General overview on the conduct of audits
1. Introduction
Monitoring data controllers and ensuring that they take appropriate security measures, in accordance with law, is of course one aspect of effective enforcement. Monitoring tasks can broadly be distinguished between two different types, i.e. audits and inspections. An Audit is a encompassing and detailed form of monitoring performed in accordance with a certain methodology. Inspections on the other hand consists basically of a field visitation to a controllers premises and a routine questioning regarding the security of his processing. The aim of this paper is to illustrate the process of audits.
The Icelandic DPA has issued rules no. 299/2001, on the security of personal data, to further specify the obligations laid down in Article 11 of the Data Protection Act no. 77/2000. These rules incorporate, in a very simplified form, the methodology of the International Standard ISO/IEC 17799 "Information technology – Code of practice for information security management", which was prepared by the British Standards Institution (as BS 7799). The DPA conducts audits within the framework of rules no. 299/2001 with the assistance of specialists in the standard BS 7799, i.e. so called Lead Auditors.
2. The framework for audits
2.1. The obligation to document the security system
Audits are conducted on the grounds of rules no. 299/2001 that stipulate the standards by which security systems should be organized. The main characteristic of these rules is that they require data controllers to assess both the need for and the content of Security Measures and to document them as further specified in the rules. A description of a security system shall comprise of the following documents:
2.1.1. Security Statement: This document describes in general terms the security policy and states the commitment of the controller's chief management to follow it. In this statement the controller is supposed to evaluate which of the different factors concerning the data matters the most, f. ex. its confidentiality, integrity, availability or security.
2.1.2. Risk Analysis: This document contains the controller's analysis of the various circumstances that might compromise the security of the data, such as unauthorized access, modification or deletion of the data. The analysis addresses both the level and extent of these risks and possible consequences of security breaches, with regards to the nature of the data concerned. The objective of a Risk Analysis is to create a premise for selecting suitable security measures.
2.1.3. Security Measures: This document in essence describes the security system by referring to the measures taken to counter each of the possible risks that have been identified and categorized in the Risk Analysis. The description shall include information on how these measures have been designed and developed, how they are operated, maintained and monitored.
2.2. Audits of documented security systems
The main goal of an audit is to verify that a controller has implemented the Security Measures he has specified and to test their effectiveness. The DPA also determines whether the Security Measures are sufficient and based on a sound Risk Analysis. A controllers own assessment of his processing, as manifested in his Security Statement, can be a helpful tool when concluding whether his Risk Analysis, and his choice Security Measures thereof, are appropriate or even tenable.
If these documents give a detailed and exhaustive account of a security system it can be inspected more efficiently. The specialist is then able to focus his attention on certain parts of the system, perhaps by examining the security of the most sensitive data or by targeting possible weak links in the system. If a well documented security system does not warrant such emphasis an audit is often restricted to checking specific security measures selected at random.
2.3. Inspections of undocumented security systems
If a data controller produces no documents, or if they seriously lack completeness, the DPA can do either of two things.
If no documents are produced the DPA may decide to impose daily fines on a controller to force him to comply with the Authority's request.
Alternatively the DPA can decide to continue the audit regardless, although it then becomes more complicated. In this case it falls to the DPA to identify and analyze possible risks to the data in question. Customary and undefined practices followed by the controller are then tested in light of this analysis. This procedure is of course more time consuming and expensive.
3. The criteria for selecting data controllers for auditing
3.1. Audits begun at the DPA's own initiative
Audits initiated by the DPA are focused on the security and processing of personal data in a particular sector of activities. In order to gain a comprehensive view of the processing and for reasons of comparison the DPA usually selects 3-5 comparable controllers for auditing. To cover as much of the processing as possible the DPA selects those controllers who have the largest shares of the market or are processing the greatest proportion of the data. The DPA looks to the following factors when deciding on a sector of activities feasible for auditing:
Does the processing involve sensitive personal data, such as health records or social problems.
3.1.2. Scope of the processing
Scope of the processing, i.e. whether the processing extends to a large number of people, for instance the security of credit card data or telecommunication traffic data.
3.1.3. Distinct individual interests
Does the processing involve distinct individual interests, such as the security of personal data in custody of employment agencies.
3.2. Inspections initiated in connection to a particular incident
Sometimes a serious lapse of security occurring in a controllers processing calls for a further investigation by the DPA. As a result the authority may decide to conduct an audit of the processing, often extending to other controllers operating in the same field. Example of this is a complaint received from a psychiatrist who claimed that a telecommunication company had forwarded his e-mail, containing very sensitive data, to another address without his knowledge, which lead to an audit not only focusing on the company in question but also 3 other internet service providers.
3.3. Other reasons
In some cases controllers have voluntarily asked for an audit to make sure that their security systems fulfil all necessary standards. The motivation is usually to maintain a good image. The DPA must however be cautious when accepting such offers because, after all, the rationale behind audits is to verify the security of personal data, but not to help controllers to maintain their good image. Finally the DPA has in some cases made an audit a prerequisite for issuing a license for a particular processing or renewing such a license.
