Data Protection Audit

Last year we were commissioned to carry out a data protection audit for a large public company and we have been asked to repeat the exercise again this year.

The Data Protection Act 1998 defines the Law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK. It follows the European Union directive of 1995 which required Member States to protect people's fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data.

The Eight Data Principles are:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
   
   (a) at least one of the conditions in Schedule 2 is met, and
   (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
   
   
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
   
   
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
   
   
4. Personal data shall be accurate and, where necessary, kept up to date.
   
   
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
   
   
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
   
   
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
   
   
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
   
   

In auditing the requirements of the Act it was necessary to carry out two separate phases:

Adequacy Audit- Where the systems employed by the company were checked to see if they addressed all the requirements of the Act.

• Were the eight data protection principles addressed?
• Were there provisions for training of staff?
• Was the Company registered with the Information Commissioners Office?
• Was there a named Data Protection Officer?

Compliance Audit – where each of the eight data principles were tested to see what level of compliance had been achieved.

• What data was being processed?
• What level of Personal Data was being used?
• Had a risk assessment for data usage been undertaken?
• Did the staff understand what the eight data principles were?
• What training in the DPA (Data Protection Act) had taken place?
• What checks were in place to ensure the Act was being implemented?
• What action was required if a breach of the Act was suspected or had taken place?
• What corrective action would be taken to rectify a data breach?

Once the audit had been completed a number on non-conformities were declared and an action plan for rectification was agreed.

We checked back with the Company that the agreed actions had been completed and within the agreed timescale before concluding the audit.