Privacy Guideline Page 3
1.6 Definition of Privacy in an IS Auditing Context—Limits and Responsibilities
1.6.1 Personal data is any information relating to an identified or identifiable individual.
The IS auditor is not responsible for the content of the databases holding personal data; rather, he/she should check whether personal data are managed correctly with respect to legal requirements through the adoption of appropriate security measures.
IS auditors should review the privacy impact analysis or assessment carried out by management. Such assessments should:
Identify the nature of the personally identifiable information associated with business processes
Document the collection, use, disclosure and destruction of personally identifiable information
Provide management with a tool to make informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk
Provide reasonable assurance that accountability for privacy issues exists
Create a consistent format and structured process for analysing both technical and legal compliance with relevant regulations
Reduce revisions and retrofitting of information systems for privacy compliance
Provide a framework to ensure that privacy is considered from the conceptual and requirements analysis stage through to the final design approval, funding, implementation and communication stages
IS auditors should determine whether these assessments are conducted as part of an initial privacy review and on an ongoing basis for any change management project, such as:
Changes in technology
New programs or major changes in existing programs
Additional system linkages
Business process reengineering
New products, services, systems, operations, vendors and business partners
In assessing the applicable privacy laws and regulations with which a particular organisation must comply, particularly for organisations operating in different parts of the globe, IS auditors should seek an expert opinion on the requirements of those laws and regulations and should carry out the necessary compliance and substantive tests to form an opinion and report on compliance with them.
A data controller is the party who is competent to decide on the contents and use of personal data, regardless of whether such data are collected, stored, processed or disseminated by that party or by an agent on its behalf.
2. AUDIT CHARTER
2.1 Privacy in the Connected World
2.1.1 The advancement of communication technology such as the World Wide Web and electronic mail allows the efficient dissemination of information on a global scale. Controls should be in place to ensure the ethical use of this technology and the protection of electronic/digitalised and hard-copy personal information. Furthermore, the global promulgation of legislation requires that organisations implement controls to protect individual privacy. This guideline provides a common set of criteria that the IS auditor can apply to assess the effectiveness of security controls designed to ensure personal privacy.
3. INDEPENDENCE
3.1 Sources of Information
3.1.1 The auditor should first consider the local regulations on privacy and then the global regulations that the organisation is adopting. If the organisation is international, the auditor should bear in mind that local regulations take precedence over enterprise policies, but in that case the organisation must additionally comply with both (e.g., Sarbanes-Oxley for US companies).
4. PROFESSIONAL ETHICS AND STANDARDS
4.1 Need for Personal Data Protection
4.1.1 The increasing number of connections between internal and external registries/data sources and the use of the Internet increase the need for privacy in both public and private enterprises. Information regarding a person's life, health, finances, sexual orientation, religion, political opinion, etc., may, if exposed to unauthorised people, cause irreparable harm to individuals.
Laws and regulations regarding privacy exist in many countries, but these are often not well known or not specific enough. Therefore, an IS auditor must have a basic knowledge of privacy matters and, when necessary, be aware of the basic differences between various countries' regulations in order to evaluate the level of protection of personal information in an enterprise.