Many private firms decline ICO audit, finds 2011 ICO annual report

The 2011 ICO annual report shows that of the private companies offered an ICO audit last year, only 19% accepted.

The Information Commissioner's Office (ICO) has begun offering free audits to help organisations improve the way they handle personal and confidential data, but so far, few private companies have accepted the offer.

In the new 2011 ICO annual report, issued this week, Information Commissioner Christopher Graham describes the state of the ICO’s efforts to accomplish its mission, namely “to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”

The report shows the ICO investigated 603 data breaches in the last year, with the public sector accounting for nearly two-thirds of the toll. The NHS was the biggest offender in the public sector, accounting for 165 breaches. Local government reported 146 breaches, and central government 32, with other public sector bodies making up another 45. NHS bodies and central government are obliged to report breaches, while it is still optional for other organisations.

Earlier this week, ahead of the report’s publication, the ICO announced it would be working closely with NHS bodies to try to resolve some of their persistent security problems.

According to the ICO report, the breaches resulted in five prosecutions – four against local authorities – and 46 public undertakings by offending organisations to improve their practices.

In a recent televised webinar, Graham said that although the ICO now has “sharp teeth” and can impose fines up to £500,000, it is adopting a “carrot-and-stick approach” and would prefer to offer organisations help and guidance rather than punish them.

To that end, he said, the ICO approached 100 organisations last year, both public and private, and offered them what he described as a “consensual audit” to help them determine how well they were managing personal and confidential information. Of the public sector bodies approached, 71% took up the offer, but only 19% of private companies did so, with the best response coming from the finance and telecommunications sectors. Private businesses accounted for 186 breach investigations last year.

“Encouraging businesses to engage with the audit process will be a continued focus for the year ahead,” Graham said.

Organisations that underwent the audits found the experience beneficial, he said, with 97% of all recommendations accepted. Follow-up visits found that 92% of the recommendations had been implemented.

The report said that common areas for improvement included:

  • Better policy awareness among employees.
  • Timely, relevant and specific data protection training.
  • Implementing encryption on portable devices.
  • Not sharing passwords.
  • Better physical security, including lockable storage.

“All the organisations who have provided feedback agreed our recommendations were constructive and addressed key risk areas,” the report said. “Nearly 90% of them also said the process had raised awareness of the importance of data protection within their organisation.”

Mathieu Gorge, managing director of Dublin-based compliance consultancy VigiTrust, encouraged more companies to take advantage of the free ICO audits.

“I’d certainly recommend it. It’s free of charge and it’s a good way to develop a relationship with the regulator,” Gorge said. “Navigating the Data Protection Act can be daunting, and so it’s better to engage with the ICO before you have a problem.”

The ICO report also outlines the work the organisation is doing as part of the Article 29 Working Party, which was set up under Article 29 of the EU Data Protection Directive to review data protection laws. The group includes the 27 data protection authorities from the EU member states and the European Data Protection Supervisor. It is widely expected to recommend mandatory disclosure of information breaches for all organisations within the next three years.
