Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 11 October 1997, rev. 8 September 1999
© Xamax Consultancy Pty Ltd, 1997, 1999
These notes were prepared as input to Prof. Ron Weber when he was preparing the revised edition of his world-leading text on Information Systems Audit, subsequently published as Weber (1999).
This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/Audit.html
Privacy has become very relevant to information systems audit, and indeed is increasingly important to corporate strategy. This section provides background to the phenomenon, and guidance as to the auditor's role.
Privacy is the interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations. It is not a single interest, but has several dimensions. Privacy of the person is concerned with the integrity of the individual's body. Issues include compulsory immunisation, and blood transfusion without consent. Privacy of personal behaviour is particularly important in the context of such sensitive matters as sexual preferences and habits, political activities and religious practices, both in private and in public places.
The dimensions of relevance to information systems auditors are the privacy of personal communications and the privacy of personal data. Individuals claim that data about themselves should not be automatically available to other individuals and organisations, and that, even where data is possessed by another party, the individual must be able to exercise a substantial degree of control over that data and its use. With the close coupling that has occurred between computing and communications, particularly since the 1980s, the last two aspects have become closely linked, and are commonly referred to as 'information privacy'.
Since the beginning of the 1970s, legislatures have increasingly recognised the need for privacy protections. Most advanced countries have passed what are commonly called 'data protection' laws, which impose codes of 'fair information practice' on organisations. In some cases the scope is limited to the public sector, but regulatory regimes are increasingly impinging on the private sector as well.
A much fuller introduction is available.
Historically, auditing has been oriented towards financial and security aspects of business. This is slowly changing, however, as evidenced by standards (e.g. ISACA 1996, 1999) and text-books in the area (e.g. Weber 1999).
Regulatory regimes in relation to privacy vary widely in matters of detail. Some directly impose statutory obligations on organisations that handle personal data. Others establish a statutory framework, but delegate implementation details to a supervisory body, typically a Data Protection or Privacy Commissioner. Some involve the establishment of statutory codes of conduct applicable to particular industry sectors, or to classes of activity or record, in such areas as employment or health care. In some cases, industries are encouraged to establish self-regulatory codes, subject to some degree of supervision by a government agency.
The most widely respected set of general privacy protection principles is the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD, 1980). These were codified in 1980 as a means of encouraging harmonisation among the laws of different countries, and hence of avoiding the emergence of a new form of trade barrier. They drew on the 'fair information practices' thinking that had emerged during the late 1960s and early 1970s on both sides of the Atlantic.
During the 1990s, momentum has been gathering, especially in Europe, for substantial upgrading to these limited protections, in order to provide enhanced protections against technologies whose privacy-invasiveness has increased dramatically in the intervening period. For a summary of the inadequacies of these 'fair information practices' formulations, see Clarke (1999).
Guidance in relation to a strategic approach to privacy is provided in Clarke (1996). The nature of Privacy Impact Assessments (PIAs) is outlined in Clarke (1998).
The Australian Legal Information Institute (AustLII) provides the best available reference to relevant laws of the world. A further source is AustLII's index of Privacy and Data Protection Commissioners.
Generally, laws impose responsibilities on organisations in the following areas:
[This section is taken almost directly from Ron's draft, because I couldn't improve on it!]
The impact of privacy legislation on our work as information-systems auditors will depend on the particular forms of legislation existing in the country and state in which we work, or the forms of the legislation applying to the organizations we audit. Nonetheless, privacy legislation is likely to have five broad implications for our work as information-systems auditors:
Audit firms in a number of countries, notably Australia and Canada, have established specialised practices in the area of data or information privacy. In some countries, guidance regarding the nature and conduct of privacy audits is available from the Privacy or Data Protection Commissioner.
Auditors are increasingly being called upon to examine corporate mission statements and strategic plans, in order to ensure that the organisation is adopting an appropriate stance in relation to personal data and privacy-intrusive technologies and practices.
Depending on the terms of reference of the audit, information systems auditors have a professional obligation to examine plans, policies, manual and automated procedures and practices, for compliance with the law, and with corporate privacy strategy and policy. They accordingly have a responsibility to keep themselves informed of developments in relevant law, and in privacy-relevant technologies.
A comprehensive listing of sources is available on the author's Dataveillance page.
Clarke R. (1996) 'Privacy, Dataveillance, Organisational Strategy' Proc. I.S. Audit & Control Association Conf. (EDPAC'96), Perth, 28 May 1996. Revised version at http://www.anu.edu.au/people/Roger.Clarke/DV/PStrat.html
Clarke R. (1998) 'Privacy Impact Assessments' February 1998, at http://www.anu.edu.au/people/Roger.Clarke/DV/PIA.html
Clarke R. (1999) 'Internet Privacy Concerns Confirm the Case for Intervention' Commun. ACM 42, 2 (February 1999) 60-67, at http://www.anu.edu.au/people/Roger.Clarke/DV/CACM99.html
ISACA (1996, 1999) 'Control Objectives for Information and Related Technology', Information Systems Audit and Control Association, 2nd edition, 1996, 1999, at http://www.isaca.org/
Morison J. (1996) 'Developing and Implementing a Privacy Compliance Programme' Proc. IIR Conference on Information Privacy, 12-13 August 1996, Office of the Privacy Commissioner, Human Rights Australia, G.P.O. Box 5218 Sydney NSW 2001
OECD (1980) 'Guidelines on the Protection of Privacy and Transborder Flows of Personal Data' OECD, Paris, 1980, at http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM
Privacy Commissioner of Australia (1991) 'Privacy Audit Manual' Office of the Privacy Commissioner, Human Rights Australia, G.P.O. Box 5218 Sydney NSW 2001
Stewart B. (1996) 'Privacy impact assessments' Privacy Law & Policy Reporter, 3, 4 (July 1996)
Weber R. (1999) 'Information Systems Control and Audit', Prentice-Hall, 1999, pp. 9-10, 995-998, outline at http://www.prenhall.com/books/be_0139478701.html
Created: 11 October 1997
Last Amended: 8 September 1999