Andrea:

Re data audit

Whilst processing occurs on all data it is appears better to focus on the
census problem from the direction of the purposes of processing using the
Commissioners list of standard purposes. In general terms departments of
organisations are set up to perform specific functions (purposes). There are
also some general uses which are generally common across departments e.g.
Employee data admin. I work in Insurance sector and we have several million
records but the prime purposes of processing on customer  records are mainly
Insurance Admin and Fraud prevention and Marketing. Under the 84 Act we all
had to register our purposes so it gives us a reasonable starting point.
Still not easy though.

Manual files give an interesting challenge in what is the correct
interpretation of the Act in relation to how you bring them into compliance
with the principles by 2007. The Data quality principles such as accuracy,
adequacy and retention seem impossible to fully comply with if taking the
Act acts drafting at face value.

I raised this is a presentation at the CBI in 1997 in respect of the costs
for an organisation if vetting structured manual files. Estimating 8 million
structured manual files (conservative estimate based on 1 per customer for
our organisation pre merger) we would have to vet at a rate of 5000 a day
currently to hit the 2007 compliance date. At only 15 mins a file one person
can achieve 28 assessments in a 7 hour day (assuming they have something to
check data against). This requires 178 persons per day full time on such a
task until 2007 target. Assume a 260 day working year and ?4 an hour. Gives
a wage bill of approx ?7.75 million. Government departments / NHS will have
even more files to handle with costs to taxpayer. The estimates which were
given to Parliament on the cost of the Act to UK business when it was
drafted did not appear to use the same assessment base. Logical conclusion
is that perhaps data controllers do not have to vet all structured manual
files for accuracy / adequacy.

How then do you comply unless historical research use arguable?

The response from the Commissioners office on presenting these cost
estimates was that this was an unrealistic approach and they did not expect
an organisation to have to do this as this assumed chance of errors in every
file (the Act as drafted does not appear to support this interpretation).
Unfortunately they never clarified specifically how you acheive compliance
without checking. The response I received later in converstation was to
undertake to check files as they are recalled for use as this is the point
when individuals may be impacted by the information they contain. This
however is still no small task and not practical in many cases. I also do
not believe that this has yet been publically stated as acceptable practice.

Gives food for thought re what are the limits of practical steps on census
and audit activities. The only saving grace is that a breach of principle
only becomes an offence when enforced, so data controllers may get some
further guidance as complaints arise.

Will anyone comply or will all deal on a risk acceptance basis, if so the
data subject has a strong hand. I as a data subject have received no
requests by any organisation or government departments to assist confirming
the accuracy of data held on me or indeed any requests for consents to hold
the sensitive data. The implications are clear.

David Wyatt



> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]]On Behalf Of Andrea Owen
> Sent: 15 March 2001 13:09
> To: [log in to unmask]
> Subject: EXISTING RECORDS
>
>
> Has anyone had any experience of trying to audit existing
> information?  I am trying to advise, realistically, how certain
> departments should act in order to comply with the code, but am
> faced with the fact that some departments have in the range of 1
> million personal records to potentially check through.
>
> ??
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>     www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> all commands go to [log in to unmask] not the list please!
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^