Sunday, May 3, 2020

Privacy Audit Control and the Governance Process

Question: Describe the privacy audit.

Answer:

Introduction

Auditing is an independent and objective assurance and consulting activity, guided by principles that add value in order to improve operations. It also assists the funding parties in accomplishing their objectives by establishing a systematic and disciplined approach that evaluates and improves the effectiveness of an organization's risk management, control and governance processes (McMillan, 2016). An auditor is therefore expected to take on the oversight responsibilities delegated by the board, and to adhere to the auditor code of ethics while doing so (McMillan, 2016). The purpose of this paper is to identify the codes that are violated in the three case scenarios and to offer a recommendation report for conforming to the privacy legislation at issue.

Scenario 1

The issue in this scenario is Billy's act of taking customers' information in order to save potential work for himself. His actions are not necessary, because the practical purpose of the step he has undertaken is not required at this stage. Billy also fails to protect the privacy of the information being collected from the customers who have applied in the system. In this case, Billy has breached three APP rules: organizational policies, privacy principles, and data and network security.

Organizational policies

Billy was expected to develop a system that suits the policies outlined in the privacy practices, and the expectation was that the system would handle personal information for clients, customers and listees in an effective manner. According to our scenario, however, Billy has failed to protect the privacy of the information being collected from customers who have applied in this system.

Privacy principles

The privacy principle requires that effective, fair information practices be developed in any organization (Peltier, 2014). Since this principle is made up of different components, I will outline the components that Billy has breached:

Purpose specification - this component requires that the purpose of collecting information be set at the time of collection, so that further uses are limited to that stated purpose. According to our scenario, Billy collected information for future purposes, thus breaking the limitation on use for other purposes. His act of taking more data for future purposes is therefore a breach of the privacy principles.

Collection limitation - personal information must be collected by fair and lawful means, with the proper consent of the data subjects. Organizations must always ensure that they minimize their data collection to what is needed for the present purpose of business conduct (Peltier, 2014). In our scenario, Billy decides not to limit his data collection; he also takes more data for potential work purposes of his own. Such an act is considered a breach of the privacy principle.

Data and network security

This concerns the security of personal data, whether kept in electronic, paper or micrographic form, on any website or in any book, journal or magazine. There should be a data security breach response plan, high security for clients' personal information, and effective measures or procedures that make it hard for any past employee to access data (Peltier, 2014). In this case, Billy's decision to take customers' information for future purposes is a security breach of data. There is also the aspect of keeping customers' information secure: since Billy was the web developer, his failure to keep the customers' information secure leads to a breach of the APP rules on data security.

Scenario 2

In this case, Steve, a customer support employee, brings up the wrong customer's details in the course of his daily routine. The contact details belong to his old high school friend Peter. Steve then keeps the contact and sends his old friend a text message. The breaches in such a scenario are of the access control limitation and the privacy rule.

Access control

The APP rules provide that one should only access information for the purpose of the organization's objectives. If one obtains personal information from the organization's database for individual purposes, one is violating the rule of access control. Access control is therefore a necessary factor, as it enables an organization to control its clients' private information. The APP rules require that any data controller limit access to personal data on a need-to-know basis; the most sensitive data should be subject to the greatest access limitations or controls. A data controller should therefore be aware of the different users, and customers' personal information should be used only for business purposes, not for personal reasons (Hightower, 2009). The rule also provides that no data controller employee may download or take any personal data from the organization's system. In our scenario, Steve committed a breach of the access control rule when he decided to take the number of his old friend Peter and texted him.

Privacy rules

As discussed above, the privacy rule is made up of different components that govern effective privacy policies. In this scenario, Steve has breached the use limitation and quality components.

Use limitation - Steve's action of taking his old friend's number and texting him is a violation, because he extended his actions instead of limiting his use of personal information.

Quality - this component requires that personal information be accurate, complete and timely. In this scenario, Steve brings up the wrong customer's details, meaning that he has affected the quality rule of data keeping.

Scenario 3

In this case, Mary, a contract cleaner, finds an unattended file lying open on a desk and reads it. Upon reading, she finds a full history of the book titles that make up a customer's purchase history of R18 material in the company. The APP rules she has broken are the privacy principle and user authentication.

1) Privacy principle

The rule requires that customers' personal information be kept confidential, and the principle is made up of components (McMillan, 2016). The components she has violated are use limitation, purpose specification, and individual participation.

Use limitation - Mary's action of picking up the file and reading it means that she has violated the limitation. As a contract employee, she was not entitled to read the file, and so breached the rules.

Purpose specification - access to and use of information must be for a specific reason. Mary has violated this by reading the customer's transaction history as well as the personal details for no specific reason.

Individual participation - individuals are allowed to inspect and correct their own personal data. In our case, Mary looks at the customer's details and comments to herself on how disgusting they are. Such an act is a breach of the privacy principle.

2) User authentication

Mary's act of taking the file and going through it violates the user authentication rule. The rule requires that an individual should not access a customer's file or personal details in any instance except when there is a need.

Task 2

Introduction

Express Books should take vital steps to protect the personal information it holds, so as to avoid interference, loss or misuse through unauthorized access such as that by Mary, the contracted cleaner.

Scope of audit

Express Books should consider modifying its systems, or the way it discloses information, in a way that lowers the risk of privacy legislation issues; this will serve as the scope of the audit (Lamar University, 2004).

Objective of the audit

The primary objective of this audit is to make the Express organization address the special circumstances that apply to agencies subject to specific legislative requirements. This objective would protect information and satisfy the legislative privacy requirements, as well as other requirements that apply across the organization.

Audit criteria

The audit criterion here is the protection of personal information belonging to Express's clients. It is evident that personal information is being misused by the organization's employees, so the audit criteria will centre on information protection.

Audit findings

The finding in this case is that there has been misuse of information. This audit therefore works on privacy protection, which is a critical part of the auditing process.

Recommendations

Proper security safeguards personal information, hence the need to ensure it is considered across all of the company's departments. This should include the maintenance of physical security, personnel security, computer and network security, and communications security. To meet the above set of security measures, Express Books should consider assessing the risk, conducting privacy impact assessments, developing policies, training staff, appropriate contract management, setting high privacy security standards, training staff to avoid privacy legislation challenges, and lastly monitoring and reviewing the legislation (Lamar University, 2004). Depending on the legislative privacy circumstances, a reasonable step for Express Books is the preparation and implementation of a data breach policy and plan. Notifying the individuals who may be affected by a breach is also a reasonable step that should be undertaken (Lamar University, 2004).

References

Hightower, R. (2009). Internal controls policies and procedures. Hoboken, N.J.: Wiley.

McMillan, E. J. (2016). Policies and procedures to prevent fraud and embezzlement: Guidance, internal controls, and investigation. Hoboken, N.J.: John Wiley.

Peltier, T. R. (2014). Information security policies and procedures: A practitioner's reference. Boca Raton, FL: Auerbach Publications.

Lamar University. (2004). Report to management on audit of investment policies and procedures compliance. Beaumont, Tex.: Lamar University.
