Should the ICO allow auto-renewal of registration without declaration?


The Information Commissioner’s Office (ICO) website is a great resource, but we wonder whether the ICO could reinforce the responsibilities of data controllers more effectively at the point where registration is renewed each year.

It is surprising that the process consists of nothing more than an email informing you that your annual renewal has come round, that the registration will be renewed automatically and that payment will be taken.

“Data protection registration - confirmation of renewal

We have renewed your register entry and the new expiry date is …… A copy of the renewed entry is attached.”

It then asks you to check your contact and registration details carefully and finally invites you to have a look at the website for more information about your responsibilities under the Data Protection Act.

There is no declaration that you meet the requirements listed on the ICO website, only an optional invitation to catch up on the new guidance the ICO has been adding there.

Auto-renewal does not give registration the gravitas it should have. When you renew membership of a professional body, you would at least have to sign each year that you have met your CPD requirements. Here there is no requirement to declare that you comply with the Data Protection Act.

‘How To Comply’ Checklist

However, if you follow the link on the website for registered organisations, there is a ‘how to comply’ checklist, with tick boxes, that you can use to confirm you have met the requirements. We wonder how many organisations go back to the website to check whether they have complied, or even know the checklist exists.

On the same page for registered organisations there is a link to the ICO’s IT Security Top Tips, which cover:

Computer security

  • firewall and virus checking
  • automatic updates
  • downloading the latest patches and security updates
  • staff access, and not letting staff share passwords
  • encrypting personal information
  • regular back-ups
  • disposing of old computers securely
  • anti-spyware tools

Email security

  • encrypting personal information in transit, etc.

Staff training and security

  • social engineering
  • strong passwords
  • not opening spam emails

Self Assessment Toolkit

Finally, there is a Data Protection Self Assessment Toolkit to help you assess whether your organisation meets the requirements of the Data Protection Act, with Information Security as one of its five checklists. This checklist covers risk management, information security policy and responsibilities, incident management, awareness, physical access, secure disposal, home and mobile working, secure configuration, removable media, user access controls, passwords, malware protection, back-up and restoration, monitoring, patch management and, finally, boundary firewalls. As you can see, it is very comprehensive.

Cyber Essentials Certification/ISO 27001:2013

Of that comprehensive list, only five controls are required for Cyber Essentials certification: secure configuration, user access controls, malware protection, patch management and boundary firewalls. Cyber Essentials is nonetheless a great way to get started, and to show that you take the security of your sensitive data seriously.

ISO 27001:2013 goes further in meeting these requirements and would be embedded within your organisation’s policies and processes, from top management down. The process would help you identify your sensitive data and the risks to that data within your organisation, ensuring that you are constantly reviewing your security and that you comply with these requirements.

ICO Renewal

When your renewal email comes through, take some time to check that you meet the Data Protection Act requirements and that you know what is required of you. Consider implementing one of the IT security standards, such as Cyber Essentials, Cyber Essentials Plus or ISO 27001:2013, to get you on track and help keep you there.

There really are some great tools on the ICO’s website; it is surprising that completing their checklists is not part of the renewal process each year.

Securious is a cyber security compliance company based in Devon serving businesses and organisations across the South West and beyond. We offer rapid Cyber Essentials certification, ISO 27001 compliance and PCI DSS compliance, as well as PEN testing (penetration testing) and cyber security consultancy.