I agree totally. It is a factor in the comment fields on the rather
extensive audit forms. The important thing is not to treat an audit as a
"thing that is done once". It is done, the first time. And usually this
points to the totally incomplete systems in place today and totally unaware
staff. That's fine (for audit purposes).
The audit should be accompanied by a report which highlights technical
breaches and areas we, at least, flag as "advisory" when providing results
to clients.
The next part of the process is prioritisation by the audited organisation
of lack of compliance versus business risk. And implementation!
On the anniversary of the first audit a further audit should be performed.
This can easily be by internal staff, or by a different auditor or different
organisation of auditors entirely. It shows(!) progress, and highlights
further areas for improvement. Audits become a desirable element, because
they show, or should show, continuous improvement.
What matters for an organisation is that the results of the audit are
communicated to the team internally, AND that it improves over time.
Remaining static is unlikely to provide a defence to charges unless it was
already perfect. Lack of audit shows zero interest in compliance, whether
notified or not.
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Ian Welton
Sent: Wednesday, February 18, 2004 2:41 PM
To: [log in to unmask]
Subject: Re: [data-protection] Where next?
Tim Trent on Wednesday, February 18, 2004 at 1:50 PM said:-
> Frankly it doesn't matter WHO does it. It matters THAT it is done.
And that generic information becoming available during the collection
process is utilised.
E.g. the ease of collection/update possibly used as a measure of the
accuracy of any risk analysis which may have been conducted. (Or as part of
a risk analysis)
Ian W
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^