
Slide 1: An Introduction to Data Protection Auditing
Stewart Dresner, Chief Executive, Privacy Laws & Business
5th Floor, Raebarn House, 100 Northolt Road, Harrow, Middlesex, HA2 0BX
www.privacylaws.com
ISACA, London, 22nd May 2003

Slide 2: Data Protection Audit Aims (1)
The aims of Data Protection Audits address the wider aspects of data protection, including:
– Mechanisms for ensuring that information is obtained and processed fairly, lawfully and on a proper basis
– Quality Assurance: ensuring that information is accurate, complete and up-to-date, adequate, relevant and not excessive

Slide 3: Data Protection Audit Aims (2)
– Retention: appropriate weeding and deletion of information
– Documentation on authorised use of systems, e.g. codes of practice, guidelines etc.
– Compliance with individuals' rights, such as subject access
– Compliance with the data protection legislation in the context of other pieces of legislation such as the Human Rights Act, FOI Act etc.

Slide 4: Why Should We Audit?
The key reasons for carrying out audit activities are:
– To assess the level of compliance with the Data Protection Act 1998
– To assess the level of compliance with the organisation's own data protection system
– To identify potential gaps and weaknesses in the data protection system
– To provide information for data protection system review

Slide 5: Audit Objectives
When carrying out a Data Protection Audit in any area of an organisation, the Auditor has three clear objectives:
– To verify that there is a formal data protection system in place in the area:
  – the system should be documented
  – the system should be up-to-date
– To verify that all the staff in the area involved in data protection:
  – are aware of the existence of the data protection system
  – understand the data protection system
  – use the data protection system
– To verify that the data protection system in the area actually works and is effective

Slide 6: The Audit Methodology
– Methodology based on well-proven models from other sectors
– Aimed at both professional auditors and non-specialists
– Can be used by external auditors, internal auditors or Data Protection Managers
– Two-part Audit methodology consisting of:
  – Adequacy Audit
  – Compliance Audit

Slide 7: The Audit Method: Audit Categories

Slide 8: Part 2: The Audit Method: Functional Audit

Slide 9: Part 2: The Audit Method: Process Audit

Slide 10: Part 2: The Audit Method: Interactions with Staff
Interaction with staff will occur in two main ways:
– Staff questioning during Functional or Process Audits using the Audit Checklists
– Staff Awareness Interviews via:
  – One-to-one interviews
  – Focus Groups

Slide 11: The Audit Process: The Data Protection Audit Lifecycle

Slide 12: Audit Planning
The Audit Planning phase covers:
– Risk Assessment
– Audit Schedule
– Selection of Auditor
– Pre-Audit Questionnaire
– Preparatory Meeting/Visit
– Audit Management Checklist

Slide 13: Audit Preparation
The Audit Preparation phase covers:
– Adequacy Audit
– Confirmation of Audit Schedule
– Audit Checklists
– Sampling Criteria
– Audit Plan

Slide 14: The Audit Process: Conduct of the Compliance Audit
The Compliance Audit phase involves:
– Opening Meeting
– Audit Environment
– Audit Execution:
  – Functional Audit
  – Process Audit
  – Staff Awareness Interviews
  – Recording both positive and negative results

Slide 15: The Audit Process: Compliance Audit Reporting
The Audit Reporting phase covers:
– Non-compliance Records
– Non-compliance Categories
– Compliance Audit Report
– Closing Meeting
– Audit Report Distribution
– Audit with no Non-compliances

Slide 16: The Audit Process: Audit Follow-up
The Audit Follow-up phase covers:
– Scope
– Timescales
– Methodology
– Audit Closure

Slide 17: Guide to Auditing
The Guide to Auditing covers:
– The Role of an Auditor
– Auditing Tasks:
  – Obtaining evidence
  – Assessing the evidence
– Human Aspects
– Audit Techniques:
  – Basis of questions
  – Good questioning techniques
  – Questions to avoid
  – Black box auditing

