Data Protection Audit

Self-assessment toolkit

online preferences security passport details

emergency contact details blood group email account number accuracy CCTV
images
tax records rights payroll number login details address criminal records
sickness records credit card number welfare records ethnicity passwords
loyalty card name record destruction health details sexual orientation
record retention telephone recordings mobile number religion date of birth
NI number principles registration
 Contents
Introduction to the self-assessment toolkit Error! Bookmark not defined.

Definitions and substitution words 5

Audit Section 1- Compliance and Awareness 8

Audit Section 2 - Information Governance 22

Audit Section 3 - Record Retention 39

Audit Section 4 - Security of Personal Data 44

Audit Section 5 - Requests for Personal Data 52

Audit Section 6 - Direct Marketing 58

Page 2 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
What is an audit?

An audit is an evaluation of how organisational assets or resources are managed in relation to a

particular set of standards or model.

Why undertake a data protection audit?

Information is a valuable asset and resource to any organisation. The Data Protection Act (“the Act”)
sets out rules regarding the managing, handling and utilisation of a particular form of information, i.e.
‘personal data’. These rules are the ‘data protection principles’.

Organisations may utilise personal data for many different reasons, for example staff administration,
the provision of goods or services to customers, marketing strategies, prevention of money
laundering etc. It is important to ensure that the utilisation of personal data accords with the
requirements of the Act.

What is the benefit of undertaking a data protection audit?

A data protection audit operates as a control mechanism and may identify irregularities or system
weaknesses regarding the organisation’s handling of personal data – i.e. compliance with the data
protection principles.

These weaknesses may include a lack of security, which may lead to inappropriate use of the
personal data, the collection of unnecessary or irrelevant personal data, or the over-long retention of
personal data.

The audit may also reveal weaknesses in respect of compliance with the rights of individuals, such as
the right of access, or the obligation to notify the Commissioner of the types of processing of
personal data undertaken by the organisation.

The audit may lead to the identification of processes, procedures or measures that need to be
implemented, supplemented or amended in such a way as to ensure compliance with the Act or
gauge the level of awareness of data protection as part of the business function within the
organisation.

The audit may also reveal opportunities for financial savings, for example, in the case of monitoring
retention periods the audit may result in the organisation taking steps to implement more effective
records management and free up office space or substantially reduce expensive archiving and/or
offsite storage costs.

Further detailed analysis of the benefits of undertaking a data protection audit can be found in the UK
Information Commissioner’s document, “The Privacy Dividend: the business case for investing in
proactive privacy protection”.

“The Privacy Dividend” includes calculation sheets to enable organisations to put a value on personal
data assets and on the privacy protection benefits. It also includes privacy failure cost calculation
sheets. This document is available free of charge at http://www.ico.org.uk

Page 3 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
What areas does this self-assessment audit toolkit cover?

Many business areas should be included when undertaking a data protection audit, although it may
prove difficult, and be resource-intensive, to undertake a full audit across the entire business function
at the same time.

This self-assessment toolkit is not a full data protection audit but identifies different areas to enable
an incremental approach to auditing. This allows the organisation to choose which area it feels
appropriate to address first. As with many other audits, there may already be significant
documentation in place that will enable the questions to be answered. However, depending upon the
size and nature of the organisation, it may not be necessary to include responses to all questions.

The audit areas are set out separately in the following sections:

• Compliance and awareness – Audit Section 1

• Information governance – Audit Section 2

• Record retention – Audit Section 3

• Security of personal data – Audit Section 4

• Requests for personal data – Audit Section 5

• Direct marketing – Audit Section 6

Each of these audit areas should be undertaken in respect of both client information and staff
information.

Page 4 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
A list of relevant legal definitions and word substitutions used in to this audit toolkit can
be found on the following page.

Definitions and substitution words

Legal Term Legal Definition Substitution word

(if different)

Data information which-

(a) is being processed by means of equipment operating
automatically in response to instructions given for that
purpose,
(b) is recorded with the intention that it should be
processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with
the intention that it should form part of a relevant filing
system, or
(d) does not fall within paragraph (a), (b) or (c) but
forms part of an accessible record

Personal data “data” which relate to a living individual who can be

identified-
(a) from those data, or
(b) from those data and other information which is in
the possession of, or is likely to come into the Information
possession of, the data controller, and includes any
expression of opinion about the individual and any
indication of the intentions of the data controller or any
other person in respect of the individual

Data controller a person who(either alone or jointly or in common with

other persons) determines the purposes for which and Organisation
the manner in which any personal data are, or are to be,
processed

