13 Dec 2011
The Information Commissioner's Office (ICO) has officially submitted its request to the Ministry of Justice (MoJ) for the right to carry out compulsory data audits of NHS and local government authorities in order to help prevent data breaches.
The data watchdog announced in November it was going to request the increased powers from the government after data revealed that over 1,000 breaches had occurred at local authorities since 2008, underlining the extent of the problem.
The document shows that the ICO cited numerous cases in which it had issued fines or made authorities sign undertakings after being made aware of data breaches as proof that the current system isn't working.
"The evidence set out [...] clearly demonstrates that the NHS and local government are two areas where there are already significant and widespread data protection compliance concerns," it said.
"Data controllers in these sectors are managing huge quantities of complex and often sensitive personal data, they are often involved in wide-scale data sharing initiatives and engaging multiple data processors."
It argued that, given these risks and the poor performance of public sector authorities in putting adequate data protection policies in place, it was vital that the ICO had the power to carry out audits before incidents occur.
"Simply relying on organisations agreeing to an audit is not sufficient. A power of compulsion is needed even if in practice this serves mainly as an incentive to organisations to sign up to a consensual audit," it said.
"The value of the audit process is clearly illustrated and the extension of the assessment notice power will provide a clear basis for the information commissioner to improve data protection compliance in these areas of significant risk."
Data protection lawyer Stewart Room, a partner at law firm Field Fisher Waterhouse, told V3 that while the ICO was right to request the powers, it would have to work hard to make this a useful addition to its remit.
"The ICO's case for compulsory audit powers for the NHS and local authorities makes sense because these organisations have been regular offenders in cases of data mishandling," he said.
"However, to be truly effective ICO will need to carry the trust and confidence of data controllers and will need a new cash injection. Achieving these outcomes will require a significant effort of re-engagement with key stakeholders."
The submission comes on the same day the ICO issued an update to its cookie guidance and warned businesses that they must do more to prepare for the new law or risk possible fines in 2012.