Whilst not disagreeing with the other posts, I would go further and argue that in fact we have 'explicit consent'. In the sense we are talking about, I do not see audit as a separate function but as a necessary and inherent part of the primary function. So, for example, we collect and hold sensitive personal data for issuing blue badges. We have explicit consent to process the data for that purpose. But in my view that does not simply mean that the only person who can view that data is the person who receives it, assesses and verifies it, and issues the badge. It is also inherently visible to his/her line manager/supervisor, e.g. as part of quality control, and also, where the process needs to be audited for a regulatory requirement, by the auditor.

Phillip Bradshaw
Information Manager
Clerk to the Council
Room CY4A, County Hall
Email: [log in to unmask]
Phone: 029 2087 3346
Mobile: 07890 265987
Fax: 029 2087 3349

Proactive Publishing Promotes Positive Perceptions

-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 06 October 2009 16:40
To: [log in to unmask]
Subject: Re: [data-protection] DP Exemptions for auditing purposes

I wouldn't be inclined to pussy-foot around. Of course internal audit can see the files; that's their job. The issue is how best to do that. I think the absolute minimum might be:

* minimal intrusion - i.e. a sufficient sample to satisfy the audit, but no more
* strict confidentiality
* no impact on the individual (i.e. identifying details not included in any reports, for example)

In terms of Schedules 2 and 3, I can find no problem in meeting Condition 6 of Sch. 2. It's in your legitimate interests, and has no appreciable effect on the Data Subject. Schedule 3 is a bit harder, but Chris Spray's proposal looks reasonable. Principle 2 is not a problem. Surely auditing is 'compatible' with the original purpose, therefore there is no need to inform the Data Subject, and no need for consent, although I believe some set-ups do allow people the option of withholding their files from audit. (They are asked at the outset, when they are having confidentiality, etc., explained to them.)

Data Protection very rarely (if ever) prevents you from doing the right thing, and auditing (whether financial or for quality control), if done properly, is clearly the right thing to be doing.

Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB

----- Original Message -----
From: "Ward, Ciaran" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, October 06, 2009 1:03 PM
Subject: DP Exemptions for auditing purposes

I've been asked to provide advice on whether our internal auditors should be allowed access to look at volunteer registration forms and records. These records contain sensitive personal data on medical history and CRB checks. I was initially of the view that the auditors shouldn't be allowed such access, but then looked through the DPA for any loopholes and found the following:

Section 31 on regulatory activity:

S. 31 (1) "Personal data processed for the purposes of discharging functions to which this subsection applies are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.

(2) Subsection (1) applies to any relevant function which is designed -

(e) for securing the health, safety and welfare of persons at work, or
(f) for protecting persons other than persons at work against risk to health or safety arising out of or in connection with the actions of persons at work"

I would interpret these "functions" to include auditing.

Schedule 2 of the Act covers "Conditions relevant for the...processing of any personal data", which include cases where:

"The processing is necessary for compliance with any legal obligation to which the data controller is subject"

or if processing is necessary:

"for the exercise of any functions conferred on any person by or under any enactment"

As the Authority is the data controller in this case, I would again interpret the legal obligations and functions mentioned above to include auditing. The internal auditor is treated as a member of the organisation who must independently verify for management and the elected Members that our systems of internal control work efficiently and effectively. So I came to the conclusion that under these provisions the auditors could carry out the check without breaching DP laws.

Does anyone disagree or have any further comments to add? Any feedback would be appreciated. Thanks.

Ciaran Ward - Information Officer
Direct: 01992 709819
Mobile: 07845 872686
Lee Valley Regional Park Authority
Myddelton House, Bulls Cross, Enfield, Middlesex, EN2 9HG
Tel: 01992 717711
Fax: 01992 709922
www.leevalleypark.org.uk
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command: SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^