Big brands baulk at data audit plan

Many of the UK’s leading companies believe the Information Commissioner’s Office plans to spot-check the customer data they hold are a step too far, and are demanding a radical rethink on how the regulator works.
To date, the ICO has pursued a “softly, softly” approach to data audits, but the seemingly haphazard way many NHS trusts and local government authorities have handled data has led the watchdog to demand greater powers.
According to reports in the technology press, private sector concerns were raised during a recent meeting with the Ministry of Justice to discuss reforms to the UK’s data laws.
The summit was designed to debate how the UK should adopt the proposed EU Data Protection Regulation currently being put through its paces in Brussels.
The meeting consisted of over 20 businesses, including Tesco and Experian, as well as Facebook, Microsoft, BT and IBM. They were joined by charities including Cancer Research and lobby groups.
As part of this discussion, the group debated whether the ICO should be given powers to spot-check private sector firms.
The meeting’s minutes are reported to have said: “Concerns were raised about the ICO’s powers and the group agreed that a power of entry should only be granted with a warrant, applied for and approved by a court. If this is not accepted then more checks and balances on the ICO’s powers were needed and these should be included in the Regulation.”
This discussion was part of a break-out session, attended by only some firms in the group; the ICO was not present. But an ICO spokesman refuted claims that the regulator was demanding spot-check audit powers for businesses in the short term.
He said: “We are calling now for the extension of compulsory audit powers, particularly to local government and the NHS. We’ve got no plans to try and extend spot checks to businesses but this is not to say we won’t look at doing this in the future.”
Firms which breach data laws could soon be facing the prospect of officials raiding their offices and carrying out an instant data protection audit, if Information Commissioner Christopher Graham gets his way.
Currently, the ICO only has compulsory audit powers over central government, with consent required for an audit to be carried out in all other sectors.
As far back as October 2011, he said: “Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices. With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job.”
