Data-protection spot checks due this year

Companies in the UK will face spot checks on their compliance with data-protection law this year, with the Information Commissioner's Office almost certainly relying on independent contractors to carry out the checks.

Speaking at the Infosecurity Europe conference in London on Tuesday, information commissioner Richard Thomas confirmed that the spot checks will begin "later this year". Responding to comments that his office may lack the necessary technical knowledge to carry out the checks, Thomas said: "When we begin these spot checks I am 99.9 percent certain that we will engage independent contractors to carry them out."

Thomas confirmed that the Ministry of Justice "will shortly" be bringing in powers to enable his office to carry out these checks.

The government agreed to increase the powers of the information commissioner to inspect organisations holding sensitive data on members of the public in response to the Personal Internet Security report published by the House of Lords Science and Technology Committee in August 2007. Currently the Information Commissioner's Office is in the unusual — and uncomfortable — position of having to ask permission of organisations before it could inspect their provisions for data protection. "What other regulatory body needs the consent of the organisations it regulates to find out what is going on?" said Thomas.

Funding is another major issue Thomas hopes to tackle — and will need to tackle, if spot checks are to have much effect. "My office is funded entirely by the £35 each data controller pays," said Thomas. "That makes a total of £10.5m. Compare that to the budget of the Health and Safety Executive, which is £875m, and clearly I do think we need an increase."

A data controller is an organisation or person with legal responsibility for the keeping and use of personal information on computer or in manual files. Examples of data controllers include companies, government departments or voluntary organisations.