New code of practice on data protection audits (the consultation process continues)

As previously posted, the ICO’s power to serve assessment notices and conduct audits will come into force in April 2010. Initially the powers will only apply to public sector bodies, but the new legislation provides for the powers to be extended to private sector data controllers. The new code of practice will be published on 6 April 2010, the same day the ICO’s extended data protection audit powers enter into force. The draft code sets out the audit process from start to finish and clarifies when and how assessment notices will be used.
The draft code provides for two forms of audit: a voluntary (consensual) audit and a compulsory audit. Assessment notices apply only to compulsory audits and will be issued when a data controller declines a voluntary audit. The ICO’s decision as to whether or not an organisation needs an audit will be based on a risk assessment process; organisations that are identified as high risk will then be invited to take part in a voluntary audit. If the audit arrangements cannot be agreed, an assessment notice will be issued and a compulsory audit is likely to follow.
The scope of the code
The draft code provides an indication of the ICO’s approach to the audit process including the potential for consultation regarding the final report which includes the ICO’s findings and recommendations. It also includes details of how audits will be conducted including the documents and materials that will be inspected and the nature of the interview, inspection and examination process. The primary objectives for carrying out both forms of audit are: (i) to assess a data controller’s conformity with good practice; and (ii) to determine compliance with the DPA.
The high risk target
High-risk data controllers will be identified using a number of methods including: (i) news items; (ii) data controllers’ annual statements; (iii) data controllers’ information security maturity models; (iv) information received from other regulators; (v) the number and nature of complaints received by the ICO; and (vi) “other relevant information.” Organisations selected for audit will be informed in writing; the letter will explain the basis for selection and give a broad outline of the intended scope of the audit.
The ICO has stated that it will not impose a monetary penalty for a contravention discovered in the course of an audit. Although a potential tactic for data controllers might therefore be to request an audit in order to avoid a monetary penalty, all requested audits will be subject to the same risk assessment process and will depend on the ICO’s resource availability.
Voluntary audits
There is a much higher level of engagement between the ICO and the data controller in the voluntary audit process. Those data controllers who are identified under the risk assessment process will then be contacted by the ICO and, in most circumstances, a data controller will be invited to take part in a voluntary audit.
Assessment notices
The ICO will serve an assessment notice where a high-risk data controller has been identified but has failed to respond to a written request from the ICO to undertake an audit, or has not provided adequate reasons for refusing one.
In deciding whether to serve a notice, the ICO will consider various factors including: (i) communications which highlight a lack of understanding of the DPA or a failure in compliance; (ii) the organisation’s statement of internal control; (iii) notification details and history; and (iv) the volume and nature of personal data being processed.
Assessment notices will set out the scope for the audit and any specific requirements for the assessment, such as which premises are to be entered and which equipment is to be inspected as well as the right to appeal. Data controllers may appeal within 28 days of the date the assessment notice was served.
The ICO may cancel an assessment notice or postpone the date of the audit in response to a legitimate request.
Compulsory audits
Compulsory audits will follow a similar process to voluntary audits, but there is no consultation and no engagement letter process. The access requirements set out in the assessment notice define the scope of the ICO’s review of the data protection governance framework and the personal data handling practices within the organisation.
The audit process (both voluntary and compulsory)
Audits will be conducted in two stages: (i) the adequacy audit, conducted off site, which consists of a review of the relevant documents and other material information; and (ii) the compliance audit, which will focus on the agreed scope and will be conducted on the data controller’s premises, with evidence of compliance gathered through interviews with staff and observation of the data handling processes.
The audits will be conducted by ICO employees or contractors who all sign confidentiality clauses as part of their contract of employment. Access will be required to specific documents and/or classes of document. Types of document referred to in the code include privacy statements, job descriptions and training materials. The ICO may further require access to personal data and evidence of compliance. The ICO will not request information which is subject to legal privilege, classified as “top secret”, or has equivalent commercial sensitivity.
Inspections and examinations both on and off site are key elements of the audit process and will be used to evaluate how a data controller stores, adapts and alters personal data, retrieves or uses it, and destroys it. Interviews will also be conducted with staff and contractors, the data processor’s staff (if different) and, where appropriate, relevant service providers.
The report
The assessment report will be provided at the end of the audit process and will state an audit opinion as to whether or not the data controller has complied with the data protection principles; it will include detailed findings against the various risks which were identified, together with associated recommendations. The report will initially be presented in draft form and the data controller will have the opportunity to comment and respond. If the data controller fails to respond, the ICO will issue the report as final and circulate it to the organisation’s CEO and CFO.
Reports of compulsory audits will be published on the ICO’s website for a year and may still be available on request after that time. The ICO will consider the data controller’s representations as to the suitability for publication of any section of the report.
Enforcement and monetary penalties
Audits are viewed by the ICO as a “means of encouraging compliance and good practice” and should not be viewed as leading to enforcement action. In particular, the draft code explicitly states that the ICO will not impose a monetary penalty on a data controller where the contravention was discovered in the course of carrying out an audit. However, the ICO will not give an absolute assurance that no enforcement action will be taken as a result of an audit. The ICO can follow up on its recommendations by way of written assurances from the data controller or a further audit.
The new code is significant as it indicates how the ICO will approach its new audit powers. It may also provide further guidance for organisations on how to comply with data protection legislation and may include examples of what it considers to be good practice.