Data Protection A Practical Guide for Staff

Introduction

We have privileged and wide-ranging access to data and information to support the discharge of our statutory audit functions and ensure that reports to the Assembly are factual, accurate and complete. We have a duty to respect this privileged access and to ensure that the personal information entrusted to us is safeguarded properly.

We have policies and controls in place to ensure that access to information is correctly managed and safeguarded throughout its life cycle, including creation, storage, transmission, and destruction. Staff are made aware of these policies and controls, and awareness is reinforced through information security training.

Under our current guidance we have established an effective compliance framework:

  • staff are trained through e-learning;
  • we conduct annual reviews of the Office’s auditing software to ensure that no excessive personal data is retained following audit completion;
  • we maintain an information assets register; and
  • we have an up-to-date Data Protection Policy in place.

Data Protection Guide

The NIAO data protection guide is the key document that staff should consult in relation to data protection issues and is available on NIAOmi. This paper has been developed for clarification purposes to identify the key extracts from the guide to facilitate the day-to-day management of personal data.

What is personal data?

Personal data is information relating to natural persons who:

  • can be identified, or are identifiable, directly from the information in question; or
  • can be identified indirectly from that information in combination with other information.

What are identifiers?

The UK GDPR guidance provides a non-exhaustive list of identifiers, including:

  • names, such as:
    • names of sole suppliers
    • names of individuals in journal names
    • employee names for T&S payments
    • names of asset owners
  • identification numbers, such as:
    • e-mail address
    • telephone number
    • payroll number
    • NI number
    • bank account number
  • location data and online identifiers, including:
    • IP addresses
    • cookie identifiers
  • any other data where an individual can be ‘identified’ or is ‘identifiable’.

Where may identifiers be found as part of our audits?

  • General ledger downloads
  • Journal names
  • Sample details (which are often a subset of GL activities)
  • Fixed asset registers
  • Payroll files
  • Benefit payment files
  • Grant payment files

All such personal data should be captured on the data processing form.

Where do we record personal data required for our audit?

Within MKI, the Administrative Planning Matters section of audit planning requires a data planning form to be completed within the administrative planning workbook as part of audit planning. This must be reviewed by the Engagement Director.

This form outlines:

  • the data that will be obtained for the purposes of the audit;
  • how the data will be transmitted; and
  • how it will be stored.

In addition, the project data register within the administrative planning workbook should be completed and reviewed by the Engagement Director as part of the closure work in the “L2-CG/LG Certification File” section of MKI.

What are the data protection principles?

  1. Data will be processed in a fair and lawful manner.
  2. Data is collected for a specified purpose.
  3. Data is adequate and relevant.
  4. Data is accurate and up to date.
  5. Data is kept no longer than is necessary.
  6. Data held has adequate security measures in place.

How do the data principles apply to me as an auditor?

  1. Data will be processed in a fair and lawful manner – we have access to personal data which we will only use to deliver our statutory public audit function.

  2. Data is collected for a specified purpose – we collect the personal data to conduct the audit and it is not used for other purposes. All data required should be recorded on the data processing form for each audit. This maintains a record of all personal data to be deleted (or retained) at audit completion.

  3. Data is adequate and relevant – we only request/receive the data sufficient to complete our audits and do not request/receive unnecessary personal data.

  4. Data is accurate and up to date.

  5. Data is kept no longer than is necessary – personal data may be retained only where it is needed to support:

    • the financial statements (e.g. Remuneration Report);
    • conclusions reached on significant matters/judgements or the audit opinion/report;
    • key findings in sample testing.

Such retained data should be held only on the MKI file and not on huggett.

A further occasion where audit teams may need to retain datasets is for the current and prior year activities (general ledger activity, payment files, HRconnect payroll files). In such circumstances, director approval should be sought, and access to these folders should be strictly controlled, with only the minimum personal data retained to meet future needs. This data should be retained on MKI alone, and all personal data held on the huggett operational audit folder should be erased.

Personal data should be retained only in exceptional circumstances, and any such retention should be recorded on the data processing form. Approval from the relevant director should be sought before retaining such data.

  6. Data held has adequate security measures in place – we need to guard against unauthorised or unlawful processing and against accidental loss, destruction, or damage. We should therefore always use appropriate encryption and passwords on our laptops, retain paper files securely, and maintain full compliance with the clear desk policy.

What about retention of data over a prolonged period of time (e.g. for data analytics purposes)?

The data analytics team may require datasets over a number of years. In such circumstances, the same basic principles still apply:

  • we only request/receive the data sufficient to complete the task;
  • we do not request/receive unnecessary personal data;
  • we hold personal data no longer than required;
  • the personal data is stored securely.

In such circumstances the Office needs to be quite clear in its rationale for retention – “just in case” is not a reason.

We should also be transparent in our requests for such data; the provider of the personal data should be made aware of both its use and retention.

Summary:

  • Request the minimum personal data required to complete the audit task;
  • Retain personal data securely;
  • Destroy all personal data post certification of accounts on huggett and MKI, unless it is required to directly support the certificate (unlikely);
  • This exercise should be completed prior to closure of MKI files; and
  • Any personal data which needs to be retained should be on MKI only.

Should you require clarification or need any further information on this paper contact Jennifer Gordon.

Brian O’Neill, Director

12 January 2024