The Information Commissioner's Office (ICO) has published four reports today highlighting the level of data protection compliance within central government, local authorities, the private sector and the NHS.
The reports are based on more than 60 ICO audits carried out in these areas. Although the private sector appears to have a handle on protecting data, the ICO has expressed concern over compliance within local government and the NHS.
Each report provides a summary of the level of assurance the organisations in each sector have provided during their audit, along with relevant examples of good practice and existing areas for improvement. The audits were all carried out between February 2010 and July 2012.
The UK has taken a battering when it comes to data breaches. As we recently reported, ICO figures show a sharp rise in breaches since 2007, with some sectors seeing an increase of over 1,000 percent.
The reports name no individual organisations; instead a scale has been applied that shows each sector's scope for improvement when it comes to keeping data safe.
The health service looks as though it has a lot of work to do to improve the safety of data. Earlier this year a record fine was dished out after patient records were found on hard drives for sale.
According to the ICO, only one of the 15 NHS organisations audited provided a high level of assurance, and the local government sector showed a similar trend, with only one out of 19 organisations achieving the highest mark. Central government departments fare little better, with two out of 11 organisations achieving the highest level of assurance.
Louise Byers, Head of Good Practice at the ICO, said:
“While the NHS and central government departments we’ve audited generally have good information governance and training practices in place, they need to do more to keep people’s data secure. Local government authorities also need to improve how they record where personal information is held and who has access to it.
“The results of these reports show why we have requested an extension to our compulsory audit powers to cover the NHS and local government sectors. Organisations in these areas will be handling sensitive information, often relating to the care of vulnerable people. It is important that we have the powers available to us to help these sectors improve.”
Within the private sector, the ICO had a high level of assurance that 11 out of the 16 companies audited had policies and procedures in place to comply with the Data Protection Act. This included having robust security measures in place and providing thorough training for their staff.
Guidance on data
The ICO states that anyone who processes personal information must comply with the eight principles of the Data Protection Act, which require that personal information is fairly and lawfully processed, processed for limited purposes, adequate, relevant and not excessive, accurate and up to date, not kept for longer than is necessary, processed in line with the individual's rights, secure, and not transferred to other countries without adequate protection.
The ICO encourages good practice in data handling through guidance and a series of checks. Byers explains:
“We have been providing free audits to help organisations look after the personal information they collect and publishing the results for two years now. During this time we have seen some innovative and well thought out approaches to keeping people’s personal information secure and complying with the Data Protection Act. Today’s reports allow for this knowledge to be shared, while raising areas of continued concern.”
Working out methods for data security can be costly and time-consuming, but as more personal information is handled digitally, keeping those details safe needs to be a priority. Hopefully there will come a time when headlines about data breaches are rarer, or perhaps part of the answer is to put data in the hands of individuals.
Either way, today's ICO reports don't make for very happy reading and should provide some food for thought. Although most organisations would hope to avoid a fine, the effect on customers, patients and clients can be far more damaging.
Image Credit: LizJones112