
Privacy Audit and Privacy Seal

Barbara Körffer & Dr. Thomas Probst, Independent Centre for Privacy Protection Schleswig-Holstein (ICPP)


Presentation Transcript


  1. Privacy Audit and Privacy Seal. Barbara Körffer & Dr. Thomas Probst, Independent Centre for Privacy Protection Schleswig-Holstein

  2. ICPP • ICPP = Independent Centre for Privacy Protection Schleswig-Holstein • Service provider for the citizens of Schleswig-Holstein instituted by the Land Government • Independent supervisory authority (as defined under the EU Data Protection Directive)

  3. Overview
  1. Auditing Privacy Compliance
  2. Privacy Audit for Public Authorities • Legal Basis • Steps of the audit process • Privacy Protection Management
  3. Privacy Seal • Legal Basis • Process • Products, Experts, Examinations
  4. Relation to other auditing schemes

  4. Auditing Privacy-Compliance • Management Audit vs. Product Audit • Privacy Audit: Management Audit • Privacy Seal: Product Audit

  5. Legal Basis of the Privacy Audit

  6. What is the privacy audit? • The privacy protection system of a public authority is checked and audited in a formal procedure by the ICPP • If the process is successful, the authority is awarded an audit label • The label certifies that the privacy protection system corresponds to the requirements of data protection law

  7. Subject of the audit • Available for public authorities in Schleswig-Holstein • Audits of private companies fall under federal law; a federal law on data protection audits is under discussion by the German Federal Government.

  8. Object of the audit • Single process of data processing or • Specific section of a public authority or • Entire processing of personal data within a public authority

  9. Steps of the audit process • 3 steps carried out by the public authority: (1) Stocktaking, (2) Defining privacy protection targets, (3) Setting up a privacy protection management system • The 3 steps are summarised by the public authority in a privacy policy • Assessment of the audit process by the ICPP • If successful: audit label is awarded, valid for 3 years

  10. Stocktaking • Examination of the current status of data processing • Comparison with the target state (legal and technical requirements for data processing) • Weak-point analysis

  11. Privacy Protection Management System Entire concept including • Duties, • competences, • responsibilities and • processes in order to sustainably fulfil the privacy protection targets

  12. Privacy Protection Management System Elements: • Precise duties to fulfil the legal or higher requirements of privacy protection • General duties, e.g. continuous stocktaking and updating of the privacy targets; watching the development of legal or technical requirements; training of employees

  13. Assessment by ICPP • Assessment of the privacy policy • If necessary: Inspection on the spot • Results are described and evaluated by ICPP in a report

  14. Awarding the label • The audit label is awarded for three years • ICPP publishes a register of the awarded labels • ICPP publishes report of the audit process

  15. Legal Basis of the Privacy Seal

  16. What is the privacy seal? • IT products usable by a public authority can be checked and audited in a formal procedure by external experts and the ICPP • If the process is successful, the product is awarded a seal • The seal certifies that the product can be used in a way compliant with data protection regulations

  17. Subject of the seal • Available “only” for IT products which can be used by public authorities in Schleswig-Holstein • Audits of other products and of federal public authorities fall under federal law; the German Federal Government plans a federal law on data protection audits.

  18–24. Process of the Privacy Seal (diagram)
  IT Product → Independent Expert examines IT Product … → IT Product is legally and technically privacy-compliant → ICPP grants Privacy Seal for 2 Years → Certified IT Product
  • Private Customers: Privacy Protection as Competition Advantage
  • Public Authorities: Certified Products are deployed preferably

  25. Which products? • Hardware • Software • Procedures (e.g., commissioned data processing such as document destruction)

  26. Which experts? • Both legal and technical experts • Experts with at least 3 years of professional experience either in data protection legislation (legal expert) or in privacy-related IT security (technical expert) • Experts accredited by the ICPP • Currently 14 experts and organisations

  27. Which examinations? Privacy law requires: • Lawful collection of data (permitted by law or by informed consent) • Lawful processing (storage, disclosure, limitation of use to specific purposes, ...) • Data avoidance and data economy • Ensuring data subjects' rights (information, transparency, blocking, erasure) • Technical and organisational measures to ensure security and safety

  28. Technical and organisational measures to ensure security and safety: • User authorisation • Encryption on mobile devices • Creation of backups • Logging, if data are recorded only automatically: who changed which data? • Supervision of proper usage by the data-processing body (=> knowledge of the IT and its configuration)

  29. Double-check • Two experts (legal and technical) examine the product and report their findings • The experts' reports are checked by ICPP's experts with respect to examination methods and plausibility

  30. Privacy Seals 2002-2004 • welfare & employment administration • firewall • data and file destruction • SAP testing tools • distributed storage of radiographs • remote file server (encrypted data) • PDA system for hospitals

  31. Audit schemes, positioned on two axes (System vs. Product; non-technical vs. technical): ISO 9000, ISO 13335, ISO 17700, CobiT, IT Baseline Protection (BSI), Task Force, FIPS 140, ITSEC/CC

  32. Privacy audit schemes on the same axes: Privacy Audit at the System level, Privacy Seal at the Product level; both cover the non-technical (legal) and the technical side
