ICO Warns Businesses Over Data Protection Audits

The Information Commissioner has warned private businesses that they should be more willing to undergo data protection audits.

The warning comes after the Information Commissioner’s Office (ICO) published figures in its annual report which showed that private companies reported the most data security breaches of any sector in 2010/11.

At the moment UK businesses are under no obligation to tell the ICO if they have suffered a data breach. Instead the ICO operates a voluntary scheme under which serious breaches can be brought to the ICO’s attention.

Breach Disclosure Law

However this may well change after the European Commission said it is working on a law that will legally force companies to notify of any data breach.

Indeed EU justice and rights commissioner Viviane Reding, who was speaking in London recently, confirmed that banks and businesses will be legally obliged under new data protection laws currently being drawn up to warn customers when their personal information is lost or stolen.

The ICO annual report shows that of the 603 data security breaches reported to it in 2010/11, 186 (almost a third) occurred in the private sector. These figures counter the perception that it is the public sector, most notably the NHS, that is responsible for most of the data breaches in the UK.

Only last week the ICO warned the NHS that it must do more to prevent data breaches in future, after reprimanding another five NHS health bodies for breaching the Data Protection Act (DPA).

Badge Of Honour

But the ICO figures show that the private sector must do more, especially as only 19 percent of businesses contacted by the ICO accepted the offer to undergo free data protection audits.

In contrast, 71 percent of public sector organisations who were contacted voluntarily agreed to be audited.

“Lenders, general businesses and direct marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year,” said Information Commissioner, Christopher Graham.

“Despite this, many of them are still resisting our offer to undergo audits,” he said. “We’ve written to organisations we consider to be high risk but the response has been disappointing.”

“These audits are not about naming and shaming those who are getting it wrong,” Graham added. “The fact that a company has undergone a consensual audit should count as a badge of honour, showing that the business takes data security seriously. After all, sound data protection practices are irrevocably linked to providing good customer service.”