Cryptzone welcomes new ICO audit plans for the public sector, but cautions on the lack of skill sets required to implement this form of governance
Cryptzone has welcomed news that the Information Commissioner’s Office (ICO) has requested the right to conduct compulsory data audits of NHS and local government authorities, saying that the move comes after a litany of data breaches involving the NHS and councils.
According to Grant Taylor, UK VP of the IT threat mitigation specialist, research revealed at the Infosecurity Europe show back in April of this year discovered that, out of more than 2,500 reported data breaches in the 12 months prior to the show, just four had resulted in penalties (http://bit.ly/pfGRbd) and that the ICO had only wielded its power in less than one per cent of reported data breaches.
“And a year earlier, we had David Smith, the deputy Information Commissioner giving the keynote speech at the April 2010 Infosecurity show (http://bit.ly/pNIdIx), noting that the NHS had been responsible for one third of data breaches in the previous two and a half years,” he said.
“And here we are, more than 18 months after Smith’s speech, and we’re still seeing data breaches happening in the public sector, with three councils having just been hit by significant fines in recent weeks. This is not practical,” he added.
Taylor went on to say that the irony of the fines levied against the councils in recent weeks is that the taxpayer will end up having to pay the bill, regardless of how the councils raise the money from their diverse budgets.
So whilst fining a public body may seem a method of making the managers concerned sit up and take notice, the penalty methodology is not viable as a means of stopping breaches in the longer term.
With a revamp of the NHS hierarchy looming, and local councils cutting budgets with very sharp knives, there is little hope that the data breaches in the UK public sector will ease up any time soon.
In theory, at least, the internal audit function – often called the governance department in the NHS and local council arena – could liaise with the Government Audit Office (GAO) to develop an effective data security enforcement strategy, but the reality is that there is a lack of security checks carried out in the public sector, he explained.
Against this backdrop, Taylor says that allowing the ICO to carry out audit checks on public sector bodies makes sound business sense, but for this to happen - unless the ICO turns to an external agency - there may be a shortage of skilled manpower capable of performing the required audit checks.
“Fortunately for the ICO, however, there is an excellent audit and governance function in most NHS trusts and a similar viable resource within most councils, meaning that both of these resources - with suitable training - can support an internal IT governance function. But without specific funding, providing that degree of support is going to take a lot of doing,” he said.
“There is a danger that, without the funding to support these new powers, we could end up with another variation of a toothless tiger, with the ICO having the legislative facilities to investigate, but lacking the required manpower on the ground,” he added.