Law Management Blog

Just another Blog for Lawyers

ICO could extend data audits to all businesses

leave a comment »

A consultation launched by the Information Commissioner’s Office (ICO) will discuss a new draft code of practice to be introduced alongside auditing powers, which come into effect from April.

The new powers will work in conjunction with the existing Data Protection Act to ensure organisations process personal information properly whilst offering advice on best practice.

If an organisation refuses to work with the auditing team, but is believed to be at significant risk of compromising personal data, the ICO will be able to serve an Assessment Notice, or Compulsory Audit Notice.

The ICO will initially serve Compulsory Audit Notices to central government departments but could extend to other sectors if needed.

“We will, where we can make a good case, seek to extend our powers to undertake compulsory audits in the rest of the public and private sectors,” said David Smith, Deputy Commissioner at the ICO.

When determining a company’s data risks, the ICO will consider several factors, including:

• The compliance ‘history’ of the data controller based on complaints made to the Commissioner and ‘self reported’ breaches.

• Communications with the data controller which highlight a lack of compliance controls and/or a weak understanding of the Act in respect of the principles.

• Business intelligence documentation such as news items in the public domain which highlight problems in the processing of personal data by the data controller and information from other regulators.

• Notification details and history.

• The volume and nature of personal data being processed.

• Evidence of recognised and relevant external accreditation.

• The perceived impact on individuals of any potential non compliance.

This month’s consultation has asked stakeholders to give feedback on the proposed framework for the audit process by the 24th March this year.

“Auditing plays a key role in educating and assisting organisations to meet their obligations under the Data Protection Act,” added Mr Smith. “We will work with organisations that want to get it right and are keen to follow best practice.”


Written by Andrew Hodges

February 27, 2010 at 12:16 pm

Posted in Comment, LinkedIn

Tagged with , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: