The Information Commissioner’s Office has submitted a business case to the government for extending its powers to carry out compulsory audits. Does this mean the ICO is finally planning to tackle data protection failures in the private sector with the same vigour as it has in the public sector?
Since gaining the power in April 2010 to issue monetary penalties of up to £500,000 for serious data protection failures, local councils have almost exclusively been in the firing line.
In the past three months alone, the ICO has issued five such penalties against local councils, including the highest penalty so far of £140,000 against the Midlothian Council in January, and required five local local authorities to sign undertakings to comply with data protection principles.
In the same period, the ICO has required only four private companies, a college, a charity organisation, a healthcare provider and an industry association to sign undertakings to comply with the data protection principles. A Romford woman was also prosecuted for unlawfully obtaining her sister-in-law’s medical records.
In total, eleven monetary penalties have been issued against local councils, compared with just two for non public sector organisations, namely solicitors firm ACS Law and employment services company A4e Limited.
But the ICO insists it is not purposefully targeting public sector organisations. "The Data Protection Act (DPA) places legal obligations on both private and public sector organisations," the ICO said in a statement.
According to the ICO, the high number of public sector organisations hit with monetary penalties is due to the fact that these organisations typically handle the type of sensitive personal information that, if leaked, would qualify as a serious breach of the DPA.
To attract a monetary penalty, a breach must be of a kind likely to cause substantial damage or substantial distress. The contravention must also have been deliberate, or the ICO must be able to demonstrate that the data controller either knew or ought to have known that there was a risk that a contravention would occur but failed to take reasonable steps to prevent it.
"The enforcement department considers all cases on an individual basis and can only look into cases that we are made aware of – either through cases that are reported to us or through other channels, including the media," the ICO told Computer Weekly.
On that basis, it may be argued that another reason relatively few private sector organisation have been hit by monetary penalties is that the ICO is not able to collect data breach information as easily as it can for public sector organisations.
Stewart Room, partner at legal firm Field Fisher Waterhouse also points out that many parts of the public sector has been working under a de facto breach disclosure regime since late 2007, unlike the private sector, except for the specific breach disclosure rule that came into effect last year for telcos and ISPs. "Perhaps ICO has received more notifications of breaches from the public sector than the private sector," he said.
This idea is supported by the fact that in October last year, Information Commissioner Christopher Graham told the 10th annual data compliance conference in London that the ICO needed powers to conduct compulsory data protection audits in local government, the health service and the private sector to ensure compliance with the law.
The only compulsory data protections audit powers the ICO currently has are for central government departments. For all other organisations the ICO has to get consent before an audit can take place, or alternatively get a warrant from a district judge to enter premises to carry out a search, to inspect, examine, operate and test equipment, and to seize documents, under Section 50 of the DPA 1998.
However, the ICO must have reasonable grounds for suspecting an offence under the DPA has been committed or the data protection principles have been contravened, according to Nigel Parker, senior associate at legal firm Allen & Overy.
"Based on my experience, this is a power which is rarely used. I assume the reason for this is that the ICO has to present a judge with evidence, given on oath, to obtain a warrant. This is no doubt often difficult, as the ICO may not be able to gather sufficient evidence," he said
In other words, as long as the ICO lacks the power to audit private businesses without obtaining a warrant, government departments and public authorities will remain easier targets, and in the light of that fact, it is no surprise that the ICO is asking government to extend its powers to carry out compulsory audits.
If the government grants the ICO's request for extended audit powers, armed with additional means to assess the data protection capabilities of private sector companies, private companies may well see an increase in scrutiny by the ICO.
Increased scrutiny may lead to an increase in the number of private sector organisations that are hit with monetary penalties for series failure to protect personal data, but at the very least, the move could further boost the business case for investing in data protection technology and processes.
"Like the increased fines proposed by the Commission, if the ICO were to gain powers similar to those enjoyed under Section 41A in relation to private business, this would certainly also grab the attention of senior executives," said lawyer Nigel Parker.
Private businesses may also get a shake-up from the coming new European data protection legislation, said lawyer Stewart Room.
The EU seems to have sympathy with the ICO's positions that the absence of compulsory audit powers across the entire economy reduces their effectiveness as a regulator.
The proposed EU data protection regulation, he said, contains specific provisions that, if introduced, will give the data protection regulators the kind of audit powers that ICO is seeking.
Even if the government does not grant the ICO extended powers to audit in the short term, the coming European standard data protection regulation in the longer term will undoubtedly mean greater scrutiny of private sector companies in the longer term.