'NHS and councils need help as they fall behind on data protection'
11 October 2012
By Matthew D'Arcy
The NHS, local government and Whitehall bodies are lagging behind private firms when it comes to data protection compliance, sparking new concerns about the security of personal data in the public sector, the UK's information watchdog has warned, re-emphasising its call for new compulsory audit powers to stop breaches of the Data Protection Act.
In an interview with Publicservice.co.uk, Louise Byers, head of good practice at the Information Commissioner's Office, said there was an "inherent risk" in sectors like the NHS and local government because of the "very sensitive" information held.
This was one reason why the two sectors were receiving the bulk of data breach fines, which can reach up to £500,000.
But there were other reasons, she said. The public sector now needed to better engage staff with data protection awareness and needed to accept help from the ICO to stop fines happening in the first place.
The private sector had "gone that step further" and had used "innovative ways of achieving compliance".
"It's not necessarily that they have spent lots more money, or have lots more people doing it, they have just been able to use some of the tools they have to promote compliance in a clever way," she said.
This included tools that public sector bodies "probably already have" but were not always using. Instead of just issuing training courses once a year, companies were using intranet sites to promote staff awareness. They were "promoting staff discussions on data protection".
"These are not complex or expensive solutions, they are just things that we have seen that organisations have been using to make sure data protection stays on the agenda," she said.
ICO audits had shown that around two thirds of private firms had high levels of assurance and were showing robust security.
But in the health service only one of 15 organisations provided a high level of assurance. Local government audits showed similar problems with only one out of 19 organisations achieving the highest mark. And central government audits came out only slightly better.
These sectors now needed to share and learn from best practice, said Byers.
"Not all NHS and local government organisations are doing this badly; where we have seen good practice, things are in place, and we want to share that," she said.
But Byers also warned that as long as the ICO was unable to conduct compulsory audits on the NHS and local government, problems would persist.
"My fear is that the organisations that don't want to have their data protection policies and practices put under the spotlight in an audit are probably those that need it the most," she said. "I wonder what is happening in the organisations that haven't wanted to engage with us."
"The ICO isn't just about issuing fines, but helping organisations to get it right in the first place," she added. It was now important that the ICO was given the powers it needed to help improve sectors which often hold data on vulnerable people.