Guide to Data Protection Auditing

Obtaining Evidence (print ref: Part 4, Section 2.1)

Auditors should never lose sight of the fact that the fundamental purpose of any type of audit is to obtain objective evidence. A certain amount of evidence will be obtained by reviewing documentation, as in the initial Adequacy Audit. However, evidence of whether the Data Protection System is actually understood and being used by staff can only be established by asking direct questions. In a way, talking to a member of an organisation's staff to obtain information is similar to conducting an interview. Obviously, the Auditor will want to keep the process as relaxed and informal as possible, but it is probably helpful to approach each information gathering session as if it were a simple, structured interview.

The sort of interview structure recommended for use during audits is shown graphically in Figure 4.1, and the key components of this are described below.

Auditor Introduction

The Auditor should always start off the session with a warm greeting to the member of staff and thank them for giving up their time to participate in the Audit.

Opportunity for Member of Staff to Talk

The Auditor should then try to relax the member of staff by giving them an opportunity to talk. This is best achieved by asking some innocent but relevant questions, such as how long they have been doing their particular job.

It should be remembered that most people find the process of being audited stressful even if it is being done by someone within the organisation that they already know. It is considerably more stressful for the member of staff when the Auditor is from an outside organisation as is the case for a second or third party audit.

Explanation of Purpose

It is always a good idea at this point for the Auditor to explain the purpose of the Audit and the structure of the information gathering session. This should set the member of staff's expectations in terms of the areas to be covered and the time available. It is always courteous to check that the proposed structure is acceptable to the member of staff.

Auditor Gathers Information

This section should form the main body of the session and as a rule of thumb should take up about 90% of the total time available. During this part of the session the member of staff should be talking for approximately 80% of the time and the Auditor for no more than 20%.

Information Correlation

As well as listening to the member of staff's replies the Auditor should be aware of non-verbal signals to see how well they correlate with what is being said, e.g.:

  • Eye contact
  • Body posture (e.g. nodding, leaning forward etc.)
  • Behaviour

In particular, signs of irritation or stress should be looked for, as these could indicate that the member of staff is unhappy about the area being discussed, which may in turn affect how they answer.

Summary and Closing

The Auditor should conclude the session in a courteous manner by:

  • Summarising the key points that have emerged during the session
  • Thanking the member of staff for an interesting discussion
  • Thanking them (again) for giving up their time to attend the session

It should be noted that this structure could also be used for conducting both one-to-one interviews and focus groups with staff to assess their levels of data protection awareness.

Fig. 4.1: Interview Structure
