Privacy audits: expectations and implementation

Reference

2016

Degree Grantor

The University of Auckland

Abstract

This thesis tackles pressing issues for those tasked with undertaking a privacy audit. It is the first research to investigate the practice of privacy auditing directly, through interviews with privacy auditors, analysis of privacy audit reports and legal analysis of information privacy laws and policy documents. The research questions are of both theoretical and practical significance to privacy auditors: What auditing standards and/or methodologies are used for privacy audits, where are they derived from, and how much convergence and/or divergence is there among the standards used by different auditors? Who benefits from privacy audits, and are privacy audits an appropriate way to provide benefits to them? The thesis departs from the positivist philosophy prevalent in accounting research and adopts a critical perspective, which suits this area because the theoretical basis of both privacy auditing and the information privacy rights on which the practice rests is underdeveloped. Critical research allows the thesis to propose solutions to problems identified in previous privacy audits and to suggest goals to which the practice of privacy auditing might aspire. The legal theory supporting the thesis is also anti-positivist, because the thesis proposes that privacy audits may be assisted by a set of fundamental principles ascertainable from the existing information privacy legislation of the five countries studied, supplemented by principles drawn from the latest proposals for policy and legislative reform of information privacy rights. The privacy audit reports analysed demonstrate a large degree of divergence between the criteria used by different privacy auditors. This divergence arguably cannot be explained by differences in the national information privacy legislation of the five countries.
If privacy audits are to be seen as useful by stakeholders, they may need to be relevant to users in multiple countries, especially where an audit examines the activities of an organization that operates across national borders, since privacy issues are increasingly global in impact. The thesis contributes to the literature in both accounting and law, with papers published in academic journals of both disciplines. It presents the results of interviews with regulators and private-sector auditors, among others, and identifies the challenges currently faced by those undertaking privacy audits. It examines the extent to which privacy auditors see harmonization of privacy auditing standards as possible and desirable, the difficulty of defining privacy auditing, and the skills privacy auditors may require and how they may acquire them. It also identifies the stakeholders of privacy audits and investigates how effectively privacy audits deliver benefits to them. The thesis aims to open debate about the practice of privacy auditing and to identify areas in which the practice may achieve greater relevance to its stakeholders. Privacy audits have the potential to provide assurance to users of reports where the auditee organization operates across multiple countries. In addition to offering a theoretical framework for harmonizing privacy auditing criteria, the thesis contributes to the theory of privacy auditing itself through its analysis of the standards and methodologies used in practice. 
Its contributions to policy on privacy audit criteria and on the regulation of privacy auditing are framed so as to give the practice the flexibility to improve as changes in technology pose ever greater challenges to the information privacy rights of citizens.
