The Information Commissioner’s Office issued a press release today on the results of its voluntary audit program:
A series of reports published by the Information Commissioner’s Office (ICO) today has highlighted the positive approaches many private sector companies are adopting to look after people’s data. However concerns remain about data protection compliance within the local government sector and the NHS.
The findings are included in four reports which summarise the outcomes of over 60 ICO audits carried out in the private, NHS, local and central government sectors.
Announcing the reports, Louise Byers, Head of Good Practice, at the ICO said:
“We have been providing free audits to help organisations look after the personal information they collect and publishing the results for two years now. During this time we have seen some innovative and well thought out approaches to keeping people’s personal information secure and complying with the Data Protection Act. Today’s reports allow for this knowledge to be shared, while raising areas of continued concern.”
Each report provides a summary of the level of assurance the organisations in each sector have provided during their audit, along with relevant examples of good practice and existing areas for improvement. The audits were all carried out between February 2010 and July 2012.
Within the private sector, the ICO had a high level of assurance that 11 out of the 16 companies audited had policies and procedures in place to comply with the Act. This included having robust security measures in place and providing thorough training for their staff.
Commenting on the report for the private sector, Louise Byers continued:
“The private sector organisations we have audited so far should be commended for their positive approach to looking after people’s data. However this does not mean that businesses in the UK should rest on their laurels. We are still seeing relatively few companies agree to an ICO audit and further improvements can be made, particularly when it comes to the retention and deletion of data.”
In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend with only one out of 19 organisations achieving the highest mark. Central government departments fare little better with two out of 11 organisations achieving the highest level of assurance.
Louise Byers continued:
“While the NHS and central government departments we’ve audited generally have good information governance and training practices in place, they need to do more to keep people’s data secure. Local government authorities also need to improve how they record where personal information is held and who has access to it.
“The results of these reports show why we have requested an extension to our compulsory audit powers to cover the NHS and local government sectors. Organisations in these areas will be handling sensitive information, often relating to the care of vulnerable people. It is important that we have the powers available to us to help these sectors improve.”
The reports can be found here:
- Audit outcomes – central government (February 2010 – July 2012)
- Audit outcomes – local authorities (February 2010 – July 2012)
- Audit outcomes – NHS (February 2010 – July 2012)
- Audit outcomes – private sector (February 2010 – July 2012)
So…. maybe this helps explain why we see fewer fines in the private sector than in the govt and NHS sectors? I wonder how skewed these results are by the fact that it was a voluntary audit.
Update: Jon Baines thinks the press release is irresponsible. Now I regret not changing the headline for the release before I posted it, because I think Jon’s concerns are valid and I, too, had wondered about the validity of the findings based on the methodology.