1 / 36

The Good Practice Guide – what we look for during an Audit of a Credit Union

The Good Practice Guide – what we look for during an Audit of a Credit Union. Billy Hawkes Data Protection Commissioner. Credit Unions. Why Audit?. Part of overall supervision strategy Accountability of Organisations “Selective to be Effective” Assist organisation audited

elsa
Download Presentation

The Good Practice Guide – what we look for during an Audit of a Credit Union

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Good Practice Guide – what we look for during an Audit of a Credit Union Billy Hawkes Data Protection Commissioner Credit Unions

  2. Why Audit? • Part of overall supervision strategy • Accountability of Organisations • “Selective to be Effective” • Assist organisation audited • Draw lessons for Sector • Improve Sectoral Guidance

  3. Audit Statistics 2005 - 3 2006 - 8 2007 - 25 2008 - 28 2009 - 30 2010 - 33 2011 - 28 2012 - 40

  4. Department of Social Protection Customs Information System (CIS) Local Authorities Schools Sporting Bodies Range of organisations audited. • Credit Unions • Banks • Health Sector • Charities • Supermarkets • LinkedIn • Facebook

  5. Data Controller/Processor Contracts (section 2C) Data Retention Policy Key recommendations in Credit Union Audit Reports • Network Security • CCTV • Recording of Calls • Audit Trails

  6. Audit Resource To assist organisations selected for audit by the Irish DPA http://www.dataprotection.ie/documents/enforcement/AuditResource.pdf

  7. Appendices • Sample Illustrative Audit Questions • Self-Help Checklist on Data Protection Policy • Common Audit Recommendations • “Need to Know” Access Control Policies • Internal Access Security Checklist

  8. Data Breaches Data Security Breach Code of Practice: non-mandatory but recommended all breaches reported to DPA http://www.dataprotection.ie/docs/07/07/10_-_Data_Security_Breach_Code_of_Practice/1082.htm • Breach Notification Guidance- ePrivacy Regulations 2011 (SI 336 of 2011) http://www.dataprotection.ie/docs/Breach_Notification_Guidance/901.htm

  9. Selection Criteria • Sectoral / Geographical approach • Complaints • Media reports - public interest • Developing Data Protection Codes of Practice

  10. Selecting Organisation for Audit • Informal contact with Organisation • Letter of intention to audit • Date and time for audit • Duration of audit

  11. Pre-audit Planning and Scope • Request for documentation • Examine received documentation • Check Data Protection registration details

  12. Pre-audit Planning and Scope • Check for any ongoing or previous complaints • In house discussion to determine potential issues • Assign appropriate personnel for audit (2) • Engage external expertise?

  13. Pre-audit Planning and Scope • Develop audit manual for inspection team (audit resource document appendix 8) • Questions based on the eight Data Protection principles • Possible pre-audit ‘overview’ meeting

  14. Data Protection Acts 1988 & 2003 - Section 10(1A) "The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof".

  15. Data Protection Acts 1988 & 2003 - Section 24 All authorised officers have specific powers and associated rights of access, including: • Arriving unannounced at the premises of a particular data controller or data processor • Inspecting, copying or taking extracts of data.

  16. The Audit • Co-operative • Face to face discussion • Audit an aid to both parties • Opportunity for target organisation to raise Data Protection issues

  17. ‘Amicable Resolution’ • Strong enforcement powers if necessary to achieve compliance. • Irish approach: “speak softly but carry a big stick” • Achieve “best practice” rather than mere compliance. • “Best practice” cannot not be enforced.

  18. The Audit – High Level • Meet with Managers with relevant responsibility / expertise of the areas under inspection • Introduction and step through of areas to be covered in the audit • Examine high level data protection policies

  19. The Audit – Local Level • Meet with local managers & frontline staff with responsibility/expertise of the areas under inspection • Discuss data protection policies locally • Meet staff with day to day experience of local procedures

  20. The Audit Question? Does High Level Policy = Local Level Procedure?

  21. Audit Process • An organisation selected for audit is usually given a number of weeks notice of the audit.  • They may be asked to provide in advance any relevant documentation on its data protection practices.  • The audit normally includes one or more on-site visits by an audit team from the Office. During these visits, the Audit Team will meet with selected staff of the organisation. They will also usually inspect electronic and manual records.

  22. The Audit • Draft report issued • Follow up questions - clarification • In house discussion • Final report issued

  23. The Audit - Recommendations • Data Retention Policy • Data Collection Methods • Staff Training and Awareness • Use of PPSN • Transfers of personal data to/from third parties

  24. The Audit - Recommendations • Policies relating to the disclosure of personal data • Security of data including access controls • Appropriate data controller to data processor contracts • Disclosure and breach policies • CCTV

  25. The Audit – Follow up • Audit noted in Commissioner’s Annual Report • Further contact with organisation re: implementation of Report recommendations • Follow-up audit if necessary

  26. How to prepare for an audit • Read our Audit resource http://www.dataprotection.ie/viewdoc.asp?DocID=894&m=f • Self assess against the questions posed in the Audit resource before we arrive! • Be open and transparent with us. • Ensure all staff are aware of the powers to inspect personal data available to the audit Team

  27. Use of PPSN: Data Controller/Processor Contracts (section 2C) Data Retention Policy Key Areas of Recommendations in Credit Union Audit Reports • Network Security • CCTV • Recording of Calls • Audit Trails

  28. Guidance – Key Points (1) • The Board of Management is the entity legally responsible for how the credit union as a data controller processes all personal information • Not the Manager or staff

  29. Guidance – Key Points (2) The Board of Management in each credit union should ensure a Data Protection Policy is drawn up outlining how all personal data is processed within the credit union.

  30. Guidance – Key Points (3) PPSNs: • Provision of PPSN not mandatory to set up membership account • Detailed guidance re PPSNs issued to ILCU/CUDA August 2010

  31. Guidance – Key Points (4) Copies of photo id may be sought for anti-money laundering purposes (Criminal Justice Act, 1994) but the practice where members have their photograph taken and scanned onto CU systems should not be mandatory. All members should be given an opportunity to refuse consent.

  32. Guidance – Key Points (5) • Contracts should be drawn up and signed between credit unions and all third parties processing personal data on behalf of credit union e.g. debt collection services. • Any processing of information by debt collectors, when undertaken on behalf of a credit union must be undertaken in full compliance with the Data Protection Acts.

  33. Guidance – Key Points (6) • If a credit union is using a debt collector, under the Data Protection Acts 1988 & 2003, the debt collector must be registered with the Office of the Data Protection Commissioner as a data processor. • If a credit union uses an unregistered debt collector, the credit union is disclosing the information to a debt collector who is already breaching the law.

  34. Published Audit Reports Department of Social Protection Office of the Revenue Commissioners Facebook Carlow Institute of Technology http://www.dataprotection.ie/docs/Audit- Reports/1293.htm

  35. Thank You Office of the Data Protection Commissioner Canal House Station Road Portarlington Co Laois Phone: LoCall 1890 252231 057 8684800 Fax: 057 8684757 Email: info@dataprotection.ie Website: www.dataprotection.ie

More Related