Data subject an individual who is the subject of “personal data” Individual

Data processor any person (other than an employee of the data

controller) who processes the data on behalf of the data
controller

Processing obtaining, recording or holding the information or data

or carrying out any operation or set of operations on the
information or
Page 5 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
 data, including-
(a) organisation, adaptation or alteration of the
information or data,
(b) retrieval, consultation or use of the information or
data,
(c) disclosure of the information or data by transmission,
dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or
destruction of the information or data

Sensitive personal data consisting of information as to-

personal data (a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar
nature,
(d) whether he is a member of a trade union (within the
meaning of the Trade Unions Act 1991), Sensitive
(e) his physical or mental health or condition, information
(f) his sexual life,
(g) the commission or alleged commission by him of any
offence, or
(h) any proceedings for any offence committed or
alleged to have been committed by him, the disposal of
such proceedings or the sentence of any court in such
proceedings

Data protection the principles set out in Part 1 of Schedule 1 to the Act Principles
principles

Information Commissioner
Commissioner

Page 6 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 1- Compliance and awareness

This section is divided into the following parts:

• Compliance – corporate compliance and privacy awareness

This part seeks to identify the mandates for privacy protection and assesses the level of
understanding and awareness at senior level.

• Staff training and awareness

This part seeks to assess the level of awareness of staff and identify what training is in place.

Page 8 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 1

Procedural issues and awareness

Compliance – corporate compliance and privacy awareness

Identify the mandates for privacy relevant to the organisation

Type Name Applicable Notes

Corporate Strategic objectives

Statutory obligations

Policies (e.g. privacy, security,

ethical)

Internal standards

Contractual requirements

Service agreements

Business change programmes

Initiatives

Business “trust seal” or “privacy

seal” programmes and
guarantees

Employee agreements

Page 11 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
External Standards BS10012:2009

ISO/IEC 27000 series

Legislation Data Protection Act 2002

Unsolicited Communications
Regulations 2005

Human Rights Act 2002

Isle of Man Companies Acts

Sectoral legislation
e.g. banking, insurance, anti-
money laundering, health,
gaming or gambling

Statutory codes

Page 12 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Regulators which Common regulators include the
compel or Financial Supervision Commission,
recommend Insurance and Pensions Authority,
compliance with the Press Complaints Commission,
DPA etc.

Trade Organisations
and Associations
which compel or
recommend
compliance with the
DPA

Other (Employees Organisation’s employees may be

Professional members of professional,
Associations and employee or interest groups that
Unions and stipulate compliance with
International legislation in their code of
Aspects) conduct.

Page 13 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 1

Procedural issues and awareness

Compliance – corporate compliance and privacy awareness

Audit Questions Response Example Evidence

Is senior management fully aware of

• the obligations imposed by the Act upon the organisation?

• the liabilities imposed by the Act at both corporate and individual level?

• the rights provided to individuals by the Act?

Is data protection a fixed, frequent or rare item on meeting agendas at senior

Meeting agendas/minutes
management level?

Does the organisation need to maintain a data protection register entry?

If required to have a register entry, is the register entry reviewed in a Copy of register entry supplied by
meaningful way on an annual basis to ensure that the processing undertaken the Information Commissioner’s
by the organisation is reflected appropriately? office

Page 15 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Has a data protection compliance officer been identified or appointed? Organisation chart

Are all staff aware of his, or her, role? Policy/procedures

Are there mechanisms in place for formal review of data protection activities
Policy/procedures
within the organisation by the compliance officer?

Policies and Procedures

What policies and procedures does the organisation have in place with regard
to ensuring compliance with the Act?

How often are such policies and procedures reviewed and updated?

Does the organisation provide fair processing notices to individuals in respect

of the processing of their information?

• What format are these notices in?

• How often are such notices reviewed and updated?

Page 16 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Project Management

• Are all new projects and initiatives that entail processing information
“privacy-proofed” at the planning stage?

• Is a privacy impact assessment (PIA) conducted at development, PIA

testing and delivery stage, i.e. pre- and post-implementation?

(Information about PIAs issued by the UK Information Commissioner’s Office

can be found on the website www.inforights.im )

Page 17 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 1

Procedural issues and awareness

Staff training and awareness

Audit Questions Response Example Evidence

Are staff aware of their data protection responsibilities?

How often is data protection awareness training provided and is

Training materials
there ongoing refresher training for staff?

