TERRA INCOGNITA
Privacy Horizons

29th International Conference of
Data Protection and Privacy Commissioners

Workshop
Dragon Slayer
Audit

September 26
13h30 - 16h00

Terra Incognita, workbook series # 6

Table of contents

Biographies

  • Dr. Artemi Rallo Lombarte – Chair
  • Ms. Yim Chan
  • Mr. Nicholas Cheung
  • Mr. Chris Turner
  • Mr. Joel Winston

En Route to International Privacy Audits (Privacy Laws & Business)

  • Introduction
  • Terminology
  • Sample Definitions of “Compliance Audit”
  • Comparison of Privacy Auditing/Investigation Powers in Selected Jurisdictions
  • The Future in Europe and Beyond for Cross-Border Co-operation
  • Use of Auditing as a Compliance Tool
  • Conclusion
  • Suggestions for discussion: A model for DPA audits
  • Appendix: Country Reports
    1. France – CNIL
    2. UK – Office of the Information Commissioner
    3. Spain – Data Protection Authority
  • Bibliography

Biographies

Dr. Artemi Rallo Lombarte
Artemi Rallo Lombarte is Director of the Spanish Data Protection Agency. He has conducted research at international centres such as the International Human Rights Institute in Strasbourg, La Sapienza University (Rome) and the Centre de Recherche de Droit Constitutionnel at the Paris I-Pantheòn-Sorbonne University. He is the author of numerous monographs, books and scientific articles in specialised magazines and has participated in national and international research and projects on public administration, protection of fundamental rights in European integration, and political decentralisation in EU Member States. Mr. Lombarte has worked with European institutional support programmes in Latin America, aimed at promoting political decentralisation and strengthening parliamentary institutions, executive and judicial power. He graduated in Law with Extraordinary Prize Honours (1988) and Doctor in Law at the University of Valencia (1990). He is Professor of Constitutional Law at the Jaume I University of Castellón, where he was also Head of the Constitutional Law Department (1993-1998).

Ms. Yim Chan
Ms. Yim Chan, CIPP/C, is the Global Privacy Executive, IBM Corporation and the Chief Privacy Officer, IBM Canada. Chan’s responsibilities include developing and implementing programs at the enterprise level for IBM’s global privacy management system and embedding privacy into relevant business processes. In her capacity as the CPO for IBM Canada, Yim Chan guides information handling policies and practices across IBM Canada. During her 28 years with IBM, Yim Chan has held several positions in software compiler development, industry solutions, and was formerly the CIO for IBM Canada. Yim Chan holds two patents for a Business Application Dialogues Architecture and Toolset in the privacy assessment environment and has obtained CIPP/C certification. Ms. Chan is a member of the Canadian and U.S. CPO Councils and is on the Advisory Board of the International Association of Privacy Professionals (IAPP), which developed the Canadian certification program for privacy professionals (CIPP/C). She is a regular speaker at privacy-related conferences and is sought after for privacy-related interviews. Yim Chan graduated from the University of Waterloo with a Bachelor of Mathematics/Computer Science degree and earned a Master’s Certificate in Project Management from George Washington University. She has participated in the Women in Technology mentoring program in the Greater Toronto Area.

Mr. Nicholas Cheung
Nicholas Cheung is a Principal at the Canadian Institute of Chartered Accountants (CICA) where he is responsible for the development and implementation of projects related to assurance services. He currently leads the Privacy Services area where he is focused on developing and raising the awareness of new privacy resources and services offered by Chartered Accountants. These resources include Generally Accepted Privacy Principles (GAPP), a global privacy framework developed by the CICA and the American Institute of Certified Public Accountants to create a common North American privacy standard that takes into consideration international requirements. He is a Chartered Accountant and holds a Certified Information Privacy Professional/Canada designation.

Mr. Chris Turner
Chris Turner joined the Information Commissioner’s Office in late 2002 and worked initially in compliance management in the area of ‘policing and judiciary’. After taking on a role for developing the Office’s audit capability he was appointed Head of Audit and Remedies within the Regulatory Action Division in 2005. Prior to his move to the ICO Mr. Turner spent over 30 years working in IT, primarily in project management and systems analysis, within a diverse range of organisations across sectors including leisure, finance and manufacturing.

Mr. Joel Winston
Joel Winston is Associate Director of the Division of Privacy and Identity Protection of the Federal Trade Commission’s Bureau of Consumer Protection. That Division has responsibility over consumer privacy and data security issues, identity theft, and credit reporting matters, among other things. Mr. Winston is currently serving on the federal government’s Identity Theft Task Force, which was created by President Bush in March 2006. Prior to his current position, Mr. Winston was Associate Director of the FTC’s Division of Financial Practices and, previous to that, Assistant Director in the FTC’s Division of Advertising Practices. Mr. Winston is a frequent speaker and provides guidance and advice to the business and legal communities on consumer protection issues. He received his undergraduate and law degrees from the University of Michigan.

En Route to International Privacy Audits
by: Stewart Dresner and Valerie Taylor
Privacy Laws & Business


Paper commissioned by the Office of the Privacy Commissioner of Canada. The views and opinions contained in this document are those of the author and do not necessarily reflect the views and opinions of the Office of the Privacy Commissioner of Canada nor of the Government of Canada.

Introduction

This study was commissioned under a contract with the Office of the Privacy Commissioner of Canada in support of the 29th International Conference of Data Protection and Privacy Commissioners – September 25th to 28th, 2007 in Montreal, Canada.

Many countries’ Data Protection Authorities (DPAs) do not distinguish a compliance audit from an inspection visit resulting from a complaint which could lead to a penal sanction. DPAs’ legal powers to conduct audits differ in different countries–for example, whether they may audit without the consent of the organisation. Therefore, the objective of this report is to find common themes in privacy auditing in different countries.

Drawing a neat distinction between an audit and an inspection remains elusive. There are no common definitions and criteria to distinguish the two concepts. Language differences are only one factor; others include different:

  • legal concepts;
  • DPA powers;
  • resources for conducting audits; and
  • attitudes towards conducting audits.

The recent OECD Working Party paper and the Canadian Privacy Commissioner’s Study on Auditing go into detail about the ways in which audits are treated in different national laws, and give some impression about approach. However, the reader does not learn how the national DPAs conduct regular audits.

This report attempts to go beyond the legal provisions to study:

  • how the national DPAs in France, Spain and the United Kingdom conduct regular audits;
  • some examples from other countries;
  • experience of national DPAs co-operation when attempting an international audit;
  • the use of auditing as a compliance tool;
  • the anticipated benefits of audits both for DPAs, and data controllers and data processors.

In addition, the study authors offer a suggested model of good data protection audit practices (see pages 12-13) for discussion at the audit workshop at the Data Protection and Privacy Commissioners’ 29th International Conference in Montreal in September 2007.

