I am going to make a simple prediction: within 19 months Local Authorities will be subject to compulsory data protection audit.
Why do I think that? Well I think it is obvious if one reads the MoJ’s consultation document that argues that the ICO should have the power to audit NHS data controllers on demand.
For instance, if you consider a “complaint” to the ICO as a possible data protection compliance issue, then the following table shows that Local Government is the main offender with respect to data protection failure. It is well ahead of the NHS bodies that are likely to be subject to compulsory audit (when the consultation process is complete).
Secondly, with respect to data loss, the table below shows that Local Government is second in the list of “reportable data losers”. So, who is next in line if the ICO gets wider powers?
As an aside, note that 78% of all reportable data losses relate to either error in disclosure procedure, lost data or hardware and stolen data or hardware. So, procedures and counter-measures in this area should reduce three quarters of the data loss risk.
Finally, Local Government is blessed with a Secretary of State, Mr Pickles, who likes a good headline or two. Mandatory data protection audits for Local Government would reinforce his “Protecting the tax-payer from careless town-hall bureaucrats” image.
The only real question, I think, is which type of organisation comes after Local Government for a compulsory audit? Why not the Banks that we all own!
The consultation document widening the powers of audit to NHS bodies is at: https://consult.justice.gov.uk/digital-communications/ico-assessment-notices
This document is to be discussed at our Data Protection Update session (April 18th; London) – details on http://www.amberhawk.com/uploads/Brochures/Amber_Update%2015%20April%202013.pdf