An Introduction to Data Protection Auditing Stewart Dresner
- Slides: 30
An Introduction to Data Protection Auditing Stewart Dresner, Chief Executive Privacy Laws & Business 5 th Floor, Raebarn House, 100, Northolt Road, Harrow, Middlesex, HA 2 0 BX www. privacylaws. com Privacy Laws & Business ISACA, London, 22 nd May, 2003
Data Protection Audit Aims (1) The aims of Data Protection Audits address the wider aspects of data protection including: – Mechanisms for ensuring that information is obtained and processed fairly, lawfully and on a proper basis – Quality Assurance - ensuring that information is accurate, complete and up-to-date, adequate, relevant and not excessive Privacy Laws & Business 2
Data Protection Audit Aims (2) – Retention - appropriate weeding and deletion of information – Documentation on authorised use of systems, e. g. codes of practice, guidelines etc. – Compliance with individual’s rights, such as subject access – Compliance with the data protection legislation in the context of other pieces of legislation such as the Human Rights Act, FOI Act etc. Privacy Laws & Business 3
Why Should We Audit? The key reasons for carrying out audit activities are: • To assess the level of compliance with the Data Protection Act 1998 • To assess the level of compliance with the organisation’s own data protection system • To identify potential gaps and weaknesses in the data protection system • To provide information for data protection system review Privacy Laws & Business 4
Audit Objectives When carrying out a Data Protection Audit in any area of an organisation the Auditor has three clear objectives: • To verify that there is a formal data protection system in place in the area: • the system should be documented • the system should be up-to-date • To verify that all the staff in the area involved in data protection: • Are aware of the existence of the data protection system • Understand the data protection system • Use the data protection system • To verify that the data protection system in the area actually works and is effective Privacy Laws & Business 5
The Audit Methodology – Methodology based on well-proven models from other sectors – Aimed at both professional auditors and nonspecialists – Can be used by external auditors, internal auditors or Data Protection Managers – Two part Audit methodology consisting of: • Adequacy Audit • Compliance Audit Privacy Laws & Business 6
The Audit Method Audit Categories Privacy Laws & Business 7
Part 2: The Audit Method Functional Audit Privacy Laws & Business 8
Part 2: The Audit Method Process Audit Privacy Laws & Business 9
Part 2: The Audit Method Interactions with Staff Interaction with staff will occur in 2 main ways: – Staff questioning during Functional or Process Audits using the Audit Checklists – Staff Awareness Interviews via: • One-to-one interviews • Focus Groups Privacy Laws & Business 10
The Audit Process The Data Protection Audit Lifecycle Privacy Laws & Business 11
Audit Planning The Audit Planning phase covers: – Risk Assessment – Audit Schedule – Selection of Auditor – Pre-Audit Questionnaire – Preparatory Meeting/Visit – Audit Management Checklist Privacy Laws & Business 12
Audit Preparation The Audit Preparation phase covers: – Adequacy Audit – Confirmation of Audit Schedule – Audit Checklists – Sampling Criteria – Audit Plan Privacy Laws & Business 13
The Audit Process Conduct of the Compliance Audit The Compliance Audit phase involves: – Opening Meeting – Audit Environment – Audit Execution: • • Functional Audit Process Audit Staff Awareness Interviews Recording both positive and negative results Privacy Laws & Business 14
The Audit Process Compliance Audit Reporting The Audit Reporting phase covers: – Non-compliance Records – Non-compliance Categories – Compliance Audit Report – Closing Meeting – Audit Report Distribution – Audit with no Non-compliances Privacy Laws & Business 15
The Audit Process Audit Follow-up The Audit Follow-up phase covers: – Scope – Timescales – Methodology – Audit Closure Privacy Laws & Business 16
Guide to Auditing The Guide to Auditing covers: – The Role of an Auditor – Auditing Tasks • Obtaining evidence • Assessing the evidence – Human Aspects – Audit Techniques • • Basis of questions Good questioning techniques Questions to avoid Black box auditing Privacy Laws & Business 17
