A new report from the Information Commissioner has highlighted how councils and NHS Trusts across the UK could be forced to have compulsory audits for data security.
‘The Functions, powers and resources of the Information Commissioner’ report released by the Justice Select Committee raised concerns that a “significant number” of public sector bodies were found to have refused free audits.
The Commissioner has the statutory power to inspect central Government departments, but also offers free audits to rate standards of data protection for both public and private sector organisations.
The figures showed only 47% of local government organisations contacted had agreed to an audit from the Information Commissioner.
Such audits, which assess how private data is being handled and identify potential security issues, have seen “reluctant” take-ups by both NHS Trusts and local councils.
The Justice Select Committee described the refusals of public sector organisations, which hold highly sensitive data, as “shocking” and “even more so in cases where there are serious concerns” over the security of such data.
“We recommend that as a general rule public sector organisations should accept the offer of a free audit from the Information Commissioner, and we consider that it is,” it said.
The Information Commissioner cannot compel organisations outside central Government to accept an audit of how they handle personal data.
The Justice Select Committee has called for audits to be compulsory and extended to NHS Trusts and local councils across the UK. Any bodies who continue to decline free and consensual audits could be fined as a result.
“The case for extending compulsory audit to NHS Trusts and local councils is clear; while bodies continue to decline free and consensual audits, the only feasible recourse for the Information Commissioner is a civil monetary penalty which ultimately is at the expense of the taxpayer and council tax payer,” read the report.
“We recommend that the Secretary of State bring forward an order under section 41A of the Data Protection Act to meet the recommendation of the Information Commissioner that his power to serve Assessment Notices be extended to NHS Trusts and local councils.”