Tuesday, August 26, 2008

Privacy Audits

OPINION: With the recent incident surrounding the loss of data on a USB memory stick, one of the discussions that has been absent from the debate is privacy audits of government departments. What do I mean by privacy audits? This is often referred to as a "Privacy Impact Assessment":

"PIAs are a process of ensuring that privacy concerns are identified at the early stage of an initiative so that these can be addressed and safeguards built in rather than bolted on as an expensive afterthought. We have called for the use of these in the past with major public policy developments like ID cards and reinforced the need for these impact assessments in evidence to parliamentary enquiries and in our other publications such as the Information Sharing Framework Code of Practice.

PIAs go wider than simply a data protection compliance check and are aimed at looking at all aspects affecting privacy. The approach we are recommending involves a number of elements including an initial screening process and, depending upon the results, two possible levels of assessment (small scale and full scale) together with a data protection law checklist. The important thing about PIAs is the process of undertaking the assessment where the organisation considers the impact on privacy and whether there are more privacy friendly alternatives. Although a report is produced at the end and is usually published, this will not be subject to an approval process by the ICO."

Other than the handbook, some of the basic procedures still need to be addressed:

1) WHO are your data protection officers? HOW regularly is training on data protection law provided?

2) What are the security procedures? Do we understand the data protection principles laid down under the Data Protection Act 1998? In particular, the 7th Data Protection principle, which provides that
"appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

3) What are the complaints procedures? How many data subject access requests do we have? Do we keep a regular record? Is personal information accessible on the internet?

A privacy compliance check is available here, but certainly more needs to be done: not simply at an organisational level, but also through a recognition that privacy (the storage of personal information) must be maintained securely.
