The Data Protection Commissioner (the DPC) has published new guidance on its powers to carry out privacy audits into organisations' data protection compliance.
The legal basis for audits by the DPC is contained in Section 10 (1A) of the Data Protection Acts 1988 and 2003 (the Acts), which provides that:
"The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and the Electronic Communications Networks and Services Regulations of 2003 and to identify any contravention thereof."
An organisation selected for an audit is usually given a number of weeks' notice. However, the DPC is also empowered to carry out unscheduled inspections pursuant to section 24 of the Acts.
The purpose of audits is to detect any weaknesses in how organisations handle personal data and reduce the likelihood of potential breaches of the Acts. At the close of an audit, the audit team produces a written report, with its findings and recommendations aimed at improving data protection practices. The preparation for an audit, the questions from the audit team, and the final Audit Report, all serve to increase awareness within organisations of data protection responsibilities.
The DPC has taken a proactive role with regard to privacy audits. During 2013, the Commissioner carried out 44 scheduled audits and inspections (a 10% increase on 2012). The DPC's Annual Report for 2013 notes that the factors used to select audit targets include the amount and nature of personal data processed by an organisation, and the number of complaints and enquiries about it received by the DPC.
The guide will no doubt serve as a useful tool for organisations selected for an audit by the DPC to prepare for it. The appendices to the guide contain sample audit questions and checklists, which enable organisations to conduct self-assessments of their compliance with their data protection obligations.