Christopher Graham is urging local authorities to accept his offer of a free audit. Launching his annual report in July, the information commissioner stressed the benefits of this free compliance check and the practical advice he could offer; being audited should be seen as a "badge of honour", he said.
Though the Information Commissioner's Office (the ICO) can audit government departments without their consent, its focus is on voluntary audits, where both the scope of the procedure and the final report are agreed between the two parties.
Under these agreements, the ICO will not normally take enforcement action over any failings discovered, but will give the organisation a chance to put things right. Receiving an invitation does not necessarily mean the ICO has specific concerns about your organisation – you may just be considered to be high risk because of the nature of the personal information you hold.
After the audit, the ICO publishes an executive summary of the findings (agreed between the parties) on its website. Although the ICO does not intend to publish full reports, there is a risk that it could be required to release a report under the Freedom of Information Act. So is it worth taking the ICO up on its offer?
The potential upside
An independent compliance assessment may be useful, highlighting success as well as weakness within your council. It may allow a data protection manager to demonstrate that they are doing a good job or – on the contrary – that the organisation is significantly under-resourced in this area.
If you volunteer you will get credit for this; if something goes wrong in the future, the way in which you acted upon recommendations will count in your favour. If you are confident about your authority's compliance with the law then having a statement published which gives your organisation a clean bill of health could also prove good publicity.
The potential downside
Yet you may have good reason to be cautious. An audit will take up time and resources and may be inconvenient. You will probably already be addressing known shortcomings and you may have recently been subject to an internal audit which has provided a thorough appraisal of your compliance.
If the audit were to identify weaknesses, the publication of an executive summary could damage your council's reputation. If, in the light of the findings, you refused to agree to the publication of an executive summary, this would be clear from the ICO website, possibly prompting others to request it under the Freedom of Information Act. In fact, it is the mandatory publication of an executive summary that has deterred so many private sector organisations from saying yes to the ICO's offer of a free audit.
Negotiate your terms
You may have no choice but to accept an audit, but you should still discuss and document the exact scope of the exercise. Afterwards, if you do not believe the draft executive summary is fair you can negotiate to amend it and – ultimately – refuse to allow publication. As for the full report, you should not be shy about pressing the ICO to alter it if you think it genuinely unfair.
The choice is yours. If you believe independent scrutiny could be of overall benefit then you should agree. But if not, you should not feel embarrassed about declining and establishing whether the ICO wishes to enforce the audit upon you. Finally, if you would welcome an audit but have not received an invitation, you can proactively ask to be audited.
Simon McDougall is managing director of Promontory. Phil Jones is a special adviser to Promontory and was formerly an assistant information commissioner at the Information Commissioner's Office.
This content is brought to you by Guardian Professional.