An Introduction to Data Protection Auditing - PowerPoint PPT Presentation

About This Presentation
Title: An Introduction to Data Protection Auditing

Description: Mechanisms for ensuring that information is obtained and processed fairly, ... Concealment. Professionalism. Privacy Laws & Business. 19. Audit Materials ... – PowerPoint PPT presentation

Slides: 31
Provided by: nicolamc
Transcript and Presenter's Notes

1
An Introduction to Data Protection Auditing
  • Stewart Dresner, Chief Executive
  • Privacy Laws & Business
  • 5th Floor, Raebarn House, 100, Northolt Road,
  • Harrow, Middlesex, HA2 0BX
  • www.privacylaws.com
  • ISACA, London, 22nd May, 2003

2
Data Protection Audit Aims (1)
  The aims of Data Protection Audits address the
  wider aspects of data protection, including:
  • Mechanisms for ensuring that information is
    obtained and processed fairly, lawfully and on a
    proper basis
  • Quality Assurance - ensuring that information is
    accurate, complete and up-to-date, adequate,
    relevant and not excessive

3
Data Protection Audit Aims (2)
  • Retention - appropriate weeding and deletion of
    information
  • Documentation on authorised use of systems, e.g.
    codes of practice, guidelines etc.
  • Compliance with individuals' rights, such as
    subject access
  • Compliance with the data protection legislation
    in the context of other pieces of legislation
    such as the Human Rights Act, FOI Act etc.

4
Why Should We Audit?
  The key reasons for carrying out audit activities
  are:
  • To assess the level of compliance with the Data
    Protection Act 1998
  • To assess the level of compliance with the
    organisation's own data protection system
  • To identify potential gaps and weaknesses in the
    data protection system
  • To provide information for data protection system
    review

5
Audit Objectives
  When carrying out a Data Protection Audit in any
  area of an organisation the Auditor has three
  clear objectives:
  • To verify that there is a formal data protection
    system in place in the area
    • the system should be documented
    • the system should be up-to-date
  • To verify that all the staff in the area involved
    in data protection
    • Are aware of the existence of the data protection
      system
    • Understand the data protection system
    • Use the data protection system
  • To verify that the data protection system in the
    area actually works and is effective

6
The Audit Methodology
  • Methodology based on well-proven models from
    other sectors
  • Aimed at both professional auditors and
    non-specialists
  • Can be used by external auditors, internal
    auditors or Data Protection Managers
  • Two-part Audit methodology consisting of:
    • Adequacy Audit
    • Compliance Audit

7
The Audit Method: Audit Categories
8
Part 2 The Audit Method: Functional Audit
9
Part 2 The Audit Method: Process Audit
10
Part 2 The Audit Method: Interactions with Staff
  Interaction with staff will occur in 2 main ways:
  • Staff questioning during Functional or Process
    Audits using the Audit Checklists
  • Staff Awareness Interviews via
    • One-to-one interviews
    • Focus Groups

11
The Audit Process: The Data Protection Audit Lifecycle
12
Audit Planning
  The Audit Planning phase covers:
  • Risk Assessment
  • Audit Schedule
  • Selection of Auditor
  • Pre-Audit Questionnaire
  • Preparatory Meeting/Visit
  • Audit Management Checklist

13
Audit Preparation
  The Audit Preparation phase covers:
  • Adequacy Audit
  • Confirmation of Audit Schedule
  • Audit Checklists
  • Sampling Criteria
  • Audit Plan

14
The Audit Process: Conduct of the Compliance Audit
  The Compliance Audit phase involves:
  • Opening Meeting
  • Audit Environment
  • Audit Execution
    • Functional Audit
    • Process Audit
    • Staff Awareness Interviews
  • Recording both positive and negative results

15
The Audit Process: Compliance Audit Reporting
  The Audit Reporting phase covers:
  • Non-compliance Records
  • Non-compliance Categories
  • Compliance Audit Report
  • Closing Meeting
  • Audit Report Distribution
  • Audit with no Non-compliances

16
The Audit Process: Audit Follow-up
  The Audit Follow-up phase covers:
  • Scope
  • Timescales
  • Methodology
  • Audit Closure

17
Guide to Auditing
  The Guide to Auditing covers:
  • The Role of an Auditor
  • Auditing Tasks
    • Obtaining evidence
    • Assessing the evidence
  • Human Aspects
  • Audit Techniques
    • Basis of questions
    • Good questioning techniques
    • Questions to avoid
    • Black box auditing

