The Good Practice Guide – what we look for during an Audit of a Credit Union Billy Hawkes Data Protection Commissioner Credit Unions.

Why Audit?
– Part of overall supervision strategy
  – Accountability of Organisations
– “Selective to be Effective”
– Assist organisation audited
– Draw lessons for Sector
– Improve Sectoral Guidance

Audit Statistics

Range of organisations audited
– Department of Social Protection
– Customs Information System (CIS)
– Local Authorities
– Schools
– Sporting Bodies
– Credit Unions
– Banks
– Health Sector
– Charities
– Supermarkets
– LinkedIn
– Facebook

Key recommendations in Credit Union Audit Reports
– Data Controller/Processor Contracts (section 2C)
– Data Retention Policy
– Network Security
– CCTV
– Recording of Calls
– Audit Trails

Audit Resource
– To assist organisations selected for audit by the Irish DPA
– Resource.pdf

Appendices
– Sample Illustrative Audit Questions
– Self-Help Checklist on Data Protection Policy
– Common Audit Recommendations
– “Need to Know” Access Control Policies
– Internal Access Security Checklist

Data Breaches
– Data Security Breach Code of Practice: non-mandatory, but it is recommended that all breaches are reported to the DPA
– _Data_Security_Breach_Code_of_Practice/1082.htm
– Breach Notification Guidance: ePrivacy Regulations 2011 (SI 336 of 2011)

Selection Criteria
– Sectoral / Geographical approach
– Complaints
– Media reports - public interest
– Developing Data Protection Codes of Practice

Selecting Organisation for Audit
– Informal contact with Organisation
– Letter of intention to audit
– Date and time for audit
– Duration of audit

Pre-audit Planning and Scope
– Request for documentation
– Examine received documentation
– Check Data Protection registration details

Pre-audit Planning and Scope
– Check for any ongoing or previous complaints
– In house discussion to determine potential issues
– Assign appropriate personnel for audit (2)
– Engage external expertise?

Pre-audit Planning and Scope
– Develop audit manual for inspection team (audit resource document appendix 8)
– Questions based on the eight Data Protection principles
– Possible pre-audit ‘overview’ meeting

Data Protection Acts 1988 & 2003, Section 10(1A)
"The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof".

Data Protection Acts 1988 & 2003, Section 24
All authorised officers have specific powers and associated rights of access, including:
– Arriving unannounced at the premises of a particular data controller or data processor
– Inspecting, copying or taking extracts of data

The Audit
– Co-operative
– Face to face discussion
– Audit an aid to both parties
– Opportunity for target organisation to raise Data Protection issues

‘Amicable Resolution’
– Strong enforcement powers if necessary to achieve compliance.
– Irish approach: “speak softly but carry a big stick”
– Achieve “best practice” rather than mere compliance.
– “Best practice” cannot be enforced.

The Audit – High Level
– Meet with Managers with relevant responsibility / expertise of the areas under inspection
– Introduction and step through of areas to be covered in the audit
– Examine high level data protection policies

The Audit – Local Level
– Meet with local managers & frontline staff with responsibility/expertise of the areas under inspection
– Discuss data protection policies locally
– Meet staff with day to day experience of local procedures

The Audit Question?
Does High Level Policy = Local Level Procedure?

Audit Process
An organisation selected for audit is usually given a number of weeks' notice of the audit. It may be asked to provide in advance any relevant documentation on its data protection practices. The audit normally includes one or more on-site visits by an audit team from the Office. During these visits, the Audit Team will meet with selected staff of the organisation. They will also usually inspect electronic and manual records.

The Audit
– Draft report issued
– Follow up questions - clarification
– In house discussion
– Final report issued

The Audit - Recommendations
– Data Retention Policy
– Data Collection Methods
– Staff Training and Awareness
– Use of PPSN
– Transfers of personal data to/from third parties

The Audit - Recommendations
– Policies relating to the disclosure of personal data
– Security of data including access controls
– Appropriate data controller to data processor contracts
– Disclosure and breach policies
– CCTV

The Audit – Follow up
– Audit noted in Commissioner’s Annual Report
– Further contact with organisation re: implementation of Report recommendations
– Follow-up audit if necessary

How to prepare for an audit
– Read our Audit resource (=894&m=f)
– Self assess against the questions posed in the Audit resource before we arrive!
– Be open and transparent with us.
– Ensure all staff are aware of the powers to inspect personal data available to the audit Team

Key Areas of Recommendations in Credit Union Audit Reports
– Use of PPSN
– Data Controller/Processor Contracts (section 2C)
– Data Retention Policy
– Network Security
– CCTV
– Recording of Calls
– Audit Trails

Guidance – Key Points (1)
The Board of Management is the entity legally responsible for how the credit union as a data controller processes all personal information
– Not the Manager or staff

Guidance – Key Points (2)
The Board of Management in each credit union should ensure a Data Protection Policy is drawn up outlining how all personal data is processed within the credit union.

Guidance – Key Points (3)
PPSNs:
– Provision of PPSN not mandatory to set up membership account
– Detailed guidance re PPSNs issued to ILCU/CUDA August 2010

Guidance – Key Points (4)
Copies of photo ID may be sought for anti-money laundering purposes (Criminal Justice Act, 1994), but the practice where members have their photograph taken and scanned onto CU systems should not be mandatory. All members should be given an opportunity to refuse consent.

Guidance – Key Points (5)
Contracts should be drawn up and signed between credit unions and all third parties processing personal data on behalf of the credit union, e.g. debt collection services. Any processing of information by debt collectors, when undertaken on behalf of a credit union, must be undertaken in full compliance with the Data Protection Acts.

Guidance – Key Points (6)
If a credit union is using a debt collector, under the Data Protection Acts 1988 & 2003 the debt collector must be registered with the Office of the Data Protection Commissioner as a data processor. If a credit union uses an unregistered debt collector, the credit union is disclosing the information to a debt collector who is already breaching the law.

Published Audit Reports
– Department of Social Protection
– Office of the Revenue Commissioners
– Facebook
– Carlow Institute of Technology
– Reports/1293.htm

Thank You
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall
Fax:
Website:
