Data Protection Procedure

PwC Sri Lanka/Maldives [The firm] needs to demonstrate its compliance with the 8 principles outlined in this procedure. These are rules of good data handling and data system owners need to demonstrate that their applications can meet the requirements in the processing of personal data.

Below are the 8 Data protection requirements of the local firm:
1. Processed fairly and lawfully
2. Held for one or more specified purposes
3. Adequate, relevant and not excessive
4. Accurate and where necessary kept up to date
5. Not kept for longer than necessary
6. Processed in accordance with individual rights
7. Held securely
8. Not transferred to countries unable to offer 'adequate' protection

Principle 1: Processed fairly and lawfully
The first principle, and arguably the most important, that needs to be met is that the data is processed lawfully and fairly.

Processed lawfully
(1) Processing of personal data must meet at least one of the following conditions in order to be considered lawful:

  • The data subject has consented to the processing
  • The processing is necessary for the performance of a contract with the data subject
  • The processing is necessary for the firm's compliance with a legal obligation
  • The processing is necessary to protect the vital interests of the data subject
  • The processing is necessary for the administration of justice or other public functions
  • The processing is in the legitimate interests of the firm except where the processing is unwarranted or
    prejudicial to the rights, freedoms or legitimate interests of the data subject

    In practice, this means that there should be a number of controls and procedures around the processing of personal data.

    It is also important to include fair processing notices on terms of business for client work so clients are aware of how the firm will deal with personal information provided by them and to ensure that, if necessary, the firm can comply with a request for personal data from the courts or for the administration of justice.

    Lawful processing of sensitive data
    (2) In the case of sensitive personal data, processing will not be lawful unless one of the following conditions is also
  • The data subject has given explicit consent to the processing
  • The processing is necessary to meet employment law obligations
  • The processing is necessary to protect the vital interests of the data subject or another person
  • The processing is necessary or is part of the normal activities of any not for profit or charitable body
  • The information has been made public by the data subject
  • The processing is necessary for the administration of justice or other public functions
  • The processing is necessary for medical purposes undertaken by a health professional
  • The processing is necessary for equal opportunities monitoring

    Only some of the above conditions will be relevant to the firm.

    The firm may collect sensitive personal data in the course of some of our client work so it is important that the firm's obligations are outlined very clearly in terms of business and engagement letters. The need for consent relating to data collected for other purposes e.g. recruitment must be considered on a case by case basis.

    Process data fairly
    (3) In order to process personal data fairly, the firm needs to ensure that the individual is provided with, at least, the following information in a clearly worded "fair processing notice". It is really a who, what, why and how of dealing with data.
  • Who - give the firm's identity (the full legal name).
  • What - explain what data will be held.
  • Why - explain what the data will be used for.
  • How - give any further information necessary. For example, will any data be disclosed to third parties? You may also have to explain how individuals can have their information updated (where it is inaccurate) and how they can apply to see a copy of their data.

    (4) The information should normally be provided at the point of collection, or, under certain circumstances, as soon as possible after this point. It must be presented clearly, not "buried" in small print. In practice, this means that if the firm is collecting personally identifiable data, we should make it clear that we are collecting this data in accordance with the global PwC requirements and the reasons why the processing will occur (for example, for marketing or administration reasons etc.).

    (5) In assessing whether further information may need to be given, circumstances of the collection and the ability of the data subject to understand the consequences of the intended processing should be considered. Only by ensuring that the individual has a clear and full understanding of the above issues, will it also be possible for the firm to demonstrate the data subject's implied consent to the processing of any non-sensitive personal data relating to them.

    (6) In particular, if information is collected which is intended for disclosure to a third party (such as a conference organizer or an organization with which we have a business development relationship) or for direct marketing purposes, this should be explicitly spelled out, as such a disclosure would not be obvious in most cases. An individual should be given the opportunity of opting-out of direct marketing. In an on-line situation, individuals should be given the chance to opt-out on the screen where the data is being collected.

    (7) Difficulties arise in practice. For example, we might collect personal data in the course of an audit or a forensic assignment. When personal data is collected the need for a fair processing notice should be considered and Compliance consulted in respect of particular situations. In some cases, we should require the client to issue notices (usually through our engagement letter).

    Some of the questions that we may want to ask in seeing whether the processing meets requirement 1 include:
  • Are data subjects informed of the identity of the firm as a data controller?
  • Is all personally identifiable data obtained in a reasonable and lawful manner?
  • Are we disclosing this data to any third parties? If so, are the data subjects informed of this?

    Principle 2: Held for one or more specified purposes
    The second Principle that needs to be met is that the data is only held for one or more specified purposes.
    This Principle requires the firm to consider whether an intended purpose for processing personal data, is compatible with the original explanation given to the data subject as to how their information would be used.

    In practice this means that the firm can use data only for the purposes for which it was collected. For example, if you meet a client director as part of an audit engagement then this does not necessarily mean you can accumulate general data about that person (without them knowing) for our files in order to market other services to them. It is important to limit the use of the personal and sensitive personal data that is collected as part of our work within and outside the firm to the purposes for which it was originally intended.

