Extended audit powers and custodial sentences on the way?
Updated November 2011
UK Information Commissioner, Christopher Graham, has announced that he is preparing a business case for the extension of his statutory powers to carry out compulsory audits, following a failure of organisations in “problem sectors” to agree to voluntary audits. The problem areas identified in the private sector are banks and building societies and the car insurance sector – these are the most complained about. In the public sector it is the NHS and local government. The results of compulsory audits will be published.
At present, the Information Commissioner's Office (ICO) only has the power to conduct compulsory data protection audits in relation to central government departments. For all other organisations, the ICO must obtain consent before an audit can take place.
Christopher Graham explained that statutory powers are necessary due to the very poor response received by the ICO from insurance companies and banks which it invited to undergo a voluntary audit. According to the Information Commissioner, "Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices".
The Information Commissioner's calls for extended powers have been backed by the Select Justice Committee in a report published on 27 October. Sir Alan Beith, chair of the Justice Committee, said:
"The Information Commissioner's lack of inspection power is limiting his ability to identify problems or investigate potential data abuses. Ministers must examine how to enable the Commissioner to investigate properly without increasing the regulatory burden on business or the public sector."
The Justice Committee also echoed the Information Commissioner's call for custodial sentencing powers to be implemented for unlawful trading in personal data:
"Using deception to obtain personal information – sometimes known as blagging – or selling it on without permission are serious offences that can cause great harm… Magistrates and Judges need to be able to hand out custodial sentences when serious misuses of personal information come to light. Parliament has provided that power, but Ministers have not yet brought it into force – they must do so."
It is likely to be only a matter of time before compulsory audit powers and custodial sentences for unlawful trade in personal data come into force. Organisations in all sectors, but particularly those identified by the Information Commissioner as 'problem sectors', need to take steps to put their houses in order before these powers take effect. Should your organisation require any assistance with the preparation for an audit, please contact Alison Deighton, head of TLT's Data Protection and Privacy team.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
Contact
Alison Deighton
Partner
Tel: +44 (0)117 917 8016