'Councils and NHS must face compulsory data protection audits'
06 February 2013
By Matthew D'Arcy
Data breaches in local councils and NHS bodies which have led to serious distress for people and substantial fines against public bodies could be avoided, the Information Commissioner has told MPs. He wanted new powers to conduct compulsory data protection audits in order to make this happen.
Christopher Graham repeated a call for the new powers when giving evidence to the Commons Justice Select Committee. The Information Commissioner's Office (ICO) can already conduct compulsory audits on central government bodies. But it still has to obtain consent from other organisations, including local councils and NHS bodies, areas that have been identified as particularly problematic and where serious breaches of the Data Protection Act have been leading to a growing list of monetary penalties which can reach £500,000.
Breaches in local authorities have on multiple occasions seen sensitive information on vulnerable children sent to the wrong people. And in the NHS similar problems have been seen, with trusts fined for putting sensitive patient information at risk. On one occasion medical records were found in a disused hospital and in another case hard drives containing patients' personal data were found on an internet auction site.
Graham told MPs that compulsory audits could help stop "really stupid basic errors". The Department for Communities and Local Government was nevertheless "surprisingly opposed" to the idea, he was quoted as saying by the BBC.
It was the taxpayer that would lose out from continued breaches. "Until local government gets the message, local council taxpayers will continue to be hit by civil monetary penalties for really basic stupid errors," he said.
The ICO has been calling for compulsory audit powers for some time to help organisations prevent breaches before they happen. Dawn Monaghan, the ICO's strategic liaison group manager for public services, argued for this in an interview with Publicservice.co.uk last year.
But opposition to the plans has been voiced before. Robin Smith, who has led on information governance in several NHS bodies, told Publicservice.co.uk in May that the health service already had a number of imposed audits that it had to contend with. He also said information governance managers were "absolutely terrified" of the ICO and were "living in fear" of the regulator.
The string of data security breaches that made the headlines in the past few years has highlighted the need for more effective enforcement of data security policies across public organisations. Introducing mandatory data protection audits is a step towards combating this issue and is likely to help improve transparency of data protection practices in the UK public sector.
However, it's essential that such audits focus on ensuring that organisations have the right security controls to manage access to sensitive information and enforce privacy protection rules. By leveraging technology that monitors and analyses access risk in near real time, public organisations will be able to better understand security risk and focus their IT security efforts on the most problematic areas that need immediate attention. This will not only reduce the risk of security breaches, but will also provide greater transparency into how sensitive data is being accessed and used, which is essential for security audits.
Marc Lee - Courion