ICO claims private sector leads the way on Data Protection Act compliance

Interestingly, a report from the ICO published yesterday has stated that the private sector appears to be more compliant with the requirements of the Data Protection Act than public sector bodies.

The ICO press release reports the findings of a series of audits the Office has carried out between Feb 2010 and Jul 2012, on both public and private sector bodies, and states:

Within the private sector, the ICO had a high level of assurance that 11 out of the 16 companies audited had policies and procedures in place to comply with the Act. This included having robust security measures in place and providing thorough training for their staff.

The public sector bodies didn't fare so well in the audits:

In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend with only one out of 19 organisations achieving the highest mark. Central government departments fare little better with two out of 11 organisations achieving the highest level of assurance.

Despite the poor results, there are not significantly more “recommendations” for the public sector than for the private sector and, like the good practice commendations, they are largely a summary of good security practices.

Although the ICO is correct to applaud the audited parts of the private sector for their excellent results, it is worth bearing in mind that a lot of the good practice commendations are infrequently implemented.

As an example, these are some of the commendations from the Private Sector report:

  • A comprehensive and robust indexing and scanning process to ensure all documentation is handled accurately and securely.
  • An embedded risk management framework and supporting management information that incorporates an inherent and residual risk scoring matrix approach and includes DPA risks which are assigned to owners.
  • Quantified inherent and residual information governance risk scoring to determine financial impact/loss to the business.
  • Out of hours ‘clean desk’ checks carried out for any data or items that may cause a security risk that have been left out on desks or in offices.
  • IT Quality standards e.g. ISO27001 implemented and regularly reviewed for application.
  • Disablement or removal of CD burners on equipment and full encryption of all Blackberries, PCs and laptops. Use of network firewalls and virus protection and user password complexity above the required industry standards.
  • User activity monitored and logged and URL filtering software in place to prevent access to inappropriate or malicious sites.

While these are all very good practice and certainly recommended to any organisation (with or without a Data Protection Act obligation), the unfortunate fact is that it is very rare for businesses to implement these measures.

Without knowing who the ICO audited, or even what industry sectors made up the sample, it is hard to comment on the findings. However, the report does provide an excellent opportunity for all organisations, large or small, public or private sector, to review their existing security practices and make sure that the good practices are in place.

Take the time to look through the good practice tips and see which ones apply to your business and make sure you have implemented good controls.

At a basic level, if you have implemented a good risk management framework, with aware and trained staff, the rest will fall into place.

If you don't have a good risk management framework (whether or not you think it is good…), then pretty much everything else will have problems.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years' experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks and producing mitigation plans worldwide, in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential-standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in-depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.