Download
slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Privacy Audit and Privacy Seal PowerPoint Presentation
Download Presentation
Privacy Audit and Privacy Seal

Privacy Audit and Privacy Seal

149 Views Download Presentation
Download Presentation

Privacy Audit and Privacy Seal

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Privacy Audit and Privacy Seal Barbara Körffer & Dr. Thomas Probst Independent Centre for Privacy Protection Schleswig-Holstein

  2. ICPP • ICPP = Independent Centre for Privacy Protection Schleswig-Holstein • Service provider for the citizens of Schleswig-Holstein instituted by the Land Government • Independent supervisory authority (as defined under the EU Data Protection Directive)

  3. Overview 1. Auditing Privacy-compliance 2. Privacy Public Authority Audit • Legal Basis • Steps of the audit process • Privacy Protection Management 3. Privacy Seal • Legal Basis • Process • Products, Experts, Examinations 4. Relation to other auditing schemes

  4. Auditing Privacy-Compliance • Management Audit vs. Product Audit • Privacy Audit: Management Audit • Privacy Seal: Product Audit

  5. Legal Basis of the Privacy Audit

  6. What is the privacy audit? • The privacy protection system of a public authority is checked and audited in a formal procedure by the ICPP • If the process is successful, the authority is awarded an audit label • The label certifies that the privacy protection system corresponds the requirements of data protection law

  7. Subject of the audit • Available for public authorities in Schleswig-Holstein • Audits for private companies are regulated by federal law. Federal law for data protection audits by the German Federal Government is in discussion.

  8. Object of the audit • Single process of data processing or • Specific section of a public authority or • Entire processing of personal data within a public authority

  9. Steps of the audit process • 3 Steps carried out by the public authority: • Stocktaking • Defining privacy protection targets • Setting up a privacy protection management system • The 3 steps are summarised by the public authority in a privacy policy • Assessment of audit process by the ICPP • If successful: Audit label is awarded, valid for 3 years

  10. Stocktaking • Examination of the current status of data processing • Comparison with the target state (legal and technical requirements for data processing) • Weak-Point-Analysis

  11. Privacy Protection Management System Entire concept including • Duties, • competences, • responsibilities and • processes in order to sustainably fulfil the privacy protection targets

  12. Privacy Protection Management System Elements: • Precise duties to fulfil the legal or higher requirements of privacy protection • General duties, e.g. • Continuous stocktaking and updating of the privacy targets • Watching the development of legal ortechnical requirements • Training of employees

  13. Assessment by ICPP • Assessment of the privacy policy • If necessary: Inspection on the spot • Results are described and evaluated by ICPP in a report

  14. Awarding the label • The audit label is awarded for three years • ICPP publishes a register of the awarded labels • ICPP publishes report of the audit process

  15. Legal Basis of the Privacy Seal

  16. What is the privacy seal? • IT products usable by a public authority can be checked and audited in a formal procedure by external experts and the ICPP • If the process is successful, the product is awarded an audit label • The label certifies that the product can be used in way compliant to data protection regulations

  17. Subject of the seal • Available “only” for IT products which can be used by public authorities in Schleswig-Holstein • Audits for other products and for federal public authorities are regulated by federal law. Plans for a federal law for data protection audits by the German Federal Government.

  18. Process of the Privacy Seal IT Product

  19. Process of the Privacy Seal Independent Expert examines IT Product … IT Product

  20. Process of the Privacy Seal IT Product is legally and technicallyprivacy-compliant Independent Expert examines IT Product … IT Product

  21. Process of the Privacy Seal IT Product is legally and technicallyprivacy-compliant Independent Expert examines IT Product … ICPP grantsPrivacy Seal for2 Years IT Product

  22. Process of the Privacy Seal IT Product is legally and technicallyprivacy-compliant Independent Expert examines IT Product … ICPP grantsPrivacy Seal for2 Years IT Product Certified ITProduct

  23. Process of the Privacy Seal Private Customers IT Product is legally and technicallyprivacy-compliant Privacy Protectionas Competition Advantage Independent Expert examines IT Product … ICPP grantsPrivacy Seal for2 Years IT Product Certified ITProduct

  24. Process of the Privacy Seal Private Customers IT Product is legally and technicallyprivacy-compliant Privacy Protectionas Competition Advantage Independent Expert examines IT Product … ICPP grantsPrivacy Seal for2 Years IT Product Certified ITProduct Public Authorities Certified Productsare deployedpreferably

  25. Which products? • Hardware • Software • Procedures (e. g., commissioned data processing such as document destruction) Products IT Product

  26. Which experts? • Both legal and technical experts • Experts with  3 years professional experience either in data protection legislation (legal expert) or in privacy-related IT security (technical expert) • Experts accredited by the ICPP • Currently 14 experts and organisations Experts Independent Expert examines IT Product … IT Product

  27. Which examinations? • Privacy law requires: • Lawful collection of data (permitted by law or by informed consent) • Lawful processing (storage, disclosure, limitation of use to special purposes, ...) • Data avoidance and data economy • Ensuring data subjects' rights (information, transparency, blocking, erasure) • Technical and organisational measures to • ensure security and safety Examination Independent Expert examines IT Product … IT Product

  28. Technical and Organisational measures to • ensure security and safety: • User authorisation • Encryption in mobile devices • Creation of backups • Logging if data are recorded only automatically: Who changed which data? • Supervision of proper usage by the data-processing body (=> knowledge of IT and its configuration) Examination Independent Expert examines IT Product … IT Product

  29. Two experts (legal and technical) examines the product and report • their findings • Expert‘s reports are checked by ICPP‘s experts with respect to examination methods and plausibility Double-check Independent Expert examines IT Product … IT Product

  30. Privacy Seals 2002-2004 • welfare & employment administration • firewall • data and file destruction • SAP testing tools • distributed storage of radiographs • remote file server (encrypted data) • PDA system for hospitals

  31. Audit schemes ISO 9000 ISO 13335 ISO 17700 CobiT IT Baseline Protection (BSI) System Task Force FIPS 140 ITSEC/CC Product non-technical technical

  32. Privacy Audit Privacy Audit Schemes System Privacy Seal Product non-technical technical