The ICO flexes its muscles – but when will it be taken seriously?
28 November 2011
By Graeme Stewart
The Information Commissioner's Office (ICO) is now seeking the power to conduct compulsory data protection audits in the health service, local government and the private sector. Information Commissioner Christopher Graham said: "Helping the healthcare sector, local government and businesses to handle personal data better are top priorities, and yet we are powerless to get in there and find out what is really going on." At present, the only compulsory audit powers the ICO has are for central government departments, and so this request caused quite a reaction when it was announced.
But isn't this negative reaction inevitable? Even if companies have absolutely nothing to hide from the ICO, it is hardly likely that any company, regardless of sector, would willingly invite an audit of all of its information, given the amount of work this creates and the inevitable disruption to day-to-day operations. Furthermore, given the pressure decision makers at the NHS and local authorities are currently under, it's hardly surprising that this suggestion was met with some resistance.
It's easy to see why the ICO is seeking to flex its muscles and grasp further authority as, until the ICO gets some serious powers, it will continue to struggle to have a real effect. Even if the ICO is able to conduct compulsory audits, with the limited fines that these organisations could face, it is unlikely that a voluntary audit will top boardroom agendas anytime soon. Currently, the ICO's maximum fine is £500,000 and it seems that it still has to hold back on the biggest penalty, as there will be nowhere to go when the next big data breach comes along.
Even if the ICO's remit expands and audits of organisations outside of central government departments are allowed, the current fines will remain merely a metaphorical slap on the wrist and a mild chiding. Unless there is another major breach, similar in scale to the 2007 HMRC breach, it is unlikely that the ICO will see a major increase in power in the near future.
There is, however, a potential glimmer of hope for the ICO as there seems to have been a recent shift in attention at Whitehall to focus on fighting cyber crime, and the first steps towards genuinely tackling data breaches in the UK. David Cameron announced that he was giving InfoSec and cyber a tier one status, highlighting its importance to create a safer business environment, with the aim to attract UK investment and encourage economic growth. And more recently the Justice Select Committee has waded in with a report recommending stronger penalties for individuals breaching the Data Protection Act and greater powers for the ICO in this respect.
With the increase in mobility and the use of web-based services across UK companies, and a focus on increasing use of the PSN in the public sector, it's essential that we start to concentrate more on the protection of corporate and individual information. However, it will not be until we see these two silos – the government and the ICO – truly connect that we will see real investment in technology and data loss prevention to make this possible.
Ideally, this investment will result in a decrease in the number of data breaches, and an increase in public awareness and confidence, as firms take more care of their corporately held information, with the repercussions rightfully weighing heavier. If the ICO can hook data loss prevention into the wider government agenda of information security in the UK, it will stand a better chance of increasing its power – and UK enterprises will need to start taking notice.

Graeme Stewart is public sector business development director at Sophos.