Yesterday’s blog motivated some people to contact me to express their concern that the ICO had rather unfairly compared data controllers in the public sector with those in the private sector, since the differences are increasingly artificial.
As one person put it: “I certainly don't challenge your
points, but I do worry that the ICO focus on public sector (esp
Local Gov and NHS) compliance (as you reported in another blog post, counsel for the ICO at the recent CMP
appeal even suggested that the ICO thinks
the public sector should be subject to higher data protection standards than the private) implies a corresponding
lack of scrutiny of the private (or
other) sectors.”
Such sentiments were evidently present in an article entitled
“A Fairy Tale of Wilmslow”, which was posted on the excellent Information Rights and Wrongs blog last month.
I am assured that the ICO audit team does concentrate on organisations
that have actually invited them to carry out an audit, rather than as a
consequence of a self reported data breach.
But what messages does publication of the sectoral analysis send
to potential volunteers? Will it encourage more audit visits, or not?
If I were a senior leader (who didn’t
know much about data protection) in a local authority and were presented with a proposal from the
local data protection officer that the ICO’s audit team be invited to carry out a
friendly audit, what might I do?
First, I might well get my oik (or strategic adviser) to
carry out a quick internet search on this ICO thingey, to find out what it
does. If my oik is any good, they might pretty quickly come across a couple of
articles pointing out that when the ICO’s audit team carries out its work, it
usually finds that a number of issues need addressing as a matter of some
priority. And that it usually finds local authorities to be in a poorer state of assurance / compliance than the
private sector.
Being a senior leader, of course I would be aware that not everything is always alright in every department in my authority, but would I have the courage to have this officially noted, by means of a voluntary audit, when there are plenty of other statutory audits going on, say in health, environment and education, which unearth system defects that are equally or more significant and need urgent redress?
This is a difficult issue, especially when local authority
budgets are under such scrutiny. I hope there are plenty of people who do have
the courage to say that additional resources are required to improve data protection
standards in their area, without worrying that to do so might be a career
limiting move.
So, I’m looking forward to learning of the longer term
implications of these audit reports.
Now that the first wave has been analysed, will this result in a tsunami of applications from data controllers asking for assurance from the ICO’s audit team that their practices are up to scratch? Or will it result in a period of introspection, followed by discreet enquiries from some organisations to consultants, asking them to independently review internal standards before the ICO is engaged?
I’ve already had one discreet enquiry, and do look forward to receiving a few more.