1 Audits: Ireland
Eunice Delaney, Assistant Commissioner, Office of the Data Protection Commissioner, Ireland
TAIEX Seminar, Skopje, 13-14th February 2014
2 EU & Irish DP Legislation
EU: Data Protection Directive 95/46/EC (being updated) – Ireland: Data Protection Acts 1988 & 2003
EU: Electronic Privacy Directive 2002/58/EC (as amended) – Ireland: EC Electronic Privacy Regulations 2011 (SI 336/2011)
EU: EUROPOL etc.; Police & Justice Decision 2008/977/JHA – Ireland: corresponding Acts (to be transposed)
3 Data Protection Acts 1998 & 2003 - Section 10(1A)
"The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof."
4 Data Protection Acts 1998 & 2003 - Section 24
All authorised officers have specific powers and associated rights of access, including:
– Arriving unannounced at the premises of a particular data controller or data processor.
– Inspecting, copying or taking extracts of data.
5 The Audit
Co-operative
Face-to-face discussion
Audit an aid to both parties
Opportunity for target organisation to raise Data Protection issues
6 ‘Amicable Resolution’
Strong enforcement powers if necessary to achieve compliance.
Irish approach: “speak softly but carry a big stick”
Achieve “best practice” rather than mere compliance.
“Best practice” cannot be enforced.
7 Notices
Information Notice: provide the DPA with whatever information the Commissioner needs to carry out his functions, such as to pursue an investigation.
Enforcement Notice: correct the data, block the data from use for certain purposes, amend the data or erase the data altogether.
8 Audit Process
An organisation selected for audit is usually given several weeks' notice of the audit.
It may be asked to provide in advance any relevant documentation on its data protection practices.
The audit normally includes one or more on-site visits by an audit team from the Office.
During these visits, the Audit Team will meet with selected staff of the organisation.
They will also usually inspect electronic and manual records.
9 The Audit
Draft report issued
Follow-up questions - clarification
In-house discussion
Final report issued
10 Post-Audit
Audit follow-up.
Irish DPA does not issue administrative fines.
Other sanctions: public statements/warnings
Publication of the principal findings in the annual report of the Commissioner.
The potential harm to an organisation’s reputation is viewed as a sufficient deterrent in many cases.
11 Audit Statistics
2005: 3
2006: 8
2007: 25
2008: 28
2009: 30
2010: 33
2011: 28
2012: 40
2013: 44
12 Range of organisations audited
Department of Social Protection
Customs Information System (CIS)
Local Authorities
Schools
Sporting Bodies
Credit Unions
Banks
Health Sector
Charities
Supermarkets
LinkedIn
Facebook
13 Key recommendations in Credit Union Audit Reports
Data Controller/Processor Contracts (section 2C)
Data Retention Policy
Network Security
CCTV
Recording of Calls
Audit Trails
14 Key recommendations in Sports Clubs Audit Reports
Direct marketing and arrangements with third parties (section 2C)
Security of Data
Medical Data
Police Vetting
Image Rights
15 Health Sector Audits: 2007-1010
Large Public Hospital
Large Voluntary Hospital
5 GP/General Clinics
Health Insurer
Nursing Home Repayment Scheme
2 Pharmacies
Out-of-hours Medical Facility
16 Large Voluntary Hospital Audit
“good organisational awareness of data protection principles”
“good technical security measures were in place”
Main concern: physical security – access to Chart Room
Positive response to specific recommendations
17 Large Public Hospital Audit (1)
“Data protection, from a governance perspective, is falling well short of what would be expected in an organisation collecting and processing vast amounts of sensitive personal data”
“Critically, it is unclear where responsibility lies for the practical application of data protection policies and procedures on a day to day basis … In order to correct the many data protection concerns which have been highlighted in the report, this issue of responsibility must first be addressed.”
“Having regard to the primary goal of the audit “to establish whether care was delivered in a manner that gave due respect to the legitimate privacy expectations of patients”, the issues raised in this audit are of such a scale that this Office is not in a position at present to indicate that this is the case.”
18 Large Public Hospital Audit (2)
“In terms of security alone, the inspection Team encountered numerous breaches of the Data Protection Acts during the course of the audit, including:
– Files left in public / unsecure areas
– Inoperative security mechanisms on file storage areas
– Patient data stored in corridors
– Medical data sent by unsecure email
– USB ports not locked down
– Lack of system access controls
– Lack of physical access controls to sensitive areas”
19 Follow-up: Hospitals/General
Input to HIQA work on Standards for Health Information Governance – http://www.hiqa.ie/standards/health-information-standards
– What you should know about Information Governance & Self-Assessment Tool (October 11)
Input to Health Information Bill
20 GP Clinics
“good awareness of data protection principles generally”.
“one area requiring attention is the location and storage of the physical patient files”
IT Security
Extent of access to medical records by non-medical personnel
Data Retention
21 Key recommendations in Medical Surgeries Audit Reports
Patient Information Leaflet
Research
Access Controls
Security
22 Post-Audit
Irish DPA informed the Irish College of General Practitioners (ICGP) of the outcome of the audits
The ICGP developed data protection guidelines for GPs in consultation with the Irish DPA
http://www.icgp.ie/go/in_the_practice/information_technology/data_protection
24 Key recommendations in Charities Audit Reports
Direct marketing: consent
Fair Obtaining: Online Donations
Privacy Policy / Privacy Statements
Sensitive Data
25 Sectoral guidance
Data Protection in the Charity & Voluntary Sector
http://dataprotection.ie/docs/Data_Protection_in_the_Charity_amp;_Voluntary_Sector/1128.htm
26 Audit Resource
To assist organisations selected for audit by the Irish DPA
http://www.dataprotection.ie/documents/enforcement/AuditResource.pdf
27 Appendices
Sample Illustrative Audit Questions
Self-Help Checklist on Data Protection Policy
Common Audit Recommendations
“Need to Know” Access Control Policies
Internal Access Security Checklist
28 Data Breaches
Data Security Breach Code of Practice: non-mandatory, but it is recommended that all breaches be reported to the DPA
http://www.dataprotection.ie/docs/07/07/10_-_Data_Security_Breach_Code_of_Practice/1082.htm
Breach Notification Guidance - ePrivacy Regulations 2011 (SI 336 of 2011)
http://www.dataprotection.ie/docs/Breach_Notification_Guidance/901.htm
29 Confidentiality
Reports not published, though the organisation concerned is free to do so.
The Commissioner reserves the right, however, to comment on any aspect of a particular named audit in the annual report and has absolute privilege in this respect.
30 Audit Reports
Department of Social Protection
Office of the Revenue Commissioners
Facebook
Carlow Institute of Technology
Copies of reports at http://www.dataprotection.ie/docs/Audit-Reports/1293.htm
31 Thank You
Office of the Data Protection Commissioner
Canal House, Station Road, Portarlington, Co Laois
Phone: LoCall 1890 252231 / 057 8684800
Fax: 057 8684757
Email: info@dataprotection.ie
Website: www.dataprotection.ie