The Coroners and Justice Bill proposes increasing the powers of the Information Commissioner's Office (ICO), the regulator of the Data Protection Act 1998 (DPA). If these amendments become law, they will enable the ICO to
- Carry out mandatory compliance audits of government departments and designated public authorities (not private organisations);
- Encourage the take up by organisations of voluntary Good Practice Assessments under section 51(7) DPA (GPAs);
- Change the current fee structure for notifications; for all but the smallest organisations, the £35 annual fee is expected to be raised;
- Specify the time and place for information sought under an Information Notice to be provided to the ICO; and
- Require an explanation of any information found on premises during a search conducted by the ICO under warrant.
The proposals are largely enhancements to existing ICO powers; though consistent with what he has been seeking, they plainly do not go as far as the Information Commissioner would like.
As well as bringing in compulsory audits for the public sector, voluntary compliance assessments are being raised up the agenda for private sector organisations; in light of the proposal for the ICO to collect prior consent from organisations, GPAs may be less "voluntary" than previously thought.
A sharp increase is expected in assessments conducted every year on public authorities and private bodies, from around 17 currently to approximately 105 assessments conducted by the ICO with a further 20 possibly being outsourced. The additional ICO resources are to be funded by the new fee regime.
All the signs are that the ICO is going to become more active in auditing than at any time previously. There has never been a better time for organisations (particularly those handling sensitive and/or extensive quantities of personal information) to undertake internal compliance reviews of their use of personal information, and carry out any necessary work, before they appear on the ICO's radar.
The ICO has been seeking additional enforcement powers for a number of years. Now, some eight months after the Criminal Justice and Immigration Act 2008 bestowed the (still pending) ability to issue civil fines (Monetary Penalty Notices), further powers are being proposed.
The Coroners and Justice Bill received its second reading on 26 January 2009 and is currently at Committee stage.
The main powers are commented on below in more detail.
Mandatory Audits of Government Departments by the ICO
Following the major data loss by HMRC in 2007, the ICO has had a de facto power to conduct spot checks of central government departments. The amendments in the Bill essentially put this power on a statutory footing.
The proposals allow the ICO to issue an "assessment notice" against a government department or designated public authority, requiring the party served to permit, ultimately, the Commissioner or his officers to enter specified premises, to inspect documents and equipment there, to interview individuals there and to take copies of information held. There would be a right of appeal against the issue of an "assessment notice" although, currently, there is no proposed sanction for failing to comply.
The ICO considers that mandatory assessment powers should be extended to private sector organisations. In its preliminary commentary on the Bill, the ICO points to the large amounts of sensitive information held by some private sector bodies, e.g. the credit reference agencies, and the fact that most of the tens of thousands of complaints received every year relate to private sector organisations.
Assessment notices would supplement the ICO's existing power (a) to apply to a circuit judge for a warrant to enter and inspect premises where there are reasonable grounds for suspecting that a breach of the DPA has occurred or is occurring and (b), with consent, to carry out a Good Practice Assessment of an organisation's compliance (see below).
Promoting (Voluntary) Good Practice Assessments (GPAs)
The Bill's Impact Assessment indicates that in future the ICO may seek "pre-emptive" consent from organisations to allow the ICO to conduct a GPA. This consent may be sought at the notification stage (i.e. when an organisation registers with the ICO particulars of its processing activities). Presumably an organisation could refuse or later revoke its consent, although one could imagine such moves being described as "courageous" by the fictional civil servant, Sir Humphrey Appleby.
Another measure aimed at promoting GPAs is that organisations which agree to submit to a GPA will be exempt from a Monetary Penalty Notice (though not an Enforcement Notice) in relation to any breaches of the DPA discovered during the GPA process.
One controversial aspect of the Bill has little to do with the ICO or its powers. Concerns have been voiced by some over the proposal to allow government departments to seek somewhat euphemistically termed "information-sharing" orders. These orders would allow (a) the use of specific personal data held in the public sector for new purposes and/or (b) the sharing of the data with third parties, including the private sector.
Ministers seeking an order would have to certify that the sharing of personal information in question was necessary, specifying (1) the person, or class of person, enabled to share the information; (2) the purposes for which the information may be shared; and (3) the information, or a description of the class of information, that may be shared.
To become law, such orders would need to be submitted in draft to the ICO and subsequently approved by affirmative resolution of Parliament. The ICO's view is that the current safeguards in the Bill in relation to information-sharing orders are not sufficient.