Guide to Data Protection Auditing

Gathering evidence

Interactions with Staff (print ref: Part 2, Section 3.3)

It is very important to realise that no matter how well thought out and documented an organisation's data protection procedures might be, they still rely on people for their operation. It is therefore impossible for an Auditor to do a thorough job unless they speak to the staff involved in the activities being audited, and this dialogue should occur in two distinct ways.

Staff Questioning

Whether conducting Functional or Process Audits it will be necessary to ask staff to answer a series of questions based on the Checklists provided in Annexes F, G, H and J. The purpose of this questioning is to obtain sufficient evidence to decide whether what is actually taking place complies with what the data protection system says should occur in practice. In this situation the Auditor is effectively behaving like an interviewer. It is therefore important that a good rapport is established with the interviewee so that the required information can be obtained as quickly as possible. The Auditor will also need to have a good questioning technique, and tips about this and the other human aspects of auditing will be found in Part 4.

Staff Awareness Interviews

As well as speaking to members of staff to obtain specific items of information, Auditors need to assess the general level of staff awareness of data protection issues and their commitment to protecting the privacy of personal data. Perhaps the best way of assessing staff awareness during an audit is by means of either:
  • One-to-one interviews
  • Focus groups
depending upon the number of staff in the organisation and the amount of time available. The Audit guide provides guidance for conducting these sessions in Section 3.3 of Part 3, and also supplies a series of suitable interview questions in Annex D.4.

In circumstances where it is just not possible to conduct staff interviews, Auditors may wish to prepare Data Protection Awareness Questionnaires based on the material supplied in Annex D.4. However, this approach should only be used as a last resort, as it is inferior to direct face-to-face contact.