Terminology

An assessment of the powers in various jurisdictions suggests the following distinctions in terminology.

Compliance Audit
This is a proactive assessment by the DPA of the data processing activities, processes and procedures within an organisation to determine its general compliance with data protection legislation, and to establish and encourage good practice. Audits could be initiated in different circumstances:

  1. “Enforced” audit: used by the DPA to improve an organisation’s levels of compliance. It may be imposed on the organisation as part of enforcement or regulatory activity, or the organisation may be persuaded to “volunteer” for the audit.
  2. Voluntary audit: carried out at the request of the organisation as a means of establishing or improving its own level of compliance.

Investigation/Inspection
This is an investigation into a specific area of data processing activity within an organisation where there is a suspected breach of the data protection legislation. It may lead to sanctions or other enforcement action being taken. An investigation could be initiated in one of two ways:

  1. Complaint-initiated: caused by a complaint from an aggrieved individual who has been affected by the suspected breach.
  2. Self-initiated: resulting from press enquiries or initiated by the DPA in areas of substantial public debate or concern.

Differences
Compliance audits are typically broad in scope, encompassing an entire organisation or function, whereas investigations or inspections are usually more focused.

Also, any enforcement action resulting from an investigation or inspection is usually open to challenge–not always the case in a compliance audit.

Sample Definitions of “Compliance Audit”

Office of the Canadian Privacy Commissioner
A formal and systematic examination of an organisation’s personal information management practices and related policies, systems and holdings, to determine and report formally on the extent of compliance with applicable privacy legislation and standards.

Oxford English Dictionary
An audit is an official inspection [of an organisation’s accounts], typically by an independent body.

UK Information Commissioner
A systematic and independent examination to determine whether activities involving the processing of personal data are carried out in accordance with an organisation’s data protection policies and procedures, and whether this processing meets the requirements of the Data Protection Act 1998. The UK Data Protection Act describes it as an assessment of the following of good practice.

Comparison of Privacy Auditing/Investigation Powers in Selected Jurisdictions

Status of Privacy Audits in Canada

Around two-thirds of the various privacy laws in Canada provide audit powers for the federal, provincial and territorial supervisory authorities. The remaining laws do not make any provision for privacy audits, without which the supervisory authorities have no legal authority to conduct audits.

Audits have only been carried out to any measurable extent by the federal Privacy Commissioner and Quebec’s Access to Information Commission, and only the federal Commissioner appears to have an ongoing programme of formal compliance auditing. Audits have tended to focus on the public sector but are now starting to involve private sector organisations also.

There is legislative potential for Canadian supervisory authorities to carry out a much greater level of auditing, but this is not being taken up in practice. The likely reason for this seems to be a lack of resources.

However, there are significant variations between the audit powers available to the different supervisory authorities in Canada. This may make the sharing of knowledge and best practice more difficult and could discourage cross-boundary audits. It is perhaps not surprising, therefore, that most audits have been carried out by the federal supervisory authority which has the clearest and most wide-ranging powers. These powers concern not only the legal authority to carry out audits, but also ancillary powers such as the power to summon witnesses, compel evidence, enter premises and demand the production of documents and records.

Status of Privacy Audits in France

French privacy laws provide the DPA (the CNIL) with inspection powers which are considered to include the power to carry out audits, either under its powers of entry or at the invitation of an organisation.

Inspection teams usually consist of three people, a legal expert, an IT expert and a former police officer. The inspection programme is not published in advance, nor are the inspection results made public. The DPA issues a report to the organisation on conclusion of the inspection unless the audit identified no issues.

The CNIL has conducted a number of major inspections in the last few years, covering both the public and private sectors. Organisations or sectors are selected for inspection based on complaints received (from individuals or the press) or problems identified by the CNIL during the notification or prior authorisation processes. Therefore these inspections fall in the category of “self-initiated inspections” in the enforcement arena. Compliance audits have not been carried out.

There is legislative potential for the CNIL to conduct compliance audits. Its enforcement powers have been strengthened in the last few years and it is currently exploring the use of those enforcement powers. The CNIL does not have the resources to conduct more wide-ranging audits and so it is focusing on enforcement-related investigations where potential risks to individuals have been identified, such as criminal records information, health data and financial information. This approach may change in future as its enforcement powers mature and if they gain additional resources.

Status of Privacy Audits in the United Kingdom

The UK privacy law gives the Information Commissioner’s Office (ICO) specific power to carry out audits which are defined as an “assessment” of processing to determine the following of good practice. This power is in addition to enforcement powers to conduct self-initiated or complaint-initiated investigations.

The audit team usually consists of two or three trained data protection specialists, one of whom may have an IT background, although the ICO is considering bringing in specialists where more specific technical knowledge is required. Reports are provided to the organisation following the audit but are not made public. Typically audits reveal problems with data subjects’ access to personal data, data retention, and internal governance issues.

The ICO has conducted a significant number of audits over the last few years and has a mature audit programme in place. Audits may be initiated by a complaint or other enforcement action, and used as a way of improving compliance, or they may be requested by the organisation. Some audits may be carried out in sectors that are generating substantial public debate or where there is a great deal of change underway, such as in the health sector.

All audits are carried out with the consent of the organisation and all information is provided voluntarily. Legal warrants to gain entry to premises are usually obtained only where there are serious breaches of the legislation or criminal investigations. The ICO has published a comprehensive audit methodology (see bibliography p.26).

The ICO has found that auditing provides an opportunity to observe organisations and the way in which they handle personal data in practice, and helps improve relationships. This helps to educate ICO staff on the practical difficulties of day to day compliance. It also provides useful insights which can feed into the ICO’s guidance. The ICO’s audit team is expanding and they will continue to promote auditing as a tool to raise awareness of data protection and to encourage compliance and good practice.

Status of Privacy Audits in Spain

Spain’s rules on inspections and audit are specified in the law and a Royal Decree. This has the merit of legal certainty and Spain’s Data Protection Agency has more staff to conduct audits than most other European Union countries. However, as the law requires the Agency to assess every complaint on the grounds that the Agency must serve the citizen, it prevents the Director from allocating resources to audits on the basis of priorities and the merits of a case. New regulations expected to be adopted by the end of 2007 should enable the Director to become more flexible in his approach to complaints.

There are two types of audits: reactive audits resulting from a complaint, which may lead to a penal sanction; and preventive audits which involve the investigation of a specific sector, which are more likely to lead to recommendations on good practice.

Armed with the Director’s authorisation document, the inspectors have the powers they need to enter premises and obtain documents. There is an incentive for organisations to co-operate in the process because obstructing inspectors is a separate infraction of the law which can lead to an additional fine.

Most audits are carried out as a result of individuals’ complaints to the Agency. The telecommunications and financial services sectors are the two sectors which receive the most inspections.

