Isn’t coming back to work after a two-week holiday a drag?
One of the things I should have blogged about before the summer break was the discussion at the launch of the Information Commissioner’s Annual Report about “mystery FOI shoppers”. You should realise that ICO staff are already mystery FOI shoppers but, in my view, it is only a matter of time before such activity extends to data protection.
The Commissioner stated at the Annual Report launch that in the context of FOI, “his office will begin proactive monitoring of the adoption of, and publication in accordance with, the new publication scheme, as well as proactive dissemination under the EIR”. He added that “such monitoring will also provide an important opportunity to review more general compliance with the FOIA and the EIR and to assess the practices of public authorities”.
The ICO guidance on such monitoring (on his web-site) adds that certain sectors will be targeted for specific periods of time (for example, police forces for 3 months) and that the Commissioner expects to monitor at least 20 public authorities per month. To this I would observe that through the work relating to a vast array of Decision Notices, the ICO has a readymade list of target authorities whose procedures might not pass muster.
The ICO expects that remote monitoring of public authority websites is likely to involve:
• confirming that the public authority has adopted the model publication scheme and has produced a guide to information.
• an initial check against the types of information identified in the ICO sector-specific guidance or template guides, e.g. about the availability of information about directorate structures, expenses and allowances paid to senior personnel, or an authority’s performance against official targets.
• a review of an authority’s guide to information and policies with particular emphasis on accessibility and any charging regime.
• establishing that FOI procedures and timeframes conform to ICO guidance (e.g. concerning internal review, transfer of requests, performance statistics in relation to requests and complaint handling).
If the ICO gets a “taste” for this kind of activity, it would be easy to extend mystery shopping to data protection. For instance, mystery shoppers could check a data controller’s fair processing notice against the standards of the new Fair Processing Code of Practice, or see whether subject access points advertised on a web-site can actually deal with a request. Perish the thought if mystery shoppers started to look at the nonsense that often appears on the Register of Data Controllers!
In summary, I think that as the ICO’s audit functionality in data protection gains more experience, one would expect ICO staff to become mystery shoppers before undertaking any inspection.
So your next inquiry might be from a mystery shopper working for the ICO? Nice to be back, isn’t it?