Privacy Audit and Privacy Seal – Barbara Körffer & Dr. Thomas Probst, Independent Centre for Privacy Protection Schleswig-Holstein

ICPP
– ICPP = Independent Centre for Privacy Protection Schleswig-Holstein
– Service provider for the citizens of Schleswig-Holstein, instituted by the Land Government
– Independent supervisory authority (as defined under the EU Data Protection Directive)

Overview
1. Auditing privacy compliance
2. Privacy Audit for public authorities
   – Legal basis
   – Steps of the audit process
   – Privacy protection management
3. Privacy Seal
   – Legal basis
   – Process
   – Products, experts, examinations
4. Relation to other auditing schemes

Auditing Privacy Compliance
– Management audit vs. product audit
– Privacy Audit: management audit
– Privacy Seal: product audit

Legal Basis of the Privacy Audit

What is the privacy audit?
– The privacy protection system of a public authority is checked and audited in a formal procedure by the ICPP
– If the process is successful, the authority is awarded an audit label
– The label certifies that the privacy protection system corresponds to the requirements of data protection law

Subject of the audit
– Available for public authorities in Schleswig-Holstein
– Audits for private companies are regulated by federal law; a federal law for data protection audits by the German Federal Government is under discussion

Object of the audit
– A single data-processing process, or
– A specific section of a public authority, or
– The entire processing of personal data within a public authority

Steps of the audit process
– Three steps carried out by the public authority:
  – Stocktaking
  – Defining privacy protection targets
  – Setting up a privacy protection management system
– The three steps are summarised by the public authority in a privacy policy
– Assessment of the audit process by the ICPP
– If successful: the audit label is awarded, valid for three years

Stocktaking
– Examination of the current status of data processing
– Comparison with the target state (legal and technical requirements for data processing)
– Weak-point analysis

Privacy Protection Management System
The entire concept, including duties, competences, responsibilities and processes, needed to sustainably fulfil the privacy protection targets

Privacy Protection Management System – elements
– Precise duties to fulfil the legal or higher requirements of privacy protection
– General duties, e.g.:
  – Continuous stocktaking and updating of the privacy targets
  – Watching the development of legal or technical requirements
  – Training of employees

Assessment by ICPP
– Assessment of the privacy policy
– If necessary: inspection on the spot
– Results are described and evaluated by the ICPP in a report

Awarding the label
– The audit label is awarded for three years
– The ICPP publishes a register of the awarded labels
– The ICPP publishes a report of the audit process

Legal Basis of the Privacy Seal

What is the privacy seal?
– IT products usable by a public authority can be checked and audited in a formal procedure by external experts and the ICPP
– If the process is successful, the product is awarded an audit label
– The label certifies that the product can be used in a way compliant with data protection regulations

Subject of the seal
– Available "only" for IT products which can be used by public authorities in Schleswig-Holstein
– Audits for other products and for federal public authorities are regulated by federal law; the German Federal Government plans a federal law for data protection audits

Process of the Privacy Seal
– An independent expert examines the IT product
– The IT product is legally and technically privacy-compliant
– The ICPP grants the Privacy Seal for two years
– Result: a certified IT product
– Privacy protection as a competitive advantage with private customers
– Public authorities: certified products are deployed preferentially

Products – which products?
– Hardware
– Software
– Procedures (e.g. commissioned data processing such as document destruction)

Experts – which experts?
– Both legal and technical experts
– Experts with 3 years of professional experience either in data protection legislation (legal expert) or in privacy-related IT security (technical expert)
– Experts accredited by the ICPP
– Currently 14 experts and organisations

Examination – which examinations?
Privacy law requires:
– Lawful collection of data (permitted by law or by informed consent)
– Lawful processing (storage, disclosure, limitation of use to specific purposes, ...)
– Data avoidance and data economy
– Ensuring data subjects' rights (information, transparency, blocking, erasure)
– Technical and organisational measures to ensure security and safety

Examination – technical and organisational measures to ensure security and safety
– User authorisation
– Encryption on mobile devices
– Creation of backups
– Logging if data are recorded only automatically: who changed which data?
– Supervision of proper usage by the data-processing body (=> knowledge of the IT and its configuration)
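The examination criteria on the two slides above (lawful collection, purpose-limited processing, data economy, the data subject's rights of blocking and erasure, and logging of who changed which data) can be shown in code. The following Python example is added here and is not part of the presentation or of any ICPP tool; its purposes, field names, record ids and actors are constructed for illustration. It models the criteria as a minimal in-memory personal-data store with an audit trail, so an evaluator can see what "refuses processing outside the stated purpose" and "records who changed which field" look like concretely.

```python
# Added example (not from the ICPP presentation): a minimal personal-data
# store modelling examination criteria from the slides. Purposes, field
# names, record ids and actor names are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any

# Constructed mapping: which fields each processing purpose may use.
# Data economy: a record keeps only fields that some stated purpose needs.
PURPOSE_FIELDS = {
    "benefit_payment": {"name", "iban"},
    "case_management": {"name", "case_notes"},
}


@dataclass
class LogEntry:
    """Audit-trail entry answering the slide's question: who changed which data?"""
    when: str
    actor: str
    record_id: str
    field_name: str
    old: Any
    new: Any


@dataclass
class Record:
    record_id: str
    purposes: frozenset
    data: dict
    blocked: bool = False


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: dict[str, Record] = {}
        self.log: list[LogEntry] = []

    def _log(self, actor: str, record_id: str, field_name: str, old: Any, new: Any) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.log.append(LogEntry(stamp, actor, record_id, field_name, old, new))

    def _usable(self, record_id: str) -> Record:
        # Blocking: the data stays stored but every further use is refused.
        rec = self._records[record_id]
        if rec.blocked:
            raise PermissionError(f"{record_id} is blocked")
        return rec

    def collect(self, actor: str, record_id: str, data: dict, purposes: list, legal_basis: str) -> list:
        # Lawful collection: a legal permission or informed consent is required.
        if not legal_basis:
            raise PermissionError("no legal basis or consent for collection")
        unknown = set(purposes) - PURPOSE_FIELDS.keys()
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        # Data economy: drop every field that no stated purpose needs.
        allowed = set().union(*(PURPOSE_FIELDS[p] for p in purposes))
        minimal = {k: v for k, v in data.items() if k in allowed}
        self._records[record_id] = Record(record_id, frozenset(purposes), minimal)
        for k, v in minimal.items():
            self._log(actor, record_id, k, None, v)
        return sorted(minimal)  # the fields actually kept

    def read(self, actor: str, record_id: str, purpose: str) -> dict:
        # Purpose limitation: reading for a purpose the record was not
        # collected for is refused, and the refusal is itself logged.
        rec = self._usable(record_id)
        if purpose not in rec.purposes:
            self._log(actor, record_id, "<read refused>", purpose, None)
            raise PermissionError(f"purpose {purpose!r} not covered")
        return dict(rec.data)

    def update(self, actor: str, record_id: str, field_name: str, value: Any) -> None:
        rec = self._usable(record_id)
        if field_name not in rec.data:
            raise KeyError(field_name)
        old = rec.data[field_name]
        rec.data[field_name] = value
        self._log(actor, record_id, field_name, old, value)

    def block(self, actor: str, record_id: str) -> None:
        self._records[record_id].blocked = True
        self._log(actor, record_id, "<blocked>", False, True)

    def erase(self, actor: str, record_id: str) -> None:
        # Erasure: the data is removed; the log records which fields were
        # erased by whom, but deliberately not the erased values.
        rec = self._records.pop(record_id)
        for k in rec.data:
            self._log(actor, record_id, k, "<value removed>", None)

    def changes(self, record_id: str) -> list:
        """Who touched which field of this record, in order."""
        return [(e.actor, e.field_name) for e in self.log if e.record_id == record_id]
```

Two design points an evaluator would look for are visible here: the audit trail is written by the store itself, not left to the calling application, so a change cannot bypass it; and the erasure entries prove that the data was removed without re-recording the personal data in the log, which would otherwise defeat the erasure.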

Double-check
– Two experts (legal and technical) examine the product and report their findings
– The experts' reports are checked by the ICPP's experts with respect to examination methods and plausibility

Privacy Seals
– Welfare & employment administration
– Firewall
– Data and file destruction
– SAP testing tools
– Distributed storage of radiographs
– Remote file server (encrypted data)
– PDA system for hospitals

Audit schemes
Classification axes: system vs. product; technical vs. non-technical
Schemes placed in this matrix: ISO 9000, ISO, ISO, CobiT, FIPS 140, ITSEC/CC, IT Baseline Protection (BSI), Task Force

Privacy audit schemes
Classification axes: system vs. product; technical vs. non-technical
– Privacy Seal (product audit)
– Privacy Audit (management audit)