Access to information, data security and confidentiality
91. Auditors have wide-ranging enforceable rights of access to documents and information in relation to the audit which are set out in s22 and s23 of the Act. Such rights apply not only to documents and information held by the audited body and its directors and staff, including documents held in electronic form, but also to the audited body’s partners and contractors, whether in the public, private or third sectors. Auditors may also require a person holding or accountable for any relevant document to give them such information and explanation as they consider necessary.
92. There are restrictions on the disclosure of information obtained in the course of the audit, subject only to specific exemptions. The Freedom of Information Act 2000 does not apply to appointed auditors, as they have not been designated as public authorities for the purposes of that legislation, although they are subject to the Environmental Information Regulations 2004. Audited bodies wishing to disclose information obtained from an auditor, which is subject to a statutory restriction on its disclosure, must consider Schedule 11 of the Act and seek the auditor’s consent to that disclosure.
93. Auditors should protect the integrity of data relating to audited bodies and individuals either received or obtained during the audit. They should ensure that data are held securely and that all reasonable steps are taken to ensure compliance with statutory and other requirements relating to the collection, holding and disclosure of information.
94. Auditors may need to process personal data about individuals associated with the authority (such as clients, staff, trustees and others), which could include the following: personal identification and contact details, employment-related information or financial data. The auditor holds Personal Data as Data Controller.