The Information Commissioner’s Office (ICO) has launched a consultation on its proposed framework for how it will serve compulsory audit notices.
An Assessment Notice will be served if an organisation considered to be at "significant risk" of compromising personal data refuses to work with the ICO’s auditing team.
The consultation is part of a drive by the ICO to get its powers beefed up, as data leaks show no sign of diminishing. In April, the data protection organisation will get the power to fine organisations it judges to have recklessly or deliberately mishandled data.
The ICO carries out audits to assess whether organisations are processing personal information in line with the Data Protection Act and to advise on best practice.
As well as providing the procedure framework for the serving of compulsory audits, the code will outline opportunities for consultation in relation to the audit report findings and recommendations.
Although the draft code provides advice for all public and private sector organisations, initially, the compulsory audits will only be possible on central government departments. This is the limit of its powers as outlined in the Coroners and Justice Act of 2009.
However, the ICO said that if it were to receive information to suggest that a private organisation required an audit, the ICO may have the powers to request an audit.
"We will, where we can make a good case, seek to extend our powers to undertake compulsory audits in the rest of the public and private sectors," said David Smith, deputy commissioner at the ICO.
Meanwhile, the ICO will continue to ask for consent to conduct an audit if a risk to personal information is identified.
Its approach to auditing will be based on information it gathers, such as complaints received, business and media reports and annual statements issued by organisations.
The consultation, which launched on 11 February, will close on 24 March 2010. The code will then be published in April.
Comments on the consultation can be made here.
The Labour Party was recently served an enforcement notice by the ICO for making unsolicited automated marketing calls.