ICO Audits: Consultation

February 12, 2010

The Information Commissioner’s Office has launched a consultation on a new draft code of practice which sets out its proposed approach to using the new auditing powers which are due to come into effect in April 2010. The new powers derive from ss. 41A to 41C of the Data Protection Act (inserted by virtue of the Coroners and Justice Act 2009, s 173).

The ICO indicates an intention to take ‘a proportionate and risk-based approach’ to auditing, based on a range of intelligence including complaints received, business and media reports and annual statements issued by the organisation.

The auditing process allows the ICO to assess whether organisations are processing personal information in line with the Data Protection Act and to advise on best practice. The ICO will continue to request consent for an audit to be carried out where it is identified that personal information may be at risk. However, where an organisation refuses to work with the auditing team but is considered to be at significant risk of compromising personal data, the ICO will be able to serve an Assessment Notice – a compulsory audit notice. Initially the ICO will only be able to conduct these compulsory audits on central government departments. It will, though, be able to make a case to the Government for the power of compulsion to be made available more widely, as there is a power to extend it by statutory instrument.

The draft code of practice has been designed to provide advice on the ICO’s auditing framework to all public and private sector organisations and will be relevant whether an audit is to be carried out by consent or with compulsion.

David Smith, Deputy Commissioner at the ICO, said: ‘Auditing plays a key role in educating and assisting organisations to meet their obligations under the Data Protection Act. We will work with organisations that want to get it right and are keen to follow best practice. However, those government departments less willing to work with us will face an Assessment Notice if there is evidence to suggest they are putting personal information at risk. Whilst our auditing powers are restricted to central government departments initially, we will, where we can make a good case, seek to extend our powers to undertake compulsory audits in the rest of the public and private sectors.’

The draft code includes information on the factors considered before issuing an Assessment Notice, the ICO’s approach to compulsory audits and the Information Commissioner’s considerations regarding further action following an audit. It states (at para. 4.1):
‘Assessment Notices will only be served where it is deemed necessary by the Information Commissioner because:
– a risk assessment has been conducted and indicates a high probability that personal data is not being processed in compliance with the Act with a significant likelihood of damage and distress to individuals, and
– the data controller has failed to respond to a written request from the Information Commissioner to undertake an audit or has refused consent to such an audit, without adequate reasons.’

Moreover, where information is obtained via an audit that might have led to the imposition of a monetary penalty, the draft Code proposes that such a penalty will normally be imposed only where the advice of the ICO arising from the audit is not taken. The ICO does not, however, rule out enforcement action where significant risks are revealed (para. 6).

While the Code indicates that assessment audits will be carried out by ‘competent auditors’ (para. 2.4), the Code includes no indication of how competence is to be assessed or how those audited are to be assured of that competence.

The consultation launched on 11 February 2010 and closes on 24 March 2010. The draft code is available on the ICO’s website at http://www.ico.gov.uk/about_us/consultations/our_consultations.aspx

Comments and suggestions can be sent to Chris Turner at Chris.turner@ico.gsi.gov.uk