Information Commissioner 'blocked' from auditing key sectors

Also in this channel

• News
• In Depth
• How-Tos
• Blogs
• Slideshows

 

Virtualisation, Big Data and BYOD

Check out our Business IT Hub for opinions and briefings. Read more

---

The only compulsory data protection audit powers the ICO currently has are for central government departments. For all other organisations the ICO has to win consent before an audit can take place.

Graham said data breaches in the NHS continue to be "a major problem". Of the 47 undertakings the ICO has agreed with organisations that have breached the Data Protection Act since April, over 40 percent (19) were in the healthcare sector.  

In addition, the most serious personal data breaches that have resulted in an ICO fine have occurred in the local government sector. Four of the six penalties served so far involved local authorities, said Graham.

Graham said businesses remain the sector generating the most data protection complaints though. Despite this, as reported in July, just 19 percent of companies contacted by the ICO accepted the offer of undergoing an audit.

The ICO has written to 29 banks and building societies and so far only six (20 percent) have agreed to undergo an audit. The insurance sector has also shown reluctance in this area. Of the 19 companies contacted this year by the ICO, only two agreed to an audit.

Graham said: “Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices.

"Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on."

Graham said he was "preparing the business case" for an extension of the ICO’s Assessment Notice powers under the Coroners and Justice Act 2009 to deal "with these problematic sectors".