International Cooperation

Spain led the European Union’s project to audit the medical insurance sector in 2006 and 2007. The audit was conducted by a written questionnaire as the powers of the national authorities differ considerably. The report was approved by the Article 29 Data Protection Working Party on June 21st 2007. The announcement stated: “Although for the most part the companies are aware of data protection rules, nevertheless there are shortcomings in some areas. The Working Party, therefore, will continue its cooperation with the health insurance industry by issuing recommendations to promote privacy enhancing policies, and to raise awareness among customers.”

Spain’s Agency has concluded that:

  1. international co-operation on audits, and much else, is much easier if only a few countries are involved (with similar enforcement tools), and
  2. a shortage of people and financial resources means that an international audit is most usefully conducted on an issue which is a high priority for all the national partners involved in the project.

Audit methodology

Audits are conducted by a team of two IT experts with training in data protection law. There is no distinction between a legal and a data security audit. The inspectors give the evidence to the legal team at the Agency which recommends action to the Director.

Typical findings are poor data security, staff misuse of data, and no or few logs–so no audit trails.

Conclusion

The agency considers inspections and audits to be valuable because they are a “way of ensuring compliance without resulting in fines”. The resulting recommendations help to raise awareness in all sectors of the benefits of good data protection practice.

The Agency’s most important objective for the future is the ability to choose its own auditing priorities and methods rather than being required by law to investigate every complaint, however trivial. Ideally, the Director wants a dialogue rather than an adversarial relationship, reserving the latter approach for when the facts of the case dictate rather than rigid legal prescription.

Status of Privacy Audits in Other Jurisdictions

Of 14 countries surveyed in the Canadian Privacy Commissioner’s Study on Auditing (December 2006), only two have neither express nor implied powers to conduct privacy compliance audits.

In most countries, the supervisory authority’s audit powers are inferred from the power to conduct self-initiated investigations or reviews. As the study found, the scope of audit and ancillary powers available to the supervisory authorities differs widely from one country to another. The focus of most legislation (as can be seen from the OECD Report mentioned below) is on complaint handling and associated breaches of privacy legislation, and regulatory supervision. It is likely that resource issues also play a part in the apparently low priority for compliance auditing.

Australia

Very few countries seem to have published audit manuals or procedures, or to have established formal programmes of compliance auditing. The Office of the Privacy Commissioner (OPC) in Australia is one of the few, having published a self-audit manual for three industry sectors which raise particular concerns in Australia. The OPC also conducts regular audits of government agencies and has published the audit reports on its website since 2002. During 2005-6, it conducted audits only where it received separate funding to do so. While auditing may have measurable benefits both for the OPC and the audited organisation, the OPC has made a policy decision to focus its resources on complaint handling.

The Netherlands

The Dutch Data Protection Authority has published a privacy audit framework to assist those wishing to carry out privacy compliance audits, although the DPA itself focuses on investigations rather than audits (see bibliography page 26).

New Zealand

New Zealand uses self-auditing as part of the authorisation process for information matching and credit reporting activities, to ensure that such processing is carried out in compliance with the privacy legislation. Audits are submitted to the Privacy Commissioner and it is considered that the process will enhance regulatory oversight in these areas.

European Data Protection Supervisor

The European Data Protection Supervisor (EDPS) is the supervisory authority devoted to protecting personal data and privacy and promoting good practice in EU institutions and bodies. EDPS is conducting an audit of Eurodac, the database of fingerprints of illegal immigrants and applicants for asylum found in the EU. The in-depth security audit is due to report by the middle of 2007. The development of audit expertise within EDPS could lead to further audit projects in the future.

Is There a Future in Europe and Beyond for Cross-Border Co-operation?

Article 29 Working Party Declaration on Enforcement [25 November 2004]
The Article 29 Working Party looked (among other things) at the value of investigation and audit programmes as a means for encouraging compliance. Such programmes could be aimed at giving organisations a more accurate picture of how data protection rules should be implemented in a particular sector. They could also help DPAs create appropriate policies and guidance by emphasising how data controllers should comply.

Organisation for Economic Co-operation and Development Working Party on Information Security and Privacy report on cross-border enforcement of privacy laws [16 October 2006]
More recently, the OECD WPISP produced a report on cross-border enforcement of privacy laws. The report aimed to investigate the possibility of facilitating the co-ordination of cross-border privacy compliance and enforcement mechanisms.

Most supervisory authorities indicated in the report that they did not have–but would benefit from–appropriate powers to enable them to exchange information and carry out investigations jointly with, or at the request of, foreign authorities. Efforts to increase cross-border enforcement activity may therefore be hampered by the lack of powers available to supervisory authorities and inconsistent legal regimes, as well as a lack of resources and differing priorities within supervisory authorities.

While supervisory authorities generally did not report receiving a significant number of cross-border complaints, advances in technology and the globalisation of business suggest that the volume of cross-border data flows will continue to increase. The development of business and technological efficiencies brings with it increased privacy risks thus making it important to address the challenges of cross-border enforcement and co-operation.

European Commission report on the implementation of the European Data Protection Directive and follow-up work programme [7 March 2007]
One of the tasks identified by the European Commission is to reduce national divergences and improve harmonisation of data protection laws within Europe. The principle of Europe-wide synchronisation of national enforcement actions was agreed, and data protection authorities are encouraged to adapt their domestic practices to the common position.

However, as a practical matter, even where national laws set out to apply the same principles (e.g. the EU Data Protection Directive 95/46/EC or the OECD Guidelines), differences of interpretation and emphasis for cultural, historical and legal reasons may hinder co-operation between authorities or complicate the implementation of joint or concurrent audits.

European supervisory authorities have a duty under the Data Protection Directive to co-operate with each other. It is less common, however, for a European supervisory authority to undertake proactive co-operation with an equivalent authority outside Europe, because it has fewer legal powers to do so. There are nevertheless examples of such cooperation. One is the formal Memorandum between Spain’s Data Protection Agency and the United States Federal Trade Commission on cooperating in the fight against unsolicited e-mail communications, or “spam”.

One possibility within Europe would be to seek assistance from the Article 29 Working Party for pan-European audit or enforcement initiatives. The Working Party has recently investigated the health insurance sector across all European Member States. The national data protection authorities sent out written questionnaires to gather information from health insurance companies within their jurisdiction–this was the only way to collect consistent information across all countries because of the varying powers of European DPAs.

Co-operation among Data Protection Authorities on cross-border audits may be more successful in practice if only two or three–rather than many–countries are involved.

