Last October, the ICO’s audit team published an analysis of the audits they had carried out earlier in 2012. For comparison purposes, those audited were placed in 4 categories: Private Sector, NHS, Central Government & Local Authorities. The statistics, when shown in the way I have presented them (see image), do not look promising as far as Local Authorities are concerned. Since the aim of an audit is to try to get as many “high assurance” marks (ie marks on the left of the table), and as few “very limited assurance” marks (ie marks on the right of the table) as possible, they have a compliance pattern which is very different to the other categories.
Yes, I know, there are lies, damn lies and statistics. I don’t know how the ICO’s audit team chose the 16 Private Sector, 15 NHS, 11 Central Government or 19 Local Authorities that were visited between last February and July. And yes, I also know that as there are some 350,000 registered data controllers in the UK, it’s hard to make anything other than general observations from a sample size this small (ie 0.02% of registered controllers). But it does offer some useful indicators.
“Best of breed” award goes to the Private Sector. ICO auditors: “Observed good practice in all scope areas, in particular governance, training and awareness and security of personal data as a result of the existence and periodic review of DPA policies and procedures, which were made available to all staff; active monitoring of compliance with DPA policies and processes to provide assurance to senior management; and the implementation of data protection and information security training programmes.”
The common area for improvement is records management: “This is frequently attributed to lack of controls or process for disposal of electronic and / or manual records; and the absence of a clear retention schedule for manual or electronic data.”
Next best appears to be the NHS. ICO auditors: “Observed good practice in all scope areas, in particular governance and training and awareness as a result of the existence and periodic review of DPA policies and procedures, which were made available to all staff; and the implementation of data protection and information security training programmes.”
The common area for improvement is security of personal data: “This is frequently attributed to limited network access controls; and poor records management in relation to security and access.”
Following shortly behind was Central Government. Again, ICO auditors “Observed good practice in all scope areas, in particular governance and training and awareness as a result of active monitoring of compliance with DPA policies and processes to provide assurance to senior management; the implementation of data protection and information governance training programmes; and information governance and data protection management structures in place with responsibilities assigned at Board level.”
The common area for improvement is security of personal data: “In particular we noted poor network access controls; a lack of specialised information security and systems training; and the absence of effective information security compliance testing or asset management.”
Bringing up the rear are the Local Authorities. Just one Authority was identified as having a high level of assurance. Worryingly: 37% fell within the reasonable assurance range; 53% fell within the limited assurance range; and 5% were identified as providing very limited assurance.
ICO auditors: “observed good practice in security of personal data and records management. In particular ongoing development of effective network access controls; implementation of end point controls and device encryption; and fair processing information made readily available to the public.”
The common area for improvement is governance: “In particular we noted: poor monitoring of compliance with DPA policies and processes; a lack of assurance testing; and the absence of effective information asset management.”
So, what does this tell us?
It tells us three things.
First, Local Authorities appear to have particular challenges. They use a great deal of sensitive personal information, but they can’t necessarily access the resources that larger organisations have when seeking advice on what good data protection practice looks like - or if they can, it's very hard to put it into practice. What can be done to encourage the greater sharing of information systems and best practice? Local DPOs often have a range of other tasks to deal with each day, too. Groups of local authorities should pool their resources and share a Data Protection (or Information Rights) Department, staffed with a team of experienced professionals who could offer bespoke advice and support to the relevant units. I’m all for the Subsidiarity principle, where policy decisions are devolved to the local level, but local bodies should be able to access great data protection advice and support when they need it, too.
Despite constraints in public expenditure, sloppy data protection standards are not acceptable. Expenditure to meet good standards is, in Local Authority funding terms, a statutory requirement. So, legally, investment in data protection ranks higher in importance than the provision of cultural or recreational services. But I can’t imagine that many local officials will share that mindset.
Second, the ICO’s auditors tend to look for evidence of compliance with data protection standards by following the guidance they have previously published which explains what it is that they will be looking for. If you don’t actually know what that guidance is, or if you need any help in refining (or rewriting) the documentation that you may have which explains how you meet these standards, then get in touch.
Finally, the audit team’s analysis underscores the Information Commissioner’s point that the higher standards required by the current draft of the General Data Protection Regulation are unimplementable, unless all parties (and particularly the public sector) commit themselves to making very considerable investments. Higher standards are concepts I do look forward to – but, given the current economic climate, I won’t be holding my breath.
Footnote:
This article does not compare British data protection standards with those of other countries. I have not seen any evidence to suggest that, in terms of actual implementation of the relevant legal standards, we Brits are any worse (or any better) than anyone else. The ICO’s audit team should be thanked, though, for publishing such interesting reports.
Sources:
http://www.ico.gov.uk/for_organisations/sector_guides/~/media/documents/library/Data_Protection/Research_and_reports/outcomes_report_private_sector.ashx
http://www.ico.gov.uk/for_organisations/sector_guides/~/media/documents/library/Data_Protection/Research_and_reports/outcomes_report_local_government.ashx