Message
Ian,
 
In completing work recently for a major insurance company, the question was raised regarding the audit trail for positive consents for processing of sensitive data. The consent was captured by an agent, working on-line, with the data subject present. A paperless environment, with no opportunity for old-fashioned signatures! Tick boxes would also prove controversial, given that it would not be the data subject doing the ticking.
 
The guidance provided (and this is not in the Act!) was to ensure that where there was no hard copy audit trail present, a robust process could be demonstrated, showing that data subjects would always be provided with detailed fair processing information to allow explicit consent to be gained during the 'sign-up' conversation. This robust process includes records of training provided to the agents, and the 'scripting' they employ during the conversation.
 
Not strictly relevant, but hopefully of use.
 

Duncan S Smith
Principal Consultant

e-mail: [log in to unmask]
gsm: +44 (0)777 556 8180

Company Profiles
"The process of Improvement"
Company Profiles  Huntingdon UK +44(0)1480  461671

 
 
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Ian Welton
Sent: Monday, October 29, 2001 9:55 PM
To: [log in to unmask]
Subject: Audit Trails

Has anybody done any work on audit trail requirements for hard copy material?
 
Given that principle 7 requires all data controllers to provide sufficient audit trails to ensure the security of their data, for a data controller not to collect the relevant audit trail records for material within their control is a breach of principle.
 
In hard copy processes managing sensitive data, I perceive some difficulties. 
 
This is probably not dissimilar to computer audit trails across multiple individual data controllers where separate external organisations also have enquiry access.  The audit trail requirements may be difficult but they are still a requirement for the data controller to collect if they are to comply with the principles, BS7799 and each organisation's information security policies.
 
Hard copy files in an Occupational Health Unit are currently an area I am looking at, so I would appreciate any observations from others who may have already done this type of work, especially as relates to insurance type disclosures.
 
Ian W.