ICO Praises Private Sector Security

The ICO says the private sector is leading the way in data protection, but is it basing its claims on dodgy data?

Audit figures from the Information Commissioner’s Office (ICO) show that security practices in the private sector are far better than in the public sphere, the ICO has said. However, a data protection lawyer disagrees, saying the numbers don’t justify such a claim.

Public bodies appear to have lower security standards in a set of four ICO reports, which combine the results of security audits of bodies in different sectors between February 2010 and July 2012. In local government and the NHS, 14 reports resulted in ‘limited assurance’ ratings – that’s the second worst ranking of four categories, just above ‘very limited assurance’.

There was only one case of ‘very limited assurance’, the ICO reported, which related to an audit of Wolverhampton City Council in January. The local authority was deemed to have “a substantial risk that the objective of data protection compliance will not be achieved”. A subsequent audit in August lifted it up to the ‘limited assurance’ category.

In 11 audits of central government departments, two received the top ‘high assurance’ rating, with the remaining nine on ‘reasonable assurance’.

Private sector ICO love

The picture looks more positive in the private sector, where out of 16 audits, 11 received the highest rating, with three on ‘reasonable assurance’ – which included Google. Just two were found to offer ‘limited assurance’.

“The private sector organisations we have audited so far should be commended for their positive approach to looking after people’s data,” said Louise Byers, head of good practice at the ICO.

“While the NHS and central government departments we’ve audited generally have good information governance and training practices in place, they need to do more to keep people’s data secure. Local government authorities also need to improve how they record where personal information is held and who has access to it.”

But does the data really back up this conclusion? Critics have pointed to two weaknesses, which make any comparisons dubious: the number of audits carried out, and the conditions under which organisations underwent an audit.

The number of public sector audits is far greater than that of the whole private sector, and the number of reports overall is low, said data protection lawyer Stewart Room, partner in Field Fisher Waterhouse’s Privacy and Information Law Group.

“My first impression on reading the reports was that the number of organisations sampled was very low,” he told TechWeekEurope. “I’m not sure that the numbers are high enough for the reports to be statistically relevant, so that we can draw wider conclusions about the sectors involved.”

Another weakness is that all the private sector bodies came forward voluntarily for a security audit, while some public bodies can be forced to let the ICO in to check them out. The ICO did not mention that it can enforce audits on central government departments.

“As far as the private sector is concerned, it’s important to bear in mind that the organisations that volunteered for audits probably made a higher investment in pre-audit preparations than those in the public sector and combining this with the obvious fact that no private sector organisation in its right mind would agree to an audit of shoddy compliance, you have to think that a high assurance rating was pretty much guaranteed,” said Room.

This week, the ICO fined a firm in the “third sector” (charities). It fined social care charity Norwood Ravenswood £70,000 for losing highly sensitive information about the care of four young children.
