Information Systems Audit & Information Privacy

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 11 October 1997, rev. 8 September 1999

© Xamax Consultancy Pty Ltd, 1997, 1999

These notes were prepared as input to Prof. Ron Weber when he was preparing the revised edition of his world-leading text on Information Systems Audit, subsequently published as Weber (1999).

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/Audit.html


Introduction

Privacy has become very relevant to information systems audit, and indeed is increasingly important to corporate strategy. This section provides background to the phenomenon, and guidance as to the auditor's role.


Background

Privacy is the interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations. It is not a single interest, but has several dimensions. Privacy of the person is concerned with the integrity of the individual's body. Issues include compulsory immunisation, and blood transfusion without consent. Privacy of personal behaviour is particularly important in the context of such sensitive matters as sexual preferences and habits, political activities and religious practices, both in private and in public places.

The dimensions of relevance to information systems auditors are the privacy of personal communications and the privacy of personal data. Individuals claim that data about themselves should not be automatically available to other individuals and organisations, and that, even where data is possessed by another party, the individual must be able to exercise a substantial degree of control over that data and its use. With the close coupling that has occurred between computing and communications, particularly since the 1980s, the last two aspects have become closely linked, and are commonly referred to as 'information privacy'.

Since the beginning of the 1970s, legislatures have increasingly recognised the need for privacy protections. Most advanced countries have passed what are commonly called 'data protection' laws, which impose codes of 'fair information practice' on organisations. In some cases the scope is limited to the public sector, but regulatory regimes are increasingly impinging on the private sector as well.

A much fuller introduction is available.


Legal Position

Historically, auditing has been oriented towards financial and security aspects of business. This is slowly changing, however, as evidenced by standards (e.g. ISACA 1996, 1999) and text-books in the area (e.g. Weber 1999).

Regulatory regimes in relation to privacy vary widely in matters of detail. Some directly impose statutory obligations on organisations that handle personal data. Others establish a statutory framework, but delegate implementation details to a supervisory body, typically a Data Protection or Privacy Commissioner. Some involve the establishment of statutory codes of conduct applicable to particular industry sectors, or to classes of activity or record, in such areas as employment or health care. In some cases, industries are encouraged to establish self-regulatory codes, subject to some degree of supervision by a government agency.

The most widely respected set of general privacy protection principles is the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD, 1980). These were codified in 1980, as a means of encouraging harmonisation among the laws of different countries, and hence the avoidance of a new form of trade barrier emerging. They drew on the 'fair information practices' thinking that had emerged during the late 1960s and early 1970s on both sides of the Atlantic.

During the 1990s, momentum has been gathering, especially in Europe, for substantial upgrading to these limited protections, in order to provide enhanced protections against technologies whose privacy-invasiveness has increased dramatically in the intervening period. For a summary of the inadequacies of these 'fair information practices' formulations, see Clarke (1999).

Guidance in relation to a strategic approach to privacy is provided in Clarke (1996). The nature of Privacy Impact Assessments (PIAs) is outlined in Clarke (1998).

The Australian Legal Information Institute (AustLII) provides the best available reference to relevant laws of the world. A further source is AustLII's index of Privacy and Data Protection Commissioners.

Generally, laws impose responsibilities on organisations in the following areas:


Implications for Information-Systems Auditing

[This section is taken almost directly from Ron's draft, because I couldn't improve on it!]

The impact of privacy legislation on our work as information-systems auditors will depend on the particular forms of legislation existing in the country and state in which we work or the forms of the legislation applying to the organizations we audit. Nonetheless, privacy legislation is likely to have five broad implications for our work as information-systems auditors:

