The Information Commissioner’s Office could be granted the power to carry out surprise inspections of charities and other organisations under proposed changes to its powers in the Data Protection Bill.
It might also become an offence for any organisation, including charities, to destroy or falsify information that the ICO is investigating.
The bill, due to reach the report stage in the House of Commons tomorrow, will enshrine into British law the General Data Protection Regulation, which comes into force on 25 May.
The GDPR will allow the ICO to issue fines of up to 4 per cent of an organisation’s annual turnover, or £17m, whichever is greater.
In a blog on the ICO’s website, James Dipple-Johnstone, deputy commissioner for operations at the ICO, said: "It’s useful to have the option of larger fines and sanctions under the GDPR, but unless we have the powers to move at pace and obtain the information and evidence to determine what’s happened, we will be hampered in our future ability to issue those fines or sanctions."
He said that over the past few months it had become increasingly clear that its powers were not fit for purpose in the digital age and that the government had responded positively by including the proposals in the bill.
The bill contains provision for the ICO to issue urgent assessment notices, which would require organisations to hand over documents and equipment or allow the ICO access to their premises.
"An ‘urgent’ assessment notice may require access to non-domestic premises on less than seven days’ notice, which in effect may allow the ICO to carry out a no-notice inspection," the draft regulatory action policy says.
It adds that the proposed legislation contains a criminal offence of destroying or falsifying information and documents once a person has been given an information notice or assessment notice.
"This offence acts a deterrent against a person taking such steps with the intention of preventing the ICO from viewing or having access to information or documents once they are on notice of the ICO’s interest," the draft policy says.
Organisations would be able to appeal against the urgency of a notice in court, the policy says.
Dipple-Johnstone said: "We’ve worked with government to strengthen our powers so that we can issue information notices to individuals as well as organisations, and we can issue urgent notices to be complied with within 24 hours.
"We have the ability to inspect and assess compliance without notice and it will be a criminal offence for an organisation to destroy or alter information we wish to pursue a warrant to remove. These powers will assist in the conclusion of this investigation and future investigations."
The consultation on the regulatory action policy will close on 28 June and can be found here.