Information commissioner: Compulsory data protection audits needed

[Image: memory stick. Caption: There have been cases of sensitive information being lost by public bodies]

Compulsory data protection audits of councils and the NHS are needed to help eliminate "really stupid basic errors", the Information Commissioner has said.

Christopher Graham told MPs taxpayers were losing out when public bodies were fined for mistakes in handling sensitive information.

He said "consensual" voluntary audits in some areas had proved a success.

But he said the Department for Communities and Local Government was "surprisingly opposed" to the proposal.

The watchdog currently only has the power to launch compulsory audits across central government. For all other organisations it has to secure consent before an audit can take place.

Giving evidence to the Commons Justice Select Committee, Mr Graham said that a process of regular audit was a "darn sight more helpful" than public bodies continuing to be fined for mistakes and the money effectively being returned to the Treasury.

Nineteen local councils have been fined a total of £1.8m for breaches of the Data Protection Act, the most recent sanctions coming in December.

Compulsory audits, he suggested, would not eliminate all problems but could cut down on incidences of sensitive information "being sent to the wrong fax machine or dropped in the street or left on an unencrypted memory stick".

While the Department of Health had been supportive of the principle of audits in parts of the health service, he said, the Department for Local Government "remained to be convinced" and he hoped to persuade ministers of their value.

"Until local government gets the message, local council taxpayers will continue to be hit by civil monetary penalties for really basic stupid errors".

'Blacklisting'

The Information Commissioner also defended the watchdog's investigation into alleged union blacklisting in the construction industry, saying it had taken "all reasonable steps" to examine complaints over the issue.

He said the watchdog did not have the powers, when the allegations first emerged in 2009, to impose fines and other penalties but had issued warning notices of future action against 14 companies. He also said a raid by the watchdog had led to the closure of a database of 3,000 names used to vet workers in the construction sector for more than 15 years.

Mr Graham said it was not the Commissioner's job to conduct a public inquiry into the issue - which some MPs have called for. But he noted that the law had since changed to explicitly outlaw blacklisting and the watchdog would have "no hesitation" to pursue companies in future.

"We cannot re-write history. We did what we could at the time."

He also addressed criticisms about how his office worked, telling MPs his view was that "it ain't broke so don't fix it".

Giving evidence to the Leveson inquiry into press standards in 2011, former deputy commissioner Francis Aldhouse suggested the watchdog had effectively been a "one-man band" in the past, with the commissioner deciding which matters to pursue.

Mr Graham said it was untrue to suggest that he had too much personal power and that decisions were not taken on a collective basis, saying the Leveson report had not examined the watchdog's extensive management structure or how its responsibilities for both data protection and Freedom of Information had grown.

"That is a wrong description of how things were and how things are," he said, adding that the watchdog now had more than 380 full-time staff.