Whilst not disagreeing with the other posts I would go further and
argue that in fact we have 'explicit consent'. In the sense we are
talking about I do not see audit as a separate function but a necessary
and inherent part of the primary function.

So for example we collect and hold sensitive personal data for issuing
blue badges. We have explicit consent to process the data for that
purpose. But in my view that does not simply mean that the only person
who can view that data is the person who receives it, assesses and
verifies it, and issues the badge. It is also inherently visible to his/her
line manager / supervisor, e.g. as part of quality control, and also,
where the process needs to be audited for a regulatory requirement, by the
auditor.


Phillip Bradshaw
Information Manager
Clerk to the Council
Room CY4A, County Hall

Email: [log in to unmask]
Phone: 029 2087 3346
Mobile: 07890 265987
Fax: 029 2087 3349

Mae Cyhoeddi Cynnar yn Codi Canfod Cadarnhaol
Proactive Publishing Promotes Positive Perceptions

-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 06 October 2009 16:40
To: [log in to unmask]
Subject: Re: [data-protection] DP Exemptions for auditing purposes

I wouldn't be inclined to pussy-foot around. Of course internal audit
can see the files; that's their job. The issue is, how best to do that.
I think the absolute minimum might be:
    *    minimal intrusion - i.e. a sufficient sample to satisfy the
         audit, but no more
    *    strict confidentiality
    *    no impact on the individual (i.e. identifying details not
         included in any reports, for example)

In terms of Schedules 2 and 3 I can find no problem in meeting Condition
6 of Sch.2.  It's in your legitimate interests, and has no appreciable
effect on the Data Subject.  Schedule 3 is a bit harder, but Chris
Spray's proposal looks reasonable.

Principle 2 is not a problem.  Surely auditing is 'compatible' with the
original purpose, therefore there is no need to inform the Data Subject,
and no need for consent, although I believe some set-ups do allow people
the option of withholding their files from audit.  (They are asked at
the outset, when they are having confidentiality, etc, explained to
them.)

Data Protection very rarely (if ever) prevents you from doing the right
thing, and auditing (whether financial or for quality control), if done
properly, is clearly the right thing to be doing.


Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB


----- Original Message -----
From: "Ward, Ciaran" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, October 06, 2009 1:03 PM
Subject: DP Exemptions for auditing purposes


I've been asked to provide advice on whether our internal auditors
should be allowed access to look at volunteer registration forms and
records. These records contain sensitive personal data on medical
history and CRB checks.

I was initially of the view that the auditors shouldn't be allowed such
access, but then looked through the DPA for any loopholes and found the
following:

Section 31 on regulatory activity:

S. 31 (1) "Personal data processed for the purposes of discharging
functions to which this subsection applies are exempt from the subject
information provisions in any case to the extent to which the
application of those provisions to the data would be likely to prejudice
the proper discharge of those functions.

(2) Subsection (1) applies to any relevant function which is
designed -

(e) for securing the health, safety and welfare of persons at work, or

(f) for protecting persons other than persons at work against risk to
health or safety arising out of or in connection with the actions of
persons at work"

I would interpret these "functions" to include auditing.

Schedule 2 of the act covers "Conditions relevant for the...processing
of any personal data" which include cases where:

"The processing is necessary for compliance with any legal obligation to
which the data controller is subject"

or if processing is necessary:

"for the exercise of any functions conferred on any person by or under
any enactment"

As the Authority is the data controller in this case I would again
interpret legal obligations and functions mentioned above to include
auditing.

The internal auditor is treated as a member of the organisation who must
independently verify for management and the elected Members that our
systems of internal control work efficiently and effectively.

So I came to the conclusion under these provisions the auditors could
carry out the check without breaching DP laws.

Does anyone disagree or have any further comments to add?

Any feedback would be appreciated.

Thanks.

Ciaran Ward - Information Officer
Direct: 01992 709819 Mobile: 07845 872686

Lee Valley Regional Park Authority
Myddelton House, Bulls Cross, Enfield, Middlesex, EN2 9HG
Tel: 01992 717711 Fax: 01992 709922
www.leevalleypark.org.uk

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list
owner [log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^