ICO blog: Audit improvements proving successful

When I blogged in January, I talked about how we had made some big changes to how we deliver our data protection audit programme. The changes were brought in to encourage more organisations to take up the free service we offer.

Listening to feedback from those we’ve audited is crucial to make sure we continue to deliver a good service to the organisations we work with. With that in mind, we recently commissioned qualitative research to establish whether we are providing the best service we can to our customers. Researchers spoke to 18 organisations that had experienced an audit or an advisory visit (our short one-day visits for smaller organisations) in the past few months.

The results were overwhelmingly positive. We were pleased to see that the ease of working with ICO staff was highlighted, as was the impression of the audits being a consultation rather than an inspection. That is exactly what we’re looking to achieve: the audits are very much part of our education programme, and our aim is to work with the organisations to improve compliance with the law.

The research identified some areas we could improve on, notably around making our final reports a little clearer, with more succinct executive summaries. That’s something we’re working to improve now, along with other minor tweaks suggested by the research.

Ultimately, the research showed the organisations who had undergone an audit or advisory visit saw it to be of significant benefit in learning how closely they’re meeting their data responsibilities. That’s as good an endorsement of our new approach as we could hope for.

Part of our programme of work includes delivering audits where this has been agreed as part of the terms of an undertaking, like the audit of Google Inc. in July 2011. This audit was agreed as part of the terms of an undertaking that Google signed in November 2010 after the company reported that its Street View cars had collected Wi-Fi payload data alongside the location mapping information. This month we have completed a follow-up of this audit to see the progress made in implementing the recommendations we made last year.

The investigation into whether the Street View data gathering breached data protection laws is ongoing, but the audit process is now completed.

The follow-up audit found that Google Inc. had made progress to put in place the steps to enhance privacy that the ICO had requested in the initial audit of July 2011. The final audit report on Google Inc. concludes:

“Based on the implementation of the agreed recommendations made in the original audit report, the arrangements continue to provide a reasonable assurance that Google have implemented the privacy process changes outlined in the Undertaking.”

Over the next few months we will be starting to plan next year’s work. This involves writing to organisations to make them aware of our audit service and asking them if they would like to take part in the programme. Hopefully the feedback we have received will help encourage even more organisations to get involved and show them the benefits of the work we do.

Get involved

Our good practice team is now offering a range of services to suit the different types and sizes of organisations we work with.

If you’d like to get in touch, please email us at audit@ico.org.uk or advisory@ico.org.uk.

Louise Byers has responsibility for the delivery of a programme of audits and advisory work aimed at educating and assisting organisations to meet their data protection obligations. She is also responsible for conducting audits using the Assessment Notice powers.