Private firms doing well on data protection, but NHS and public sector not so much: ICO

The data protection regulator, which is lobbying for powers to force NHS and local-authority bodies to submit to compulsory audits, has released an overview of the 60 audits it has carried out over the past two years.
Written by David Meyer, Contributor

Companies in the UK are doing a great job at data protection but compliance in the NHS and local government sectors is a bit shakier, the Information Commissioner's Office has said.

The privacy watchdog released four reports on Thursday, detailing the results of 60 audits it has carried out over the last two years. Of the 16 private-sector firms audited, 11 were shown to have a 'high level of assurance' that they were handling people's data correctly and safely.


That accolade was missing for almost everyone else. A high level of assurance was found at one health-service organisation out of 15 audited, one local-government organisation out of 19, and two central government departments out of 11.

"The private sector organisations we have audited so far should be commended for their positive approach to looking after people's data," ICO 'head of good practice' Louise Byers said in a statement.

As for the NHS and central government departments that were audited, Byers said they "generally have good information governance and training practices in place [but] need to do more to keep people's data secure".

"Local government authorities also need to improve how they record where personal information is held and who has access to it," she added.

Why get audited?

Of these four groups, only one — central government departments — is forced to submit to ICO audits. The rest all apply voluntarily, leaving the ICO unable to examine them closely unless they are caught out over a serious data protection breach.

Byers warned private firms not to "rest on their laurels", and complained that "relatively few companies" agree to an audit.

A spokesman for the ICO conceded to ZDNet UK on Thursday that, if firms were "in real trouble", they would be far more likely to go to a private company for an audit than to approach the data protection regulator. However, he added that getting a clean bill of health from the ICO was a "badge of honour" that the firm could then show off.

One reason the ICO publicised its findings on Thursday was to lobby for powers to force NHS and local government bodies to submit to audits.

"Organisations in these areas will be handling sensitive information, often relating to the care of vulnerable people," Byers said. "It is important that we have the powers available to us to help these sectors improve."
