I'm a long-time reader of this mailgroup, but first-time contributor, so forgive
me for not introducing myself earlier. I work in the division of Deloitte & Touche that handles consultancy on IT risk, and have practical experience of providing DP audits to clients.
My main advice consists of two points:
1) Assume low quality of information without face-to-face help
Most organisations assume it is sufficient to give staff a quick briefing and then ask them to fill out a standard form. Having looked at the data compiled in real cases, do not underestimate how difficult it will be for untrained staff
to appreciate the importance or reason behind questions. The quality and kind of
answers given to "standard" questions will vary very greatly. It is very common
for staff (who have other, "better" things to do with their time) to underestimate the cases where personal data is held or processed by them.
I would always advise that, if you really want a reliable database of all information held, noting everyone who has access, you need to ensure there is some face-to-face review of what personal data is held by each department. As it is not feasible to do this with everyone, try to make someone within each department, who will have a good understanding of its workings, responsible for the data provided, and go through it face-to-face with them. If necessary, arrange a follow-up so they have time to find answers where they do not know them. The interview will improve information, by enabling you to standardise, remove repetition between departments, and ask questions based on what you would
expect from that department's workings and your general expectations.
2) Know why you are doing this audit
This question is rarely properly answered before the work begins. You need to know what you are hoping to achieve. Some (non-exclusive) answers are:
- improve registration
- identify some areas of non-compliance
- ensure overall compliance
- target training
- identify risk areas for detailed review
- harmonise and simplify record keeping
Remember also that compliance is based on what data is processed, not "held". A
database on what each member of staff holds may miss areas of non-compliance as a result.
Design your questions and interviews to meet your objective. Be realistic - the
more you intend to achieve, the more information you need, and the more work is required, on the part of the respondents (so you need increased buy-in) and on your part.
Hope this helps.
Eric Priezkalns
Enterprise Risk Services
Deloitte & Touche
______________________________ Reply Separator _________________________________
Subject: DP Audit
Author: [log in to unmask] at DTT.UK.INTERNET
Date: 19/10/2000 17:15
Good afternoon ladies & gentlemen,
Can anyone share with me their experiences of data protection audits? I am going to be contacting all staff asking them what types of manual and computerised records they hold. I am conscious of the need to avoid unnecessary paperwork. What are the problems involved with asking staff to complete a form via a staff intranet? Could I form some kind of database in this way? Any thoughts appreciated.
Sorry for the vagueness; I hope I have got my point across,
Matthew Nunn
DP Officer
---------------------------------------------------------------------
IMPORTANT NOTICE.
This communication contains information which is confidential
and may also be privileged.
It is for the exclusive use of the intended recipient(s).
If you are not the intended recipient(s) please note that any
form of distribution, copying or use of this communication or
the information in it is strictly prohibited and may be unlawful.
If you have received this communication in error please
return it to the sender.
We would be grateful if you would also copy the communication
to [log in to unmask] then delete the email
and destroy any copies of it.
This communication is from Deloitte & Touche whose principal office
is at Stonecutter Court, 1 Stonecutter Street, London EC4A 4TR, United
Kingdom. A list of partners' names is available at this address.
Authorised by the Institute of Chartered Accountants in England
and Wales to carry on investment business.