Data privacy: When will watchdog ICO get its teeth into private sector audits?

Legal Eye: Momentum is building behind greater data protection compliance...

For the moment businesses are steering clear of data protection audits. But pressure from customers and the Information Commissioner may change all that, says lawyer Cameron Craig.

The annual report of the UK Information Commissioner's Office (ICO), published earlier this month, outlines the ICO's desire to see an increase in the number of data protection audits being carried out by the ICO in the UK.

The ICO's mandatory audit powers currently only apply to public sector bodies. It needs the agreement of private sector business before carrying out an audit - in these cases known as a consensual audit.

The statistics in the report indicate that private sector businesses have yet to be persuaded. Only 19 per cent of private sector businesses accepted the ICO's offer of a consensual audit. The audit is free and the ICO has a skilled audit team - so why is there such a reluctance to take advantage of this offer?

Data protection audits

Even if businesses shun a consensual audit by the watchdog, they should think about conducting their own internal assessment to test compliancePhoto: Shutterstock

Perhaps part of the answer lies in the report itself. Before recent changes in the law, the ICO was seen by some as a soft touch compared with other European data protection regulators.

However, the new powers have been used by the ICO to ensure it is regarded as a European regulatory force to reckon with. The report highlights this tough new approach to enforcement referring to the Financial Times November 2010 headline, "Privacy watchdog with a bite", to illustrate the point.

In particular, the ICO has taken a firm approach to businesses that have breached data security requirements. Six fines totalling up to £120,000 have been issued since April 2010 and it's clear from these decisions that "having an improvement plan in place" is not seen as a defence by the ICO.

In an effort to reassure private sector businesses, the report clarifies that consensual audits "are not about naming and shaming those who are getting it wrong" and goes on to say, "The fact that a company has undergone a consensual audit with the ICO should count as a 'badge of honour'". Presumably, this view is based on the assumption that the outcome of the audit is reasonably favourable.

Perhaps the dilemma for private sector businesses is best characterised in the statement contained in the report that the ICO will "use the full range of our powers, carrot and stick to get a result".

It may not be entirely unexpected that the "privacy watchdog with a bite" is not being welcomed with open arms by private sector businesses. The nervousness on the part of the private sector is probably due to...