    One of the questions that you may want to ask to test whether the processing meets Principle 2 is:

  • Is the data used only for processes specified both to the Information Commissioner (in the firm's

    Principle 3: Adequate, relevant and not excessive
    Data held for a particular purpose should be adequate for the purpose for which it is needed but not more than required for this purpose. It would not be acceptable to gather more than the basic information needed about an individual for a particular purpose, merely on the off-chance that it may be useful one day or because the information may be needed about some individuals but not all. For example, it might be nice to know an individual's favorite food for business entertaining purposes but for the functioning of most auditing work this would not be necessary. Another example is that a considerable amount of personal data will be required from clients, much of which we would not need for an individual whose only relationship to the firm is a director of an audit client. Personal data processing should also be monitored on an ongoing basis to ensure any data that has become irrelevant is discarded.

    One of the questions that you may want to ask to test whether the processing meets Principle 3 is:
  • Is all the personal data adequate and relevant for the purposes you collected it for?

    Principle 4: Accurate and, where necessary, kept up to date
    This Principle may appear self-explanatory. However, failure to keep personal data accurate and up to date has traditionally accounted for a significant proportion of the complaints received by the Information Commissioner. Personal data is inaccurate if it is incorrect or misleading as to any matter of fact. However, data will not be considered to be inaccurate if the data accurately records information supplied by the individual affected or a third party, where the firm took reasonable steps to ensure the accuracy of the data and, having been notified by the individual affected of their view that the data is inaccurate, the data record is updated to indicate this view.

    The reliability of the source is important when initially generating personal data that is accurate. In some cases it may be necessary to take further steps to verify the data supplied. Paying attention to collection forms and data entry procedures is equally important. Inaccuracies can easily be replicated as information is shared across databases, and therefore it is important to have procedures to track back any affected data across all database records and make the necessary corrections.

    Finally, it is equally important to have ongoing procedures to maintain the accuracy of collected personal data. Accurate personal data can subsequently become inaccurate, perhaps as the result of a change in the data subject's circumstances. The firm, its partners and staff need wherever possible to take a proactive approach to maintaining the accuracy of their data records. A good example of this is the HC Gateway staff profile tab, where employees can view their individual details and make amendments where needed.

    Some of the questions that you may want to ask to test whether the processing meets Principle 4 include:
  • Do you have a process in place to correct personal data?
  • Are third parties informed when incorrect data is corrected? For example, if we outsource some data processing, do we inform them when someone's personal data is amended or deleted?
  • Do you routinely delete incorrect data?

    Principle 5: Not kept for longer than necessary
    There is no general justification within local regulation for retaining personal data indefinitely. Data controllers need to assess how long specific personal data is needed for a purpose and pull together a retention policy reflecting the fact that different types of personal data will have different "shelf-lives". At the point personal data is no longer necessary for a purpose it should be deleted. Clearly there is a close relationship between this Principle and Principles 3 and 4.

    An ongoing policy of reviewing and discarding any data no longer needed is therefore essential to ensuring compliance with the eight Data protection principles.

    The firm does have a document and data retention policy that should be consulted in determining how long data should be held for. In addition, individual lines of service may have specific document retention standards that should be met. Individual LoS risk management partners should also be consulted to determine how long data should be retained.

    One of the questions that you may want to ask to test whether the processing meets Principle 5 includes:
  • Is data being held only for as long as it is required?

    Principle 6: Processed in accordance with individual rights
    Every individual is a data subject. As data subjects we naturally expect our personal data to be treated with due care and held securely. We want to know our rights in respect of any personal data processed about us. It is equally important that we treat with respect the rights of those people whose personal data we process on a daily basis. Individuals have a number of important rights in relation to their personal data. These rights place corresponding obligations upon those processing this information:

    The rights are:
    (1) Right of access (subject access)
    (2) Right to object to processing
    (3) Right to object to processing for purposes of direct marketing
    (4) Right to request an assessment
    (5) Right to compensation
    (6) Right to rectification, blocking, erasure and destruction

    (1) Right of access (subject access)
    An individual (including partners and staff of the firm) has the right to make a request in writing to find out whether personal data of which they are the subject is being processed and, if that is the case, to be given a copy of the data and any information available to the firm as to the source of the data.
    This is the right of 'subject access'.

    On receipt of a valid written subject access request, the firm should provide, in a permanent form, a copy of any data held about the subject to which they are entitled.
    The subject access response must be intelligible, including an explanation of any codes or terminology used that the applicant would not be able to understand by merely reaching for the dictionary off the shelf. Furthermore, the firm must ensure that any personal data about an individual is not amended after the request is received, until after the response is supplied, unless the amendment is in the form of a routine update.

    It is important that the firm is sure that the applicant is the subject of the data requested or is acting upon the express authority of the individual or their solicitor. As such, we need to take steps to confirm the identity of the applicant in addition to requesting any information needed to help locate the data.
    It is very difficult to make a judgment on whether the data subject is entitled to all personal data about them. There are certain exemptions, based on the firm's confidentiality requirements and procedures, to not provide requested personal data to a data subject. That being said, the firm may consider that it is appropriate to provide certain personal data back to the data subject concerned. Such issues would be considered on a case-by-case basis.

