

02-11-2011 10:01 by Mandy Webster
The Justice Select Committee, in its report to Parliament in October 2011, noted that the Information Commissioner does not currently have the power to compel private sector organisations to undergo audits. In the opinion of the Committee, many abuses are therefore going unidentified. The insurance industry was singled out in the light of the proposed ban on referral fees, and it was noted that no insurance company has agreed to an audit by the Information Commissioner.
Again, this is a topic that the Information Commissioner campaigns on. Currently he has the power to carry out mandatory audits of central government departments, but in the remaining public and private sectors the Information Commissioner’s Office can only audit organisations with their agreement.
At the 10th Annual Data Protection Compliance Conference held in London in October 2011, the Information Commissioner called for compulsory audit powers. He noted that banks and building societies, the health service and insurance companies have a low take-up rate of offers to conduct consensual audits. Christopher Graham said: "Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices. Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on." As well as these comments from the Information Commissioner and the Justice Select Committee, the review of data protection law in Europe may well recommend the introduction of mandatory audit powers for national data protection authorities.