Parliamentary committee’s cyber security report says information commissioner should not require consent for local authority and healthcare investigations
A group of MPs has said the Information Commissioner’s Office (ICO) should have powers to carry out “non-consensual” audits of public authorities that it fears could be vulnerable to data breaches.
The Commons Culture, Media and Sport Committee has made the recommendation in its Cyber Security: Protection of Online Data Report, amid a series of others coming in response to last year’s cyber attack on telecoms and internet provider TalkTalk.
The company had to take down its website in October, and acknowledged there was a chance that customer names, addresses, dates of birth, credit card and bank details had been compromised.
While the committee’s investigation was prompted by an attack on a commercial company, the report makes clear that many of the lessons learned apply to all large organisations, including those in the public sector.
Its most specific recommendation for the sector is that the ICO should be able to carry out an audit, especially for healthcare and local government bodies, without their consent if necessary.
Big Brother call
This follows a call made last year by privacy group Big Brother Watch for the ICO to use its assessment notice powers for compulsory audits in dealing with local authorities, in the way it does for central government.
Among the other recommendations in the report are that:
- Government should urgently look at the vulnerability of large pools of data collected under the Investigatory Powers Bill.
- The ICO should introduce a series of escalating fines for cyber breaches, based on an organisation’s lack of attention to threats and vulnerabilities.
- Custodial sentences of up to two years should be included in the possible sanctions for unlawfully obtaining and selling personal data.
- Organisations holding large amounts of personal data should report annually to the ICO on issues such as staff cyber-awareness and training, audits of their security processes, incident management plans and the number of attacks and breaches of which they are aware.
Jesse Norman MP, chair of the committee, said: "Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment.
“Failure to prepare for or learn from cyber attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”
The report attracted support from BCS – The Chartered Institute for IT. Its policy and community director David Evans said: “This report includes some very welcome suggestions to support organisations in keeping people’s data safe, and increases the penalties for those that don’t.
“It also underscores that the organisation-centric way we manage data is increasingly under pressure. The measures proposed – while sound – will incrementally help rather than eliminate the underlying dysfunction.”