Guide to Auditing Practical Considerations: • • Layout of Interview Room Note Taking What to Take to the Auditor’s Code of Conduct – – – Honesty Conflict of Interest Inducements Confidentiality Concealment Professionalism Privacy Laws & Business 18
Audit Materials Part 5 includes the following: – – – A. B. C. D. E. F. – G. – H. – J. Risk Assessment Sampling Criteria Audit Proformas Meeting Proformas Adequacy Audit Checklist Compliance Audit Checklists: Organisational & Management Issues Compliance Audit Checklists: The 8 Data Protection Principles Compliance Audit Checklists: Other Data Protection Issues Process Audit Checklist Privacy Laws & Business 19
Audit Proformas Eight model Audit Proformas are provided: – – – – C. 1 C. 2 C. 3 C. 4 C. 5 C. 6 C. 7 C. 8 Audit Schedule Pre-Audit Questionnaire Audit Management Checklist Adequacy Audit Report Audit Plan Non-compliance Record Observation Note Compliance Audit Report Privacy Laws & Business 20
Meeting Proformas Four model meeting forms are provided: – D. 1 Preparatory Meeting Agenda – D. 2 Opening Meeting Agenda – D. 3 Closing Meeting Agenda – D. 4 Interview/Focus Group Record Sheet Privacy Laws & Business 21
Compliance Audit Checklists Divided into 3 categories: • F: Organisational & Management Issues • G: 8 Data Protection Principles • H: Other Data Protection Issues What is covered? Checklist F covers the following: – F. 1 Organisational & Management Issues – F. 2 Documentation Issues – F. 3 Key Business Processes Privacy Laws & Business 22
Compliance Audit Checklists What is covered? • Checklist G covers the following: – G. 1 through to G. 8 - the 8 DP Principles • Checklist H covers: – H. 1 Using Data Processors – H. 2 Notification – H. 3 Transitional Provisions Privacy Laws & Business 23
Experience from using the Audit Manual Our experience from using the Manual has shown that the DP Audit methodology can: – Be applied to a wide range of organisations, public and private sector, large and small – Be applied to a wide range of business processes e. g. • Recruitment/HR process • Marketing services • Staff subject access requests • House-bound Library services • Contracts with third party processors • Police Enquiries re loyalty card holder • Call Centre handling of customer enquiries Privacy Laws & Business 24
Case Study – Royal Mail • Draft audit manual tested with 5 organisations of different kinds • Royal Mail approached to take part in 1999 • Planning – select an area of the organisation to be audited • Address Management Centre – Postcode Address File and database of Redirection information Privacy Laws & Business 25
Case Study – Royal Mail • Pre-audit questionnaire and preparatory meeting • Preparation – review of DP policy, IS policies, Redirection application form, contracts for supply of data • Compliance Audit – opening meeting with senior DP staff and management of AMC; check operation of DP systems; interviews with staff to establish how things are actually done Privacy Laws & Business 26
Case Study – Royal Mail • Observe process from start to finish • Don’t take anything for granted • Report – no major non-compliance; one minor non-compliance • Benefits for Royal Mail – measure of compliance; increase staff awareness; generates goodwill with the ICO! Privacy Laws & Business 27
How can DP Auditing help you comply with Data Protection Laws? • Facilitates compliance with the Data Protection Act and similar laws in other countries • Helps compliance with your organisation’s Data Protection System • Increases the level of Data Protection awareness among management and staff • Provides information for a Data Protection System review • Reduces data errors leading to complaints Privacy Laws & Business 28
How can the DP Audit Manual help you? • Manual can be used by organisations to form the basis of an internal audit programme • User-friendly flowcharts guide you through each stage of the process • Complete set of Audit Checklists and proformas provided to: – Serve as “Models of Best Practice” – Act as templates for organisations to adapt to their own requirements Privacy Laws & Business 29
Conclusions • The methodology in the IC’s Audit Manual can be a very effective way of assessing data protection compliance • The methodology is suited to a wide range of organisations, large or small, public or private sector • The methodology can be used for external, supplier or internal audits with equal success • The methodology is easy to adapt to individual organisation’s specific requirements Privacy Laws & Business 30