Slide 18: Guide to Auditing
Practical Considerations:
– Layout of Interview Room
– Note Taking
– What to Take to the Audit
Auditor's Code of Conduct:
– Honesty
– Conflict of Interest
– Inducements
– Confidentiality
– Concealment
– Professionalism

Slide 19: Audit Materials
Part 5 includes the following:
– A. Risk Assessment
– B. Sampling Criteria
– C. Audit Proformas
– D. Meeting Proformas
– E. Adequacy Audit Checklist
– F. Compliance Audit Checklists: Organisational & Management Issues
– G. Compliance Audit Checklists: The 8 Data Protection Principles
– H. Compliance Audit Checklists: Other Data Protection Issues
– J. Process Audit Checklist

Slide 20: Audit Proformas
Eight model Audit Proformas are provided:
– C.1 Audit Schedule
– C.2 Pre-Audit Questionnaire
– C.3 Audit Management Checklist
– C.4 Adequacy Audit Report
– C.5 Audit Plan
– C.6 Non-compliance Record
– C.7 Observation Note
– C.8 Compliance Audit Report

Slide 21: Meeting Proformas
Four model meeting forms are provided:
– D.1 Preparatory Meeting Agenda
– D.2 Opening Meeting Agenda
– D.3 Closing Meeting Agenda
– D.4 Interview/Focus Group Record Sheet

Slide 22: Compliance Audit Checklists
Divided into 3 categories:
– F: Organisational & Management Issues
– G: 8 Data Protection Principles
– H: Other Data Protection Issues
What is covered? Checklist F covers the following:
– F.1 Organisational & Management Issues
– F.2 Documentation Issues
– F.3 Key Business Processes

Slide 23: Compliance Audit Checklists
What is covered? Checklist G covers the following:
– G.1 through to G.8: the 8 DP Principles
Checklist H covers:
– H.1 Using Data Processors
– H.2 Notification
– H.3 Transitional Provisions

Slide 24: Experience from using the Audit Manual
Our experience from using the Manual has shown that the DP Audit methodology can:
– Be applied to a wide range of organisations, public and private sector, large and small
– Be applied to a wide range of business processes, e.g.:
  – Recruitment/HR process
  – Marketing services
  – Staff subject access requests
  – House-bound Library services
  – Contracts with third party processors
  – Police enquiries regarding loyalty card holders
  – Call Centre handling of customer enquiries

Slide 25: Case Study: Royal Mail
– Draft audit manual tested with 5 organisations of different kinds
– Royal Mail approached to take part in 1999
– Planning: select an area of the organisation to be audited
– Address Management Centre: Postcode Address File and database of Redirection information

Slide 26: Case Study: Royal Mail
– Pre-audit questionnaire and preparatory meeting
– Preparation: review of DP policy, IS policies, Redirection application form, contracts for supply of data
– Compliance Audit: opening meeting with senior DP staff and management of AMC; check operation of DP systems; interviews with staff to establish how things are actually done

Slide 27: Case Study: Royal Mail
– Observe the process from start to finish
– Don't take anything for granted
– Report: no major non-compliance; one minor non-compliance
– Benefits for Royal Mail: a measure of compliance; increased staff awareness; generates goodwill with the ICO!

Slide 28: How can DP Auditing help you comply with Data Protection Laws?
– Facilitates compliance with the Data Protection Act and similar laws in other countries
– Helps compliance with your organisation's Data Protection System
– Increases the level of Data Protection awareness among management and staff
– Provides information for a Data Protection System review
– Reduces data errors leading to complaints

Slide 29: How can the DP Audit Manual help you?
– The Manual can be used by organisations to form the basis of an internal audit programme
– User-friendly flowcharts guide you through each stage of the process
– A complete set of Audit Checklists and proformas is provided to:
  – Serve as "Models of Best Practice"
  – Act as templates for organisations to adapt to their own requirements

Slide 30: Conclusions
– The methodology in the IC's Audit Manual can be a very effective way of assessing data protection compliance
– The methodology is suited to a wide range of organisations, large or small, public or private sector
– The methodology can be used for external, supplier or internal audits with equal success
– The methodology is easy to adapt to individual organisations' specific requirements

