Firms which breach data laws could soon be facing the prospect of officials raiding their offices and carrying out an instant data protection audit, if Information Commissioner Christopher Graham gets his way.
Currently, the ICO only has compulsory audit powers over central government, with consent required for an audit to be carried out in all other sectors. However, Graham argues that these sectors are sources of particular concern. The NHS accounted for 40% of data breaches since April this year, while two-thirds of data breach fines were issued to local government authorities.
“Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices,” Graham said. “With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job. I am preparing the business case for the extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act 2009 to these problematic sectors.”
Earlier this year, Graham revealed that businesses are turning down free data protection audits. “Audits are not about naming and shaming,” Graham said at the time. “The fact that a company has undergone a consensual audit should count as a badge of honour, showing that the business takes data security seriously.”
The Information Commissioner also gave a six-month update on the ICO’s complaints handling performance.
The overall number of new data protection complaints is up by 2% compared to the same period last year, while the number of Freedom of Information complaints has also risen by around 5%.
Complaints about marketing texts have trebled in volume since 2008/9, and now account for nearly 13% of all data protection complaints to the ICO. Over 1,000 complaints have been received since April.