Audit figures from the Information Commissioner’s Office (ICO) show that security practices in the private sector are far better than in the public sphere, the ICO has said. However, a data protection lawyer disagrees, saying the numbers don’t justify such a claim.
Public bodies appear to have lower security standards in a set of four ICO reports, which combine the results of security audits of bodies in different sectors between February 2010 and July 2012. In local government and the NHS, 14 reports resulted in ‘limited assurance’ ratings – that’s the second worst ranking of four categories, just above ‘very limited assurance’.
There was only one case of ‘very limited assurance’, the ICO reported, which related to an audit of Wolverhampton City Council in January. The local authority was deemed to have “a substantial risk that the objective of data protection compliance will not be achieved”. A subsequent audit in August lifted it up to the ‘limited assurance’ category.
In 11 audits of central government departments, two received the top ‘high assurance’ rating, with the remaining 9 on ‘reasonable assurance’.
The picture looks more positive in the private sector, where out of 16 audits, 11 received the highest rating, with three on ‘reasonable assurance’ – which included Google. Just two were found to offer ‘limited assurance’.
“The private sector organisations we have audited so far should be commended for their positive approach to looking after people’s data,” said Louise Byers, head of good practice at the ICO.
“While the NHS and central government departments we’ve audited generally have good information governance and training practices in place, they need to do more to keep people’s data secure. Local government authorities also need to improve how they record where personal information is held and who has access to it.”
But does the data really back up this conclusion? Critics have pointed to two weaknesses, which make any comparisons dubious: the number of audits carried out, and the conditions under which organisations underwent an audit.
The number of public sector audits is far greater than that of the whole private sector, and the number of reports overall is low, said data protection lawyer Stewart Room, partner in Field Fisher Waterhouse’s Privacy and Information Law Group.
“My first impression on reading the reports was that the number of organisations sampled was very low,” he told TechWeekEurope. “I’m not sure that the numbers are high enough for the reports to be statistically relevant, so that we can draw wider conclusions about the sectors involved.”
Another weakness is that all the private sector bodies came forward voluntarily for a security audit, while some public bodies can be forced to let the ICO in to check them out. The ICO did not mention that it can enforce audits on central government departments.
“As far as the private sector is concerned, it’s important to bear in mind that the organisations that volunteered for audits probably made a higher investment in pre-audit preparations than those in the public sector and combining this with the obvious fact that no private sector organisation in its right mind would agree to an audit of shoddy compliance, you have to think that a high assurance rating was pretty much guaranteed,” said Room.
This week, the ICO fined a firm in the “third sector” (charities). It fined social care charity Norwood Ravenswood £70,000 for losing highly sensitive information about the care of four young children.
TechWeekEurope has received the following message from Elaine Kerr, whose company Norwood is mentioned in the above article.
Dear Sir/Madam,
I write in response to the article which appears on your website (Friday 12 October 2012).
Norwood has always taken the issue of Data Protection extremely seriously and deeply regrets what was an isolated breach within our Adoption Service. It is clear however, that the fine of £70,000 is disproportionate and we have reserved our right to appeal the amount on these grounds.
Contrary to the press release issued by the ICO, the incident did not occur due to inadequate training, but was an obvious lapse in judgement by one individual employed by Norwood. It is clear that the incident was in no way a reflection of our practice, policies or guidelines, but rather an act of human error.
It should also be noted that Norwood reported itself voluntarily to the ICO when we discovered the breach and we took immediate measures to tighten our data protection procedures even further.
Norwood co-operated fully throughout the ICO’s investigation and appropriate action has been taken against the member of staff concerned. Most importantly, no harm was actually caused to any party involved in the breach. We should also state that this is the only incident of its kind at the Charity during its 200 years of operation.
The public can remain confident that Norwood will continue to provide world-class services to the people who need it most, with absolute integrity and commitment to protect the privacy and confidentiality of the people we support.
Elaine Kerr
Chief Executive
Norwood