Powers of the DPC
The Data Protection Commissioner (the “DPC”) has specific investigative powers under the Data Protection Acts 1988 and 2003 (the “Acts”), such as the power of authorised officers to inspect the premises of data controllers or data processors, to test any data storage or processing equipment on the premises, to access data and to obtain any information necessary for the performance of their duties. These powers may be exercised by the DPC in a number of ways: through a scheduled audit, through an ‘on the spot’ inspection, or through a formal investigation of a complaint, for which the DPC issues a formal legal notice. In January 2009, the DPC published a useful guide to data protection audits, entitled Data Protection Audit Resource.
Purpose of DPC audits
The DPC undertakes audits to:
- ensure appropriate policies and procedures are in place for the processing of personal data;
- ensure that the entity is complying with these policies and procedures;
- test whether there are adequate controls in place;
- identify breaches in compliance, whether actual or potential; and
- make recommendations for changes in policies and procedures.
A number of measures are open to the DPC to ensure compliance with the Acts following an audit. The DPC may seek corrective measures (such as rectification, blocking or deletion of data) and may issue recommendations of an advisory nature. However, unlike the Information Commissioner in the UK, the DPC does not issue administrative fines. The DPC may also issue public statements and warnings, and may publish the principal findings of an audit in his annual report. Such publication, and the reputational damage it is likely to entail, often acts as a deterrent in itself. As a last resort, the DPC may use his legal enforcement powers to bring about a change in policy or practice.
Types of entity audited and prevalence of audits
The DPC has audited a wide range of entities, including county councils, GAA clubs, airlines, hostels, insurance companies, universities and law firms. Twenty-eight audits were carried out in 2011, compared with just two in 2003, and there is no indication that this significant increase in the number of entities audited is set to slow.
Audit target list
An audit target list is maintained by the audit unit of the DPC. Entities are added to the list for a wide range of reasons. For example, the DPC might receive a complaint in relation to a particular entity; it might become known to the DPC that an entity holds a substantial amount of personal data; or media reports might come to light featuring specific allegations in relation to a particular entity or sector.
On the spot inspections
In some instances, the DPC may use the powers conferred under the Acts to send an inspection team of authorised officers, unannounced, to the premises of a particular data controller or data processor. In such cases, the authorised officers will carry official photo identification and a signed letter from the DPC on headed paper. On arrival, the authorised officers must immediately inform the data controller or data processor of their intention to audit the entity.
The DPC audit team uses a questionnaire-based approach. Most questions are typically structured around the eight data protection principles in the Acts. This is in addition to visual inspections and examinations of selected uses of personal data within the audited entity. An inspection of security procedures will also be undertaken. A “targeted” compliance audit focuses on a particular issue (or issues) of concern that the audit team has been alerted to in advance, whereas a “general” compliance audit covers the whole range of data protection issues.
For a scheduled audit, the DPC will issue a letter of intention to audit to the entity selected for inspection, setting out the date of the inspection. The letter of intention to audit will also request that the entity forward to the inspection team, in advance of the inspection, “any documented data protection policies, codes of practice, guidelines, website privacy statements or privacy-related training materials”.
On the day of the inspection, the authorised officers will arrive at the premises of the entity to be audited and present their official photo identification. If the audit is an “on the spot” inspection, the authorised officers will also produce a signed letter from the Commissioner on headed paper bearing the office logo.
After the inspection has been completed, the audit team will indicate to the audited entity that a draft report will issue within a given time frame (usually 10 weeks). The draft report may contain requests for further clarification from the audited entity. The audited entity will also have the opportunity to submit its own view of the areas and practices assessed. The draft report will issue with a deadline for responses.
The final report will contain an account of the units or areas visited by the inspection team and a description of data protection practices. The final section of the report usually outlines the DPC’s findings, as well as containing a set of recommendations.
After the DPC has issued its final report, audited entities should expect to be contacted by staff from the DPC for an audit follow-up. Audit follow-up procedures establish what actions have been taken by the entities to implement the recommendations as set out in the final audit report and may require a repeat inspection.
All authorised officers carry corresponding obligations of confidentiality in respect of the personal data they view or copy in the course of their investigations. The Acts provide that an authorised officer shall not, without the consent of the person to whom it relates, disclose to any person other than the DPC any information obtained in his or her capacity as an authorised officer that could reasonably be regarded as confidential. An authorised officer who contravenes this provision is guilty of an offence.
It is the current practice of the DPC to treat audit reports as confidential documents. Audit reports are therefore not published by the DPC, although the audited entity is free to publish its own report. However, the DPC reserves the right to comment on any aspect of a particular named audit in the annual report and has absolute privilege in this respect. For example, in its 2011 Annual Report, the DPC commented on its audits of Facebook Ireland and INFOSYS and also mentioned that it had audited a number of named entities, including the Dublin GAA County Board, the Grand Lodge of the Masons of Ireland and a number of law firms.
Common Audit Recommendations
In its audit of Google in July 2011, the Information Commissioner’s Office in the UK recommended that Google provide a “privacy story” for each new product to ensure users have information about product privacy features. Similar recommendations have been made in Ireland. The DPC listed the following common audit recommendations in the Data Protection Audit Resource:
- A centralised function with responsibility for data protection matters should be established within the entity (for example, in its audit of the Revenue Commissioners conducted between November 2008 and May 2009, the DPC praised the presence of a “dedicated Data Protection Unit, with designated contact points in the event of any issues”);
- Formal staff training on the requirements of data protection legislation should be in place at the induction stage for all employees;
- Entities should have specific criteria in place for judging what personal information is adequate, relevant and not excessive for the purpose for which it is held;
- Consistency with regard to marketing opt-ins and opt-outs should be applied across all channels;
- All significant data protection incidents involving a security breach should be reported to the DPC immediately. This is in line with the Breach Notification Guidance published by the DPC, which states that all incidents in which personal data has been put at risk should be reported to the Office of the Data Protection Commissioner. The only exception is where the data subjects have already been informed, the loss affects no more than 100 data subjects, and the loss involves only non-sensitive, non-financial personal data. The Guidance sets a time frame of two days for a data controller to inform the Office of the Data Protection Commissioner once the data controller has become aware that personal data has been put at risk;
- A laptop security policy should be in place accompanied by an inventory listing the type of personal information held on each laptop. The laptop security policy should outline access controls in place including encryption;
- All disk drives and USB ports on all staff computers should be disabled, unless there is a clearly defined and compelling business reason for them to be accessible;
- Appropriate audit trails, logging both access to and amendments of personal data, should be implemented on all relevant systems within the entity;
- Appropriate measures should be put in place to limit access to sensitive personal data to those staff with a strict and direct business need for it; and
- Where telephone conversations are being recorded, the customer should be made clearly aware of this practice at the outset of the call.