Privacy Audit and Privacy Seal
Barbara Körffer & Dr. Thomas Probst
Independent Centre for Privacy Protection Schleswig-Holstein


Slide 3: ICPP
- ICPP = Independent Centre for Privacy Protection Schleswig-Holstein
- Service provider for the citizens of Schleswig-Holstein, instituted by the Land Government
- Independent supervisory authority (as defined under the EU Data Protection Directive)

Slide 4: Overview
1. Auditing privacy compliance
2. Privacy Public Authority Audit
   - Legal basis
   - Steps of the audit process
   - Privacy protection management
3. Privacy Seal
   - Legal basis
   - Process
   - Products, experts, examinations
4. Relation to other auditing schemes

Slide 5: Auditing Privacy Compliance
- Management audit vs. product audit
- Privacy Audit: management audit
- Privacy Seal: product audit

Slide 6: Legal Basis of the Privacy Audit

Slide 7: What is the privacy audit?
- The privacy protection system of a public authority is checked and audited in a formal procedure by the ICPP
- If the process is successful, the authority is awarded an audit label
- The label certifies that the privacy protection system corresponds to the requirements of data protection law

Slide 8: Subject of the audit
- Available for public authorities in Schleswig-Holstein
- Audits for private companies are regulated by federal law. A federal law for data protection audits by the German Federal Government is in discussion.

Slide 9: Object of the audit
- A single process of data processing, or
- A specific section of a public authority, or
- The entire processing of personal data within a public authority

Slide 10: Steps of the audit process
- 3 steps carried out by the public authority:
  – Stocktaking
  – Defining privacy protection targets
  – Setting up a privacy protection management system
- The 3 steps are summarised by the public authority in a privacy policy
- Assessment of the audit process by the ICPP
- If successful: audit label is awarded, valid for 3 years

Slide 11: Stocktaking
- Examination of the current status of data processing
- Comparison with the target state (legal and technical requirements for data processing)
- Weak-point analysis

Slide 12: Privacy Protection Management System
Entire concept including duties, competences, responsibilities and processes, in order to sustainably fulfil the privacy protection targets.

Slide 13: Privacy Protection Management System
Elements:
- Precise duties to fulfil the legal or higher requirements of privacy protection
- General duties, e.g.
  – Continuous stocktaking and updating of the privacy targets
  – Watching the development of legal or technical requirements
  – Training of employees

Slide 14: Assessment by ICPP
- Assessment of the privacy policy
- If necessary: inspection on the spot
- Results are described and evaluated by ICPP in a report

Slide 15: Awarding the label
- The audit label is awarded for three years
- ICPP publishes a register of the awarded labels
- ICPP publishes the report of the audit process

Slide 16: Legal Basis of the Privacy Seal

Slide 17: What is the privacy seal?
- IT products usable by a public authority can be checked and audited in a formal procedure by external experts and the ICPP
- If the process is successful, the product is awarded an audit label
- The label certifies that the product can be used in a way compliant with data protection regulations

Slide 18: Subject of the seal
- Available "only" for IT products which can be used by public authorities in Schleswig-Holstein
- Audits for other products and for federal public authorities are regulated by federal law. There are plans for a federal law for data protection audits by the German Federal Government.

Slides 19-25: Process of the Privacy Seal (diagram built up step by step)
- IT product
- Independent expert examines the IT product ...
- IT product is legally and technically privacy-compliant
- ICPP grants the Privacy Seal for 2 years
- Certified IT product
- Privacy protection as competition advantage:
  – Private customers
  – Public authorities: certified products are deployed preferably

Slide 26: Products
Which products?
- Hardware
- Software
- Procedures (e.g., commissioned data processing such as document destruction)

Slide 27: Experts
Which experts?
- Both legal and technical experts
- Experts with 3 years' professional experience either in data protection legislation (legal expert) or in privacy-related IT security (technical expert)
- Experts accredited by the ICPP
- Currently 14 experts and organisations

Slide 28: Examination
Which examinations? Privacy law requires:
- Lawful collection of data (permitted by law or by informed consent)
- Lawful processing (storage, disclosure, limitation of use to special purposes, ...)
- Data avoidance and data economy
- Ensuring data subjects' rights (information, transparency, blocking, erasure)
- Technical and organisational measures to ensure security and safety

Slide 29: Examination
Technical and organisational measures to ensure security and safety:
- User authorisation
- Encryption in mobile devices
- Creation of backups
- Logging if data are recorded only automatically: who changed which data?
- Supervision of proper usage by the data-processing body (=> knowledge of the IT and its configuration)

Slide 30: Double-check
- Two experts (legal and technical) examine the product and report their findings
- The experts' reports are checked by ICPP's experts with respect to examination methods and plausibility

Slide 31: Privacy Seals 2002-2004
- Welfare & employment administration
- Firewall
- Data and file destruction
- SAP testing tools
- Distributed storage of radiographs
- Remote file server (encrypted data)
- PDA system for hospitals

Slide 32: Audit schemes
Existing schemes placed on a matrix of System vs. Product and technical vs. non-technical: ISO 9000, ISO 13335, ISO 17700, CobiT, FIPS 140, ITSEC/CC, IT Baseline Protection (BSI), Task Force.

Slide 33: Privacy Audit Schemes
The two ICPP schemes placed on the same System vs. Product and technical vs. non-technical matrix: Privacy Seal (product audit) and Privacy Audit (management, i.e. system, audit).

