Font Size

Businesses must open their doors to audits says ICO


The Information Commissioner’s Office

Legal Articles
Submit Articles   Back to Articles

Businesses must open their doors to audits, says ICO - Companies reported most security breaches in 2010/11

Issued 6 July 2011

Businesses should be more willing to undergo data protection audits, the Information Commissioner, Christopher Graham, said today. The warning comes as figures published in the ICO’s annual report show that private companies reported the most data security breaches of any sector in 2010/11.

A data security breach is an incident that results in the loss, release or corruption of personal data. In the absence of a legal obligation on data controllers to report them, the Information Commissioner operates a voluntary scheme under which serious breaches are brought to his office’s attention.

Figures from the annual report show that of the 603 data security breaches reported to the ICO in 2010/11, 186 – almost a third – occurred in the private sector. Despite this, just 19% of businesses contacted by the ICO accepted the offer to undergo free data protection audits. In contrast, 71% of public sector organisations who were contacted voluntarily agreed to be audited.

Information Commissioner, Christopher Graham, said:

“Lenders, general businesses and direct marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year. Despite this, many of them are still resisting our offer to undergo audits. We’ve written to organisations we consider to be high risk but the response has been disappointing.

“These audits are not about naming and shaming those who are getting it wrong. The fact that a company has undergone a consensual audit should count as a badge of honour, showing that the business takes data security seriously. After all, sound data protection practices are irrevocably linked to providing good customer service.”

The ICO’s good practice audits are designed to help organisations and businesses to meet their data protection obligations through sharing good practice and making helpful and practical recommendations. During 2010/11, the ICO wrote to over 100 public and private sector organisations to offer its services. Of those approached, 30% have agreed to undergo an audit.

The ICO is committed to making it easy for organisations to comply with their data protection obligations and offers a free audit service. ICO staff can advise on how to keep things simple, reducing unnecessary bureaucracy.

In 2010/11, the Information Commissioner’s Office completed 26 audits, a 60% increase on 2009/10. Following the audits, the ICO found that 92% of its recommendations were being acted upon.

In the last financial year, the ICO also launched a monitoring exercise to help support the public authorities that were taking too long to respond to freedom of information requests. Of the 33 authorities monitored, well over half have already significantly improved their performance, and seven have committed to putting action plans in place.

Today’s annual report also highlights the significant improvement the ICO has made in the time it takes to handle freedom of information complaints. There are now no cases over 12 months old, compared with three at the end of 2010/11, 117 at year end 2009/10 and 418 two years ago. Process improvements and changes to the ICO’s organisational structure made during the year enabled the ICO to complete more decision notices than ever before without sacrificing quality and no increase in the rate of appeals.

A full copy of the 2010/11 annual report, including financial statements and a webcast with the Information Commissioner, will be available on the ICO’s website at 2.30pm.


1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• Fairly and lawfully processed

• Processed for limited purposes

• Adequate, relevant and not excessive

• Accurate and up to date

• Not kept for longer than is necessary

• Processed in line with your rights

• Secure

• Not transferred to other countries without adequate protection

About the Author

The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We do this by promoting good practice, ruling on complaints, providing information to individuals and organisations and taking appropriate action when the law is broken.

The ICO enforces and oversees the following legislation:

  •  Data Protection Act 1998
  •  Freedom of Information Act 2000
  •  Privacy and Electronic Communications Regulations 2003
  •  Environmental Information Regulations 2004

Follow us @Scopulus_News

Article Published/Sorted/Amended on Scopulus 2011-07-08 10:46:58 in Legal Articles

All Articles

Copyright © 2004-2021 Scopulus Limited. All rights reserved.