Data Protection

Following a recent exercise on the retention of personal data, staff have sought clarity on data protection and what it means for them on a day-to-day basis.
This paper sets out, in summary, the key aspects of data protection relevant to our work and includes:
• Relevant policies already issued;
• Defining what personal data is;
• Where personal data may be found as part of our audits;
• Data Protection Principles and how they apply to our audits; and
• Guidance on retention of personal data.

Introduction
We have privileged and wide-ranging access to data and information to support the discharge of our statutory audit functions and ensure that reports to the Assembly are factual, accurate and complete. We have a duty to respect this privileged access and to ensure that the personal information entrusted to us is safeguarded properly.

We have policies and controls in place to ensure that access to information is correctly managed and safeguarded throughout its life cycle, including creation, storage, transmission, and destruction. Staff are made aware of these policies and controls, and awareness is reinforced through information security training.
Under our current guidance we have established an effective compliance framework:
• staff are trained through e-learning;
• we conduct annual reviews of the Office’s auditing software to ensure that no excessive personal data is retained following audit completion;
• we maintain an information assets register; and
• we have an up-to-date Data Protection Policy in place.