Data Protection Audit

AUDIT ISSUES

The initial issue to be resolved is the purpose or purposes for which each audited department processes personal data. Every question that follows is asked per department, and the answers are consolidated later under "Audit reporting".

In relation to which individuals is personal data held?

For example customers, employees, suppliers and so on.

What type of information is collected?

What kind of data is collected: for example, are there names, addresses, telephone numbers, details of occupation? It is particularly important to establish whether any "sensitive" data is collected, as more stringent compliance burdens are placed on controllers who process data relating to matters such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health matters or sexual orientation.

How is the data collected?

Ascertain whether the information is collected directly or indirectly from the data subject, and by which medium the data is collected (in hard copy form, by telephone, via the internet, and so on). In addition, where data is collected directly from a data subject, find out whether consent to the intended processing was obtained at the point of collection. Finally, if data has been collected from a third party, investigate whether that party gave a warranty or other appropriate form of assurance as to data protection compliance.

How relevant is the data?

Ascertain whether the data exceeds what is necessary for the purposes for which it was collected (for example, if the data was collected for the purposes of sales fulfilment, it is not relevant to know the hobbies of the individual concerned). Also ask whether it is necessary to collect personalised data at all, or whether the purposes could be achieved just as easily by collecting "anonymised" data (for example, an organisation conducting market research may not need to know the names of individuals).

How long is data retained?

Ask for how long data is held and whether it is strictly necessary to hold the data for this period. Further, ask whether the organisation's databases are regularly cleansed and, if so, how frequently. Finally, ascertain the location in which data is stored, as this may raise issues relating to the international transfer of data.

What steps are taken to ensure that data is kept accurate?

Find out whether there are procedures in place to ensure that data is kept accurate for the period of retention (for example, prompting online customers to update their details every six months).

Are there procedures in place to ensure compliance with data subjects' rights?

Ask whether there are procedures in place to allow data subjects to:

Gain access to the data held about them.

Prevent the use of their personal data for the purposes of direct marketing.

Request deletion of irrelevant and inaccurate data held in relation to them.

What security measures are in place?

Consider what technical and organisational measures are in place to ensure that personal data is protected against unauthorised access, damage or erasure. Technical measures would include encryption, strong passwords and access controls, and so on. Organisational measures would include contingency plans, and procedures to ensure the reliability of employees who handle the data.

To which third parties is personal data disclosed?

Ascertain the types of third parties to whom data may be disclosed, and the purposes of such disclosure. Further, consider whether the relevant data subjects have consented to the disclosure. Finally, establish whether the third-party recipients have given warranties or other appropriate forms of assurance as to data protection compliance.

Is personal data disclosed to data processors?

A data processor is a party who does not determine the manner and purposes for which data is processed, but rather processes the data under the control and instruction of a data controller. An example of a data processor is a producer of payslips - the data disclosed may only be used to produce the payslips, and the data processor is not allowed to retain or use it for any other purpose.

Determine the identity of the data processors used by the organisation. In addition, check that there are written contracts with those data processors which specify that the data processor:

Will act only on the instruction of the data controller.

Has in place appropriate security measures to protect the data from unauthorised access, damage or deletion.

Is data transferred outside the EEA?

Identify any transfers of personal data outside the EEA (including storage on servers located outside the EEA, as noted under retention above), and ascertain whether the data subjects' consent to those transfers has been obtained.

Audit reporting

Following completion of the various departmental audits, all the resulting information should be consolidated into an easily understandable audit report. This can take the form of a table or a more detailed written report. The aim of the audit report is to help the organisation to identify potential issues as well as to revise or update the information at a later stage.

Assessment and evaluation

The audit report should draw together the main findings of the audit and identify any non-compliant procedures. Ensure that the report is factual and fair and reflects that it is ultimately just a snapshot of the situation taken at a particular time and place. Ensure that the summary is as evaluative as possible and not merely descriptive. State in what way the situation has changed since the last audit: that is, is it improving, getting worse or staying the same?

Corrective action

Once the audit information has been consolidated, problem areas for each of the departments will become apparent. Draft department-specific compliance profiles which outline practical ways of correcting non-compliant procedures, and distribute these to the relevant departments for implementation. Compliance profiles should identify:

The agreed corrective action to be taken in each case.

The person responsible for ensuring that corrective action is taken.

The date when the corrective action must be completed.
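As an added example (not part of the original page), the script below turns the departmental checklist answers above into a consolidated findings report and the compliance-profile rows described under "Corrective action". The two department records, the field names, the 12-month threshold used for "regularly cleansed", the 90-day completion deadline and the country list treated as the EEA are all assumptions constructed for illustration; the questions themselves are the page's.

```python
"""Consolidate departmental data-protection audit answers into findings.

Added example, not code from the original page. Sample records, field
names, the 12-month cleansing threshold, the 90-day deadline and the EEA
country set are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Categories the page lists as "sensitive" data.
SENSITIVE = {"racial or ethnic origin", "political opinions", "religious beliefs",
             "trade union membership", "health", "sexual orientation"}
# Subject-rights procedures the page says must exist.
RIGHTS = {"access", "marketing opt-out", "deletion"}
# Assumption: countries counted as inside the EEA for the transfer question.
EEA = {"GB", "IE", "FR", "DE", "NL", "ES", "IT", "SE", "NO", "IS", "LI"}
MAX_CLEANSE_MONTHS = 12  # assumed policy value for "regularly cleansed"


@dataclass
class Processor:
    name: str
    written_contract: bool
    instruction_only: bool    # contract: acts only on controller's instruction
    security_measures: bool   # contract: appropriate security measures


@dataclass
class DeptRecord:
    department: str
    owner: str                         # person responsible for corrective action
    data_types: set
    retention_months: int
    necessary_months: int              # retention actually needed for the purpose
    cleanse_interval_months: Optional[int]   # None = never cleansed
    accuracy_procedure: bool
    rights_procedures: set
    encryption: bool
    processors: list
    storage_country: str
    transfer_countries: set = field(default_factory=set)
    transfer_consent: bool = False


def audit(rec: DeptRecord) -> list:
    """Apply the checklist questions to one department; return its findings."""
    findings = []
    sens = rec.data_types & SENSITIVE
    if sens:
        findings.append("sensitive data processed (%s): confirm stricter conditions are met"
                        % ", ".join(sorted(sens)))
    if rec.retention_months > rec.necessary_months:
        findings.append("retention of %d months exceeds the %d months necessary"
                        % (rec.retention_months, rec.necessary_months))
    if rec.cleanse_interval_months is None or rec.cleanse_interval_months > MAX_CLEANSE_MONTHS:
        findings.append("database not regularly cleansed")
    if not rec.accuracy_procedure:
        findings.append("no procedure to keep data accurate during retention")
    missing = RIGHTS - rec.rights_procedures
    if missing:
        findings.append("no procedure for subject rights: " + ", ".join(sorted(missing)))
    if not rec.encryption:
        findings.append("no technical measure (encryption) protecting stored data")
    for p in rec.processors:
        if not p.written_contract:
            findings.append("processor %s: no written contract" % p.name)
        elif not (p.instruction_only and p.security_measures):
            findings.append("processor %s: contract lacks instruction-only/security terms" % p.name)
    outside = ({rec.storage_country} | rec.transfer_countries) - EEA
    if outside and not rec.transfer_consent:
        findings.append("data outside the EEA without consent: " + ", ".join(sorted(outside)))
    return findings


def consolidate(records) -> dict:
    """Departmental audits merged into one report: department -> findings."""
    return {r.department: audit(r) for r in records}


def compliance_profiles(records, start=date(2024, 1, 1), days=90) -> list:
    """One row per finding: agreed action, responsible person, completion date."""
    due = (start + timedelta(days=days)).isoformat()
    return [{"department": r.department, "corrective action": "Remedy: " + issue,
             "responsible": r.owner, "due": due}
            for r in records for issue in audit(r)]


def render(report: dict) -> str:
    """Plain-text table of the consolidated report."""
    lines = ["Department | Findings"]
    for dept, issues in report.items():
        lines.append("%s | %d issue(s)" % (dept, len(issues)))
        lines.extend("  - " + i for i in issues)
    return "\n".join(lines)


# Constructed sample input: two departments' audit answers.
SAMPLE = [
    DeptRecord("Sales", "A. Seller", {"name", "address", "hobbies"}, 36, 24, 6, True,
               {"access", "marketing opt-out"}, True,
               [Processor("MailHouse Ltd", True, True, True)], "GB", {"US"}, False),
    DeptRecord("HR", "B. Payroll", {"name", "health", "trade union membership"}, 72, 72,
               None, False, set(RIGHTS), False,
               [Processor("PaySlips Co", False, False, False)], "IE"),
]

if __name__ == "__main__":
    print(render(consolidate(SAMPLE)))
    for row in compliance_profiles(SAMPLE):
        print(row)
```

The report groups findings by department, as the page's consolidated table would, and each finding becomes one compliance-profile row carrying the three items the page requires (action, responsible person, completion date). The thresholds and country set are the parameters an organisation would replace with its own policy values.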

© Anassutzi & Co Limited. 19 Thresher Drive, Abbeyfields, Swindon, SN25 4AE. Tel: +44 (0) 7788 726446 - Terms & Conditions - Privacy Policy