UK: Compulsory Data Protection Audits
The UK's ICO is publishing a Code of Practice to Capture the Extended Data Protection Audit Powers it Now Has under the Coroners and Justice Act 2009
The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998.
The Information Commissioner's Office (ICO) will have the power to audit government departments without their consent from April 2010. The move follows the passage of the Coroners and Justice Act on 12 November 2009.
This new power can also be extended to other public and private sector organisations but only following a 'designation' process. The ICO must first serve an assessment notice. An 'assessment notices' code of practice, covering areas such as the circumstances in which a notice can be served, the nature of the assessment process and the publication of assessment reports, will follow.
The Code will provide the framework for how audits will be conducted when an Assessment Notice has been served on an organisation. It will outline the approach to the audit including opportunities for consultation in relation to the audit report findings and recommendations.
With these new powers the ICO will be better placed to provide assurance to individuals that those holding their personal information respect their privacy and do not abuse their trust.
Data controllers will be informed in writing of the Information Commissioner's intention to conduct an audit. This letter will explain the audit process, the basis on which they have been selected and a broad outline of the intended scope and the projected dates of the various audit activities.
Audits undertaken by the Information Commissioner will be conducted in two phases: an 'adequacy audit' and a 'compliance audit'.
The 'adequacy audit' will normally be conducted off site and will consist of a review of relevant policies, procedures, guidance and training material. The key consideration will be how these documents provide a framework for delivering compliance with the Act; any significant findings will be detailed in the Audit Report. These documents and the output from the review will provide the framework for the 'compliance audit'.
The 'compliance audit' will be focused on the agreed scope and conducted on the data controller's site(s) over a number of days. Evidence of compliance with the Act, the following of good practice and adherence to policies will be gathered through meetings with staff and the observance of personal data handling processes.
The findings of the Audit will be documented in an Audit Report with opportunities provided for the data controller to comment on accuracy and respond to the recommendations. Informal feedback on findings may also be provided during the course of the audit.
Assessment Notices will be served where it is deemed necessary by the Information Commissioner because:
- a risk assessment has been conducted and indicates a high probability that personal data is not being processed in compliance with the Act with a significant likelihood of damage and distress to individuals, and
- the data controller has failed to respond to a written request from the Information Commissioner to undertake an audit or has refused consent to such an audit, without adequate reasons.
For more information please refer to the: