Effectiveness of internal controls in the protection of personal data in national databases
The NAO analysed seven national databases in order to find out how the legitimate use of personal data is ensured. In accordance with the Personal Data Protection Act, the agencies that run databases must ensure that personal data is protected from abuse. The information system of the database must function appropriately, including being reliable and safe. Log files must be retained for all instances of viewing, amending, deleting and transmitting data, etc. These files must allow ex-post determination of who did what, why, when and using which data. In its audit, the NAO focused on the functioning of internal controls, which must ensure the accuracy and preservation of data and avoid information leaks.
- no procedures for analysing logs
- no log files
- illegal access, amending, transmission etc. of data
- insecure IT systems
- absence of agreements
- use of delicate personal data