The ICO has published a draft code of practice on the way it will use its soon-to-be acquired powers to audit organisations’ compliance with data protection legislation. The power to serve Assessment Notices, which is about to be introduced in new Sections 41A – C of the Data Protection Act (by virtue of the Coroners and Justice Act 2009), will go live in April, according to the ICO’s press release. Initially the powers will only apply to public sector bodies, but the new legislation provides for the powers to extend to private sector data controllers who are “designated” (by means of secondary legislation) on the ICO’s recommendation. In other words, any data controller appearing to present a high risk of DP breaches – in particular those unwilling to co-operate with the ICO – could potentially find themselves on the receiving end of an Assessment Notice, sooner or later.
As we have come to expect, however, the ICO will take a “proportionate and risk-based” approach to using its audit powers, based on “a range of intelligence” including complaints, media reports and statements by the organisation itself. The draft code of practice sets out the type of information and documents which are within the scope of an audit, and the procedure and nature of the audit process. There is a handy flowchart showing the process for consensual and compulsory audits.
The draft code is the subject of a consultation which ends on 24 March. Presumably we can expect the new powers to go live on “red tape” day, 6 April (along with a raft of other additions to the ICO’s weaponry, namely the monetary penalties for serious breaches of the DP principles and custodial sentences for the section 55 offence of unlawful obtaining of personal data).