Submitting to a data protection audit

The Information Commissioner’s Office must ensure parity of treatment when it comes to local government data protection audits, writes Jonathan Baines.

The Information Commissioner's Office (ICO) has published a report drawing on findings of data protection audits conducted on 16 local authorities in the previous year. It says that there is “clear room for improvement for all”. This follows on from a similar report about audits of NHS bodies, earlier this year, and, before that, police, central government and “the private sector”. But how representative are these reports of data protection compliance in specific sectors?

All of the reports tend to show, as one would expect, the majority of bodies falling somewhere towards the middle of the ICO's four-category spectrum of compliance. In the case of the recent local authority report, none of the 16 received “high assurance”, nine received “reasonable assurance”, six received “limited assurance” and one received “very limited assurance”. The ICO says “Our figures show that local authorities have much to do to improve data protection governance and training”, and that is probably true: local authorities have to handle, and share, enormous amounts of sometimes highly sensitive personal data, often across diverse and diffuse services. But given that more councils received reasonable assurance (nine) than did not (seven), the ICO could equally have said “Our figures show that local authorities are doing enough in terms of data protection governance and training”.

The ICO's powers to undertake these audits derive from section 51(7) of the Data Protection Act 1998 (DPA), which allows a good practice assessment to be undertaken with the consent of the data controller. The ICO does have mandatory audit powers under section 41A, DPA, but currently these are restricted to audits of government departments (although there are proposals to extend them to NHS bodies, and ultimately local authorities). In an interview with the BBC on 15 July the Information Commissioner himself, Christopher Graham, bemoaned these restrictions, and hinted that one problem was the fact that a number of organisations refused offers of audits.

However, a recent Freedom of Information request by consultant Tim Turner revealed that, since 2010, only two organisations had actually refused an audit, but 75 had simply failed to respond to an invitation from the ICO to conduct one. It appears that Tim is pursuing this, and has asked for the identities of those 75. There is certainly a possibility that public sector bodies such as local authorities, which operate in a culture of transparency, are more likely to consent to a voluntary audit than private sector bodies accountable to owners and shareholders. If specific sectors or groups are disproportionately declining the offer of a voluntary assessment, then the picture of compliance in those sectors which do accept may well be skewed: the published findings describe only the organisations willing to be examined.

And this is not unimportant. It is a sign of a sensible data controller that it subjects itself to audits of its data protection compliance, and who better to carry them out than the statutory regulator? But if those data controllers subsequently find themselves part of a group receiving criticism from the same regulator, they could hardly be blamed for asking whether it was worth the effort.

The ICO is in a difficult position. It too operates in a culture of transparency, and it cannot reasonably (nor legally) treat audits as entirely confidential matters between itself and the data controller. Moreover, it has a statutory duty to promote the following of good practice by data controllers: publication of audit outcomes, and summaries deriving from them, can be seen as part of that duty. But, if it is not to dissuade data controllers from submitting to a voluntary audit, it needs to be open about this issue of take-up of offers.

Jonathan Baines is an Information Law Expert at Buckinghamshire Law Plus (a company owned by Buckinghamshire County Council). Jonathan blogs at Information Rights and Wrongs.