulsory audits, though, including details on what documents are to be inspected and how.

Audits will be carried out by 'competent auditors' and will result in the publication of an assessment notice when the organisation falls short of the required standards of data protection, the ICO's draft Code said. Where the ICO thinks that there is a risk of serious breaches of individuals' privacy it will issue an urgent notice.

Compulsory audits will feature interviews with staff as well as documents and the organisation will see a draft of the ICO's report before publication to allow it to correct factual errors and identify omissions.

The ICO's Code said that audits will not necessarily lead to direct action against organisations.

"The Information Commissioner does not intend that ‘consensual’ and ‘compulsory’ audits will lead to formal enforcement action; rather they are seen as a means of encouraging compliance and good practice," it said. "However, on issuing the final report the Information Commissioner will identify whether it is his intention to follow up on any data controller responses to his recommendations. Follow up may be by way of written assurances of actions taken from the data controller or a further audit."