Does induction training for new staff include awareness of their

Training materials
data protection responsibilities?

If a member of staff has a query regarding data protection, do Policy/procedures, Organisational

they know who to seek advice from? chart

Is information security addressed in any training sessions? Training materials

Are staff aware that unauthorised access to information is not

Policy/procedures
allowed?

Page 20 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Are staff leaving employment aware that any customer information
Contracts
remains subject to confidentiality?

Is there a clause to this effect built into employment contracts? Contracts

Page 21 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 2 - Information governance

This section looks at compliance with the following data protection principles:

• Principle 1 – fair and lawful processing

o Personal data shall be processed fairly and lawfully and, in particular, shall not be
processed unless-
at least one of the conditions in Schedule 2 is met, and
in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also
met.

• Principle 2 – purpose for which data are obtained and processed

o Personal data shall be obtained only for one or more specified and lawful purposes, and
shall not be further processed in any manner incompatible with that purpose or those
purposes.

• Principle 3 – adequacy and relevance of data

o Personal data shall be adequate, relevant and not excessive in relation to the purpose or
purposes for which they are processed.

• Principle 4 – accuracy of data

o Personal data shall be accurate and, where necessary, kept up to date.

• Principle 8 – transfer of data abroad

o Personal data shall not be transferred to a country or territory outside the Island unless
that country or territory ensures an adequate level of protection for the rights and
freedoms of data subjects in relation to the processing of personal data.

An adequate level of protection is further interpreted in Part 2 of Schedule 1 to the

Act

It is recommended that this Audit Section 2 is completed prior to Audit Sections 3 and 4 as
the information obtained in Audit Section 2 feeds into Audit Sections 3 and 4.

Page 22 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 2

Information governance

Principles 1 and 2 are intertwined and are dealt with in three sections:

▪ Lawfulness

▪ Fair obtaining and fair processing

▪ Further processing

Each of these areas should be reviewed separately in respect of customers and staff.

Page 25 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 2

Information governance

Principles 1 and 2

Audit Questions Response Example Evidence

Lawfulness

Why do you obtain and process information?

Identify and list the purposes for obtaining and processing

information.
Data protection register entry,
Do you know which relevant statutory obligation or industry
fair processing notice
standard requires information to be obtained and processed for
these purposes?

(e.g. sales or accounting records, employment, health and

safety, insurance, anti money-laundering, vetting obligations)

Why do you obtain and process sensitive information?

Identify and list the purposes for obtaining and processing

Data protection register entry,
sensitive information.
fair processing notice
Do you know which relevant statutory obligation or industry
standard requires sensitive information to be obtained and
processed for these purposes?
Page 27 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Fair obtaining and fair processing

Application or membership forms,

website form, telephone
What types of information do you obtain and process?
recording systems, CCTV, swipe
card access

For each purpose identified above, list the types of information

you obtain and process

(e.g. name, address, email, date of birth, bank details, NI

number, opinions about the person)

For each purpose identified above, list the types of sensitive

information you obtain and process

(e.g. details of physical or mental health or conditions, ethnicity,

trade union membership, criminal offences or allegations, etc.)

Is verification documentation sought for any of the purposes

identified above?
Customer files
If so:-
• What happens to the verification documentation?

Page 28 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
 • Is a photocopy or scan retained for your records?

How do you obtain information?

What means and methods are used to obtain

Application or membership forms,
▪ information
website form, telephone
recording systems, CCTV, swipe
▪ sensitive information
card access
from the individual?

Do you obtain information about individuals from third parties?

(e.g. credit reference agencies, job references, mailing lists)

Fair Processing

Clear and simple fair processing

Can the collection of individuals’ information be described as
notice, privacy policies, terms and
open, up-front and fair?
conditions

Application or membership forms,

At the time you collect information, are individuals made aware
website form, over the telephone
of the use(s) for that information?

Page 29 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
(e.g. account administration, direct marketing)

If an individual asks why you need certain information, are staff

in a position to be able to correctly explain?

Further processing

Is an individual’s consent sought for further secondary uses of

Application or membership form,
their information that may not be obvious to them?
fair processing notice
(e.g. direct marketing)

Are any routine disclosures of information made to third

parties?

Identify any third parties to whom information may routinely be

disclosed.
Data protection register entry
▪ For what purpose(s) is information routinely disclosed to
third parties?

▪ Are these purposes compatible with the purpose for

which the information was originally obtained?

