Data Protection - new powers of Information Commissioner push data protection up the risk register

01.12.09

Until now, the Information Commissioner's Office (ICO) could only envy other regulators with powers to impose fines and conduct audits. This is set to change. Legislation expected to receive Royal Assent later this year will empower the ICO to conduct audits of government departments and other public sector bodies. Under separate legislation, a new power to issue fines is likely to come into force in the spring.

New rights of audit

The Coroners and Justice Bill is expected to receive Royal Assent shortly. Once in force, the new legislation will grant the ICO new powers to audit public sector bodies (subject to some exceptions). Public sector bodies suspected of data protection breaches may find themselves on the receiving end of an assessment notice from the ICO, followed by a visit from the ICO audit team and an investigation lasting several days. These investigations could involve gathering information on data protection compliance (or non-compliance, as the case may be), as well as staff interviews.

Data protection breach fines

Under s144 of the Criminal Justice and Immigration Act 2008 the ICO is granted new powers to fine entities which deliberately or recklessly breach the Data Protection Act principles and cause (or could cause) substantial damage or distress.

It is anticipated that the new power to fine will come into force in April 2010. Although the level of fines has not been confirmed, it is likely that they will be significant, in a move to bring the ICO's powers more in line with those of regulators such as the Health and Safety Executive, the Office of Communications (OFCOM) and the Financial Services Authority.

During the past year, a significant number of public sector bodies have been 'named and shamed' on the ICO's enforcement action web page, and the numbers continue to rise. This trend is likely to accelerate in light of the ICO's new powers to audit and to impose fines. What is more, the estimated additional £16 million per annum generated by recent notification fee increases (applicable from 1 October 2009) means the regulator will have increased resources to pursue data protection breaches and to exercise its new powers.

Many public sector organisations, recognising the potential new risks on the horizon, are conducting data protection health checks to make sure they are in good shape should the ICO come knocking. Others would be wise to follow suit.

Key Contact

Kirsten Whitfield, director, +44 (0)121 685 2705, kirsten_whitfield@wragge.com

This analysis may contain information of general interest about current legal issues, but does not give legal advice.