Currently, the ICO only has compulsory audit powers over central government, with consent required for an audit to be carried out in other sectors. However, Graham argues that these sectors are sources of particular concern. The NHS accounted for 40% of data breaches since April this year, while two thirds of data breach fines were issued to local government authorities.
"Something is clearly wrong when the regulator has to ask permission from the organisations causing us concern before we can audit their data protection practices," Graham said. "With more data being collected about all of us than ever before, greater audit powers are urgently needed to ensure that the people handling our data are doing a proper job."
Earlier this year, Graham revealed that businesses are turning down free data protection audits. "Audits are not about naming and shaming," Graham said at the time. "The fact that a company has undergone a consensual audit should count as a badge of honour, showing that the business takes data security seriously."