
ICO to request power to conduct compulsory data protection audits

by Dan Worth

13 Oct 2011


Information commissioner Christopher Graham has called for his organisation to be given the power to conduct compulsory data protection audits of local government, NHS and private sector firms in order to ensure they are complying with the law.

At present only central government bodies must submit to requests from the Information Commissioner's Office (ICO) for compulsory audits, but Graham said he is frustrated at this situation as data breaches continue to occur.

"Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices," he said.

"Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on."

As such, Graham said he is preparing a request to try to have the ICO's powers to conduct compulsory audits extended under the Coroners and Justice Act 2009.

"With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job," he added.

The ICO revealed in July the extent to which its requests for audits are ignored by organisations, with only 20 per cent of banks and building societies and just two of 19 insurance firms contacted agreeing to an audit.

Graham also revealed the organisation has received more than 1,000 complaints since April regarding spam text messages – a threefold increase since 2008-2009 – as the issue continues to cause concern for consumers.

He also spoke at an event organised by the Westminster Forum on Thursday, attended by V3, in which he warned businesses to ensure they are working to comply with the forthcoming "cookie law" during the year's grace period given by the ICO.

"We have given firms a one-year running-in period and we are about half-way through that. We will shortly be producing a half-term report, which will say that firms must try harder," he said.

"I think there are still a fair few number of businesses and web sites that are in denial about this and think it will just go away. But it's not going to go away and it's a challenge that must be addressed."

Graham added that the ICO will be issuing updated guidance in the coming weeks on the issues and potential solutions to help firms comply with the new legislation.
