Businesses must open their doors to audits, says ICO

Wed 6 Jul 2011 @ 12:30

Businesses should be more willing to undergo data protection audits, the Information Commissioner, Christopher Graham, said today.  The warning comes as figures published in the ICO’s annual report show that private companies reported the most data security breaches of any sector in 2010/11.

A data security breach is an incident that results in the loss, release or corruption of personal data.  In the absence of a legal obligation on data controllers to report them, the Information Commissioner operates a voluntary scheme under which serious breaches are brought to his office’s attention.

Figures from the annual report show that of the 603 data security breaches reported to the ICO in 2010/11, 186 – almost a third – occurred in the private sector.  Despite this, just 19% of businesses contacted by the ICO accepted the offer to undergo free data protection audits.  In contrast, 71% of public sector organisations who were contacted voluntarily agreed to be audited.

Information Commissioner, Christopher Graham, said: “Lenders, general businesses and direct marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year.  Despite this, many of them are still resisting our offer to undergo audits.  We’ve written to organisations we consider to be high risk but the response has been disappointing.

“These audits are not about naming and shaming those who are getting it wrong.  The fact that a company has undergone a consensual audit should count as a badge of honour, showing that the business takes data security seriously.  After all, sound data protection practices are irrevocably linked to providing good customer service.”

The ICO’s good practice audits are designed to help organisations and businesses to meet their data protection obligations through sharing good practice and making helpful and practical recommendations.  During 2010/11, the ICO wrote to over 100 public and private sector organisations to offer its services. Of those approached, 30% have agreed to undergo an audit.

The ICO is committed to making it easy for organisations to comply with their data protection obligations and offers a free audit service.  ICO staff can advise on how to keep things simple, reducing unnecessary bureaucracy.  In 2010/11, the Information Commissioner’s Office completed 26 audits, a 60% increase on 2009/10.  Following the audits, the ICO found that 92% of its recommendations were being acted upon.

In the last financial year, the ICO also launched a monitoring exercise to help support the public authorities that were taking too long to respond to freedom of information requests. Of the 33 authorities monitored, well over half have already significantly improved their performance, and seven have committed to putting action plans in place.

Today’s annual report also highlights the significant improvement the ICO has made in the time it takes to handle freedom of information complaints.  There are now no cases over 12 months old, compared with three at the end of 2010/11, 117 at year end 2009/10 and 418 two years ago.  Process improvements and changes to the ICO’s organisational structure made during the year enabled the ICO to complete more decision notices than ever before, without sacrificing quality or increasing the rate of appeals.

If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at: www.ico.gov.uk.


Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter. Our ‘For the media’ page provides more information for journalists.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection


www.ico.gov.uk

