 |
Documentation Review (print ref: Part 3, Section 2.1.2)
The documentation to be assessed will already have been discussed and agreed at the Preparatory Meeting/Visit (see section 1.4) and provided to the Auditor. The review of this documentation should be conducted off-site to cause as little disruption as possible to the organisation. However, in some circumstances it may be necessary to carry out the review in-situ, for example if the documentation is excessively bulky, or if it is totally computer-based.
The Auditor should ensure that the documentation supplied for assessment includes:
- Policies: Copies of the Data Protection Policy Statement or Manual or other top-level documents that describe how Data Protection issues are dealt with by the organisation.
- Codes of Practice: Any industry or sector-specific Codes of Practice that regulate how the organisation operates and which cover Data Protection.
- Guidelines: In-house guidance or training materials the organisation has produced to increase staff awareness of Data Protection issues.
- Procedures: In-house procedures that provide detailed step-by-step instructions to staff on how to deal with specific Data Protection issues, e.g. Subject Access Requests.
Auditors should be aware of the possibility that an organisation may have relevant documentation that does not specifically refer to data protection, for example a patient confidentiality policy. Such documents can be valuable in judging adequacy and need to be taken in to account.
Return to top
|
|
