The Information Commissioner’s Office should have greater powers to audit local government and health organisations, MPs have said.
The committee has called for the authority to be given more powers of investigation – Photo credit: Flickr, theilr
The House of Commons Culture, Media and Sport Committee’s report into cyber security and the protection of personal data online says that the ICO’s powers of non-consensual audits should be extended.
“The ICO should have additional powers of non-consensual audit, notably for health, local government and potentially other sectors,” the report stated.
The committee’s inquiry was launched following a cyber-attack on TalkTalk that saw the release of customer data, but the inquiry also aimed to assess cyber-security more generally.
The committee noted that many data breaches occur outside of the private sector, citing ICO research that shows the health sector has the most data breaches, followed by local government.
It adds that a number of breaches are not the cause of external actors, but come from staff, contractors or suppliers – either intentionally or accidentally.
A further recommendation is that organisations should proactively demonstrate what they are doing to tackle cybersecurity threats.
Those holding large amounts of personal data – including those holding information on taxpayers and patients – should report annually to the ICO on staff cyber-awareness training, auditing of security processes, incident management plans, guidance for suppliers, and the number of attacks they know about.
In addition, the committee said that, although the ICO did not complain about a lack of capacity when it gave evidence, “it seems evident that 30 enforcement staff are not enough to handle 1,000 cases and almost 12,000 public concerns a year”.
As such, the committee recommended that the information commissioner make an assessment of resources and priorities “as soon as possible”.
The ICO should also be given more power to hike up fines and offer incentives for early reporting of a breach, the report said.