JISCMail - DATA-PROTECTION Archives

Dave,

Thank you for your thoughts.

I hadn't done the maths myself, but when you put it that way noone could
realistically accept that all records must be exhaustively checked.

It is interesting however, that you have not received an accuracy check.  The
organisation I am associated with performs a check of data kept on main
computer system every 2-3 yrs by sending it out to all employees and asking
for an update.

Thanks,

Andrea

>===== Original Message From "Dave Wyatt" <[log in to unmask]> =====
>Andrea:
>
>Re data audit
>
>Whilst processing occurs on all data it is appears better to focus on the
>census problem from the direction of the purposes of processing using the
>Commissioners list of standard purposes. In general terms departments of
>organisations are set up to perform specific functions (purposes). There are
>also some general uses which are generally common across departments e.g.
>Employee data admin. I work in Insurance sector and we have several million
>records but the prime purposes of processing on customer  records are mainly
>Insurance Admin and Fraud prevention and Marketing. Under the 84 Act we all
>had to register our purposes so it gives us a reasonable starting point.
>Still not easy though.
>
>Manual files give an interesting challenge in what is the correct
>interpretation of the Act in relation to how you bring them into compliance
>with the principles by 2007. The Data quality principles such as accuracy,
>adequacy and retention seem impossible to fully comply with if taking the
>Act acts drafting at face value.
>
>I raised this is a presentation at the CBI in 1997 in respect of the costs
>for an organisation if vetting structured manual files. Estimating 8 million
>structured manual files (conservative estimate based on 1 per customer for
>our organisation pre merger) we would have to vet at a rate of 5000 a day
>currently to hit the 2007 compliance date. At only 15 mins a file one person
>can achieve 28 assessments in a 7 hour day (assuming they have something to
>check data against). This requires 178 persons per day full time on such a
>task until 2007 target. Assume a 260 day working year and ?4 an hour. Gives
>a wage bill of approx ?7.75 million. Government departments / NHS will have
>even more files to handle with costs to taxpayer. The estimates which were
>given to Parliament on the cost of the Act to UK business when it was
>drafted did not appear to use the same assessment base. Logical conclusion
>is that perhaps data controllers do not have to vet all structured manual
>files for accuracy / adequacy.
>
>How then do you comply unless historical research use arguable?
>
>The response from the Commissioners office on presenting these cost
>estimates was that this was an unrealistic approach and they did not expect
>an organisation to have to do this as this assumed chance of errors in every
>file (the Act as drafted does not appear to support this interpretation).
>Unfortunately they never clarified specifically how you acheive compliance
>without checking. The response I received later in converstation was to
>undertake to check files as they are recalled for use as this is the point
>when individuals may be impacted by the information they contain. This
>however is still no small task and not practical in many cases. I also do
>not believe that this has yet been publically stated as acceptable practice.
>
>Gives food for thought re what are the limits of practical steps on census
>and audit activities. The only saving grace is that a breach of principle
>only becomes an offence when enforced, so data controllers may get some
>further guidance as complaints arise.
>
>Will anyone comply or will all deal on a risk acceptance basis, if so the
>data subject has a strong hand. I as a data subject have received no
>requests by any organisation or government departments to assist confirming
>the accuracy of data held on me or indeed any requests for consents to hold
>the sensitive data. The implications are clear.
>
>David Wyatt
>
>
>
>> -----Original Message-----
>> From: This list is for those interested in Data Protection issues
>> [mailto:[log in to unmask]]On Behalf Of Andrea Owen
>> Sent: 15 March 2001 13:09
>> To: [log in to unmask]
>> Subject: EXISTING RECORDS
>>
>>
>> Has anyone had any experience of trying to audit existing
>> information?  I am trying to advise, realistically, how certain
>> departments should act in order to comply with the code, but am
>> faced with the fact that some departments have in the range of 1
>> million personal records to potentially check through.
>>
>> ??
>>
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>     If you wish to leave this list please send the command
>>        leave data-protection to [log in to unmask]
>>             All user commands can be found at : -
>>     www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
>> all commands go to [log in to unmask] not the list please!
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>

This message was sent by Andrea Owen

-----------------------
InterMutual Healthcare from Totalise. Peace of mind at an affordable price.
Visit http://www.intermutual.com/health/

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^