330 likes | 499 Views
Privacy Audit and Privacy Seal. Barbara Körffer & Dr. Thomas Probst Independent Centre for Privacy Protection Schleswig-Holstein. ICPP. ICPP = Independent Centre for Privacy Protection Schleswig-Holstein
E N D
Privacy Audit and Privacy Seal Barbara Körffer & Dr. Thomas Probst Independent Centre for Privacy Protection Schleswig-Holstein
ICPP • ICPP = Independent Centre for Privacy Protection Schleswig-Holstein • Service provider for the citizens of Schleswig-Holstein instituted by the Land Government • Independent supervisory authority (as defined under the EU Data Protection Directive)
Overview 1. Auditing Privacy-compliance 2. Privacy Public Authority Audit • Legal Basis • Steps of the audit process • Privacy Protection Management 3. Privacy Seal • Legal Basis • Process • Products, Experts, Examinations 4. Relation to other auditing schemes
Auditing Privacy-Compliance • Management Audit vs. Product Audit • Privacy Audit: Management Audit • Privacy Seal: Product Audit
What is the privacy audit? • The privacy protection system of a public authority is checked and audited in a formal procedure by the ICPP • If the process is successful, the authority is awarded an audit label • The label certifies that the privacy protection system corresponds the requirements of data protection law
Subject of the audit • Available for public authorities in Schleswig-Holstein • Audits for private companies are regulated by federal law. Federal law for data protection audits by the German Federal Government is in discussion.
Object of the audit • Single process of data processing or • Specific section of a public authority or • Entire processing of personal data within a public authority
Steps of the audit process • 3 Steps carried out by the public authority: • Stocktaking • Defining privacy protection targets • Setting up a privacy protection management system • The 3 steps are summarised by the public authority in a privacy policy • Assessment of audit process by the ICPP • If successful: Audit label is awarded, valid for 3 years
Stocktaking • Examination of the current status of data processing • Comparison with the target state (legal and technical requirements for data processing) • Weak-Point-Analysis
Privacy Protection Management System Entire concept including • Duties, • competences, • responsibilities and • processes in order to sustainably fulfil the privacy protection targets
Privacy Protection Management System Elements: • Precise duties to fulfil the legal or higher requirements of privacy protection • General duties, e.g. • Continuous stocktaking and updating of the privacy targets • Watching the development of legal ortechnical requirements • Training of employees
Assessment by ICPP • Assessment of the privacy policy • If necessary: Inspection on the spot • Results are described and evaluated by ICPP in a report
Awarding the label • The audit label is awarded for three years • ICPP publishes a register of the awarded labels • ICPP publishes report of the audit process
What is the privacy seal? • IT products usable by a public authority can be checked and audited in a formal procedure by external experts and the ICPP • If the process is successful, the product is awarded an audit label • The label certifies that the product can be used in way compliant to data protection regulations
Subject of the seal • Available “only” for IT products which can be used by public authorities in Schleswig-Holstein • Audits for other products and for federal public authorities are regulated by federal law. Plans for a federal law for data protection audits by the German Federal Government.
Process of the Privacy Seal IT Product
Process of the Privacy Seal Independent Expert examines IT Product … IT Product
Process of the Privacy Seal IT Product is legally and technicallyprivacy-compliant Independent Expert examines IT Product … IT Product
Process of the Privacy Seal IT Product is legally and technicallyprivacy-compliant Independent Expert examines IT Product … ICPP grantsPrivacy Seal for2 Years IT Product
Process of the Privacy Seal IT Product is legally and technicallyprivacy-compliant Independent Expert examines IT Product … ICPP grantsPrivacy Seal for2 Years IT Product Certified ITProduct
Process of the Privacy Seal Private Customers IT Product is legally and technicallyprivacy-compliant Privacy Protectionas Competition Advantage Independent Expert examines IT Product … ICPP grantsPrivacy Seal for2 Years IT Product Certified ITProduct
Process of the Privacy Seal Private Customers IT Product is legally and technicallyprivacy-compliant Privacy Protectionas Competition Advantage Independent Expert examines IT Product … ICPP grantsPrivacy Seal for2 Years IT Product Certified ITProduct Public Authorities Certified Productsare deployedpreferably
Which products? • Hardware • Software • Procedures (e. g., commissioned data processing such as document destruction) Products IT Product
Which experts? • Both legal and technical experts • Experts with 3 years professional experience either in data protection legislation (legal expert) or in privacy-related IT security (technical expert) • Experts accredited by the ICPP • Currently 14 experts and organisations Experts Independent Expert examines IT Product … IT Product
Which examinations? • Privacy law requires: • Lawful collection of data (permitted by law or by informed consent) • Lawful processing (storage, disclosure, limitation of use to special purposes, ...) • Data avoidance and data economy • Ensuring data subjects' rights (information, transparency, blocking, erasure) • Technical and organisational measures to • ensure security and safety Examination Independent Expert examines IT Product … IT Product
Technical and Organisational measures to • ensure security and safety: • User authorisation • Encryption in mobile devices • Creation of backups • Logging if data are recorded only automatically: Who changed which data? • Supervision of proper usage by the data-processing body (=> knowledge of IT and its configuration) Examination Independent Expert examines IT Product … IT Product
Two experts (legal and technical) examines the product and report • their findings • Expert‘s reports are checked by ICPP‘s experts with respect to examination methods and plausibility Double-check Independent Expert examines IT Product … IT Product
Privacy Seals 2002-2004 • welfare & employment administration • firewall • data and file destruction • SAP testing tools • distributed storage of radiographs • remote file server (encrypted data) • PDA system for hospitals
Audit schemes ISO 9000 ISO 13335 ISO 17700 CobiT IT Baseline Protection (BSI) System Task Force FIPS 140 ITSEC/CC Product non-technical technical
Privacy Audit Privacy Audit Schemes System Privacy Seal Product non-technical technical