Privacy & Information Security Law Blog

Throughout 2011, the UK Information Commissioner’s Office (“ICO”) escalated its use of data protection audits, encouraging organizations to submit to voluntary audits and seeking to increase its ability to conduct compulsory audits. Currently, the ICO has the authority to compel central government departments to undergo audits, but it would like to extend compulsory audits to include local government, the national health service and the private sector.

Voluntary audits are conducted free of charge and the ICO has indicated that it will not issue monetary penalties if it discovers compliance breaches during a voluntary audit. Following a voluntary audit, the ICO produces a comprehensive report of findings and an executive summary.  The executive summaries are made available to the public on the ICO’s website (with the relevant organization’s permission), and full reports on audits of public authorities may be subject to freedom of information requests.

The ICO is eager to use audits as an educational and best practice-sharing tool, to encourage organizations to improve their data protection procedures. Despite convincing organizations to submit to 52 voluntary audits last year, the ICO is keen to see greater participation in its audit service, noting that it “can still be an uphill struggle to get organisations to see the benefits.”

With this in mind, the ICO has recently begun to roll out “advisory visits” as an alternative to voluntary audits. Advisory visits are aimed at small and medium-sized organizations (“SMEs”) for whom a full audit may be too comprehensive. As with voluntary audits, advisory visits are conducted free of charge. A member of the ICO’s good practice team conducts a day visit to the organization and provides basic, practical advice focusing on three key areas: (1) data security, (2) records management and (3) subject access mechanisms. Following the visit, the ICO prepares a short report with guidance and next steps for the organization. As with voluntary audits, the fact that a visit has been conducted is published on the ICO’s website, together with a summary of the visit (with the consent of the organization). The first two advisory visits were undertaken in December 2011, and the ICO hopes to encourage more SMEs to follow suit during 2012.