Application or membership form,

Are individuals made aware of any routine disclosures of their
fair processing notice
information to third parties at the time their information is
originally collected?
Page 30 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Do you receive requests for information, or sensitive
information, about your customers from third parties?

If yes,

• Is there a legislative basis cited by any of these third

parties seeking information?

• Are there procedural guidelines for dealing with requests

for information from third parties? Policy/ procedures

• Do you document all requests handled and responded

to?

• How do you handle law enforcement requests for

disclosure of information?

Page 31 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 2

Information governance

Principle 3 – adequacy and relevance of data

Audit Questions Response Example Evidence

In relation to the purposes identified and listed in the

audit questions for Principle 2 -

• For each purpose, is all the information sought relevant

to the identified specific purpose?

• Do you have sufficient information in relation to each

identified specific purpose to enable you to undertake
the relevant business function?

• Do you obtain information for which you are unable to

identify a legitimate purpose?

Do you regularly review any forms or web pages that are used
to obtain information to ensure that the information sought is
Service application forms,
not excessive for the specific purpose?
membership forms, job application
forms
For example, do you use all the information collected via your
website or application forms?

Page 33 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 2

Information governance

Principle 4 – accuracy of data

Audit Questions Response Example Evidence

What reasonable steps do you take to check the accuracy of

information obtained from
Procedures
• the individual

• a third party

Can you identify what information is time sensitive, i.e. likely to

become inaccurate over time unless it is updated?

Annually completed membership

What steps are taken to ensure that any information is up to
forms / requests sent to individuals
date?
for any changes to be advised

If information is disclosed to a third party, what reasonable

steps are taken to ensure the accuracy of the information before
that information is disclosed?

Page 35 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 2

Information governance

Principle 8 – transfer of data abroad

Audit Questions Response Example Evidence

Does the organisation transfer information outside the

Isle of Man?
(For example, is any processing outsourced to data
processors in other countries?)

If information is transferred or outsourced –

• For what purpose(s), identified and listed in the audit

Contract
questions for Principle 2, is the processing outsourced?

• What type(s) of information is transferred /outsourced?

• Does the organisation transfer this information outside

the European Economic Area (EEA)?
Contract/ standard EU contractual
clauses
• Does the country to which the information is transferred
have adequate data protection legislation in place?
Fair processing notices/ terms and
conditions
• What arrangements are in place to ensure that the
information is processed in accordance with the
requirements of the Isle of Man Data Protection Act?

Page 37 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
 • Are checks undertaken to ensure that there are
appropriate security measures in place?

• Are customers made aware that their information may be

transferred outside the Isle of Man?

Page 38 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 3 - Record Retention

This section looks at compliance with the fifth data protection principle – time for keeping data.

The fifth principle states “Personal data processed for any purpose or purposes shall not be kept for
longer than is necessary for that purpose or those purposes.”

The Act does not specify how long personal data should be retained as the Act applies to many
different organisations.

The time for retention also depends on what type of information is held, the purpose for holding it and
whether there are legal obligations requiring the retention of that particular information. The fifth
principle applies to any personal data held, whether that is computerised or paper records, digital
images, cctv or voice recordings.

At the end of its lifetime, information must be destroyed securely and appropriately in accordance with
the Act.

It is therefore important that any organisation understands what information it holds and why, and
therefore be able to identify any relevant legal or industry-standard retention periods.

A records’ retention policy and a records’ destruction policy targeted at the organisation’s particular
requirements and obligations should be developed, and regularly reviewed, to ensure compliance with
this principle.

It is recommended that audit section 2 is completed prior to this section, as the

information obtained in Audit Section 2 feeds into this section.

The UK Information Commissioner’s document, “The Privacy Dividend: the business case for investing
in proactive privacy protection”, which is available at www.ico.org.uk and on our website at
www.inforights.im , includes calculation sheets to enable organisations to put a value on its personal
data assets.

Page 39 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 3

Record Retention

Audit Questions Response Example Evidence

Information and knowledge management

• Have you ever conducted an information and/or

knowledge audit?
Asset register
• Do you have a list, or register, of information assets such
as account details, client lists, marketing lists, etc.?

• If so, does this distinguish between “Personal data” and

non- personal data?

Identify and list what types of information is held by the

organisation

Identify the purpose(s) for holding the differing types of

information (see Principle 2 in Audit Section 2 of this toolkit)

Is the organisation aware of any relevant legal requirements, or

industry standards, for periods of record retention?
Policy
Can you identify and list these periods?

Page 42 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
For all the differing types of information, computerised and/or
manual, does the organisation have a record retention policy or a Policy
clear statement on how long the information should be retained?

