A privacy audit is a technique for assuring that an organization’s goals and promises of privacy and confidentiality are supported by its practices, thereby protecting confidential information from abuse and the organization from liability and public relations problems. An audit ensures that information processing procedures meet privacy requirements by examining how information is collected, stored, shared, used, disclosed, and destroyed. Privacy auditing is a process, not a one-time solution, as services, data needs, and technology change. A designated Privacy Officer may lead the audit, but all stakeholders and aspects of privacy need to be represented, from information technology to public relations. The audit process needs to be capable of dealing with the full extent of the information system.
The audit process begins by evaluating the organization’s existing policies and procedures for legality and consistency with the organization’s mission and image. Once policies have been reviewed (or established), the data collected can be categorized according to the degree of security necessary. The audit assesses the sensitivity, security risks, and public perceptions of the information the organization collects. It examines the necessity for each type of data, how it is collected, and what notice and options are provided to the individuals identified by the information. It also maps how data flows through the organization for access, storage, and disposal, revealing security needs, both electronic and physical. The audit process itself must be managed so that it does not increase risk, and its recommendations must be addressed promptly once risks are revealed.
The ultimate goal of any privacy audit should be transparency and stewardship. A program with transparency provides open communication to individuals regarding all activities surrounding the capture, collection, dissemination and use of personal information. With stewardship as a goal, an organization assumes a fiduciary-like responsibility when it handles personal information.
The result of a privacy audit will generally be a report containing:
- a description of the policies and practices of the organisation relating to privacy and information management;
- a ‘map’ of which privacy principles and Acts apply to the organisation;
- risk areas identified in the privacy control environment;
- gaps identified with respect to compliance with the privacy principles; and
- prioritised recommendations on how to address the gaps and risk areas.
In Canada there are a number of organizations that conduct third-party privacy audits. There is an emphasis in today’s privacy world on being proactive rather than reactive. Public bodies and the health sector understand the damage done by breaches: there are large financial implications through lawsuits, as well as the negative optics associated with reported breaches.
In 2014, the Information and Privacy Commissioner for British Columbia established an Audit and Compliance Program to assess the extent to which public bodies and private sector organizations are complying with the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Information Protection Act (PIPA).
The Audit and Compliance Program measures compliance with B.C.’s information and privacy laws and makes recommendations to improve privacy and access practices, policies, guidelines, and legislation.
Some of the areas the Audit & Compliance Program assesses include:
- management policies and procedures;
- collection, use, disclosure, retention;
- protections and safeguards;
- access processes; and
- accountability and compliance monitoring.
The British Columbia OIPC website has a page that describes its Audit and Compliance Program.
Trustees of the province can find information at the Canadian Institute for Health Information (CIHI), an independent, not-for-profit organization that provides essential information on Canada’s health system and the health of Canadians. CIHI operates a program under which its partners sign an agreement allowing CIHI to conduct a privacy audit of them; see the Information Sheet on CIHI’s Privacy Audit Program for Third-Party Record-level Data Recipients.
Best practice suggests that every organization consider a privacy audit every 5 years.