
Privacy Laws and Business International Report



Privacy audits aid compliance [1998] PLBIRp 22; (1998) 45 Privacy Laws and Business International Report 13

Using privacy audits to encourage good compliance

IN CANADA, the Information and Privacy Commissioner of British Columbia may conduct audits in the public sector. Commissioner Dr. David Flaherty explains what can be achieved by a friendly approach.

On the basis of my academic studies of European and North American data protection during the 1980’s, I concluded that auditing for compliance is essential to successful data protection. I was especially inspired by the German federal and state models of auditing data protection practices at specific institutions in the public sector.

During my modest role in helping to advise the Attorney General of British Columbia in June 1992 during the final revisions of the British Columbia Freedom of Information and Protection of Privacy Act, I successfully urged the addition of explicit auditing powers to section 42 of the legislation. I have the authority to

“conduct investigations and audits to ensure compliance with any provision of the Act.”

No one of my professional staff has an auditing background. However, I have not given up on recruitment of a staff person with that particular set of skills.

THE GOAL IS TO RAISE CONSCIOUSNESS

The central goal of privacy audits is consciousness-raising about fair information practices and fulfilling the “privacy watchdog” function with public bodies. An audit alerts the organisations to the fact that compliance with the Act is monitored.

There are considerable benefits to visiting public bodies that may not have taken the Act very seriously to date. Audits also provide an opportunity to respond to questions, and promote a practical approach to implementation of the Act.

ADVANCE NOTICE

The focus is on privacy intensive public bodies, such as hospitals, social services and municipal police forces. Some visits are inspired by invitations from public bodies who wish to receive help, and some by suggestions from my staff who suspect problems. Public bodies which will be visited receive an advance notice. The announcement of the Commissioner’s visit may have more impact than the actual visit in terms of attracting the attention of political leadership and other senior management. It is important that the staff arranging the visit assure public bodies that “they have done nothing wrong,” and are not targeted. It is a good idea to encourage public bodies to take an active role in organising the visit, and in determining areas of particular interest.

FRIENDLY APPROACH BRINGS BEST RESULTS

I have a legal authority to look at any records if I determine a need to do so. However, I do not look at highly stigmatising information, such as HIV status, because of the remote risk of recognising a name. After becoming quite familiar with the contents of hospital, personnel, and human resources files, I tend to discuss their contents without actually reviewing one. There is no need for the visit to become argumentative, because, at the end of the day, I have the power to order a change in existing practices if that is required. However, this is rarely done.

I always walk through the premises to check the physical security of manual and automated records. I take notes of peculiar practices for purposes of subsequent discussion and reporting to the public body.

An important part of the visit is to talk to the staff and ask about normal practices with respect to record handling, storage and disclosure. It is also useful to query the initial and ongoing staff training, and individuals’ access to their personal records under the Act.

In addition, I encourage the prominent placement of signs about data collection, obligations under the Act, and the practice of video surveillance.

This is an edited version of the presentation given by Dr David Flaherty, Information & Privacy Commissioner of British Columbia, Canada, at the Privacy Laws & Business Annual Conference in July 1998. Dr Flaherty can be contacted by E-mail: david.flaherty@gems8.gov.bc.ca. The full text of his presentation, as well as other conference papers, are available from Privacy Laws & Business Tel: + 44 (0) 181 423 1300.


URL: http://www.worldlii.org/int/journals/PLBIRp/1998/22.html