ICO Praises Private Sector Security

Audit figures from the Information Commissioner’s Office (ICO) show that security practices in the private sector are far better than in the public sphere, the ICO has said. However, a data protection lawyer disagrees, saying the numbers don’t justify such a claim.

Public bodies appear to have lower security standards in a set of four ICO reports, which combine the results of security audits of bodies in different sectors between February 2010 and July 2012.  In local government  and the NHS, 14 reports resulted in ‘limited assurance’ ratings -that’s the second worst ranking of four categories, just above ‘very limited assurance’.

There was only one case of ‘very limited assurance’, the ICO reported, which related to an audit of Wolverhampton City Council in January. The local authority was deemed to have “a substantial risk that the objective of data protection compliance will not be achieved”. A subsequent audit in August lifted it up to the ‘limited assurance’ category.

In 11 audits of central government departments, two received the top ‘high assurance rating’, with the remaining 9 on ‘reasonable assurance’.

Private sector ICO love

The picture looks more positive in the private sector, where out of 16 audits, 11 received the highest rating, with three on ‘reasonable assurance’ – which included Google. Just two were found to offer ‘limited assurance’.

“The private sector organisations we have audited so far should be commended for their positive approach to looking after people’s data,” said Louise Byers, head of good practice at the ICO.

“While the NHS and central government departments we’ve audited generally have good information governance and training practices in place, they need to do more to keep people’s data secure. Local government authorities also need to improve how they record where personal information is held and who has access to it.”

But does the data really back up this conclusion? Critics have pointed to two weaknesses, which make any comparisons dubious: the number of audits carried out, and the conditions under which organisations underwent an audit.

The number of public sector audits is far greater than that of the whole private sector, and the number of reports overall is low, said data protection lawyer Stewart Room, partner in Field Fisher Waterhouse’s Privacy and Information Law Group.

“My first impression on reading the reports was that the number of organisations sampled was very low,” he told TechWeekEurope. “I’m not sure that the numbers are high enough for the reports to be statistically relevant, so that we can draw wider conclusions about the sectors involved.

Another weakness is that all the private sector bodies came forward voluntarily for a security audit, while some public bodies can be forced to let the ICO in to check them out. The  ICO did not mention that it can enforce audits on central government departments.

“As far as the private sector is concerned, it’s important to bear in mind that the organisations that volunteered for audits probably made a higher investment in pre-audit preparations than those in the public sector and combining this with the obvious fact that no private sector organisation in its right mind would agree to an audit of shoddy compliance, you have to think that a high assurance rating was pretty much guaranteed,” said Room.

This week, the ICO fined a firm in the “third sector” (charities). It fined social care charity Norwood Ravenswood £70,000 for losing highly sensitive information about the care of four young children.

Like Internet anonymity? Try our Anonymous quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • TechWeekEurope has received the following message from elaine Kerr, whose company Norwood is mentioned in the above article.

    Dear Sir/Madam,

    I write in response to the article which appears on your website (Friday 12 October 2012).

    Norwood has always taken the issue of Data Protection extremely seriously and deeply regrets what was an isolated breach within our Adoption Service. It is clear however, that the fine of £70,000 is disproportionate and we have reserved our right to appeal the amount on these grounds.

    Contrary to the press release issued by the ICO, the incident did not occur due to inadequate training, but was an obvious lapse in judgement by one individual employed by Norwood. It is clear that the incident was in no way a reflection of our practice, policies or guidelines, but rather an act
    of human error.

    It should also be noted that Norwood reported itself voluntarily to the ICO when we discovered the breach and we took immediate measures to tighten our data protection procedures even further.

    Norwood co-operated fully throughout the ICO’s investigation and appropriate action has been taken against the member of staff concerned. Most importantly, no harm was actually caused to any party involved in the breach. We should also state that this is the only incident of its kind at the Charity during its 200 years of operation.

    The public can remain confident that Norwood will continue to provide world-class services to
    the people who need it most, with absolute integrity and commitment to protect the privacy and
    confidentiality of the people we support.

    Elaine Kerr

    Chief Executive

    Norwood

Recent Posts

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

1 hour ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

4 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

4 hours ago

Dutch PM Raises Cyber Espionage Case With China’s Xi

Beijing visit sees Dutch Prime Minister Mark Rutte discuss cyber espionage incident with Chinese President…

5 hours ago

Vodafone Germany Confirms 2,000 Job Losses, Amid European Restructuring

More downsizing at Vodafone after German operation announces 2,000 jobs will be axed, as automation…

21 hours ago

AI Poses ‘Jobs Apocalypse’, Warns Report

IPPR report warns AI could remove almost 8 million jobs in the United Kingdom, with…

22 hours ago