18
Guide to Auditing
  • Practical Considerations
    • Layout of Interview Room
    • Note Taking
    • What to Take to the Audit
  • Auditor's Code of Conduct
    • Honesty
    • Conflict of Interest
    • Inducements
    • Confidentiality
    • Concealment
    • Professionalism

19
Audit Materials
  Part 5 includes the following:
  • A. Risk Assessment
  • B. Sampling Criteria
  • C. Audit Proformas
  • D. Meeting Proformas
  • E. Adequacy Audit Checklist
  • F. Compliance Audit Checklists: Organisational
    Management Issues
  • G. Compliance Audit Checklists: The 8 Data
    Protection Principles
  • H. Compliance Audit Checklists: Other Data
    Protection Issues
  • J. Process Audit Checklist

20
Audit Proformas
  Eight model Audit Proformas are provided:
  • C.1 Audit Schedule
  • C.2 Pre-Audit Questionnaire
  • C.3 Audit Management Checklist
  • C.4 Adequacy Audit Report
  • C.5 Audit Plan
  • C.6 Non-compliance Record
  • C.7 Observation Note
  • C.8 Compliance Audit Report

21
Meeting Proformas
  Four model meeting forms are provided:
  • D.1 Preparatory Meeting Agenda
  • D.2 Opening Meeting Agenda
  • D.3 Closing Meeting Agenda
  • D.4 Interview/Focus Group Record Sheet

22
Compliance Audit Checklists
  Divided into 3 categories:
  • F: Organisational Management Issues
  • G: 8 Data Protection Principles
  • H: Other Data Protection Issues
  What is covered?
  Checklist F covers the following:
  • F.1 Organisational Management Issues
  • F.2 Documentation Issues
  • F.3 Key Business Processes

23
Compliance Audit Checklists
  What is covered?
  Checklist G covers the following:
  • G.1 through to G.8 - the 8 DP Principles
  Checklist H covers:
  • H.1 Using Data Processors
  • H.2 Notification
  • H.3 Transitional Provisions

24
Experience from using the Audit Manual
  Our experience from using the Manual has shown
  that the DP Audit methodology can:
  • Be applied to a wide range of organisations,
    public and private sector, large and small
  • Be applied to a wide range of business processes,
    e.g.
    • Recruitment/HR process
    • Marketing services
    • Staff subject access requests
    • House-bound Library services
    • Contracts with third party processors
    • Police Enquiries re loyalty card holder
    • Call Centre handling of customer enquiries

25
Case Study: Royal Mail
  • Draft audit manual tested with 5 organisations of
    different kinds
  • Royal Mail approached to take part in 1999
  • Planning: select an area of the organisation to
    be audited
  • Address Management Centre: Postcode Address File
    and database of Redirection information

26
Case Study: Royal Mail
  • Pre-audit questionnaire and preparatory meeting
  • Preparation: review of DP policy, IS policies,
    Redirection application form, contracts for
    supply of data
  • Compliance Audit: opening meeting with senior DP
    staff and management of AMC; check operation of
    DP systems; interviews with staff to establish
    how things are actually done

27
Case Study: Royal Mail
  • Observe process from start to finish
  • Don't take anything for granted
  • Report: no major non-compliance, one minor
    non-compliance
  • Benefits for Royal Mail: measure of compliance,
    increase in staff awareness, generates goodwill
    with the ICO!

28
How can DP Auditing help you comply with Data
Protection Laws?
  • Facilitates compliance with the Data Protection
    Act and similar laws in other countries
  • Helps compliance with your organisation's Data
    Protection System
  • Increases the level of Data Protection awareness
    among management and staff
  • Provides information for a Data Protection System
    review
  • Reduces data errors leading to complaints

29
How can the DP Audit Manual help you?
  • Manual can be used by organisations to form the
    basis of an internal audit programme
  • User-friendly flowcharts guide you through each
    stage of the process
  • Complete set of Audit Checklists and proformas
    provided to:
    • Serve as Models of Best Practice
    • Act as templates for organisations to adapt to
      their own requirements

30
Conclusions
  • The methodology in the IC's Audit Manual can be a
    very effective way of assessing data protection
    compliance
  • The methodology is suited to a wide range of
    organisations, large or small, public or private
    sector
  • The methodology can be used for external,
    supplier or internal audits with equal success
  • The methodology is easy to adapt to individual
    organisations' specific requirements