Prior to April 2010, there were two types of assessment by the Information Commissioner under the Data Protection Act 1998:
- under s 42 an individual could (and can) request an assessment by the Commissioner of some processing which affects him or which he believes affects him, and the Commissioner if he has not sufficient information from the data controller can investigate by means of an Information Notice (ss 43-44) and/or entry and inspection but only by a warrant (s 50 and Sched 9)
- under s 51(7) a data controller could (and can) voluntarily request the Commissioner to assess his (data controller’s) own compliance, relates to an analysis by the Commissioner of a particular data controller’s processing, for compliance, not with the Data Protection Principles but with ‘good practice’ as defined (s 51(2)) for the purposes of the Commissioner’s Codes.
On 6 April 2010 new ss 41A-41C of the Data Protection Act 1998 came into force. They permit the Commissioner to serve Assessment Notices on certain classes of data controller ‘for the purpose of enabling the Commissioner to determine whether the data controller has complied or is complying with the data protection principles’ (s 41A (1)).
At present these powers apply only to a government department or a designated public authority. The Secretary of State can designate other categories of data controllers, but has not so far done so.
These powers enable the Commissioner or his staff to enter a data controller’s premises without a warrant and require to see documents, information and machines.
Also in April 2010, the Commissioner issued, under s 41C, an Assessment notices code of practice, which provides further information.
In the Code (section 2.1), the Commissioner may conduct, with the agreement of the data controller, a consensual assessment.
The Information Commissioner sees auditing as a constructive process with real benefits for data controllers and so aims to establish, wherever possible, a participative approach. He will usually seek the consent of a data controller to an audit in line with the approach of ‘consensual’ audits in the first instance. Where, however, data controllers are unwilling to engage and risks have been identified the information Commissioner will use his powers to issue an ‘assessment notice’.
These ‘consensual’ assessments seem to me to be pretty much the same as the old voluntary request for assessment by a data controller under s 51(7) – a provision which is still available.
Furthermore a new s 55A(3A), introduced by para 13 of sch 20 to the Coroners and Justice Act 2009, prevents the Commissioner from using an Assessment as a way of gleaning information leading to a monetary penalty. Under s 55A(1)-(3) the Commissioner can inflict a monetary penalty only if he is satisfied that a contravention of the principles was deliberate or reckless (‘knew or ought to have known that there was a risk’). But s 55A(3A) adds:
(3A) The Commissioner may not be satisfied as mentioned in subsection (1) by virtue of any matter which comes to the Commissioner’s attention as a result of anything done in pursuance of –
(a) an assessment notice;
(b) an assessment under section 51(7).
(The assessment under s 51(7) is the voluntary matter between the Commissioner and a data controller, and is an analysis by the Commissioner of the data controller’s processing, for compliance, not with the Data Protection Principles but with ‘good practice’.)
The assessment will be in two phases – an adequacy audit (a paper exercise off-site) and a compliance audit (on site, including interviews) (Code, 4.2). The result will be an audit report showing:
- a summary of findings;
- an audit opinion;
- detailed findings against predefined risks; and
- associated recommendations (Code, 5.1).
‘Executive Summary’ reports will be published on the Commissioner’s website, after taking into account the data controller’s opinions about the suitability for publication of any element, though the full reports may be eligible for release under the Freedom of Information Act (Code, 5.2).
The Commissioner does not expect to take any further formal enforcement action ‘rather [audits] are seen as a means of encouraging compliance and good practice’ (Code, 6).
Thus Assessment Notices are very different from the power to inflict a monetary penalty under ss 52A-55A, which also came into force at the same time.
Assessments to date
In the 18 months since Assessment Codes became part of the Commissioner’s enforcement powers, the Commissioner has carried out assessments of (insofar as I have been able to find them) some 19 organisations, of which all but three are in the public sector. In every one these cases the Commissioner has persuaded the organisation to seek a ‘consensual’ assessment, rather than submit to a compulsory one. In nine of the cases, including all three non-public authorities, the original request was from the organisation itself (in one case because of an amalgamation), in one case the request was from the ICO who wanted to assess a large organisation (Lancashire Police). In the remaining 10 cases, the need for an assessment arose as a result of one or more perceived failings.
Each organisation was given an assessment value which was colour-coded:
Orange – limited assurance of compliance
Yellow – reasonable assurance
Green – high assurance.
These colours are taken from the Commissioner’s Auditing data protection: a guide to ICO data protection audits (May 2011), p 29, which deals with audit grading. There is also a red for Very Limited Assurance, though to date I have not found any instance of this!