Binding Corporate Rules
The Article 29 Working Party has produced various guidelines and reports on the use of Binding Corporate Rules as a means of ensuring adequate protection for international transfers of personal information within a group of companies. An organisation’s Binding Corporate Rules must provide for the use of either internal auditors, external auditors or a combination of both. The organisation’s audit plan must also allow for audit by data protection authorities. There is a possibility, therefore, that as Binding Corporate Rules become more popular in Europe, there will be an increasing demand for DPA audits as part of verifying compliance.

Use of Auditing as a Compliance Tool

In jurisdictions where audits are carried out, there are many perceived benefits.

Promoting Audits

Where auditing is already carried out:

There is little need to promote auditing where the DPA has the authority to conduct audits at its discretion at any time. However, the ability to complete efficient and effective audits is highly dependent on an organization’s cooperation, maintaining good working relationships, and securing an agreement to act on audit recommendations. This is particularly true if recommendations are not binding because the DPA has no order making power — the case in Canada at the federal level.

Carrying out audits on a consensual basis encourages participation. Organisations that volunteer to be audited are indicating a willingness to comply and adopt good practice.

Not publishing names and audit results may also help encourage organisations to participate voluntarily in audits. “Naming and shaming” could deter participation in an audit programme. However, this approach should be distinguished from publication of formal enforcement action.

Audits help to educate DPA staff on the practical difficulties of day-to-day compliance. They also provide useful insights which can feed into good practice guidance issued by the DPA.

Audits are often described as a tool for promoting compliance. Their effectiveness might be measured to some degree by comparing the number of complaints received about the organisation pre- and post-audit.

An audit’s effectiveness might also be gauged initially by the extent to which an organization accepts the audit’s recommendations and implements them either immediately or once the auditors have delivered their report and “gone away”.

Where there is little or no auditing:

Resources are an issue for all DPAs. They concentrate their enforcement activity on those problems which have a significant impact on individuals. Auditing is proactive and the DPA may not have time or resources to devote to this activity. However, it does offer benefits:

  • Creating and developing relationships and communication links with organisations;
  • Encouraging good practice; and
  • Encouraging openness and collaboration.

Auditing that targets high risk sectors could possibly lead to a reduction in time spent on enforcement activities.

In addition, auditing could be developed into an official certification programme where organisations audited by the DPA receive a “seal of approval”. This could be of commercial value to organisations and, as such, they may be prepared to pay for the service. This in turn could provide resources for the DPA to use in other areas of enforcement or promotion of good practice.

Promoting self-assessment:

Nothing prevents a DPA from also promoting and supporting organisational self-audit (self-assessments). This can be a potent tool. Given the myriad of organizations, it is likely to be more productive for organizations to assess their own privacy practices with a view to compliance and continuous improvement. This would characterize a strong privacy management framework. Ideally, organizations should “police” themselves. A potentially powerful “simple question” for a DPA to ask an organization is this–how do you govern and manage privacy?

Scope of an Audit

An audit can help raise awareness of data protection within an organisation. Those involved in an audit will think about the issues before the audit commences, during the audit itself, and after the audit has finished.

There are generally two recognised approaches to deciding the scope of an audit.

Narrow & Deep:
The narrower the scope of the audit, the more successful it will be in making clear and precise recommendations to the organisation. Recommendations are more useful and easy to understand and implement when they focus on a specific aspect of an organisation’s processing activities, rather than those gleaned from a snapshot of the entire organisation.

Wide & Shallow:
An audit with a wide remit will involve more individuals in an organisation and so will help raise the profile of data protection across the organisation.

Wide & Deep:
If time and resources permit (or limited resources can be concentrated), an audit that is both wide and deep is likely to have the greatest and most lasting impact. DPAs appear to conduct few of these, although the Office of the Privacy Commissioner of Canada has used comprehensive audits of this type (see website www.privcom.gc.ca).

There is always a tension between wanting to conduct a wide-ranging audit in few organisations and covering more organisations in a narrower and/or shallower audit. This is particularly true when an authority has jurisdiction across all sectors, as in Europe, but limited time and insufficient human and financial resources.

All approaches have advantages and disadvantages. Whichever approach is adopted, it is critical to interview the right personnel in the organisation to gain a thorough understanding of its personal data processing.

Conclusion

The majority of jurisdictions reviewed do not carry out “compliance audits” in the true sense. Many audits result from complaints or suspected breaches of privacy legislation which might be better categorised as investigation or enforcement activity.

There are a number of challenges raised by the use of audits as a tool for promoting data protection compliance and good practice.

  1. Lack of legal powers for the DPA may limit auditing and ancillary matters such as access to premises and documents.
  2. Restrictions on information sharing inhibit cross-border activity in particular.
  3. Incompatible legal regimes, either within or outside a country, restrict co-operation on audit projects.
  4. Inadequate resources require directing those resources first at complaint handling, necessarily giving auditing a lower priority.
  5. Differing compliance priorities.

However, compliance auditing conveys clearly identifiable benefits. They:

  • encourage compliance and good practice within the audited organisation;
  • serve as an instrument of change, improving privacy systems and promoting accountability for privacy;
  • reduce privacy risks;
  • educate the DPA’s staff;
  • help to inform guidance and practice recommendations issued by the DPA; and
  • develop relationships and open communication with organisations.

Without increased resources for DPAs it seems unlikely that the widely varying levels of audit activity will change.

Suggestions for discussion: A model for DPA audits

In every case, an audit is a systematic assessment of an organisation’s personal data processing. It is a regular process for the DPA and generally a one-time experience for the organisation and its management. Therefore, it is fair to discuss a model for DPA audits which brings more order and predictability to the process.

Each national DPA could assess its own audit practice against the model and then consider whether it wishes to introduce the new features into its audit system should its legal powers permit, or seek amendment to the relevant law.

In addition, the workshop at the Data Protection and Privacy Commissioners’ 29th International Conference in Montreal, 25th-28th September 2007 could usefully add to and refine the following outline DPA Audit Model.

DPA Audit Model

The DPA should have the authority to:

  1. choose the data controllers and data processors to audit;
  2. enter a data controller’s or data processor’s premises;
  3. demand the production of documents and records;
  4. obtain answers to questions;
  5. publicise the results without revealing any trade secrets or confidential information;
  6. conduct a follow-up audit, if necessary, and
  7. other points?

An audited organisation should be obliged to:

  1. cooperate with the auditors, for example, by providing auditors with information and access to systems;
  2. explain to the auditors how personal data is processed, by whom and for which purposes, and
  3. other points?

