Sections 10 (1A) and (1B) of the Data Protection Acts provide that:
"The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and the Electronic Communications networks and Services Regulations of 2003 and to identify any contravention thereof"
These investigations usually take the form of audits of selected organisations. A number of such audits are carried out each year. The aim of an audit is to identify any issues of concern about the way the organisation deals with personal data and to recommend solutions.
An organisation selected for audit is usually given a number of weeks notice of the audit. It may be asked to provide in advance a written report on its data protection practices. The audit normally includes one or more on-site visits by an audit team from the Office. During these visits, the team will meet with selected staff of the organisation. They will also usually inspect electronic and manual records. At the end of the audit, the team prepares a report which typically includes a set of recommendations. The organisation audited is given an opportunity to comment on this before it is finalised. The Office may follow up later on how these recommendations have been acted on.
This guidance will assist organisations selected for audit by the Office of the Data Protection Commissioner and provide organisations holding personal data with a simple and clear basis to conduct a self-assessment of their compliance with their obligations under Irish Data Protection Law.