Should the ICO allow auto-renewal of registration without declaration?
The Information Commissioner’s Office (ICO) website is a great resource, but we wonder if the ICO could reinforce the responsibilities of data controllers more effectively when registration is renewed every year.
It is surprising that this process is simply an email informing you that your annual renewal has come round, and that this will automatically be renewed and payment taken.
“Data protection registration-confirmation of renewal
We have renewed your register entry and the new expiry date is …… A copy of the renewed entry is attached.”
It then asks you to check your contact and registration details carefully and finally invites you to have a look at the website for more information about your responsibilities under the Data Protection Act.
There is no declaration that you meet the requirements listed on their website, only an optional opportunity to update yourself with all the new information they have been adding to it.
This auto-renew does not give the whole registration the gravitas it should have. When you renew with a professional body, each year you would at least have to sign that you have met CPD requirements etc. But there is no requirement to declare that you comply with the Data Protection Act.
‘How To Comply’ Checklist
However, if you go to the link on the website for those that are registered, there is a ‘how to comply checklist’, with tick boxes, for you to use to check that you have met the requirements. I wonder how many organisations go back to the website to see whether they have complied, or even know it exists.
There is, on the page for organisations that are members, a link to IT security Top Tips which includes help on:
- firewall and virus-checking
- automatic updates
- downloading the latest patches or security updates
- staff access and not letting staff share passwords
- encrypting any personal information
- regular back-ups
- disposing of old computers
- anti-spyware tools
- encrypting personal information etc.
Staff training and security:
- social engineering
- strong passwords
- not opening spam emails
Self Assessment Toolkit
Finally, there is a Data Protection Self Assessment Toolkit to help you assess whether your organisation meets the requirements of the Data Protection Act, with Information Security as one of five checklists. This checklist goes through risk management, infosec policy and responsibilities, incident management, awareness, physical access, secure disposal, home and mobile working, secure configuration, removable media, user access controls, passwords, malware protection, back-up and restoration, monitoring, patch management and finally boundary firewalls, and is, as you can see, very comprehensive.
Cyber Essentials Certification/ISO 27001:2013
This is a comprehensive list, and only 5 of these controls are required for Cyber Essentials Certification: secure configuration, user access controls, malware protection, patch management and boundary firewalls. Even so, Cyber Essentials is a great way to get started and to show that you take the security of your sensitive data seriously.
ISO 27001:2013 goes further to meet these requirements and would be embedded within your organisation’s policies and processes, from top management down. The process would help you identify your sensitive data and the risks to that data within your organisation, ensuring that you were constantly reviewing your security and that you comply with these requirements.
When your renewal email comes through, take some time to check that you meet the Data Protection Act requirements, and know what is required of you. Consider implementing one of the IT security standards such as Cyber Essentials, Cyber Essentials Plus or ISO 27001:2013 to get you on track and help to keep you there.
There really are some great tools on the ICO’s website; it is surprising that completion of their checklists is not part of the renewal process each year.