A data controller and data processor being audited by a DPA should have the right to:

  1. be informed in advance, for example, a minimum of a week to arrange a mutually convenient day (this process is to be distinguished from a complaint about practices contrary to the law which may lead to a penal sanction and which would be handled by an investigation process with a different legal status);
  2. be informed of the DPA’s audit methodology;
  3. have discussed with the DPA in advance the audit’s scope (for example, processes, locations, numbers and positions of people to be interviewed);
  4. accompany the auditors on the premises to facilitate discussions with staff at different levels (but not be present when individual and groups of staff are interviewed so that they may speak freely);
  5. appoint IT staff to work with the audit team to ensure that any audit process involving an IT system does not damage that system;
  6. receive a copy of an initial written report at the conclusion of the audit to ensure that management sees the observations, and any points that may cause conflicting views be discussed and possibly resolved (this report should be signed to show that the report has been read and discussed);
  7. be given a period [four weeks?] to comment on a draft report before it is published [and that view to be published together with the DPA’s report?];
  8. be given a reasonable period to correct any identified faults before any follow-up audit, and
  9. other points?

Appendix: Country Reports

1. France – CNIL

Meeting on 5th June 2007
Clarisse Girot – Head of European & International Affairs, CNIL
Florence Fourets – Head of Inspection and Audit, CNIL
Valerie Taylor – Consultant, Privacy Laws & Business

Legislative background
The French data protection legislation was amended in 2004, in part to grant the regulatory authority (CNIL) new enforcement powers and sanctions. In the past, the CNIL relied largely on the notification process to establish whether there were any areas of concern about particular organisations.

The law does not specifically mention audits. There are powers to carry out “verifications” and the CNIL may enter premises (subject to giving appropriate notification to the public prosecutor) for the purposes of exercising these powers and copying any documents required. The power to carry out verifications is interpreted by the CNIL as an enforcement power. The CNIL considers that it has a power to carry out audits either using the powers of entry or on invitation by the organisation.

Terminology
The CNIL has initiated a number of inspections (verifications) where there have been suspected breaches or other potential areas of weakness. These inspections focus on specific issues or problem areas within an organisation and do not usually involve a review of the entire organisation.

Audits are viewed as assessments aimed at general compliance and good practice and would generally involve a thorough review of an entire organisation. The CNIL does not yet conduct general compliance audits, although some verifications have consisted of a full-fledged audit of the inspected party. The inspection/audit team is small (a total of six dedicated people but often including agents from other departments, such as the legal department). At present, the CNIL does not have the resources to conduct general compliance audits which are costly, time consuming and would tie up a significant number of team members.

Inspections carried out
In the last few years, the CNIL has carried out several major inspections in both the public and private sectors.

In the public sector, it conducted a detailed inspection of a major French city and local council suspected of non-compliance. The decision to inspect was prompted by a finding that the city council had an abnormally low rate of notification in CNIL’s notification register. Formal compliance notices were issued following the inspection and sanctions may be imposed if the city fails to comply.

Another inspection involved the electronic health records programme in France. This was selected for inspection because of its significance both nationally and within Europe, and because of the sensitive nature of the data involved. All parties involved were inspected, including sub-contractors.

Criminal investigation records held by the police (containing details of victims, suspects and witnesses) are also inspected regularly. Such verifications essentially take place through the data subject’s exercise of an indirect right of access to police files. This access right may be exercised only by CNIL’s members with the authority of magistrates.

In the private sector, one thorough audit has involved online banking services. Again, this was identified as an area which presented particular risks to the security of confidential personal data.

The CNIL also conducted an inspection into the e-ticketing scheme used in the Paris public transport network. Here again, all parties involved were inspected, including sub-contractors. This series of inspections amounted in practice to a data protection audit of the whole scheme.

Rationale & Process
Organisations or sectors are selected for inspection based on complaints received (from individuals or the press) or problems identified by the CNIL during notification or prior authorisation processes.

The CNIL does not publish its programme of inspections in advance, nor does it make public the results of an inspection. In future, it will publish a list of organisations which have been inspected in its annual report.

In the vast majority of cases, the CNIL does not give advance notice to the organisations being inspected, nor are they given any specific guidance other than that which is generally available. Inspections tend to be carried out in areas where the CNIL has provided general guidance in the past, such as health records.

Inspection teams usually consist of three people, a legal expert, an IT expert and a former police officer. The organisation is fully involved in the inspection process and signs off on the inspection record. The team would also issue a report following the conclusion of the inspection, unless no issues were identified. Inspections may take one to four days, depending on the size of the organisation, location of the inspection and issues involved. The CNIL has an internal, unpublished methodology which teams use when carrying out inspections.

Sanctions may be issued following an inspection and there would be a constant exchange of communications with the organisation about this process. Typically, inspections reveal issues about security or a lack of internal procedures.

Data Protection Officers
There is a formal system of Data Protection Officers in France–organisations may appoint an internal DPO and this removes certain obligations from the organisation (for example, concerning notification). Part of a DPO’s job would be to conduct an internal audit of the organisation and so this role helps to promote auditing and good practice within organisations.

International Aspects
The electronic health records programme was investigated in France as part of the Article 29 Working Party investigation into the health insurance sector. Some complaints raise international issues but the CNIL has conducted no other audits across international borders.

Benefits of Auditing/Inspections & Problems
An inspection gives the CNIL the opportunity to understand how an organisation operates in practice, rather than by simply reading a notification. It also helps to forge good communication links with the organisation and helps compliance as the organisation becomes more aware of the CNIL and its powers of enforcement, and is encouraged to improve internal procedures.

The resource issue is the major problem–the CNIL is under-resourced and unable to conduct more wide-ranging audits. Therefore, they are focusing on the issues of significance to individuals, such as criminal records information, health data and financial information.

Future Developments
In France, the major change in recent years has been the increased use of sanctions. This has helped to raise the profile of data protection from a straightforward legal issue to a matter of broader general compliance.

It is possible that auditing could develop into an official certification programme of some kind, where organisations audited by the CNIL receive a “seal of approval”. This could be of commercial value to organisations. However, unless and until there are additional resources available, the CNIL will be unable to pursue the development of a formal audit programme.

Conclusion
The CNIL does not audit in the sense of a broad review of an organisation’s data processing activities for the purpose of promoting good practice. It focuses its limited resources on enforcement-related investigations where potential risks to individuals have been identified.

2. UK – Office of the Information Commissioner (ICO)

Meeting on 6th June 2007
Chris Turner – Head of Audit & Remedies, ICO
Sian Jones – Audit & Remedies Manager, ICO
Stewart Dresner – Chief Executive, Privacy Laws & Business
Valerie Taylor – Consultant, Privacy Laws & Business

Legislative background
The Data Protection Act 1998 gives the Information Commissioner the specific power to carry out audits, either with the consent of the organisation in question, or by obtaining a warrant from the courts which allows access to premises without consent. The ICO has not actively considered seeking a warrant.

The Office may charge a fee for carrying out audits, with the permission of the Secretary of State, but has never done so.

