ICO to get powers to audit public bodies without consent

Out-Law News | 25 Nov 2008 | 5:51 pm | 3 min. read

The Information Commissioner will be able to perform spot-checks on government departments and public sector bodies to make sure they are complying with the Data Protection Act under new plans announced by the Government yesterday.

The UK's privacy chief had hoped for a right also to audit private sector organisations without their consent but the Government has rejected that request.

Yesterday's report also announced changes to the funding arrangements for the Information Commissioner's Office (ICO). A tiered fee structure based on size of organisation will replace the current flat-rate notification fee of £35.

The report follows a consultation on the Information Commissioner's inspection powers and funding arrangements. That consultation was launched by the Ministry of Justice in July. Yesterday the Ministry published a summary of the 72 responses to that consultation, and its proposals.

Another report published by the Ministry of Justice yesterday proposed a new law to ease data sharing. (See today's two stories on that report: Government announces new law for increased data sharing, OUT-LAW News, 25/11/2008; and The UK does not need a data breach notification law, says Government, OUT-LAW News, 25/11/2008)

Justice Secretary Jack Straw said the changes outlined in the two reports will strengthen the Information Commissioner's ability to enforce the Data Protection Act and improve the transparency and accountability of organisations dealing with personal information.

"This is very important if we are to regain public confidence in the handling and sharing of personal information," he said.

Good Practice Assessments

The Ministry of Justice has proposed that a system be introduced where organisations volunteer to have their data protection compliance audited. This good practice assessment (GPA) would be carried out by the ICO.

It also proposes that organisations which ask for a GPA to be carried out be exempted from a civil penalty notice – effectively a fine for non-compliance with the Data Protection Act. That raised concerns among some observers that an organisation with a data protection problem might register for a GPA before the problem becomes public in order to qualify for that exemption.

Yesterday, the Ministry confirmed its plans for GPAs. It said that it proposes "to legislate to exempt data controllers who consent to a Good Practice Assessment (GPA), should a breach be found as part of that GPA, from the new monetary penalty at section 55A [of the Data Protection Act]".

Section 55A of the Data Protection Act will give the ICO a new power to fine organisations for serious breaches of data protection principles. (See: Government announces new law for increased data sharing, OUT-LAW News, 25/11/2008)

The Government will also empower the ICO to audit public sector bodies against the will of the organisation.

"[The] Ministry of Justice proposes to legislate to allow the ICO to undertake GPA of public sector data controllers without requiring consent from the organisation in question," said the report.

The report said that businesses would not face non-consensual GPAs. "We are conscious of imposing further burdens on business, but more significantly we must consider the nature of the information held and processed by the public sector," it said.

The Ministry also confirmed that data controllers who consent to a GPA will be exempt from a civil monetary penalty under section 55A of the Act for a breach discovered during that assessment. "This measure is designed to promote good practice, allowing data controllers to invite scrutiny, safe in the knowledge that no penalty would be imposed for problems identified," said the report.

Deputy Commissioner David Smith said the ICO generally welcomed the Ministry's proposals.

"We particularly welcome the government’s commitment to legislate to enable the ICO to inspect central government departments and other public sector bodies’ compliance with the Data Protection Act without always requiring consent," he said.

"We would have preferred to have this power to undertake audits extended to private sector organisations as well," said Smith.

Rosemary Jay, head of the information law team at Pinsent Masons, the law firm behind OUT-LAW.COM, said the Government's refusal to extend the new audit power to the private sector was the right decision.

"I do not think that anyone outside Wilmslow [where the ICO is based] regarded it as justifiable, especially as they have existing powers to require information that are rarely used," she said.

"The changes to the powers are minor and administrative, and no doubt useful, but as these powers are rarely used, there was no apparent crying need for them," said Jay. "The message to the ICO was 'use the powers you have before asking for any more'. That's not an unreasonable message."

The Government said yesterday that the necessary legislation will be introduced as soon as parliamentary time allows.

Pinsent Masons and Amberhawk Training are holding an Update session on 26th January in London where this topic forms part of the agenda. If you are interested in this event, please email [email protected] for a brochure.