Conducting a Privacy Audit of Your Personal Information Holdings
How to Conduct a Privacy Audit
In order for an organization to identify what it needs to do to comply with the Ten Principles for the Protection of Privacy, it is critical to determine the current state of its personal information holdings and related procedures. The organization needs to know what it has in the way of personal information, where it is stored and how it is currently managed.
A privacy audit involves the following three steps which may be performed together or in order: taking an inventory of your personal information holdings; identifying the information needs of the different functions within your organization; and identifying your current information practices (including how and why your organization collects, uses and discloses personal information).
A privacy audit should be an internal function. It is a self-assessment tool. There is no obligation to make the findings public. Therefore, it is important to stress to staff participating in this audit that it is not a test. Its purpose is not to embarrass them or to call people to task. What is needed at this stage in the development of the privacy program is an accurate and thorough inventory and analysis. There are no right answers. The sole purpose of the audit should be to collect information that can inform the planning and decision-making process regarding the future application of privacy legislation to the organization.
Taking an Inventory
Begin the audit by taking an inventory of the organization's existing records and information management policies and practices. The time and effort involved in this process will vary depending upon the complexity of the personal information holdings.
For example, the organization may collect personal information about the public, customers, partners, employees, contractors, shareholders, vendors, and many other types of individuals. For each function in the organization, you will need to determine if it collects, uses or discloses any personal information and, if so, how that information is managed and by whom.
When identifying the organization's personal information holdings, be sure to examine records in hardcopy, on computers and other electronic media, as well as any online resources (e.g., Web sites, chat rooms, news services, mailing lists, or bulletin boards) it operates.
While not an exhaustive list, the following areas commonly collect, use and disclose personal information:
- customer service;
- human resources;
- information technology;
- security; and
- legal services.
Additionally, you should think of all the points where the organization collects personal information. Examples may include:
- customer service numbers;
- video cameras;
- audio tapes;
- marketing lists;
- loyalty programs;
- delivery services;
- application forms;
- order forms;
- Web sites;
- bulletin boards;
- chat rooms;
- call centres; and
- technology enablers
The main benefit of this inventory is to enable you to determine the extent to which PIPA will apply to the organization's functions and the necessary scope of the privacy program you will need to develop. For example, if the organization only has personal information on its employees, the scope of the privacy program will be much more limited than an organization that also has personal information relating to customers or other types of individuals with whom it does business.
Follow Up the inventory by Identifying Information Needs and Practices
Once you have determined what personal information the organization has and where it is held, the next step is to fully understand how and why it collects, uses and discloses personal information. A necessary follow-up to the inventory is to identify the information needs of the different functions within the organization, along with its current information practices.
To do this, you will need to determine how and why all the types of personal information the organization has are necessary to a particular function and to the organization's operation. The reasons why personal information is collected, used and disclosed, along with who can see what, when, where, how and why, all need to be identified, documented and analyzed. This is an essential step if you want to know if the information management practices are compliant with the Ten Principles for the Protection of Privacy.
In order to audit the organization's information needs and practices, you could utilize questionnaires, in-depth interviews, group discussions, file and policy reviews, sampling, or other means of identifying information practices. Regardless of the methods, the review should be comprehensive and cover all of the organization's operations.
Audit questions could include:
- How does the organization collect personal information? (Common ways in which organizations collect personal information include standard forms, customer surveys, loyalty programs, online interaction, and video cameras.)
- Why does the organization collect the personal information? Does the organization need it for a function or activity?
- Are individuals made aware that the organization is collecting their personal information?
- Does the organization inform individuals of the purpose for collecting their personal information?
- Does the organization obtain consent from individuals before collecting or using their personal information? If so, what processes (verbal statements, paper or electronic notices) are used to obtain consent?
- How does the organization use personal information? (e.g., for specific business functions, for activities that solicit new business?)
- Does the organization disclose personal information to anyone outside the organization?
- Does the organization make individuals aware of the intended uses and disclosures of their personal information? If so, how are individuals informed?
- Is the personal information the organization holds accurate, complete and up-to-date?
- How does the organization store personal information? (e.g., paper files, cabinets, databases, audio, video).
- Where does the organization store personal information? (Organizations may keep personal information stored in a single cabinet or database or it may be spread across the organization in a number of sites.)
- Who has access to the personal information held by the organization and who actually needs to have that access?
- Does the organization have measures to protect the personal information it holds from unauthorised access, collection, use, disclosure, copying or modification from individuals both within and outside the organization?
- Does the organization contract out any functions or activities involving personal information? Does the organization take any privacy measures to protect this information?
- How long does the organization retain personal information?
- How does the organization destroy or dispose of personal information?