Terminology
Audit is defined as an “assessment” of processing to determine the following of good practice. An audit is a broad assessment that would generally involve a thorough review of an organisation’s processing activity, or a specific area of that activity. The audit team is small (three people) but they are dedicated almost entirely to audit activity. ICO expects to recruit two further people, most likely from within. Separate departments handle complaints and enforcement.

Audits carried out
In the past year the team conducted eight audits and plans a similar number of full audits in the coming year, along with 12-15 smaller audits into specific functions (for example, confidential waste disposal).

The ICO has recently publicised results of two of its audits, one involving a large public authority–Liverpool City Council–and another involving a major financial institution–Halifax Bank of Scotland (HBOS). The Liverpool City Council audit resulted from enforcement action against the authority following a complaint to the ICO. The HBOS audit followed press reports of security incidents at the bank which, if true, would breach an undertaking it previously gave the ICO.

Rationale
Organisations may be selected for audit in a number of ways:

  1. A complaint received by the Compliance Division may be referred to the Remedies team, leading to a recommendation for audit. Consideration will be given to the size of the organisation, the detriment to individuals, the severity of the issue, and whether the problems are systemic.
  2. An organisation which is subject to enforcement action or formal undertaking may agree to an audit as part of the sanctions imposed.
  3. The Practice & Development Teams may suggest potential areas for audit, particularly concerning sectors or specific forms of processing that are generating substantial public debate, or where there is a great deal of change, and associated risk, underway. Examples include the health sector and public sector information sharing initiatives.
  4. Organisations may approach the ICO directly to ask for an audit. This may be as a result of ICO publicity of their audit function. The ICO will then consider whether there are resources available to carry out the audit, the potential benefit to the organisations and how the audit could assist in developing its knowledge base.

The public sector is much more receptive to being audited than the private sector and, although the ICO has carried out many more audits in the public sector than the private sector, this is now beginning to change.

Sometimes an organisation’s own agenda may shape the scope of an audit. For example, if the organisation’s data protection contact believes it needs a high level commitment to data protection issues, the audit can be seen as a catalyst for change.

Process
While it is feasible for the ICO to obtain a warrant in order to carry out an audit, it has never done so. All audits have been carried out with the consent of the organisation. Warrant powers are usually reserved for serious breaches and criminal investigations. Information collected during an audit is provided voluntarily by the organisation. Again, it is possible for the ICO to use its enforcement powers to demand the production of documents, but this has never been done in connection with an audit and the ICO would prefer to operate on a consensual basis.

The ICO has published an audit methodology which is available on its website. This has been adapted and revised internally, particularly for use in smaller function-specific audits. The ICO has also developed its own internal checklists and questionnaires covering specific areas, such as information technology, and will consider updating the methodology when time permits.

The ICO would normally request information from the organisation being audited. There are powers to demand the production of documents and materials but it is unlikely that these would be used in a consent-based audit.

Audit teams consist of two or three people who are trained data protection specialists. One may have an IT background but the ICO is considering bringing in specialists where, for example, more specific technical knowledge is required. The ‘on site’ compliance aspect of the audits usually takes three days. Typically audits reveal problems with data subjects’ access to personal data, data retention, and internal governance issues.

Reports are provided to the organisation but are not made public. The current policy is not to publicise audit details in the majority of cases. Audits are conducted with the consent of the organisation and so they are treated as confidential. The ICO also considers that, with consensual audits, publicising the findings might act as a deterrent.

There is no guarantee that the ICO will not take enforcement action as a result of an audit because serious issues may be uncovered. However, because audits are carried out on a consensual basis, it would be very unusual for the organisation in question not to agree to resolve any issues that might be found. Agreeing to an audit indicates a willingness to address issues and establish good practice. The ICO would also look favourably upon an organisation that was open about its processing activities–and any problems–and had requested an audit.

International Aspects
The Article 29 Working Party has investigated the health insurance sector. A questionnaire was sent to the organisations in this sector–the only way of collecting information in a consistent manner across borders. The health insurance sector was selected because of the sensitive nature of information held and the perceived associated risks. Some of the health insurance companies also operate across Europe and this issue affects all European countries.

There could be a possibility of co-operating with other Data Protection Authorities on cross-border issues. This might work most successfully if only two or three countries were involved, rather than all EU countries, for example.

Benefits of Auditing & Problems
Auditing gives the ICO the opportunity to observe organisations and the way in which they handle personal data in practice. This helps educate ICO staff on the practical difficulties of day to day compliance. It also provides useful insights which can feed into guidance issued by the office on good practice.

An audit also helps improve relationships and encourages the organisation to stay in touch with the ICO if there are future problems or questions. If the audit can be carried out as a two-way dialogue, it helps encourage compliance and good practice and promotes data protection within the organisation.

The ICO does not currently have the resources to follow up on audit recommendations but ideally would wish to do so in some cases. Complaints monitoring can help by providing a mechanism for assessing whether recommendations have been implemented.

Future Developments
The ICO is hoping to expand the audit team and will continue to promote auditing as a tool for raising awareness of data protection and encouraging compliance and good practice.

It assessed demand for an audit accreditation scheme two years ago. Although audit companies expressed some support, data controllers showed little interest.

Conclusion
The ICO has conducted audits for several years and has a publicly available methodology. It publicises the audit function which is helping to raise awareness of the benefits of auditing and encouraging organisations to approach the ICO with audit requests. Audits are also used to resolve issues as part of enforcement activity.

3. Spain – Data Protection Authority

Meeting on 7th June 2007
Professor Artemi Rallo Lombarte – The Agency’s Director
Ms. Mercedes Ortuño Sierra – Head of the International Department
Stewart Dresner – Chief Executive, Privacy Laws & Business

Spain’s Data Protection Authority (the Agency) has jurisdiction over the private sector throughout Spain. Although there are three other Data Protection Authorities responsible for Madrid, Catalonia and the Basque country, they have jurisdiction solely for the public sector in these communities which are outside the scope of this study.

Legislative background
Data protection audits in Spain are conducted within the framework of Art. 40 of Spain’s Data Protection Act (Organic Law 15/1999 of 13th December 1999 on the Protection of Personal Data known by the abbreviation LOPD). This law provides the general framework for data protection and implements European Union Directive 95/46/CE into Spain’s law.

Art. 40 is entitled “Powers of inspection” and covers the powers of the Agency to:

  1. inspect personal data files and obtain any information they require;
  2. require the disclosure or transmission of documents and data and to examine them;
  3. inspect hardware and software used to process the personal data;
  4. obtain access to the premises where personal data is processed;
  5. order the cessation of improper or illegal data processing and the deletion of improper or illegal files (Article 37f, as a preventive measure), and
  6. block files in cases where a very serious violation is taking place (Article 49).

Inspectors are obliged to keep secret any information they acquire during and after conducting these tasks.

Secondary legislation is to be updated by the end of 2007 to provide more detailed rules on inspection procedures.