    Therefore, the firm's approach is that all personal data about the data subject requested under a formal subject access request must be made available to Risk and Quality. If there are any concerns about whether data should be released to the data subject these should be drawn to the attention of Risk and Quality, who will either determine whether a suitable exemption is available (and thus whether or not the data will be disclosed) or will seek appropriate advice. All subject access requests received must be passed immediately to Risk and Quality, who will acknowledge and deal with the request.

    How would I recognize a subject access request and what should I do?
    Look out for the following key words and indicators:
    - Access
    - Intelligible form
    - Data Protection
    - Manual files
    - Data
    - Personal
    - Subject Access request
    - Electronic data
    - Information about me

    Any communication including one of these terms may be a subject access request. Pass the communication immediately to the Risk and Quality team or the ISMS committee.

    (2) Right to prevent processing likely to cause damage or distress
    Individuals have the right to require the firm and any other data controller to stop processing or not to begin processing personal data likely to cause substantial damage or substantial distress to him/her or to another person. This would probably only apply to the firm infrequently, but a common example may be an incorrect remark on a credit rating list.

    This does not provide an absolute right to object to processing of personal data, as there may be valid reasons why the firm will need to process the data in question. For example: where the processing is necessary for the performance of a contract with the data subject or to protect the data subject's vital interests.

    (3) Right to prevent processing for the purposes of direct marketing
    There is an absolute right for individuals to object to the processing of their personal data for the purpose of direct marketing. Where the firm receives a written request to cease or not begin processing for marketing purposes, we must take immediate steps to comply with the notice.

    (4) Right in relation to automated decisions
    An individual has the right to require that the firm, and any other data controller, takes no decision in order to evaluate matters about them based solely on the automated processing of personal data about them where that decision significantly affects them.
    This right is intended to cover, for example, systems capable of making credit-scoring decisions about people or the types of systems human resource departments may use for psychometric testing or evaluation of an employee's performance at work.
    Regardless of whether a notice is sent to the firm, individuals must still be told whenever any automated decision has been made about them and allowed 21 days to request that the decision be reconsidered or retaken without the sole use of an automated decision process.

    (5) Right to compensation for failure to comply with certain requirements
    Individuals can take an action for compensation to the courts if they suffer damage by any processing of personal data. Damage includes any financial loss or physical injury and can include distress suffered by the individual if damage is proved.
    It is a defense for the firm to be able to demonstrate that all reasonable care had been taken to process the personal data in compliance with the Data Protection Procedure. This is one of the reasons why it is vitally important that data protection is controlled centrally by Risk and Quality, and that all partners and staff understand their obligations under this Data Protection Procedure. Some of the questions that you may want to ask to test whether the processing meets Principle 6 and the rights of individuals include:

  • Are there processes in place to meet the data subject's rights to prevent information being used for direct
  • Do the systems you use make a reasonable effort to ensure the accuracy of information on the system?

    (6) Right to rectification, blocking, erasure and destruction
    If a court is satisfied on the application of a data subject that their personal data are inaccurate, the court may order the data controller to rectify, block, erase or destroy that data.
    If you receive any requests relating to any of the above rights, contact Risk and Quality immediately.

    Principle 7: Held securely
    Appropriate technical and organizational measures should be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
    Whether security measures are 'appropriate' will depend upon the nature of the data and any harm that might result from processing the data. Other important considerations include the state of the technology available and the cost of implementing security measures. Security measures that may be put in place include access control, encryption, screen savers, passwords and physical security measures (such as lock and key).

    Some of the questions that you may want to ask to test whether the processing meets Principle 7 include:
  • Is your security at a level that is appropriate for the nature of personal data held?
  • Do you have adequate security to ensure that unauthorized access to personal data is prevented?
  • Have security measures been put in place to monitor access and activities conducted, to ensure that data collection staff do not contravene this Data Protection Procedure?

    Principle 8: Not transferred to countries unable to offer 'adequate protection' for that data
    The last of the principles restricts the transfer of any personal data to a country outside of the local firm unless that country can demonstrate adequate protection for the rights and freedoms of data subjects.
    Determining whether protection is adequate depends upon factors such as the nature of the personal data, the purposes for which the data are to be processed and the data protection laws or codes within the destination country.
    In other cases, protection will be considered to be adequate where one of the following conditions can be met:
  • The data subject has consented to the transfer
  • The transfer is necessary to enter into or perform a contract with the data subject, at their request
  • The transfer is in the vital interests of the subject
  • There is a substantial public interest
  • The information is on a public register
  • The transfer is necessary for the purpose of legal proceedings, legal advice or protecting legal rights
    Some of the questions that you may want to ask to test whether the processing meets Principle 8 include:
  • If data is transferred outside of the local Firm, do you know what security measures are taken /required in the receiving country?
  • If data is obtained, processed or transferred outside of the local Firm, do you know what form and quality of data protection are practiced or demanded in those countries?
  • Do we really need to transfer this data and if so do we need to transfer all of it?
  • How will we control what it is used for?

    In order to determine whether PwC can conduct a transfer, please contact Risk and Quality.