The ICO has only recently acquired powers to audit and to fine organisations, and the two may not be entirely independent of each other. During an audit, the ICO can enter your premises, access your information, documents and equipment, observe how data is processed and interview your staff. Although the ICO has said that it will not levy fines in respect of anything it finds to be lacking during the audit process, an audited organisation may then become part of a group more likely to have fines levied in the future. Public bodies can be audited by the ICO's team at will, while an audit of a private company can only go ahead once consent has been sought and obtained for the Information Commissioner's team to attend the premises.
The ICO can issue a fine where there has been a serious breach of the data protection principles as outlined in the Data Protection Act 1998, where that breach is of a kind likely to cause substantial damage or distress and where the breach was deliberate or reckless and no reasonable steps were taken to prevent it.
The ICO's first two fines show what constitutes unacceptable behaviour.
Firstly, in a case against Hertfordshire County Council (fined £100,000), the Commissioner made it clear that he will not condone reckless behaviour when sending faxes. One should phone ahead to confirm a fax number and ask that someone stand by in expectation of the fax, and afterwards the sender should telephone again to confirm safe receipt, particularly where the contents of the fax are sensitive.
Secondly, following the case of A4e (fined £60,000), the ICO has said that if you put personal data (as defined by the Data Protection Act 1998) on an unencrypted laptop and then lose that laptop (whether it is misplaced or stolen), enforcement action will follow. While the ICO also criticised the home-worker's actions in A4e for not following their company IT policy, the Commissioner considered that, as a matter of course, where there is the potential for an employee to process personal data on a company laptop, the laptop must not be issued unencrypted.
There are several ways to prepare an organisation for a potential audit in order to ensure that you are less vulnerable:
- Carry out a data protection compliance audit to establish what relevant personal data your organisation holds, who has access to it, where it is held and how it is processed.
- Regularly question whether data needs to be kept or whether it is out of date and needs to be securely destroyed, whether it needs to be consolidated into one hub and whether access to it should be restricted by password or other security feature.
- Document the fact that your organisation has carried out an audit, and action the recommendations which stem from it.
- Ensure that staff are trained on your organisation's policies regarding data protection, that there is regular monitoring and that contractors coming into your organisation also comply with your standards.
This groundwork should help avoid the highly public and expensive mistakes made by A4e and Hertfordshire County Council.