UK police forces fail to impress in ICO audit

Only one out of 17 UK police forces audited by the ICO achieved the top assurance rating for compliance with data protection laws

Only one out of 17 UK police forces audited by the Information Commissioner’s Office achieved the highest possible assurance rating for compliance with UK data protection laws.

More than one-third fell within the “limited assurance” range, and only 59% achieved a rating of “reasonable assurance”, but none was so bad as to be rated as having “very limited assurance”.

The ICO audits, conducted between April 2013 and April 2014, covered three of six key scope areas for which an assurance level is given and combined to form the overall assurance rating.

According to the report, not one of the forces audited scored a “high” assurance rating for the scope areas of “security of personal data” and “training and awareness”.

However, eight were rated as having a “reasonable” assurance rating for security of personal data, which covers the technical and organisational measures in place to ensure there is adequate security over personal data held in manual or electronic form.

Another area of weakness identified by the report is records management, where eight police forces were rated as having only “limited” assurance.

Conversely, only one force was rated as having “very limited assurance” for the data-sharing area, which covers the design and operation of controls to ensure that the sharing of personal data complies with the Data Protection Act.

“The ICO’s report raises almost as many questions as it answers,” says Chris McIntosh, chief executive of communications firm ViaSat UK.  

“For example, why are no forces out of those surveyed ranked ‘high’ for either security of personal data or training and awareness? Why does records management appear to be such a weakness?”

McIntosh said that although the audits do not cover all UK police forces, there are lessons that every public sector body, especially those that are custodians of highly sensitive personal data, should take from the results.

“First, an organisation is only as secure as its weakest link,” he said. “If data is not adequately protected at any point of its existence, or if workers are not aware of the need for data protection and best practices, sensitive information will be constantly at risk.

“Second, organisations must evolve with the times. As records make the move from paper to digital, they must be certain that not only are they evolving their data protection processes to deal with new technology, but that in this evolution, older data is not being left behind.”

Read more on Privacy and data protection