Credit Unions - Data Protection Commissioner

The Good Practice Guide – what we look for during an Audit of a Credit Union
Billy Hawkes
Data Protection Commissioner
Credit Unions
Why Audit?
• Part of overall supervision strategy
– Accountability of Organisations
• “Selective to be Effective”
• Assist organisation audited
• Draw lessons for Sector
• Improve Sectoral Guidance
Audit Statistics (number of audits per year)
Year   Audits
2005   -
2006   3
2007   8
2008   25
2009   28
2010   30
2011   33
2012   28
Range of organisations audited
• Department of Social Protection
• Customs Information System (CIS)
• Local Authorities
• Schools
• Sporting Bodies
• Credit Unions
• Banks
• Health Sector
• Charities
• Supermarkets
• LinkedIn
• Facebook
Key recommendations in Credit Union Audit Reports
• Data Controller/Processor Contracts (section 2C)
• Data Retention Policy
• Network Security
• CCTV
• Recording of Calls
• Audit Trails
Audit Resource
To assist organisations selected for audit
by the Irish DPA
http://www.dataprotection.ie/documents/enforcement/Audit
Resource.pdf
Appendices
• Sample Illustrative Audit Questions
• Self-Help Checklist on Data Protection Policy
• Common Audit Recommendations
• “Need to Know” Access Control Policies
• Internal Access Security Checklist
Data Breaches
• Data Security Breach Code of Practice: non-mandatory, but it is recommended that all breaches be reported to the DPA
http://www.dataprotection.ie/docs/07/07/10__Data_Security_Breach_Code_of_Practice/1082.htm
• Breach Notification Guidance – ePrivacy Regulations 2011 (SI 336 of 2011)
http://www.dataprotection.ie/docs/Breach_Notification_Guidance/901.htm
Selection Criteria
• Sectoral / Geographical approach
• Complaints
• Media reports - public interest
• Developing Data Protection Codes of Practice
Selecting Organisation for Audit
• Informal contact with Organisation
• Letter of intention to audit
• Date and time for audit
• Duration of audit
Pre-audit Planning and Scope
• Request for documentation
• Examine received documentation
• Check Data Protection registration details
Pre-audit Planning and Scope
• Check for any ongoing or previous complaints
• In house discussion to determine potential issues
• Assign appropriate personnel for audit (2)
• Engage external expertise?
Pre-audit Planning and Scope
• Develop audit manual for inspection team (audit resource document appendix 8)
• Questions based on the eight Data Protection principles
• Possible pre-audit ‘overview’ meeting
Data Protection Acts 1988 & 2003 Section 10(1A)
"The Commissioner may carry out or cause to be
carried out such investigations as he or she
considers appropriate in order to ensure
compliance with the provisions of this Act and to
identify any contravention thereof".
Data Protection Acts 1988 & 2003 Section 24
All authorised officers have specific powers
and associated rights of access, including:
• Arriving unannounced at the premises of a
particular data controller or data
processor
• Inspecting, copying or taking extracts of
data.
The Audit
• Co-operative
• Face to face discussion
• Audit an aid to both parties
• Opportunity for target organisation to raise Data Protection issues
‘Amicable Resolution’
• Strong enforcement powers if necessary to
achieve compliance.
• Irish approach: “speak softly but carry a
big stick”
• Achieve “best practice” rather than mere compliance.
• “Best practice” cannot be enforced; only compliance can.
The Audit – High Level
• Meet with Managers with relevant responsibility /
expertise of the areas under inspection
• Introduction and step through of areas to be covered
in the audit
• Examine high level data protection policies
The Audit – Local Level
• Meet with local managers & frontline staff with
responsibility/expertise of the areas under inspection
• Discuss data protection policies locally
• Meet staff with day to day experience of local
procedures
The Audit
Question?
Does High Level Policy
= Local Level Procedure?
Audit Process
• An organisation selected for audit is usually given a number of weeks’ notice of the audit.
• It may be asked to provide in advance any relevant documentation on its data protection practices.
• The audit normally includes one or more on-site visits by an audit team from the Office. During these visits, the Audit Team will meet with selected staff of the organisation. They will also usually inspect electronic and manual records.
The Audit
• Draft report issued
• Follow up questions
- clarification
• In house discussion
• Final report issued
The Audit - Recommendations
• Data Retention Policy
• Data Collection Methods
• Staff Training and Awareness
• Use of PPSN
• Transfers of personal data to/from third parties
The Audit - Recommendations
• Policies relating to the disclosure of personal data
• Security of data including access controls
• Appropriate data controller to data processor contracts
• Disclosure and breach policies
• CCTV
The Audit – Follow up
• Audit noted in Commissioner’s Annual Report
• Further contact with organisation re:
implementation of Report recommendations
• Follow-up audit if necessary
How to prepare for an audit
• Read our Audit resource
http://www.dataprotection.ie/viewdoc.asp?DocID=894&m=f
• Self assess against the questions posed in the Audit resource before we arrive!
• Be open and transparent with us.
• Ensure all staff are aware of the powers to inspect personal data available to the audit Team
Key Areas of Recommendations in Credit Union Audit Reports
• Use of PPSN
• Data Controller/Processor Contracts (section 2C)
• Data Retention Policy
• Network Security
• CCTV
• Recording of Calls
• Audit Trails
Guidance – Key Points (1)
• The Board of Management is the entity legally
responsible for how the credit union as a data
controller processes all personal information
– Not the Manager or staff
Guidance – Key Points (2)
The Board of Management in each credit union
should ensure a Data Protection Policy is
drawn up outlining how all personal data is
processed within the credit union.
Guidance – Key Points (3)
PPSNs:
• Provision of PPSN not mandatory to set up
membership account
• Detailed guidance re PPSNs issued to ILCU/CUDA
August 2010
Guidance – Key Points (4)
Copies of photo id may be sought for anti-money
laundering purposes (Criminal Justice Act, 1994) but
the practice where members have their photograph
taken and scanned onto CU systems should not be
mandatory. All members should be given an
opportunity to refuse consent.
Guidance – Key Points (5)
• Contracts should be drawn up and signed between
credit unions and all third parties processing personal
data on behalf of credit union e.g. debt collection
services.
• Any processing of information by debt collectors,
when undertaken on behalf of a credit union must be
undertaken in full compliance with the Data
Protection Acts.
Guidance – Key Points (6)
• If a credit union is using a debt collector, under the
Data Protection Acts 1988 & 2003, the debt collector
must be registered with the Office of the Data
Protection Commissioner as a data processor.
• If a credit union uses an unregistered debt collector,
the credit union is disclosing the information to a debt
collector who is already breaching the law.
Published Audit Reports
Department of Social Protection
Office of the Revenue Commissioners
Facebook
Carlow Institute of Technology
http://www.dataprotection.ie/docs/AuditReports/1293.htm
Thank You
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall 1890 252231
057 8684800
Fax:
057 8684757
Email:
info@dataprotection.ie
Website: www.dataprotection.ie