Policy
Is there a policy on deleting information when it is no longer
required for the specified purpose or purposes?

When information is no longer required, how is the information

Policy/procedures
deleted or destroyed?

Does the organisation have archive facilities or off-site storage?

Policy/procedures
If so, is the information stored in such facilities routinely weeded?

Does the organisation regularly weed databases of information

that is no longer required, such as information relating to former Policy
customers or staff?

Page 43 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 4 - Security of Personal Data

The seventh data protection principle is concerned with measures against misuse and loss of personal
data. This applies to all personal data whether that is in computerised or paper format.

The principle states:

“Appropriate technical and organisational measures shall be taken against unauthorised or

unlawful processing of personal data and against accidental loss or destruction of, or
damage to, personal data”, with further interpretation in part 2 of schedule 1 to the Act.

Access to information should be on a ‘need to know’ basis.

With this in mind, it is recommended that organisations:

• Conduct an audit identifying the types of information held, listing all information repositories
and their location;

• Chart personal information flows both within the organisation and outside it, listing all third
parties to which information may be disclosed and assess these disclosures to ensure they are
legitimate;

• Examine access rights to information across the various identified repositories;

• Divide the organisation into functional units and assess whether access rights are appropriate
based on the needs of each functional unit. There may be sub-divisions within each functional
unit where access rights could be limited, or extended;

• Based on an analysis of information repositories and data flows, investigate with your IT team
the possibility of installing filters, and creating tiered access to subsets of information;

• Review logging and reporting functionality for all systems holding information;

• Examine other system controls, For example:

o Printer connections
o Copy facilities
o Necessity of enabled ports for USB or disks;

• Conduct regular reviews of access control and user provisioning polices, especially with regard
to situations where a user’s role and duties within the organisation changes.

It is recommended that audit section 2 is completed prior to this section, as the

information obtained in Audit Section 2 feeds into this section.

It may not be necessary, depending upon the size and nature of the organisation, to include responses
to all the questions set out in this section.

Page 44 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 4

Security of Personal Data

Audit Questions Response/Notes Example Evidence

Basic security

How is access to the building controlled?

Consider access by both staff and visitors

Paper Records

What security arrangements are there in place

in respect of paper records?

Access to paper records:

o How is access to paper record

controlled?

o Is access to paper records monitored?

o Are paper records tracked if they are

removed from the filing system?

ELECTRONIC SYSTEMS

1. Network security

• What type of back-up systems operates?

• Is there a set daily or weekly procedure?

• Where are the back-ups kept?

Page 46 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
 • Is this a secure location?

• Are all entry routes to server rooms/

computer centre subject to access
control?

• If you obtain information via a website,

e.g. an online application form, what
level of security is in place taking into
account the nature of the information
being transmitted? (https/ssl etc. )

2. System security

User Registration

• Is there a user registration and removal

procedure in place?

• Are user ID’s unique?

• Are users required to sign an Agreed

User Policy (AUP) prior to having an Procedure/ policy
account created?

• Are access roles used or defined?

• Is there a generic administrator

account?

Access rights management

• Is the allocation of access rights

controlled in a formal manner?

• Is there a record of the authorisation

Procedure/ policy
process and the privileges assigned?
Request and
authorisation forms
• Does the AUP cover keeping passwords
secure?

• Is there a procedure to verify the

identity of the user prior to resetting or
sending a password to them?

Page 47 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
 Review of access rights

• Does management conduct a review of

access rights allocated at periodic
intervals using a documented process?
Procedure/ policy
• Are user access rights re-allocated when
they move groups within the
organisation?

Internal data transfer

• Is data transferred electronically

internally? E.g., intranet, data
repositories

• What security measures are in

place? E.g. encryption levels

• Do access rights vary across

different data repositories and
data types?
E.g. do all staff have full
read/write/copy access to any
ERMS or intranet documentation
or does this vary with role and
responsibilities?

• Are there any audit trails/logs in

place?

3. User responsibilities

Are users advised to:

• Keep passwords safe and not share

passwords? Procedure/ policy
Staff handbook
• Not write down their password?

• Select quality passwords of a minimum

length (e.g. alpha-numeric)

Page 48 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Are users advised to /enforced

• Change passwords frequently

Procedure/ policy
Staff handbook
• Change temporary passwords at first
log-on

Are suitable controls in place to authenticate

Procedure/ policy
remote users?

Are documents sent externally by email

Procedure/ policy
encrypted or password protected?