  1. Need to be familiar with statutes: Auditing standards require auditors to be familiar with statutes affecting the organizations they audit. In the case of privacy statutes, the laws that are relevant to our work may have both domestic and foreign origins. If the organizations we audit collect personal data in other countries and transfer this data across international boundaries, for example, we will need to identify and understand the implications of any foreign laws that pertain to this data.
  2. Need to audit for legislative compliance: Because penalties may arise for noncompliance with a privacy act, as information-systems auditors we may be given responsibility for ensuring that the organizations we audit comply with the statutes. If we are internal auditors, we may also be responsible for preparing a privacy impact statement and constructing a comprehensive privacy plan. If we are external auditors, in some cases we may have to determine whether contingent liabilities have arisen because our clients have failed to comply with a privacy act.
  3. Auditor as user of personal data: As users of personal data, information-systems auditors may be subject to the provisions of a privacy act. For example, organizations might have to identify their auditors and the ways in which their auditors will use personal data in advance. Approval may have to be obtained for any deviations from these stated purposes.
  4. Auditor as maintainer of personal data: In the course of an audit, we may extract personal data from files to include in our working papers. Under a privacy act, we might then be responsible for ensuring that adequate security exists over our own files, in the same way that we are responsible for evaluating whether adequate security exists over files belonging to the organizations we audit. Indeed, under a privacy act the organizations we audit may be prevented from providing us with personal data unless we can show that our files are secure.
  5. Need to evaluate fairness of information practices: Although privacy legislation may not apply to a specific information practice in which an organization we audit engages, we must still be mindful that many individuals now expect organizations to evaluate their actions for compliance in spirit with privacy principles. From our viewpoint as information-systems auditors, therefore, we need to continually evaluate how information technologies are used in the organizations we audit in case unfavorable implications arise for personal privacy. For example, the organizations we audit may engage in some type of computer matching activities that are legal. Nonetheless, if these activities were to become public, they might lead to a substantial loss of organizational goodwill.

Audit firms in a number of countries, notably Australia and Canada, have established specialised practices in the area of data or information privacy. In some countries, guidance regarding the nature and conduct of privacy audits is available from the Privacy or Data Protection Commissioner.


Conclusions

Auditors are increasingly being called upon to examine corporate mission statements and strategic plans, in order to ensure that the organisation is adopting an appropriate stance in relation to personal data and privacy-intrusive technologies and practices.

Depending on the terms of reference of the audit, information systems auditors have a professional obligation to examine plans, policies, manual and automated procedures and practices, for compliance with the law, and with corporate privacy strategy and policy. They accordingly have a responsibility to keep themselves informed of developments in relevant law, and in privacy-relevant technologies.


References

A comprehensive listing of sources is available on the author's Dataveillance page.

Clarke R. (1996) 'Privacy, Dataveillance, Organisational Strategy' Proc. I.S. Audit & Control Association Conf. (EDPAC'96), Perth, 28 May 1996. Revised version at http://www.anu.edu.au/people/Roger.Clarke/DV/PStrat.html

Clarke R. (1998) 'Privacy Impact Assessments' February 1998, at http://www.anu.edu.au/people/Roger.Clarke/DV/PIA.html

Clarke R. (1999) 'Internet Privacy Concerns Confirm the Case for Intervention' Commun. ACM 42, 2 (February 1999) 60-67, at http://www.anu.edu.au/people/Roger.Clarke/DV/CACM99.html

ISACA (1996, 1999) 'Control Objectives for Information and Related Technology', Information Systems Audit and Control Association, 2nd edition, 1996, 1999, at http://www.isaca.org/

Morison J. (1996) 'Developing and Implementing a Privacy Compliance Programme' Proc. IIR Conference on Information Privacy, 12-13 August 1996, Office of the Privacy Commissioner, Human Rights Australia, G.P.O. Box 5218 Sydney NSW 2001

OECD (1980) 'Guidelines on the Protection of Privacy and Transborder Flows of Personal Data' OECD, Paris, 1980, at http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-en.HTM

Privacy Commissioner of Australia (1991) 'Privacy Audit Manual' Office of the Privacy Commissioner, Human Rights Australia, G.P.O. Box 5218 Sydney NSW 2001

Stewart B. (1996) 'Privacy impact assessments' Privacy Law & Policy Reporter, 3, 4 (July 1996)

Weber R. (1999) 'Information Systems Control and Audit', Prentice-Hall, 1999, pp. 9-10, 995-998, outline at http://www.prenhall.com/books/be_0139478701.html


Created: 11 October 1997

Last Amended: 8 September 1999