DEFRA’s Internal Audit Division have not conducted any audits specifically focusing on personal data or IT equipment during the period. As departmental policy does not require business areas to undertake audits, information on any they may have carried out could not be collected without incurring disproportionate costs, but a thorough ‘wall-to-wall’ audit of IT equipment was carried out by IBM in October 2004 when ownership of DEFRA’s IT equipment was transferred under the terms of the IT outsourcing contract.
The Department’s IT services are provided mainly by IBM under an outsourcing arrangement. This contract includes provisions for DEFRA and its audit agents to have audit and access rights, including contractor premises, systems and records as may be required for the purposes of verifying the integrity, confidentiality and security of the Department’s data and/or personal data.
There are also provisions which require IBM and its sub-contractors to comply with all applicable parts of the Data Protection Acts, specifically the seventh data protection principle, which concerns measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Other contracts awarded by DEFRA include standard terms and conditions which place obligations on contractors including requirements for access to audit and compliance with the Data Protection Acts as stated above.