The Danish guidance on the management of Personnel Data was summarised in a set of 12 obligations on Data Controllers, which have resonance and relevance to Controllers in all jurisdictions.
See our initial article here outlining the first six obligations in the list.
The sharp-eyed Data Protection Officers out there noticed that, due to a technical glitch, the second set of six obligations did not see light of day. We are rectifying that oversight today.
It is interesting to see the alignment of these requirements with the language and principles, not only of the existing DP legislation in force across EU member states, but also with the principles of the General Data Protection Regulation, due to be signed off by the end of this year, and to come into effect by end 2017 at the latest.
7. If personnel information is stored on an USB-key, the information must be protected appropriately. For example, a USB-key with password and encryption should be used. Otherwise, the USB-key must be stored in a locker or locked drawer when not in use. The same applies with regard to storage of personnel information on other equivalent data mediums – cd’s, external storage drives, etc..
8. PC's connected to the internet must have an updated firewall and virus control installed. We have seen a substantial increase in the number of times the network of an organisation is compromised by being hacked through weak online security. The landscape of firewall defences is constantly changing, and organisations should make sure that they are receiving regular and timely updates from their security service providers.
9. If homepage forms are being used, in which sensitive personnel information, social security numbers, etc,. can be entered and forwarded, encryption must be applied. This is good practice in any jurisdiction. Where new customers or clients can register on-line by submitting their data, their data is at risk if it is being communicated over an unsecure telecommunications network. For any such communications, we recommend an SSL licence (e.g. a HTTPS: domain).
10. If sensitive personnel information and social security numbers are forwarded via email through the internet, the Danish Data Protection Agency recommends encryption. Similarly, it is inappropriate to use free, unsecure e-mail systems such as Gmail or Hotmail to conduct sensitive or confidential business correspondence.
11. In connection with repair and service of data equipment, which entail personnel information and when data mediums are sold or destroyed, the company must take proper precautions to prevent unauthorised access to the data while the device is being repaired. This can be done by removing such data from the device prior to handing it over for repair, for example. It that is not an option, the organisation should have a robust contract in place with the firm conducting the repairs, so that any data accessed or seen during the course of the repair process is kept confidential and secure. Sytorus is happy to provide suggested clauses for inclusion in such a contract, and we will be providing a separate article on that topic in the coming days.
12. Regardless of the obligations outlined above, there is a long-established requirement to have a formal Data Processor Contract in place when using an external data processor to collect and process personal information.