The published summaries (presumably the Executive Summary Reports referred to in the Code at 5.1) are very brief and have little detail. They do however set out in summary areas of good practice in the organisation and areas for improvement.
The organisations, in chronological order, are:
|
Organisation |
Trigger event for assessment |
Date |
Assessment |
|
Cornwall Council |
2 incidents where personal data was compromised |
Dec 2010 |
Orange |
|
North Devon Healthcare NHS Trust |
several personal data losses |
13 Dec 2010 |
Yellow |
|
Gravesham Borough Council |
delay in responding to subject access request |
Jan 2011 |
Orange |
|
NHS Greater Glasgow & Clyde |
self reported personal data breach |
Jan 2011 |
Yellow |
|
NHS Birmingham East & Primary Care Trust |
patient records sent to wrong address promotional video using patients without consent patient notes left in a taxi staff able to access data which should have been protected |
Mar 2011 |
Orange |
|
The Royal Society |
No trigger |
Mar 2011 |
Orange |
|
Newcastle City Council |
5 data breaches by Newcastle |
5 Apr 2011 |
Orange |
|
NHS Ayrshire & Arran |
mental health records inappropriately accessed by another patient |
7 Apr 2011 |
Yellow |
|
Kirklees Neighbourhood Housing |
No trigger. |
4 May 2011 |
Orange |
|
N W London Hospitals NHS Trust |
2 laptops & 1 desktop stolen then Chief Executive gave ICO an undertaking and then patient data in printout left on a bus |
Jun 2011 |
Yellow |
|
G E Money Home Lending |
No trigger |
Jul 2011 |
Green |
|
Highways Agency |
No trigger |
Jul 2011 |
Yellow |
|
Portsmouth City Council |
inappropriate disclosure of third-party data in response to a subject access request |
8 Jul 2011 |
Yellow |
|
Nationwide Building Society |
No trigger |
Aug 2011 |
Green |
|
Metropolitan Police |
No trigger |
Aug 2011 |
Yellow |
|
Aneurin Bevan Health Board[1] |
Amalgamation of several smaller organisations |
Sep 2011 |
Yellow |
|
Burnley Borough Council |
No trigger |
Sep 2011 |
Yellow |
|
Lancashire Police |
Approach from ICO as Lancs Police was an organisation handling large volumes of data |
12 Sep 2011 |
Yellow |
|
Crown Prosecution Service |
No trigger. |
12 Sep 2011 |
Yellow |
I suggest the second column is the most interesting. Many organisations seem voluntarily to have requested an assessment (the No Trigger’ assessments). This certainly applies to the non-public authority organisations. It also applies to some of the public authorities. One (Aneurin Bevan Health Board) had just come into existence as a result of an amalgamation of several small organisations and was clearly concerned at uniformity of approach and common standards. Another Lancashire Police was apparently approached by the Information Commissioner’s Office – presumably as an exercise.
In the other cases, one or more events have been brought somehow to the attention of the Commissioner who has persuaded the data controller to agree to a consensual audit. The difference between assessing for compliance with the Act (s 41A) and for compliance with good practice (s 51(7)) is perhaps less important than might at first appear. If the compliance is with the Act, it can hardly be argued to be non-compliant with a Code – a fortiori the other way round.
Conclusion
It will come as no surprise that the Commissioner has used his new powers cautiously, and in no instance conducted a non-consensual audit. Nevertheless the power to enter without a warrant remains in terrorem and once the system beds down, one might expect the numbers of types of organisation that can be assessed in this way to increase, and it must also be the case that sooner or later the Commissioner will be moved to conduct a non-consensual audit.
However, the ability to conduct a consensual audit, and persuade a possibly non-compliant data controller to accept this, has largely reduced the significance of the fact that a compulsory assessment is only possible in cases of government departments.
Richard Morgan is an IT Consultant of over 40 years’ experience. He is a Fellow of the British Computer Society. For many years he was Computer Officer at the two Houses of Parliament. He has always been interested in the interaction of IT and Law and is a founder member and a past Chairman of the Society for Computers and Law. He lectures and writes articles on IT and Law. He is the author with Kit Burden of Morgan & Burden on Computer Contracts 8th edition Sweet & Maxwell 2009, and of Legal Protection of Software: A Handbook xpl (formerly EMIS) 2002, and with Ruth Boardman of Data Protection Strategy, Sweet & Maxwell 2003.
[1] This was effectively two Assessments – one in March 2011 and then a follow up in September. In the first, 36 recommendations were made, which seem largely to have been implemented. Both assessments scored Yellow.
