The ICO has published the details of how it will use new powers to conduct compulsory inspections of organisations to ensure that they are complying with data protection law.
After HM Revenue and Customs lost 25 million people's names, bank details and other personal information in 2007, the Government committed to giving the ICO new powers to inspect Government departments' treatment of personal data with or without their permission.
Those powers were granted to it by a law passed last year and the ICO is now consulting on a code of practice designed to govern its inspections. It plans to publish the finished code in April of this year.
Separate new powers given to the ICO allow it to fine organisations found to have been responsible for serious data protection breaches. Fines can reach £500,000 but the ICO's draft Code of Practice says that it will not issue fines based on information gathered in an audit.
"The Information Commissioner will not impose a monetary penalty on a data controller where a contravention was discovered in the course of carrying out an audit," says the draft Code.
The ICO said that it might take other enforcement action based on the audit and that if problems it found in an audit are not subsequently fixed it might issue fines.
"The Information Commissioner must reserve the right to use any of his powers in the case of any identified major non-compliance where the data controller refuses to address a recommendation within an acceptable timescale," says the draft Code.
The ICO said that it would decide which organisations to audit based on direct complaints, press reports, information from other regulators and those bodies' annual reports. It said that it would still ask permission to conduct an audit but would use its powers to conduct one when that permission was denied.
"My audit team is developing a risk based approach to help us focus on those organisations … where complaints are significant and where business intelligence highlights the risk of failure," said Information Commissioner Christopher Graham.
"Our engagement with such organisations is normally on a consensual basis. However, there will be instances where this approach alone isn't sufficient, where I will need the power to allow me to undertake compulsory audits in circumstances where there is a risk that individuals' data will be compromised but the organisation is unwilling, for whatever the reason, to engage constructively with my auditors," he said.
"This Code provides the framework for how such audits will be conducted when an Assessment Notice has been served on an organisation. It outlines the approach to the audit including opportunities for consultation in relation to the audit report findings and recommendations," it said.
The Code of Practice will apply to all audits, including those carried out on private bodies with their consent. It contains some provisions specific to compulsory audits, though, including details on what documents are to be inspected and how
Audits will be carried out by 'competent auditors' and will result in the publication of an assessment notice when the organisation falls short of the required standards of data protection, the ICO's draft Code said. Where the ICO thinks that there is a risk of serious breaches of individuals' privacy it will issue an urgent notice.
Compulsory audits will feature interviews with staff as well as inspection of documents, and the organisation will see a draft of the ICO's report before publication to allow it to correct factual errors and identify omissions.
The ICO's Code said that audits will not necessarily lead to direct action against organisations.
"The Information Commissioner does not intend that 'consensual' and 'compulsory' audits will lead to formal enforcement action; rather they are seen as a means of encouraging compliance and good practice," it said. "However, on issuing the final report the Information Commissioner will identify whether it is his intention to follow up on any data controller responses to his recommendations. Follow up may be by way of written assurances of actions taken from the data controller or a further audit."