Updating is needed because the current relevant secondary legislation, Art. 18 Royal Decree 1332/1994, was adopted to operate with the former 1992 law.

Terminology
There are two types of inspections or audits:

  1. Reactive inspections result from a complaint of a privacy violation, or where the Agency learns of a privacy violation by other means, such as the media. In these cases, in addition to the powers cited in Art. 40 of the Data Protection Act, the Director of the Agency has a judicial power to issue a subpoena. He can also order that processing of personal data be stopped if it does not comply with the law.

    The most serious problem is the law’s requirement that the Director of the Agency investigate all requests and complaints about privacy, regardless of whether they are worth expending the required resources. The rationale is that the Agency must by law be “at the service of the citizen”. But, in practice, it means that the law prevents the Director from being an effective manager. He cannot choose his priorities nor allocate his resources according to his judgement of the importance of a complaint.
  2. Preventative audits are those involving investigations of a specific sector to assess the extent to which organisations in the sector meet their legal obligations. These audits are designed to be educational not punitive, given that the result is usually recommendations on good practice. The 2005 annual report describes this type of audit as being “for fulfilment of all the principles and rights of LOPD in a sector of activity previously selected. They are not aimed at declaring breaches, but rather at establishing a diagnosis of the situation of fulfilment, to detect deficiencies and provide recommendations that must be fulfilled to resolve them.”

Sectoral audits
The sectors which have been audited in recent years are:

| Year | Sector(s) audited |
|------|-------------------|
| 2006 | Public and private schools |
| 2005 | Personnel recruitment by Internet |
| 2004 | Hospital laboratories and firms that provide them services; National Public Administration Institute; Hotel chains |
| 2003 | National Statistics Institute; Censuses of population and housing |
| 2002 | Competitions, games and television raffles; Remote banking (banking on-line); Common file on asset insolvency |
| 2001 | National Statistics Institute; Historic car insurance files; Large department stores |
| 2000 | Electronic commerce; Hospitals; National AIDS Register; Directorate General of Traffic |
| 1998 | Bingo halls |
| 1997 | Public hospitals |

The Agency’s recommendations are at the following link: https://www.agpd.es/index.php?idSeccion=75

Preparing for an audit and the inspectors’ powers
The powers of the inspectors derive from the power vested in the Director of the Agency as the agent of the state. With his signature on the appropriate document (as his assessment of the inspection comes within his powers specified in the law and the Royal Decree above), the Agency’s inspectors have “state authority” to enter premises and carry out their investigations and audits.

The Agency’s Deputy Director is the Head of Inspections and he assembles a team appropriate to the sector being audited. They prepare by agreeing on:

  • the scope of the audit
  • how to divide the work among members of the audit team, and
  • the types of sample systems and material they will review.

The inspection team, empowered by the Director’s warrant, has the power to obtain documents from the data controller and even from third parties. For example, if an Internet company were to disappear, the inspectors would be able to access e-mail and web logs of third parties. Obstructing the inspectors is a separate infraction of the law which can lead to a higher fine. The national court treats such obstacles seriously–the maximum fine is 601,000 € per infraction of a provision of the data protection law.

The Agency never charges organisations a fee for conducting an audit.

A few times a year, an organisation may request an audit, usually as a result of informal discussions when both the Agency and the organisation agree that an audit would help clarify the situation. Such audits would not normally lead to a fine.

Rationale
The reasons for choosing a sector to audit can be due to:

  • individual complaints (93 per cent of cases quoted in the 2005 annual report), and
  • others (7 per cent of cases quoted in the 2005 annual report), such as problems identified by the media or, in the case of schools, a Congressional initiative expressed to the Agency’s Director during presentation of his annual report to the Congress.

The most common sectors to receive inspection visits in 2005, according to that year’s annual report, were:

  • telecommunications (24 per cent of inspections and 29 per cent of legal proceedings which could lead to sanctions);
  • financial services (19 per cent of inspections);
  • public authorities (11 per cent of inspections).

Occasionally public and private sector organisations request an audit even if they are not subject to an Agency investigation. They may be faced with a new technology or a new use of personal data and seek the Agency’s guidance. For example, Telefonica (the major telecommunications company) asked for an audit of its new digital identity card, which presented some novel privacy issues. And ENA, the public sector institute for training civil servants, also sought an audit.

Publication of audit results
The results and recommendations of sectoral audits are published to help improve standards across the sector.

If an audit results in a fine, then the name of the organisation is published. One example was a case involving serious security breaches in an online banking service.

The Agency publishes on its website (www.agpd.es) the names of the organisations which it audits, along with the full text of all of the Agency’s Resolutions. The information is anonymized when a sanction is imposed on a physical person but it names legal persons (such as corporations). The Annual Report refers to the most important cases in general terms and refers readers to the website. The Agency gives the identification number of the sanction procedure so it can be checked on the website but does not provide organisations’ names, although sectors are indicated where relevant. This policy is the result of an Agency Instruction in 2004 which stated that once a decision has been communicated to the affected parties, it must be made public in the following month.

Results of investigations/audits carried out
In 2006, 1,282 enforcement investigations were started, of which:

  • 281 led to penal sanctions legal proceedings;
  • 103 led to a public warning against public administration bodies (as it is the policy not to fine public authorities because ultimately the public pays in higher taxation);
  • 632 cases concerned refusing a person access to records about themselves.

International Data Protection Audits
Spain has some experience cooperating with other national Data Protection Authorities, particularly on investigating and prosecuting unsolicited e-mail marketing, or spam. For example, the Agency has cooperated with the Netherlands Data Protection Authority in investigating a website, hosted by a Dutch company, which included illegally-collected personal data. This collaboration resulted in the removal of the illegal content from the website.

A wider data protection audit exercise, initiated by the European Union’s Art. 29 Data Protection Working Party, has been conducted over the last year. The Agency’s International Department has led most of this 27-member-state EU initiative to audit the medical insurance industry.

This sector was chosen because it was considered to be reasonably comparable in the different member states and it processes sensitive data on millions of people. The audit was conducted in cooperation with the national medical insurance associations in each country and with the European confederation of medical insurance companies. The research examined many issues, including those related to employment–such as the extent to which medical data is shared with employers when medical insurance is a fringe benefit. For example, to whom does a medical insurance company release personal data in different circumstances?

The audit was conducted by a written questionnaire. Much time was spent on drafting and revising the questionnaire. The process was made more difficult because of national differences, such as:

  1. level of understanding of even one common language;
  2. data protection legal concepts;
  3. existence or lack of audit powers;
  4. appropriate methodology for the audit;
  5. national rules on medical confidentiality;
  6. national rules on interface between data protection law and freedom of information law;
  7. national rules on use of genetic information as a factor in assessing an insurance risk leading to discrimination against people with a predisposition towards a certain health condition;
  8. relationships between public authorities and private companies, and
  9. enthusiasm for the task.

