
Conducting an Effective Internal Privacy Audit

Jul 22, 2008
Before an organization can truly dedicate itself to the principles of privacy protection, it needs to take stock of its personal information holdings and the procedures it currently has in place. And in order to move forward on this road to privacy compliance, an organization needs to ask three basic questions: What type of personal information do we hold, where is it stored and how is it managed?

Enter the privacy audit. An audit allows an organization to take inventory of its personal information databank, identify the information needs of the different functions within the organization and understand current information practices, including how and why personal information is collected, used and disclosed. In establishing and conducting a privacy audit, an organization should make sure to keep one basic truism in mind: employees generally do what you inspect, not what you expect!

An internal privacy audit provides a critical self-assessment. It is essential to stress to staff members who have been asked to participate in the audit that they should have no fear of "failing a test" or being called to task for any of their current practices. On the contrary, what an organization needs to focus on at this stage is developing a comprehensive and accurate inventory, one that requires no judgments and no right or wrong answers. The primary objective of the audit must be reinforced: To collect information on current practices that can inform the planning and decision-making process regarding the future application of privacy best practices within the organization.

Once current on-line and off-line practices across the organization are understood, a comprehensive risk assessment can be undertaken. Business practices can be evaluated to identify the gaps in compliance with best practice benchmarks. Based on the level of risk, action steps and timelines for compliance initiatives can be prioritized.

To be most effective, privacy audits must be conducted by someone familiar with privacy issues but not heavily involved in managing day to day operations, such as the privacy office or an internal audit group.

Taking Inventory

The audit begins by taking an inventory of the personal information records currently in existence and of the organization's information management policies and practices. In some situations, the organization may collect personal information from a wide range of sources, such as customers, partners, contractors, employees, vendors, and even the public at large. Each department in the organization needs to be scrutinized by way of this inventory process in order to determine how and why personal information is collected and used; whether consents were obtained and what form they took; how that information is safeguarded; how long it is retained; and to whom it is released and why.

For an effective inventory, all documentation used to collect and disclose personal information in the course of day-to-day business operations must be reviewed. This important step consists of examining all forms, contracts, confidentiality agreements, third-party assignments, privacy codes of practice, written procedures, fax and e-mail templates etc. By assessing each carefully, one can determine whether the documents are complete and comprehensive in terms of privacy protection or whether they need to be re-drafted or revamped.

It is important when conducting the audit to examine personal information records held in hardcopy, in system folders and other electronic media, as well as any online collections or disclosures. Organizations need to think through all the methods through which personal information is collected. Some examples include:

- Order forms or application forms
- Contests
- E-mails
- Surveys
- Warranties
- Delivery services
- Websites
- Call centre activity and recordings
- Loyalty or referral programs

One of the critical questions that needs to be answered during the audit is: What are the information needs of the different departments within the organization? Staff interviews, employee surveys and group discussions can help answer this question. By talking to employees, one can get a good sense not only of the formal practices, but also of the informal, accepted norms adopted by the department.

Potential Audit Questions:

- How does your organization (or unit or department) collect personal information?
- Why does your organization collect personal information?
- Are individuals made aware that the organization is collecting their personal information?
- If so, are individuals informed of the purpose(s) for collecting their personal information?
- Is consent obtained from individuals before collecting or using their personal information? If so, what methods are used to obtain that consent?
- How does the organization use personal information?
- To whom does the organization disclose the personal information?
- Are individuals informed of the intended uses and disclosures of their personal information? If so, what methods are used to inform them?
- Is the personal information held by the organization accurate, complete and up-to-date?
- How does the organization store personal information? Where is it stored?
- Who has access to personal information held by the organization and who truly needs to have that access?
- Does the organization have measures in place to protect the personal information it holds from unauthorized access, collection, use, disclosure or modification?
- How long does the organization retain personal information?
- How does the organization destroy or dispose of personal information?
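
The questions above on where personal information is stored, who can reach it and how long it is kept, together with the earlier direction to examine records held in system folders and other electronic media, reduce to one practical task: finding the files that actually contain personal information and recording where each one sits, who can read it and how old it is. The script below is an added example written for this page; it is not part of the original article or of the author's audit methodology. It walks a directory tree, flags files containing e-mail addresses, phone numbers or payment card numbers (card candidates are validated with the Luhn checksum so that arbitrary runs of digits are not reported), and records the file owner, whether the file is world-readable, and its age in days for each hit. The regular expressions are illustrative assumptions rather than a complete definition of personal information, the sample files and every name and number in them are constructed for the demonstration, and the file-mode check is only a coarse proxy for "who has access"; it does not replace reviewing the real access control lists.

```python
"""Added example: inventory scanner for personal information in electronic records.

Walks a directory tree, flags files that contain likely personal information
(e-mail addresses, phone numbers, payment card numbers that pass the Luhn
check) and records, for each hit, the facts the audit questions ask about:
where the record lives, who owns it, whether everyone on the host can read it
(a proxy for "who has access"), and how old it is (a retention signal).
The sample files scanned below are constructed; none of the data is real.
"""
import os
import re
import stat
import tempfile
import time

# Illustrative patterns (assumptions, not an exhaustive PII definition).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count each kind of personal information found in text."""
    cards = [m for m in CARD_RE.findall(text)
             if luhn_ok(re.sub(r"\D", "", m))]
    # Blank out long digit runs before the phone scan so nothing is double counted.
    stripped = CARD_RE.sub(" ", text)
    found = {
        "email": len(EMAIL_RE.findall(text)),
        "phone": len(PHONE_RE.findall(stripped)),
        "card": len(cards),
    }
    return {k: v for k, v in found.items() if v}


def scan_file(path: str, root: str):
    """Inventory one file; return None if it holds no personal information."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return None
    kinds = classify(text)
    if not kinds:
        return None
    st = os.stat(path)
    return {
        "path": os.path.relpath(path, root),
        "kinds": kinds,
        "owner_uid": st.st_uid,
        "world_readable": bool(st.st_mode & stat.S_IROTH),
        "age_days": int((time.time() - st.st_mtime) // 86400),
    }


def scan_tree(root: str) -> list:
    """Return an inventory record for every file under root that holds personal information."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            rec = scan_file(os.path.join(dirpath, name), root)
            if rec:
                records.append(rec)
    return records


# Constructed sample files; the person, addresses and numbers are invented.
SAMPLE_FILES = {
    "sales/orders-2007.csv": "id,name,email,phone\n1,A. Example,a.example@example.com,416-555-0100\n",
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111 approved.\n",
    "it/build.log": "Build 1234567890123456 finished in 42s\n",  # digits, but fails Luhn
    "hr/handbook.txt": "Welcome to the company.\n",
}


def build_sample_tree(root: str) -> None:
    """Write the constructed sample files and set age and mode to exercise the checks."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    old = os.path.join(root, "sales/orders-2007.csv")
    three_years_ago = time.time() - 3 * 365 * 86400
    os.utime(old, (three_years_ago, three_years_ago))  # stale record: retention signal
    os.chmod(old, 0o600)                                 # owner-only access
    os.chmod(os.path.join(root, "finance/refunds.txt"), 0o644)  # readable by everyone


def run_demo() -> list:
    """Build the sample tree in a temporary directory, scan it and return the inventory."""
    root = tempfile.mkdtemp(prefix="pi-audit-")
    build_sample_tree(root)
    inventory = scan_tree(root)
    for rec in inventory:
        print(f"{rec['path']}: {rec['kinds']} uid={rec['owner_uid']} "
              f"world_readable={rec['world_readable']} age_days={rec['age_days']}")
    return inventory


if __name__ == "__main__":
    run_demo()
```

Run as-is, the script reports only the order file and the refund file: the build log contains a sixteen-digit run that fails the Luhn check, and the handbook contains no personal information at all. The two records that are reported carry the facts the audit report needs, which is the point: a stale, owner-only customer file and a fresh, world-readable file holding a card number call for different follow-up actions.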

With the audit steps complete, a report is then created, summarizing the results and providing recommendations for the organization to follow based on the areas that need greater focus. Effectively, the report helps the organization devise a thorough and comprehensive privacy plan of attack, one that responds effectively to the organization's particular needs, and that helps it move forward in the direction of achieving a strong privacy management program.
About the Author
Fazila Nurani is a privacy consultant, lawyer and lead trainer with PrivaTech Consulting. Fazila has conducted privacy audits in a wide range of industries. She advises organizations on privacy best practices, and reducing the risk of a privacy or information security breach. She may be reached at +1.905.886.0751 or fnurani@privatech.ca.