Guide to Data Protection Auditing

Assessing the Evidence (print ref: Part 4, Section 2.2)

Once the evidence has been gathered it has to be assessed objectively by the Auditor to decide whether it demonstrates compliance with the requirements of the Data Protection Act or not. While carrying out this assessment the Auditor should bear the following points in mind.

Sources and Reliability

It is very important that the evidence gathered is of high quality if it is going to be used to make a robust judgement. The source of the evidence will be a significant factor affecting its reliability, and it may come from a variety of places including:

  • Documentation
  • One-to-one interviews
  • Focus Groups

When assessing the reliability of documentary evidence an Auditor should take various factors into account such as whether it is a formal or informal document, its age, authorship and distribution within the organisation.

When assessing the reliability of information obtained from staff in interviews or focus groups it should be remembered that in these situations people can be argumentative, undisciplined, dishonest, opinionated, impatient, inarticulate, lazy, apathetic, domineering or downright rude. Equally, auditees might appear to be very helpful and co-operative because they are trying to tell the Auditor what they think the Auditor wants to hear.

Weaknesses in Information

The previous section has dealt with some of the factors that may affect the reliability of any information gathered during an audit from the point of view of its origin. It is also important to take into account any lack of objectivity that might be introduced by the Auditor themselves. For example:

  • Are they bringing any "baggage" with them from their own organisation or other organisations that they have audited in the past?
  • Are they trying to impose their own ideas of best practice?
  • Are they looking for an unachievable "gold standard" rather than assessing compliance with the Act?
  • Have they allowed an initial impression gained from the Adequacy Audit to narrow the subsequent evidence gathering during the Compliance Audit?

All of these factors may cause an Auditor to lose their objectivity and need to be guarded against carefully when assessing evidence.

Strengthening the Evidence Base

If an Auditor is to make a robust judgement then there needs to be a strong evidence base on which to make that judgement. The factors that will help to strengthen evidence include:

  • Multiple Instances: The Auditor should check whether what they have found is an isolated, "one-off" incident or whether it is systematic. One-off incidents can often be put down to human error, whereas multiple or systematic occurrences frequently indicate a breakdown of a particular system or process.
  • Triangulation: The Auditor should also seek to triangulate evidence from different sources to strengthen their findings. For example, is there independent corroboration about a particular piece of evidence from different members of staff obtained during different interviews or focus groups? Can the existence of a particular activity be confirmed from two or more separate documents?

Validity, Reliability and Repeatability

A useful final check for a piece of major evidence that is going to be used as the basis for a non-compliance is to subject it to a Validity, Reliability and Repeatability test as follows:

  • Validity: Make sure that the evidence presented is really valid for the area being assessed. For example, does it come within the scope of the Data Protection Act?
  • Reliability: Ensure that the evidence is accurate and consistent and not subject to any of the flaws mentioned in sections 2.2.1 and 2.2.2.
  • Repeatability: Ask yourself whether another Auditor would arrive at the same conclusion when presented with the evidence that has been found.
