National Audit Office of Estonia (RKTR)

Effectiveness of internal controls in the protection of personal data in national databases Read full summary in English

2008 report autoID-EE:1358242756906

The NAO analysed seven national databases in order to find out how the legitimate use of personal data is ensured. In accordance with the Personal Data Protection Act, the agencies who run databases must ensure that personal data is protected from abuse. The information system of the database must function appropriately, incl. be reliable and safe. Log files must be retained of all instances of viewing, amending, deleting, transmitting of data, etc. These files must allow ex-post determination of who did what, why, when and using which data. In its audit the NAO focused on the functioning of internal controls which must ensure the accuracy and preservation of data and avoid information leaks.

In the report: part 82-88, 91-95, 101-106 (page 37-39, 40-42, 44-45)

- no procedures for logs analysing

- no log files

- illegal access, amending, transmission etc. of data

In the report: part 42-54 (page 23-26)

- unsecure IT systems

- absence of agreements

- use of delicate personal data

The risk cases visible on this page are collected and described by the e-Government Subgroup of the EUROSAI IT Working Group in contact with author Supreme Audit Institutions (SAI). In the same way, analytical assumptions and headings are chosen by the Subgroup. We encourage you to read the original texts by SAIs - to be found in the linked files.