Adding to these difficulties was a lack of experience in some national DPAs in drafting and conducting audits and managing such an ambitious international project.

The national authorities co-operate more easily when they are conducting an enforcement action because normally few countries are involved.

Spain is now also co-operating in a separate OECD audit initiative which includes such non-European countries as Canada and Japan.

The Agency has also started conducting audits in some Latin American countries to check on the data protection procedures in place in countries to which data processing has been transferred from Spain but which do not meet the “adequacy” terms of the EU Data Protection Directive.

The Agency has concluded that:

  • international co-operation on audits, and much else, is much easier if all the authorities involved have the same enforcement tools and capabilities, and
  • a shortage of people and financial resources means that an audit is most usefully conducted on an issue which all the national partners consider a high priority.

Audit methodology
The Agency’s inspection team must work according to the specifications of the Royal Decree (see above), the text of which is publicly available. The team must follow these procedures strictly because an investigation can result in a heavy fine, and a company would appeal to a court if the procedure had not been followed properly.

An inspection/audit team consists of two inspectors, so that the observations of one are always checked against those of the other. There is no distinction in audit methodology between privacy and data security audits: the inspectors conduct both in the same visit. They enter the premises with a laptop computer, write a summary of the audit during the visit and present it to the company manager at the end. The inspectors give the organisation’s manager a list of practical points which need attention, regardless of whether a penal sanction will follow later in the process. The manager must sign the document to confirm receipt.

There is more flexibility of approach if there has not been a complaint against the company because there is less likelihood of a penal sanction.

There are no plans to amend the audit methodology, but the Agency hopes the new Regulations will give the Director and his inspectors more flexibility to decide whether to audit an organisation. An inspection team consists of IT specialists with knowledge of data protection law. During the audit, the inspectors do not operate the organisation’s systems themselves; instead they direct a member of the organisation’s own staff to query and interact with the computers and other IT systems on their behalf. This ensures that a company cannot later accuse an inspector of damaging company property.

On return to the Agency, the team members present their factual report to a legal officer, who conducts a legal analysis and recommends a sanction to the Director. If there is no evidence of a violation, the legal officer records this conclusion in the Agency archive. Legal officers do not go on inspection/audit visits. The Agency always uses its own inspection/audit staff and does not use outside auditors. Its inspection/audit team consists of 19 inspectors with IT skills, 14 legal experts and 17 auxiliary staff.

A company under audit appoints a manager to accompany the inspectors/auditors and observe the conduct of the inspection/audit. This ensures that the company understands how the evidence is collected and the rationale for the observations and for any subsequent actions decided upon. An audit normally takes one to two days, but the time from first receiving a complaint until the finalisation of a report and the Director’s decision on a sanction is often around six months (the maximum term permitted by the LOPD).

Reports and Resolutions
The factual report is shared with the audited organization which can then suggest amendments or propose an alternative version stating its viewpoint. The organization’s response is considered by the legal analysts as they draft the Agency’s resolution. Once the Director signs the Agency’s final resolution, it is published on the Agency’s website. The final resolution can be challenged in court. Typical findings are:

  • poor data security, which could allow an attacker to gain access to the system easily;
  • staff misuse of data;
  • no or few logs, so no audit trails.

The Agency has published specific areas of concern from its 2006 national audit of data protection in schools. These include:

  1. weaknesses in information and consent to the processing of data;
  2. poor quality data during the different steps of the processing;
  3. lack of adequate safeguards regarding individuals’ data protection rights, for example, access, correction, deletion and objection to processing, and
  4. poor level of security, particularly regarding sensitive data.

This national school audit exercise also led to the preparation and distribution of advice on the use of personal data to more than 14,000 schools.

The Agency’s website contains advice on data security for data controllers, as well as specific advice for each sector resulting from sectoral audits.

Benefits of audits
The Agency considers inspections and audits to be valuable because they are “a way of ensuring compliance without resulting in fines”. The resulting recommendations help raise awareness in all sectors of the benefits of good data protection practice in managing personal data for the benefit of the organisation, the individuals and compliance with society’s expectations expressed in the law.

The Agency’s audits can lead to a discussion of the practical management steps companies need to take to comply with the law, rather than to large fines, and so it would be logical to expect companies to accept Agency audits. A data protection regulator’s audit will never be welcome, but it can be regarded as acceptable in the same way as inspections in other fields, such as fire inspections in a factory or food hygiene inspections in a restaurant. One result of this approach is that relations with companies improve the more an audit establishes practical steps a company can take to integrate data protection law into good management practice.

Future steps
The Agency’s most important objective for the future is the ability to choose its own auditing priorities and methods, rather than being required by law to investigate every complaint, however trivial. Some complaints could be dealt with by letter, while others may indeed require an audit team’s visit.

In future, smaller companies may outsource their data protection management to experts who could run a specialist service which a small company could not provide by itself. As a result, these experts would be in a better position to engage with inspectors from the Agency than small business owners.

The Agency’s new Director wants to concentrate on organisations whose processing of personal data has a great impact on large parts of the population, for example an organisation managing a bio-bank or a DNA bank. The Agency was able to persuade a company managing a data bank of eight million blood donors that its research could be conducted with anonymised data.

The new Director ideally wants a dialogue rather than an adversarial relationship, reserving the latter approach for when it is required by the facts of a case rather than a rigid legal prescription. Audits have their place in the larger objective stated by the Agency that “the future of privacy or data protection will depend on the credibility of the Supervisory Authorities in providing an effective protection against violations”.

Bibliography

This analysis is based on the following key materials:

  1. The Canadian Privacy Commissioner’s Study on Auditing, December 2006
  2. OECD Working Party on Information Security and Privacy, report on Cross-Border Enforcement of Privacy Laws, 16 October 2006
  3. European Commission Communication on the follow-up of the Work Programme for better implementation of the Data Protection Directive (report on the implementation of the Directive and follow-up work programme), 7 March 2007
  4. Article 29 Working Party Declaration on Enforcement, 25 November 2004
  5. Article 29 Working Party paper WP108 on Binding Corporate Rules
  6. Interview with representatives from the CNIL in France, June 2007
  7. Interview with representatives from the UK Information Commissioner’s Office, June 2007
  8. Interview with representatives from the Data Protection Agency in Spain, June 2007

Further information is available from the following sources:

UK
[http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/data_protection_complete_audit_guide.pdf]

The Netherlands
[http://www.dutchdpa.nl/downloads_audit/PrivacyAuditFramework.pdf]

European Committee for Standardisation (CEN)
[http://www.cen.eu/cenorm/businessdomains/businessdomains/isss/cwa/dppcwa.asp]

Date modified: 2007-09-19