3.4. Controllers with certifications for having adopted the standards of BS 7799
Data controllers can independently seek certified verification that they have adopted the standards of BS 7799. Currently there are only two firms in Iceland that are certified to offer this kind of service. Several data controllers have, however, turned to specialists in Great Britain for the same service. The DPA has not considered it a priority to monitor certified security systems, which gives controllers incentive to choose this alternative.
4. The preparatory process of audits
4.1. Call for documents
An audit is initiated with a letter to the data controller informing him of the authority's decision to conduct an audit into the legality of his data processing and the security of the personal data in his custody. The letter calls for all the necessary information regarding the security system to be produced before the authority within a certain timeframe, usually 6 weeks.
4.2. Decision on the course of the audit
When the DPA has received and surveyed the documents it decides on the course of the audit. A decision whether to seek assistance of a specialist is taken with regards to the complicity, size and other relevant circumstances concerning the task.
The Data Protection Act no. 77/2000 grants the DPA the authority to place the cost of inspections, and other monitoring measures, on the data controller subject to the inspection. This gives the DPA the opportunity to out source such tasks and to confine its role to the supervision of audits and rendering decisions on whether data controllers are in compliance with the requirements of the Act and rules no. 299/2001.
4.3. Selection of a specialist and the estimated cost of his services
Due to the secretive nature of documents regarding a controller's security system the DPA is not able to select a specialist through an open competitive bidding process. Instead the DPA selects a qualified and trusted specialist, suitable for the particular task, and offers him the opportunity to make a bid for it. Upon his signature under an oath of confidentiality the specialist receives all the relevant documents and based on them he estimates the cost of his services.
4.4. How administrative law affects the process
In accordance with administrative law the data controller is provided with the opportunity to object to the Authority's decisions throughout the process, with regards to both procedural and substantive decisions. The data controller can thus object to the authority's decision to audit his processing, its choice of a specialist and the estimated cost and finally he is allowed to comment on the specialists report before the authority delivers a decision on whether he is in compliance with the law.
Data controllers frequently exercise this right with regards to the estimated cost of audits. Such objections usually comes from those controllers who believe that their security system is in good order. Their argument is that it is unfair to controllers, who have invested in expensive systems and perhaps have sought expert advice, to have to bare a considerable cost of having the effectiveness of a security system reaffirmed by the DPA.
Although paragraph 5 of Article 37 of the Data Protection Act is worded in a general manner it grants the DPA a clear authority to place the cost of inspections on data controllers. This authority, however, cannot be used without complications as the provision lacks a balancing criterion. This means that applying the provision is a delicate matter, as the DPA must carefully adhere to the principles of administrative law, such as proportionality and equality, when deciding on a reasonable cost. As a result the DPA has avoided applying the provision unilaterally and has instead, with recourse to the provision, sought to negotiate with controllers to pay a reasonable cost. To this end the DPA has allocated funds in its budget to share the cost of audits. The proportion of the DPA's participation in the cost can depend on various factors, such as whether the controller is a company or a non-profit organization, whether the controller has been subject to previous monitoring measures, how well the controller has documented and monitored his security system ect. Due to the principle of equality all comparable controllers subject to the same sector based audit are made to pay the same proportion of the cost.
5. Audits at the controllers premises
5.1. Controllers participation in audits
When an agreement regarding the cost is concluded a controller is, with adequate notice, informed about a proposed date and time for the audit to be carried out. He also receives a draft schedule of the audit containing all the necessary information on what is expected of him during the process.
Audits at controllers premises are never carried out without notice. For audits to be effective and efficient it is imperative to conduct them in good cooperation with controllers. It is practical, and sometimes even necessary, to notify the controller in advance about who of his employees have to be available for questioning and what equipment or additional data must be accessible for inspection. Subjectively audits are also more likely to deliver good results if the controller is made to feel as a participant in the process rather than a subject of it.
5.2. Reports on the results of audits
The specialist completes his participation in the process by handing over to the DPA a written report with his conclusions. The report shall contain his assessment of the Security Statement and the Risk Analysis, i.e. the documents that create the foundation of a security system, and his opinion on whether the Security Measures that the controller has taken are appropriate and adequate. In the report the specialist shall describe individually every particular Security Measure that he selected for testing, why he chose them, in what manner he tested them and of course his assessment of the results. Finally a report is supposed to include the specialists over all assessment on the quality of the security system.
6. Conclusion of audits
When a specialist has delivered his report a controller is given adequate time to object to his findings. The audit is then concluded with a formal decision on whether a controller is compliant with the requirements of law and regulations regarding the security of the personal data in his custody.
In a decision the DPA must first determine the legality of the processing before it can decide on the security of the personal data. Hence the legality of a particular processing is the premise for any deliberations regarding the security of it. If the processing is in it self illegal the question of its security becomes irrelevant.
A decision regarding the security of the processing is based on the findings of the specialist and possible opposing arguments on the half of controllers. The DPA is then in a relatively neutral position to make a balanced decision on any contended issues regarding the appropriateness and adequacy of the security system.
After a decision has been reached it is published on the Authority's website like every substantive decision of importance. A controller is however granted the opportunity, within a period of 15 days, to object to the publishing of specific matters in the decision with reference to valid security reasons.