Leading Edge Practices 4-10-08
Every month, ITAudit will provide information on existing IT frameworks, legislation, best practices, and industry-specific regulations and standards to enhance auditors' knowledge in the area.
EU Directive on Data Protection of 1995
Throughout the European Union (EU), one of the most important pieces of legislation concerning the protection of private information is the Directive on Data Protection of 1995, a set of data privacy guidelines that regulates the processing and storage of personal data. According to the directive, EU members must protect the privacy of individuals by prohibiting businesses from transferring sensitive information to organizations in countries without similar privacy regulations. For example, many member countries don't use Social Security numbers as identification information or allow consumer financial records and other sensitive data to be sold or shared without the consumer's consent.
The directive, which went into effect in October 1998, contains 33 articles in eight chapters. Following are the directive's six basic tenets:
- Notice. An individual has the right to know that the collection of personal data will exist. In addition, the personal data must be collected for a specified, explicit, and legitimate purpose only and "not further processed in a way incompatible with those purposes."
- Choice. An individual has the right to choose not to have the personal data collected.
- Use. An individual has the right to know how personal data will be used and restrict its use, while personal data may only be used for legitimate processing.
- Security. An individual has the right to know the extent to which the personal data will be protected. As a result, organizations need to implement effective technical and organizational measures to protect the data based on the risks represented by the processing and the nature of the data.
- Correction. An individual has the right to challenge the accuracy of the data and provide corrected information. Personal data collected and maintained by organizations needs to be up-to-date, and reasonable steps must be taken to ensure that inaccurate or incomplete data is corrected.
- Enforcement. An individual has the right to seek legal counsel through appropriate channels to protect privacy rights.
When reviewing compliance with the directive, auditors need to note that the directive's definitions for the processing and storage of personal data are broad enough to effectively cover nearly every conceivable use of personal information. For instance, the directive defines the processing of personal data as any operation that is performed on the data, whether this processing is automated or not. As the directive states, data may not be processed unless:
- The data subject has unambiguously given his or her consent.
- Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party to whom the data are disclosed, except where such interests are overridden by the data subject's fundamental rights and freedoms.
The directive also applies to data processors, which are companies or data centers that operate in EU member countries, and interpretation of the rules is left to individual EU member states, which are empowered and directed to implement laws regulating data processing that are compatible with overall EU directives.
To read the entire Directive on Data Protection, visit the EU's law Web site. For quick information on the directive, auditors can read:
- "European Union (EU) Data Protection Directive of 1995, Frequently Asked Questions" (PDF, 51.7 KB), available on the InformationShield Web site.
- Wikipedia's Directive on Data Protection entry.