Definitions as per Data Protection Act 2004
- A "data controller" means a person who, either alone or jointly with any other person, makes a decision with regard to the purposes for which and in the manner in which any personal data are, or are to be, processed.
- A "data processor" means a person, other than an employee of the data controller, who processes the data on behalf of the data controller.
- A "data subject" means a living individual who is the subject of personal data.
Each answer in green below in the filled questionnaire:
• Elaborate on data protection procedures
Each answer is likely to indicate that you are meeting your data protection obligations in a particular area.
However, before resting on your successes, are you confident that you can prove, if necessary to a data protection authority, that all reasonable steps have been taken to meet the obligation?
If not, why not? Data protection procedures and obligations need to be reviewed in your organisation.
Each answer in red below in the filled questionnaire:
• Indicate exposure in data protection procedures
• Indicate practical problems
• Indicate technical problems
You are advised:
1. to study the relevant detail from the Guide about the data protection obligation in question; this will identify the key issues.
2. to investigate the current procedure with respect to the processing of personal data, and to assess whether modifications to this procedure are needed.
3. if still unsure what to do, to seek advice from a data protection practitioner.
General Management
1. Do you have a policy on data protection in your organisation?
1.1 How do you judge the policy?
1.2 When was the policy last reviewed?
2. Is the policy adequately resourced, and supported by a management infrastructure that can sustain, monitor and review the policy and generate reports on its effectiveness?
2.1 How well do you think the policy is promoted and supported by management?
3. Is there an identifiable person responsible for data protection within your organisation?
3.1 How is that person supported by management for data protection matters?
4. Do all individuals who are authorised to process personal data (e.g. staff) receive appropriate training, instruction or guidance on data protection?
4.1 How do you judge the training given?
4.2 Are you confident that all individuals (e.g. staff) who process personal data understand their data protection obligations associated with that processing?
5. If there are contracts associated with the processing of personal data which allow third parties access to personal data, for example data processors, do these specify data protection requirements?
6. Is there a folder of documents, or other documentation, which will help to manage and demonstrate compliance with data protection obligations?
6.1 What is your view on the quality of the information in the folder or in other documentation?
Lawfulness of Processing
1. Has the full extent of the processing, which is permitted by law and/or regulations, been identified?
2. Has proof of lawful processing been retained?
Transparency of Processing
1. Are data subjects made aware, before they provide personal data, of why personal data is being collected and which organisations will use their data?
2. Are there significant practical or technical difficulties in providing the required information to the data subjects?
3. Are there legal reasons for not providing such information?
Quality of Personal Data
1. Is personal data assessed as to whether it is ‘adequate, relevant and not excessive’ in the context of each particular purpose?
2. Are there significant practical or technical difficulties in carrying out such assessments?
3. Do formal criteria/procedures for the deletion of personal data exist?
4. Is personal data assessed for its accuracy and checked whether it is up to date?
5. Are there significant practical or technical difficulties in complying with the above?
6. Are there legal reasons for not complying with the above?
Security of Personal Data
1. Is there a security policy that covers all aspects of the processing of personal data?
1.1 How do you judge the security policy?
1.2 How well is the security policy promoted and supported by management?
2. Do security controls or procedures include measures to ensure the integrity of the personal data and of its processing?
3. Do security controls or procedures include measures to permit user identification and authorisation processing?
4. Do security controls or procedures include measures to safeguard operating procedures?
5. Do security controls or procedures include measures to facilitate the use of encryption?
6. Do security controls or procedures include measures to invoke a business continuity/disaster recovery plan?
7. Do security controls or procedures include measures to establish adequate audit and monitoring arrangements?
8. Do security controls or procedures include measures to safeguard the physical security of the processing environment?
9. How physically secure do you consider your processing of personal data to be?
10. Are staff trained in the necessary security controls and procedures?
10.1 How do you judge the training given?
11. When did you last receive training/instruction on IT security requirements?
12. Are there significant practical or technical difficulties in forming such a plan?
Data Subjects' Rights
1. Do procedures allow for data subjects to be informed of the nature of the processing of personal data, and to receive confirmation as to whether or not personal data about them is processed?
2. Do procedures allow data subjects to exercise their right of access to personal data which relate to them?
3. Do procedures allow data subjects to object to the processing of personal data?
4. Are there legal reasons for not complying with the above?
5. Do procedures have the capability to correct, block or erase personal data (e.g. in compliance with requests from data subjects and/or from Data Protection Office), and to notify third parties who have received the data subject's personal data?
Notifications
1. Has a comprehensive census of the processing of personal data been carried out?
2. When was the census carried out?
3. Do procedures anticipate the need to notify details of the processing to the Data Protection Office?
4. Are there practical or technical difficulties in providing such notification?
5. Are there legal reasons for not providing such a notification?
System Design
1. Are data protection considerations taken into account during the development, purchase or acquisition of hardware and software?
2. Are changes to the software or processing environment considered in the context of data protection obligations?