Data audits and data sharing code: now on the statute book

Claire Walker

You wait ages for the ICO to have decent enforcement powers…then several new ones come along at once. Well, sort of…

Hot on the heels of the proposals to give the ICO power to fine organisations up to £500,000 and proposals on custodial sentences for serious DP breaches, the ICO’s new powers to audit organisations for DP compliance have now reached the statute book, as have the provisions relating to the code of practice on data sharing. The necessary additions to the Data Protection Act are contained in the Coroners and Justice Act 2009, which received royal assent on 12 November. The commencement date for these provisions is not yet known. Datonomy wonders whether it will be the next “red tape” day (6 April 2010), which is when the provisions on monetary penalties and custodial sentences are expected to go live.
For data protection geeks, Schedule 20 to the CJA also contains a number of consequential amendments to various other sections of the DPA.

Assessment notices

The relevant amendments to the Data Protection Act (in the form of new sections 41A to 41C) are set out in Part 8 of the Coroners and Justice Act 2009.

The new provisions allow the ICO to serve an assessment notice on a data controller. The notice may require the organisation to allow the ICO to, among other things, enter premises, inspect documents and equipment, observe the processing of data and interview those who process personal data on the data controller’s behalf, in order to assess the data controller’s compliance with data protection rules. The assessment notice must specify a time by which, or a period within which, the requirements of the notice must be complied with, allowing time for an appeal.
Under the original draft Bill these assessment notices were to be applicable only to the public sector. However, following ICO lobbying, the amendments were extended to other organisations. Designations for private sector organisations will relate to “persons of a [particular] description” – e.g. a class or industry sector – and will be made by the Secretary of State on the recommendation of the ICO. Such a recommendation in turn requires: prior consultation with the affected group; and for the ICO and Secretary of State to be satisfied that the particular designation is necessary, having regard to the nature and quantity of data under the control of such persons and the damage and distress which may be caused by any breaches of the data protection principles by them.
The changes to the Act also give the ICO the power to apply for a warrant where a data controller fails to comply with a requirement imposed by an assessment notice. The ICO is required to issue a code of good practice on the exercise of its assessment notices powers.

Data sharing

The CJA also inserts new sections 52A to E of the Data Protection Act, which require the ICO to issue a code of practice on data sharing. The code itself will not have the force of law but will in effect be a benchmark against which a court or the ICO may assess an organisation’s compliance with the Act in legal proceedings or enforcement action.
