New rights of audit
The Information Commissioner's Office (ICO) is currently in discussion with the Government on whether its new audit powers, brought in by the Coroners and Justice Bill, which already allow the ICO to audit public sector bodies, should be extended to the private sector. In a paper submitted to the Government last month, the ICO has described how it intends to exercise new private sector audit powers.
The new audit powers could mean that organisations which are in breach, or suspected of being in breach, of their data protection obligations receive an assessment notice from the ICO, followed by an ICO audit team entering their premises and conducting investigations for up to three or four days. These investigations could involve the ICO audit team gathering information on data protection compliance (or non-compliance, as the case may be), as well as conducting staff interviews.
A memorandum submitted by the ICO to the House of Lords in May this year urged extending the ICO's rights even further, so that sanctions could be imposed for failures to comply with assessment notices, and granting the ICO the right to audit 'others involved in an enterprise, such as data processors'. It remains to be seen whether these further changes will be brought in.
Data protection breach fines
The ICO has also, by the Criminal Justice and Immigration Act, been granted new powers to fine entities which deliberately or recklessly breach the Data Protection Act principles and cause (or could cause) substantial damage or distress.
The ICO anticipates that this new fining power will come into force in April next year. Although the level of fines has not yet been publicised, it is anticipated that they will be significant, in a move to bring the ICO's powers more in line with those of regulators such as the Health and Safety Executive, the Office of Communications and the Financial Services Authority.
Notification fee increase
Not only has the ICO grown teeth, but the estimated additional £16 million per annum generated by the recent notification fee increases (applicable from 1 October 2009) means that the ICO will have greater resources to pursue data protection breaches and to exercise its new powers.