Friday 4 January 2013

Comments on the audits blog

Yesterday’s blog motivated some people to contact me to express their concern that the ICO had rather unfairly compared data controllers in the public sector with those in the private sector, since the differences are increasingly artificial.

As one person put it: “I certainly don't challenge your points, but I do worry that the ICO focus on public sector (esp Local Gov and NHS) compliance (as you reported in another blog post, counsel for the ICO at the recent CMP appeal even suggested that the ICO thinks the public sector should be subject to higher data protection standards than the private) implies a corresponding lack of scrutiny of the private (or other) sectors.”  

Such sentiments were evidently present in an article entitled “A Fairy Tale of Wilmslow”, which was posted on the excellent Information Rights and Wrongs blog last month.

I am assured that the ICO audit team does concentrate on organisations that have actually invited them to carry out an audit, rather than on those audited as a consequence of a self-reported data breach.

But what messages does publication of the sectoral analysis send to potential volunteers? Will it encourage more audit visits, or not?

If I were a senior leader (who didn’t know much about data protection) in a local authority and were presented with a proposal from the local data protection officer that the ICO’s audit team be invited to carry out a friendly audit, what might I do? 

First, I might well get my oik (or strategic adviser) to carry out a quick internet search on this ICO thingey, to find out what it does. If my oik is any good, they might pretty quickly come across a couple of articles pointing out that when the ICO’s audit team carries out its work, it usually finds that a number of issues need addressing as a matter of some priority. And that it usually finds local authorities to be in a poorer state of assurance / compliance than the private sector.

Being a senior leader, of course I would be aware that not everything is always all right in every department in my authority, but would I have the courage to have this officially noted, by means of a voluntary audit, when there are plenty of other statutory audits going on, say in health, environment and education, which unearth system defects that are equally or more significant and need urgent redress?

This is a difficult issue, especially when local authority budgets are under such scrutiny. I hope there are plenty of people who do have the courage to say that additional resources are required to improve data protection standards in their area, without worrying that to do so might be a career-limiting move.

So, I’m looking forward to learning of the longer term implications of these audit reports. 

Now that the first wave has been analysed, will this result in a tsunami of applications from data controllers asking for assurance from the ICO’s audit team that their practices are up to scratch? Or will it result in a period of introspection, followed by discreet enquiries from some organisations to consultants, asking them to independently review internal standards before the ICO is engaged?

I’ve already had one discreet enquiry, and do look forward to receiving a few more.