Statement on the Management of Personal Data

The Comptroller and Auditor General (C&AG) audits the accounts of Government Departments and State bodies and produces special reports to Dáil Éireann on matters of financial management and Value for Money.

Both the formation of audit opinions and the finalisation of reports are based on routines which include examinations of substantiating documentation, enquiries from administrators, inspections and third party confirmations.  A primary source of evidence is the record of payments by the audited body.  Included in audited expenditure are a variety of different types of payments to individuals.  These records and the related substantiating documentation are personal data to the extent that they relate to living individuals.

The Office of the Comptroller and Auditor General (the Office) has been given a statutory right of access to data and information to support the discharge of its audit function and ensure that the C&AG’s reports to Dáil Éireann are factual, accurate and complete.  The Office acknowledges its duty to ensure that the personal information entrusted to it under these access provisions is properly safeguarded.

Policy on audit evidence

Taking account of the provisions of International Standards on Auditing it is the policy of the Office to keep its requests for personal data to the minimum necessary to enable it to complete its work and retain any personal information obtained only for as long as necessary. 

To this end, the Office undertakes to

  • Identify the data including personal data which is necessary for purposes of audit
  • Ensure that it is acquired in a secure manner
  • Take all necessary steps to hold it securely
  • Use it only for purposes of public audit, inspection or value for money examination
  • Delete it once the account has been reported upon by the Committee of Public Accounts or after six years whichever is the later.

Personal data principles

The Office undertakes to take appropriate measures to safeguard the integrity and confidentiality of data provided to it by taking all reasonable steps to prevent unauthorised access.  All staff have an obligation to comply with data protection policies.

To this end, the following principles underpin the Office policy on personal data

  • Personal data will only be requested for use in discharging audit, examination and inspection functions and in accordance with statutory provisions.  Requests will be kept to the minimum necessary.
  • Audit staff have authority to request information and explanations necessary for the purpose of audit.  Ad hoc requests for information including personal data will be requisitioned in accordance with an audit plan and approach authorised by a senior manager.  Once received it will be held in encrypted form.
  • Where large or entire datasets including personal data are requested for sampling or analysis the requests will be 
    • Authorised by a Deputy Director
    • Held by the Office in encrypted form
    • Deleted once the samples have been taken or the analysis completed.
  • Personal data held on encrypted working papers will be held for no longer than the periods specified in International Standards on Auditing or domestic legislation or the matter has been reported upon by the Committee of Public Accounts whichever is the later.
  • The Office will annually inform all audited bodies how it will secure, use and dispose of the personal data provided. 
  • Should a loss of personal data occur, the fact of the loss and the details of the data will be reported immediately to the audited body.   
  • Any departures from the foregoing will be specifically agreed in advance with audited bodies.The Office will audit compliance with data protection policies, in order to gain assurance that protection is in accordance with the terms of this Statement.