Friday, 11 July 2008

UK: the Data Sharing Review and corporate governance

The Data Sharing Review Report was published today. It contains many recommendations but the first two are of particular importance within the field of corporate governance:

Recommendation 1: As a matter of good practice, all organisations handling or sharing significant amounts of personal information should clarify in their corporate governance arrangements where ownership and accountability lie for the handling of personal information. This should normally be at senior executive level, giving a designated individual explicit responsibility for ensuring that the organisation handles personal information in a way that meets all legal and good-practice requirements. Audit committees should monitor the arrangements and their operation in practice.

Recommendation 2: As a matter of best practice, companies should review at least annually their systems of internal controls over using and sharing personal information; and they should report to shareholders that they have done so. The Combined Code on Corporate Governance requires all listed companies to review ‘all material controls, including financial, operational and compliance controls and risk management systems’ ... It would be surprising and worrying not to see information risks addressed explicitly in the Statements of Internal Control for such companies. We hope that bodies such as the Confederation of British Industry will develop guidance to help companies ensure their controls and disclosures are adequate. If approaches on these lines are not successful in improving high-level accountability for giving assurance on information risks, we would expect the Financial Reporting Council to intervene.


For background information click here.

No comments: