Guide to Data Protection Auditing

Staff Awareness Interviews (print ref: Part 3, Section 3.3.3)

During the Compliance Audit the Auditor needs to measure the awareness of Data Protection issues within the organisation, and the level of commitment to the Data Protection System. This is best achieved by assessing the attitude of management and employees to Data Protection either singly via one-to-one interviews or in small Focus Groups.

  1. Interview Sample Size

    When conducting one-to-one interviews or Focus Groups the Auditor(s) will have to decide how many staff should be included. The table below can be used to help determine a suitable sample size.

    Total number of staff in area/department being audited    Recommended sample size
    1 - 5                                                     100%
    6 - 15                                                    50%
    16 - 50                                                   25%
    51 - 100                                                  15%
    101 - 500                                                 10%
    501 - 2500                                                5%

    Auditors should realise that the above table is only a guideline and that the sample size should be altered depending upon individual circumstances.

  2. One-to-one Interviews

    The key features of the Interviews are:

    • One-to-one format
    • Duration of between 15 and 30 minutes
    • Structured interview using directed questioning techniques
    • Use of pre-set questions to establish:
      • Roles and responsibilities
      • Awareness of general Data Protection issues
      • Understanding of the Data Protection Principles directly relevant to their job
      • Understanding of the organisation's Data Protection System
      • Training received
    • The interviewer's questions and the interviewee's answers are recorded on the Interview/Focus Group Record Sheet shown in Annex D.4

    The recommended approach to conducting these interviews is for the Auditor to work through the questions on the Interview/Focus Group Record Sheet. These start off dealing with general aspects of Data Protection and then become more specific and ask about the interviewee's own work and training. The interviewee's answers and the Auditor's comments should be recorded on the sheet against each question.

  3. Focus Groups

    The key features of the Focus Groups are:

    • Applicable in larger organisations or departments where many people carry out the same tasks
    • Groups of between 3 and 6 staff
    • Duration of between 30 minutes and one hour
    • Group discussion facilitated by one of the Auditors using directed questioning techniques
    • Use of pre-set questions to establish:
      • Roles and responsibilities
      • Awareness of general Data Protection issues
      • Understanding of the Data Protection Principles directly relevant to their jobs
      • Understanding of the organisation's Data Protection System
      • Training received
    • The interviewer's questions and the interviewee's answers are recorded on the Interview/Focus Group Record Sheet shown in Annex D.4

    The recommended approach to conducting Focus Groups is very similar to one-to-one interviews except that the Auditor should adopt the role of a Facilitator rather than an Interviewer. This is to ensure that the members of the group do most of the talking while the Auditor keeps the conversation moving in the desired direction. The Auditor should also be aware that those who do not believe they know the answers to questions usually keep quiet, and this may give a false impression of the overall levels of knowledge of staff.

    The most difficult aspect of conducting a Focus Group is to make sure that all the members of the group are able to express their views rather than the discussion being dominated by one or two "leaders". One suggestion for achieving this is to make sure that Managers or Supervisors do not participate in groups with their own staff. In other words, try and restrict each Focus Group to staff with the same level of seniority within the organisation.

  4. Outcomes

    The results of both the one-to-one interviews and the Focus Groups are recorded in the same way as answers to checklist questions but using the Record Sheets shown in Annex D.4. The Auditor(s) need to analyse all of the completed Record Sheets and triangulate evidence between them in order to identify common trends and attitudes. For example, if staff are fully aware of Data Protection issues and how the system works, the system is likely to be efficient and well planned, and staff will have received adequate training.
