The Information Commissioner, Christopher Graham, used his talk at the 10th Annual Data Protection Compliance Conference to call for a broadening of the Information Commissioner’s Office (‘ICO’) rights of audit to cover local government, the health service and some organisations in the private sector. He highlighted the inadequacy of the current system under which the ICO only has the power to conduct compulsory audits for central government departments. Generally, if the ICO wishes to audit any other organisation it needs to obtain prior permission, and that permission is very rarely forthcoming: the take-up rate amongst the private sector (the sector which generates the most complaints) stands at 19%. This leads to a situation in which the ICO often cannot ascertain if there is a problem with an organisation and cannot therefore provide tailored solutions.
What is the problem?
Christopher Graham said, “Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on.” Of the 47 undertakings that the ICO has agreed with organisations in the past year, over 40% were in the healthcare sector, and 4 out of the 6 financial penalties that the ICO has served for the most serious data protection breaches involve local authorities. Consequently, the ICO is preparing the business case for the extension of the ICO’s assessment notice powers under the Coroners and Justice Act 2009 to these problematic sectors.
What is an ICO audit?
Christopher Graham was at pains to point out that an ICO audit is intended to benefit the audited organisation giving it the opportunity to learn from the data protection knowledge and experience of the audit team at no expense. He was puzzled by the poor uptake, "Why wouldn't you sign up for a free health check?" One of the reasons why organisations are perhaps dissuaded from a free audit is fear of the ICO’s enforcement powers; it can issue fines of up to half a million GBP for serious breaches of the Data Protection Act 1998 (‘DPA’). However, according to the ICO’s Data Protection Regulatory Action Policy, the ICO will not impose a monetary penalty in respect of any contravention discovered in the process of carrying out an audit. A lead auditor from the ICO has confirmed verbally that this is the case, suggesting that if an audit revealed a serious breach, the organisation would be asked to remedy it as soon as possible but it would not receive a fine.
During an audit the ICO agrees a scope of work with the audited organisation; implements an off-site check of the organisation's documented policies and procedures; reviews the procedures in practice on-site; and provides a detailed report indicating whether the organisation is likely or not to be DPA compliant and an action plan to help the organisation comply. The ICO then publishes an executive summary on its website if the audited organisation gives it consent to do so. While the audited organisation does not have any input into the executive summary, it can provide a URL to its own website hosting its response - the ICO will then post this with its executive summary. Alternatively, it can withhold consent and instead the ICO will publish a comment stating that the audit took place but the organisation declined to have the executive summary published. The whole audit process takes approximately a month, and the ICO then carries out a follow-up review six months after the audit. ICO audits can be positive, as demonstrated by the recent audit of Google. If a company has nothing to hide, as Christopher Graham highlights, an ICO audit "should be a badge of pride", and can assist companies to achieve full compliance with the DPA in the most efficient way. Clearly, in the light of these developments, careful consideration needs to be given if organisations are approached by the ICO regarding a voluntary audit.