ICO asks government to extend powers of compulsory audit

The UK’s Information Commissioner’s Office has submitted a business case to the government for extending the privacy watchdog’s powers to carry out compulsory audits.

In October last year, Information Commissioner Christopher Graham told the 10th annual data compliance conference in London that the ICO needed powers to conduct compulsory data protection audits in local government, the health service and the private sector to ensure compliance with the law.

The only compulsory data protection audit powers the ICO currently has are for central government departments. For all other organisations the ICO has to get consent before an audit can take place.

The Information Commissioner has also written to councils to remind them of the need to comply with their legal obligations under the Data Protection Act.

“At a time when councils are increasingly working with community partners, when data is shared it is vital that they uphold their legal responsibilities under the Data Protection Act,” said Graham.

Failures not only put local residents’ privacy at risk, but also mean that councils could be in line for a sizeable monetary penalty, he said.

Two of the biggest monetary penalties issued by the ICO since it was granted the power to do so in April 2010 have been for £140,000 against the Midlothian Council in January this year and £130,000 against the Powys County Council the month before.

The application by the Information Commissioner to extend the ICO’s powers to tackle the issue comes as the privacy watchdog serves enforcement notices on five more councils found to be in breach of the Data Protection Act.

The five data breaches at local authorities all relate to incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure, the ICO said.

Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two-month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.

The Council has now signed an undertaking committing it to take action to address the problems highlighted in each incident. This includes introducing appropriate checks to make sure personal information is handled in compliance with the Act.

In July 2011, an employee of Brighton and Hove Council emailed the details of another member of staff’s personnel data to 2,821 council workers. A third party also informed the ICO of a breach which took place in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee. The Council has now committed to ensuring that the personal information they process is secure, including making sure that all portable devices used to store personal data are encrypted.

Undertakings have also been signed by Dacorum Borough Council, Bolton Council and Craven District Council, while an enforcement notice has been issued to Staffordshire County Council over its mishandling of a subject access request.

The ICO said it has carried out a number of audits with local authorities to help them identify ways in which they can improve their handling of personal information.

The ICO has also produced guidance for local authorities explaining their obligations to keep personal information secure, including advice on the security measures that must be in place.