If emails are sent to multiple recipients, is the

BCC (blind carbon copy) function routinely used Procedure/ policy
as default?

4. Removable devices/media

• Are ports such as CD, SD and USB drives

enabled?

• Are such drives capable of copying files?

In relation to laptops:

• Under what circumstances is ‘personal

data’ held on laptops?

• Do laptops have remote access to

corporate databases?

• Are laptops password protected?

• Are laptops encrypted?

• Do staff have remote access to data

when they are offsite so that ‘personal
data’ does not need to be stored
elsewhere?

Page 49 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
 5. Monitoring

Are audit logs recording:

• user activities, including read access,

• exceptions, and

• information security events

Procedure/ policy
produced and kept for an agreed period to
assist future investigations and access control
monitoring?

• Are patterns of abnormal usage

identifiable?

Do procedures for monitoring use of information

processing systems exist?
Procedure/ policy
• Are the results of such monitoring
activities reviewed regularly?

6. Password Management System

Is the password management system

configured in line with best practice?

This would include:

• Enforcing the use of individual

username/passwords

• Maintain a history of passwords and

prevent re-use of previous passwords
Procedure/ policy
• Allow users to select / change their own
passwords

• Enforce secure passwords

• Force periodic changes

• Store and transmit passwords securely

Page 50 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 5 - Requests for Personal Data

The sixth data protection principle states:

“Personal data shall be processed in accordance with the rights of data subjects under this
Act.”

The rights of individuals are set out in Part 2 of the Act.

One of these rights is the fundamental right of access to their information and section 5 of the Act sets
out the obligations in respect of this right.

The exercising of this right is known as ‘making a subject access request’.

Guidance on complying with subject access requests, including format and time limitation, is available
on our website www.inforights.im

Page 52 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 5

Requests for Personal Data

Audit Questions Response Example Evidence

Has the organisation allocated an individual the role of ensuring

Organisational chart
compliance with subject access requests?

Does the organisation have procedures for identifying subject

Procedures
access requests?

Does the organisation have procedures for dealing with subject

Procedures
access requests?

Does the organisation log all requests received to ensure that

Procedures
they are dealt with within the appropriate timeframe?

Are staff aware of these procedures? Training materials

Page 55 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 6 - Direct marketing

Many organisations rely on direct marketing for increased sales, diversification of products or services
and generally increasing corporate awareness.

The Act defines 'direct marketing’ as “the communication (by whatever means) of any advertising or
marketing material which is directed to particular individuals.”

When direct marketing, in any format, is targeted at individuals, i.e. their personal data is used to send
direct marketing, then that marketing is subject to the Act.

The sixth data protection principle states:

“Personal data shall be processed in accordance with the rights of data subjects under this Act.”

The rights of individuals are set out in Part 2 of the Act.

One of these rights, set out in section 9, is the right to opt out from the use of their information for the
purpose of direct marketing and individuals can exercise this right by writing to, or emailing, the
organisation.

The Commissioner is also responsible for ensuring that organisations comply with the
Unsolicited Communications Regulations 2005 in respect of electronic direct marketing.

Page 58 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Audit Section 6

Direct marketing

Audit Questions Response Example Evidence

Marketing

Describe how a typical marketing campaign operates

What methods / media do you use?

(if using electronic means for direct marketing [email, sms,

fax, phone calls] - see separate section below)

Do you outsource marketing activities?

If so,
• Is there a contract in place?
Contract
• Does the contracted organisation handle personal data of
your customers?

• Does the contracted organisation procure new customers

for you?

Do you purchase any third party direct mail lists or commission

tailored lists of prospective customers?

Page 61 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Customers

• Can customers opt-out of marketing campaigns?

• How does a customer change his/her opt-out

preference?

Electronic Marketing

Do you direct market using email, sms, fax or telephone?

At the time you collect customers contact details are they

• advised of the use of their contact details, and

• provided with the opportunity to opt out from direct

marketing?

Does each communication include:

• the organisation’s name

• a simple, free means (apart from the cost of

transmission) for individuals to opt out from future direct
marketing?

Page 62 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015
Is the organisation’s name included on each direct marketing
communication?

If you use the telephone to direct market, does the

organisation take steps to check whether the individual has
asked for their number (mobile or landline) to be included on
the Telephone Preference Service which lists individuals who do
not wish to receive direct marketing by telephone

Page 63 of 63
Isle of Man Information Commissioner - Audit Toolkit, V1.1, September 2015