Guide to Data Protection Auditing
Non-compliance Records (print ref: Part 3, Section 4.1)

Any Non-compliances discovered during the audit should be documented as soon as possible, ideally on the spot and certainly before the Closing Meeting. The record should contain sufficient detail to identify clearly all the facts concerned, especially the objective evidence on which the finding rests. The information recorded should therefore answer the following questions about each Non-compliance:

  • What?
  • Where?
  • When?
  • Why?
  • Who?
  • How?

It is recommended that a pro-forma is used for the Non-compliance Record. A suggested layout is given in Annex C.6, and its key features are described in the following sections.

Header

The top section of the Record is used to document the following information about the audit:

  • Audit reference
  • Non-compliance reference
  • Name of the organisation
  • Name of the department (function or area as appropriate)
  • Date of the audit

Details of Non-compliance

This section of the Record should carry sufficient detail about each non-compliance to answer the questions What, Where, When, Why, Who and How. It should also list the evidence found to substantiate the non-compliance, in terms of records or documents seen, activities observed, or staff spoken to. The section is then signed and dated by the Auditor once the details of the non-compliance have been discussed and agreed at the Closing Meeting (see Section 4.4).

It is important to realise that any occurrence observed that led to a non-compliance may be the effect rather than the cause. The Auditor should therefore try to ensure that any evidence cited is objective and clearly relates to the cause of the non-compliance. For example, a data collection form might give data subjects no opportunity to decline unrelated uses of their information. The immediate "effect" is that the form clearly does not comply with the 1st Data Protection Principle. A good Auditor, however, would delve deeper into the circumstances and examine the organisation's form design and approval process. This might reveal that the process does not include checking and sign-off by the Data Protection Manager, and that this omission is the ultimate "cause" of the non-compliance.

Corrective Action Programme

Each Non-compliance Record is discussed with the Data Protection Representative during the Closing Meeting in order to agree a Corrective Action Programme (see Section 4.5). Once this has been done, the details of the Corrective Action Programme are entered in this section of the form, together with a proposed follow-up date and the name of the person responsible for the programme. The section is then signed off by both the Auditor and the Data Protection Representative.

Corrective Action Follow-up

The bottom section of the Non-compliance Record is used to record details of what the Auditor finds when the Audit Follow-up takes place and should include:

  • Whether the agreed corrective action programme has been implemented
  • Whether it has been effective in preventing recurrence of the non-compliance

Once the Auditor is satisfied with the corrective action, the Auditor and the Data Protection Representative sign off the Record together, as described in Section 5.4.1.
