Presentation is loading. Please wait.

Presentation is loading. Please wait.

-1- WORKSHOP ON DATA PROTECTION AND DATA TRANSFERS TO THIRD COUNTRIES Technical and organizational security measures Skopje, 16 May - 17 May 2011 María.

Published byCamron Crawford Modified over 8 years ago

Similar presentations

Presentation on theme: "-1- WORKSHOP ON DATA PROTECTION AND DATA TRANSFERS TO THIRD COUNTRIES Technical and organizational security measures Skopje, 16 May - 17 May 2011 María."— Presentation transcript:

1 -1- WORKSHOP ON DATA PROTECTION AND DATA TRANSFERS TO THIRD COUNTRIES Technical and organizational security measures Skopje, 16 May - 17 May 2011 María José Blanco Antón Head of the Data Protection Register José Leandro Núñez García Advisor on International Affairs Spanish Data Protection Agency

2 -2- Legal framework  Europe  Convention 108 of the European Council  Directive 95/46/CE on Data Protection (EU Directive)  Other International Instruments  OECD guidelines  International Standards on the Protection of Personal Data and Privacy, Madrid Resolution, 5 th Nov, 2009  Spain  Spanish Data Protection Act – LOPD (Organic Law 15/1999 of 13 December)  Regulation implementing LOPD – RLOPD (Royal Decree 1720/2007 of 21 December) SECURITY AND DATA PROTECTION

3 -3- Security principle  Section 9 LOPD. Data security Data controller or data processor have to adopt:  Technical and organisational measures – prevent their alteration or loss – control unauthorised processing or access  State of technology  Nature of the data  Risks to which they are exposed: human action, physical or natural environment Integrity, availability and confidentiality SECURITY AND DATA PROTECTION

4 -4- Security measures  Title VIII RLOPD. Regarding security measures in the processing of personal data Levels of security Document of security Basic conditions of security Scope:  Data controler  Data processor  Every personal data processing under the scope of LOPD  Independence of the processing media: local, online, telecomunications, …  From the design of the information systems to the real processing of data SECURITY AND DATA PROTECTION

5 -5- Levels of security  HIGH level Sensitive data Security forces without consent of the data subjects Acts of gender-based violence  MEDIUM Criminal or administrative offences. Information services on creditworthiness and credit. Tax Administrations - tax powers Finance - Financial Services. Social Security Evaluation of identity or behaviour Operators providing electronic communications services procesing traffic and location data (also, accesses log register)  BASIC Any other file + Processing sensitive data in case of:  Monetary transfer s- entities to which data subjects are associated or members,  Incidentally processing without relation with its former purpose  Degree of disability - performance of public duties SECURITY AND DATA PROTECTION

6 -6- Levels of security SECURITY AND DATA PROTECTION HIGH LEVEL MEDIUM LEVEL BASIC LEVEL Requirements provided for in these three security levels are cumulative

7 -7- Document of security  Scope of application of the document  Measures, regulations, protocols aimed at guaranteeing the level of security required  Tasks and obligations of users  Structure and description of the filing systems  Procedure of notification, management and response to security incidents  Backup copies and recovery of the data  Transport of documents and files  Identification of the security officer  Control measures to verify the fulfillment of security SECURITY AND DATA PROTECTION

8 -8- Document of security  Access control Identification and authentication Log access register (1) Electronic communications accesses (networks, intranet,..) (2)  Management of media and documents Input and output (2) Transport of documents, media,.. Temporary files of copies of documents  Backups  Tasks and obligations of users Information and training  Procedure of notification, management and response to security incidents Security audit (1) (1) Required on medium and high level (2) Sensitive data require encryption SECURITY AND DATA PROTECTION

9 -9- Security measures and authorization of data transfers  Standard contractual clauses requires a description of security measures provided by the importer of data  Afford the same conditions of the exporter of data  Security measures of RLOPD or similar  Commitment to comply with the level of security RLOPD  Description of measures (based on acknowledged standards …)  Remote access from third countries could be allowed if it is performed in a equivalent way to that applicable to local access  In any case, if transfer includes sensitive data:  Encryption of data  Log access register  Security audit every 2 years SECURITY AND DATA PROTECTION

10 -10- Security measures and authorization of data transfers  Although in Spain is only compulsory when dealing with processing subject to the high level security requirements, encryption of communications through public networks seems is an increasingly extended technique.  Encrypt is not enough. Data should be encrypted in such a way that information is not accessible nor modifiable by third parties.  RC4 algorithm, used in WEP WiFi or in Adobe PDF, is not safe  SHA or AES algorithms a.o. could be considered safe  While Spain requires only to encrypt information while it is being transmitted, other countries (such as Italy) require that some sensitive data are also stored in a encrypted way. SECURITY AND DATA PROTECTION

11 -11- Security breaches  Individuals should be informed when their data are accidentally or unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorised persons.  The e-Privacy Directive includes a mandatory personal data breach notification which covers the telecom sector.  Given that risks of data breaches also exist in other sectors (e.g. the financial sector), the Commission is examining how to extend this obligation to other sectors.  Positive measure, because:  Benefit individuals  Favours transparency  Guarantees that strong security measures are in place SECURITY AND DATA PROTECTION

12 -12- Security measures as a part of the Madrid Resolution SECURITY AND DATA PROTECTION

13 -13- Security measures as a part of the Madrid Resolution  Apart of that provisions, the Madrid Resolutions encourages the implementation of proactive measures such as:  Implementation of information security standards  Appointment of data protection officers  Implementation of training and awareness programs  Conduct of periodic audits  Privacy by Design / Privacy by Default  Privacy Impact Assessments  Adoption of codes of conduct  Implementation of response plans in case of breaches  These measures should be put in place in a coherent and systematic way, in order to promote compliance. SECURITY AND DATA PROTECTION

14 -14-

Download ppt "-1- WORKSHOP ON DATA PROTECTION AND DATA TRANSFERS TO THIRD COUNTRIES Technical and organizational security measures Skopje, 16 May - 17 May 2011 María."

Similar presentations

1 Agencia Española de Protección de Datos AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL.

1 Agencia Española de Protección de Datos AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL.
1 The Data Protection Officer at work Experience, good practices and lessons learnt Pierre Vernhes – former DPO at the Council of the EU Workshop on Data.

1 The Data Protection Officer at work Experience, good practices and lessons learnt Pierre Vernhes – former DPO at the Council of the EU Workshop on Data.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Data Protection Information Management / Jody McKenzie.

Data Protection Information Management / Jody McKenzie.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.

The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Transborder dataflows Flow of information across national borders Much of this data involves personal information.

Transborder dataflows Flow of information across national borders Much of this data involves personal information.
From European to international standards on data protection (1/2)

From European to international standards on data protection (1/2)
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)

Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)
Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Security Issues Report.

National Smartcard Project Work Package 8 – Security Issues Report.
RESPECT Guidelines regarding data protection aspects whithin socio-economic research Y. Poullet, K. Rosier, I. Vereecken CRID-FUNDP in cooperation with.

RESPECT Guidelines regarding data protection aspects whithin socio-economic research Y. Poullet, K. Rosier, I. Vereecken CRID-FUNDP in cooperation with.
Company Confidential How to implement privacy and security requirements in practice? Tobias Bräutigam, OTT Senior Legal Counsel, Nokia 8 October 2012 1.

Company Confidential How to implement privacy and security requirements in practice? Tobias Bräutigam, OTT Senior Legal Counsel, Nokia 8 October
Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick.

Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick.

Similar presentations

Ads by Google