Dear Information Commissioner’s Office,

At the Information Commissioner's Data Protection Practitioner's Conference in Manchester today, the Deputy Information Commissioner David Smith was reported by several delegates as having stated that the public sector is worse at complying with Data Protection than the private sector.

I appreciate that Mr Smith was answering a question and not necessarily referring to any specific evidence. However, I doubt that the Deputy Commissioner would make such a claim without being able to point to something concrete to back it up.

Therefore, I would like to request the following information:

Any surveys, analyses, research or studies carried out by, commissioned by or obtained by the Information Commissioner's Office about private sector compliance with Data Protection as compared with public sector compliance.

Any surveys, analyses, research or studies carried out by, commissioned by or obtained by the Information Commissioner's Office about whether private sector organisations routinely report incidents involving personal data to the ICO.

Any other information that might represent evidence that private sector compliance with Data Protection is in any way superior to the public sector's compliance.

Yours faithfully,

Tim Turner

Information Commissioner’s Office

PROTECT

 

6 March 2014

 

Case Reference Number IRQ0533241

 

Dear Mr Turner

Request for Information
 
Thank you for your correspondence dated 3 March 2014. You have requested:
 
“Any surveys, analyses, research or studies carried out by, commissioned
by or obtained by the Information Commissioner's Office about private
sector compliance with Data Protection as compared with public sector
compliance.

Any surveys, analyses, research or studies carried out by, commissioned by
or obtained by the Information Commissioner's Office about whether private
sector organisations routinely report incidents involving personal data to
the ICO.

Any other information that might represent evidence that private sector
compliance with Data Protection is in any way superior to the public sector's
compliance.”
 
Your request is being dealt with in accordance with the Freedom of
Information Act 2000. We will respond promptly, and no later than 1 April
which is 20 working days from the day after we received your request.
 
Should you wish to reply to this email, please be careful not to amend the
information in the ‘subject’ field. This will ensure that the information
is added directly to your case.
 
Yours sincerely
 
Steven Dickinson
Lead Information Governance Officer
 
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF.
T. 01625 545676 F. 01625 524510 [1]www.ico.org.uk
 
 
 


Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF
Tel: 0303 123 1113 Fax: 01625 524 510 Web: www.ico.org.uk

References

Visible links
1. http://www.ico.org.uk/

Information Commissioner’s Office

PROTECT

 

31 March 2014

 

Case Reference Number IRQ0533241

Dear Mr Turner
 
I am writing further to our 6 March acknowledgement of your correspondence
dated 3 March 2014. You have requested:
 
“[1] Any surveys, analyses, research or studies carried out by,
commissioned by or obtained by the Information Commissioner's Office about
private sector compliance with Data Protection as compared with public
sector compliance.

[2] Any surveys, analyses, research or studies carried out by,
commissioned by or obtained by the Information Commissioner's Office about
whether private sector organisations routinely report incidents involving
personal data to the ICO.

[3] Any other information that might represent evidence that private
sector compliance with Data Protection is in any way superior to the public
sector's compliance.”
 
I have numbered the parts of your request for convenience.
 
As you know we are dealing with your request under the Freedom of
Information Act 2000 (FOIA). We are now in a position to provide our
response.
 
We do not hold information described in parts 1, 2 and 3 of your request.
 
In particular, after careful consideration of part 3 of your request, we
have concluded that while we hold information about the DPA compliance of
specific individual public sector and private sector bodies, we do not
hold any analysis or other information which compares the findings in that
information and which ‘might represent evidence that private sector
compliance with Data Protection is in any way superior to the public sector's
compliance’.
 
I can, by way of advice and assistance, direct you to information which
might provide some insight into the performance of private and public
sector bodies with respect to DPA compliance, which is published on the
ICO website. For the avoidance of doubt, because this does not contain
analysis to support the conclusions described at part 3 of your request,
we do not consider this information to be within the scope of your
request. The information can be accessed by following the links below:
 
Summaries of both private and public sector audits:
[1]http://ico.org.uk/what_we_cover/audits_a...
Summaries of both private and public sector advisory visits:
[2]http://ico.org.uk/what_we_cover/audits_a...
Our audit outcome reports which cover public and private sectors:
[3]http://ico.org.uk/for_organisations/data...
See also:
[4]http://ico.org.uk/enforcement/trends
 
Noting your remarks about the context in which the request was submitted:
 
“At the Information Commissioner's Data Protection Practitioner's
Conference in Manchester today, the Deputy Information Commissioner David
Smith was reported by several delegates as having stated that the public
sector is worse at complying with Data Protection than the private sector.

I appreciate that Mr Smith was answering a question and not necessarily
referring to any specific evidence. However, I doubt that the Deputy
Commissioner would make such a claim without being able to point to
something concrete to back it up.”
 
By way of further advice and assistance, I have consulted Mr Smith who is
happy for me to clarify that the actual context of the remarks at the DPP
conference was that they were specifically about compliance with the
seventh principle and not about DP compliance in general. The question and
answer session at which Mr Smith made the remarks was recorded and is
available online at:
 
[5]http://www.youtube.com/embed/QmdISLDa5NQ...
 
Mr Smith confirms that his remarks were made on the basis of his
(considerable) personal experience as Deputy Commissioner for Data
Protection, and were informed by his broad knowledge and experience of the
CMPs, undertakings, analysis of reported data breaches etc. which are
routinely published on the ICO website. You will find the following link a
good starting point for this material:
 
[6]http://ico.org.uk/enforcement
 
This concludes our response to your request.
 
If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Governance
Department at the address below or e-mail
[7][ICO request email]
 
Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation.  To make such an application, please write
to the First Contact Team, at the address below or visit the ‘Complaints’
section of our website to make a Freedom of Information Act or
Environmental Information Regulations complaint online.
 
A copy of our review procedure is available [8]here.
 
Yours sincerely
 
Steven Dickinson
Lead Information Governance Officer
 
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF.
T. 01625 545676 F. 01625 524510 [9]www.ico.org.uk
 
 
 


References

Visible links
1. http://ico.org.uk/what_we_cover/audits_a...
2. http://ico.org.uk/what_we_cover/audits_a...
3. http://ico.org.uk/for_organisations/data...
4. http://ico.org.uk/enforcement/trends
5. http://www.youtube.com/embed/QmdISLDa5NQ...
6. http://ico.org.uk/enforcement
7. mailto:[ICO request email]
8. http://www.ico.gov.uk/about_us/~/media/d...
9. http://www.ico.org.uk/
