-1- WORKSHOP ON DATA PROTECTION AND DATA TRANSFERS TO THIRD COUNTRIES
Technical and organizational security measures
Skopje, 16 May - 17 May 2011
María José Blanco Antón, Head of the Data Protection Register
José Leandro Núñez García, Advisor on International Affairs
Spanish Data Protection Agency
-2- Legal framework
Europe
  Convention 108 of the Council of Europe
  Directive 95/46/EC on Data Protection (EU Directive)
Other international instruments
  OECD guidelines
  International Standards on the Protection of Personal Data and Privacy, Madrid Resolution, 5 November 2009
Spain
  Spanish Data Protection Act – LOPD (Organic Law 15/1999 of 13 December)
  Regulation implementing the LOPD – RLOPD (Royal Decree 1720/2007 of 21 December)
SECURITY AND DATA PROTECTION
-3- Security principle
Section 9 LOPD. Data security
The data controller or data processor must adopt technical and organisational measures to:
  prevent the alteration or loss of the data
  control unauthorised processing or access
taking into account:
  the state of technology
  the nature of the data
  the risks to which the data are exposed, whether from human action or from the physical or natural environment
Goals: integrity, availability and confidentiality
-4- Security measures
Title VIII RLOPD. Security measures in the processing of personal data
  Levels of security
  Security document
  Basic conditions of security
Scope:
  Data controller
  Data processor
  Every personal data processing operation under the scope of the LOPD
  Independent of the processing medium: local, online, telecommunications, ...
  From the design of the information systems to the actual processing of the data
-5- Levels of security
HIGH level
  Sensitive data
  Data collected by security forces without the consent of the data subjects
  Data on acts of gender-based violence
MEDIUM level
  Criminal or administrative offences
  Information services on creditworthiness and credit
  Tax administrations acting under their tax powers
  Financial entities providing financial services
  Social Security
  Evaluation of personality or behaviour
  Operators providing electronic communications services that process traffic and location data (the access log register is also required)
BASIC level
  Any other file
  Also sensitive data, when they are processed only as:
    monetary transfers to entities of which the data subjects are associates or members
    data processed incidentally and unrelated to the purpose of the file
    the degree of disability, for the performance of public duties
-6- Levels of security
HIGH LEVEL > MEDIUM LEVEL > BASIC LEVEL
The requirements provided for at these three security levels are cumulative: each level includes all the measures of the levels below it.
-7- Security document
Contents:
  Scope of application of the document
  Measures, rules and protocols aimed at guaranteeing the level of security required
  Tasks and obligations of users
  Structure and description of the filing systems
  Procedure for notification, management and response to security incidents
  Backup copies and recovery of the data
  Transport of documents and files
  Identification of the security officer
  Control measures to verify fulfilment of the security measures
-8- Security document
Security measures:
  Access control
  Identification and authentication
  Access log register (1)
  Electronic communications access (networks, intranet, ...) (2)
  Management of media and documents
    Input and output (2)
    Transport of documents, media, ...
    Temporary files and copies of documents
  Backups
  Tasks and obligations of users
  Information and training
  Procedure for notification, management and response to security incidents
  Security audit (1)
(1) Required at medium and high level
(2) Sensitive data require encryption
-9- Security measures and authorization of data transfers
The standard contractual clauses require a description of the security measures provided by the importer of the data, which must afford the same conditions as those of the exporter:
  the security measures of the RLOPD, or similar ones
  a commitment to comply with the RLOPD level of security
  a description of the measures (based on acknowledged standards, ...)
Remote access from third countries may be allowed if it is performed in a way equivalent to that applicable to local access.
In any case, if the transfer includes sensitive data:
  encryption of the data
  access log register
  security audit every 2 years
-10- Security measures and authorization of data transfers
Although in Spain it is compulsory only for processing subject to the high-level security requirements, encryption of communications over public networks is an increasingly widespread technique.
Encrypting is not enough. Data should be encrypted in such a way that the information is neither accessible nor modifiable by third parties: confidentiality alone does not stop an attacker from altering the ciphertext, so the encryption must be combined with an integrity check (an authenticated encryption mode or a MAC).
The RC4 algorithm, used in WEP WiFi and in Adobe PDF, is not safe.
AES for encryption, combined with a SHA-2 based integrity check (e.g. HMAC-SHA256), could be considered safe. Note that SHA is a hash function, not a cipher: on its own it provides integrity, not confidentiality.
While Spain requires only that information be encrypted while it is being transmitted, other countries (such as Italy) require that some sensitive data also be stored in encrypted form.
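The slide's point that "encrypting is not enough" can be shown concretely. The following is an added example, not code from the workshop or from the Spanish Data Protection Agency: it implements RC4 inline (demonstration only), shows that a third party who knows the layout of a message can change the decrypted text without knowing the key, because a stream cipher merely XORs a keystream onto the plaintext, and then shows that an HMAC-SHA256 tag (encrypt-then-MAC) makes the same tampering detectable. The bit-flipping attack applies to any unauthenticated stream cipher; RC4's keystream biases, the other reason the slide calls it unsafe, are not demonstrated here. The keys and the transfer message are constructed for the example.

```python
# Added example: malleability of an unauthenticated stream cipher (RC4 here) versus
# encrypt-then-MAC with HMAC-SHA256. RC4 is implemented inline for demonstration only.
# Keys and messages below are constructed for the example, not taken from any real system.
import hashlib
import hmac
from typing import Optional, Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling + pseudo-random generation: `length` keystream bytes (demo only)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: plaintext XOR keystream."""
    ks = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def bit_flip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Forge a ciphertext that decrypts to `wanted` at `offset`, given that the plaintext
    there is `known`. No key needed: C' = C XOR known XOR wanted, for any stream cipher."""
    assert len(known) == len(wanted)
    segment = ciphertext[offset:offset + len(known)]
    patch = bytes(c ^ k ^ w for c, k, w in zip(segment, known, wanted))
    return ciphertext[:offset] + patch + ciphertext[offset + len(known):]


def malleability_demo(key: bytes = b"workshop-key") -> bytes:
    """Encrypt a transfer order, alter the ciphertext without the key, decrypt the result."""
    plaintext = b"TRANSFER AMOUNT=0100 TO=ACCOUNT-A"
    ciphertext = rc4_crypt(key, plaintext)
    # The attacker knows the message layout (where the amount sits) but not the key.
    offset = plaintext.index(b"0100")
    forged = bit_flip(ciphertext, offset, b"0100", b"9900")
    return rc4_crypt(key, forged)  # decrypts cleanly; the receiver sees no error


# Encrypt-then-MAC: the receiver verifies the tag before decrypting anything.

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Ciphertext followed by a 32-byte HMAC-SHA256 tag computed over the ciphertext."""
    ciphertext = rc4_crypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not match (tampered or wrong key)."""
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return rc4_crypt(enc_key, ciphertext)


def integrity_demo(enc_key: bytes = b"workshop-key",
                   mac_key: bytes = b"mac-key") -> Tuple[Optional[bytes], Optional[bytes]]:
    """The same attack against the authenticated message: (untouched result, forged result)."""
    plaintext = b"TRANSFER AMOUNT=0100 TO=ACCOUNT-A"
    blob = seal(enc_key, mac_key, plaintext)
    offset = plaintext.index(b"0100")
    forged = bit_flip(blob, offset, b"0100", b"9900")  # tag no longer matches the ciphertext
    return open_sealed(enc_key, mac_key, blob), open_sealed(enc_key, mac_key, forged)


if __name__ == "__main__":
    print(malleability_demo())  # b'TRANSFER AMOUNT=9900 TO=ACCOUNT-A'
    print(integrity_demo())     # (b'TRANSFER AMOUNT=0100 TO=ACCOUNT-A', None)
```

The forged order in `malleability_demo` is accepted because nothing binds the ciphertext to the key; in `integrity_demo` the same modification is rejected before decryption. In practice one would use AES in an authenticated mode (e.g. AES-GCM) rather than RC4 plus a separate MAC, but the separation shown here is what the slide's "not accessible nor modifiable" requirement demands: confidentiality from the cipher, integrity from the tag.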
-11- Security breaches
Individuals should be informed when their data are accidentally or unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorised persons.
The e-Privacy Directive includes a mandatory personal data breach notification which covers the telecom sector. Given that the risk of data breaches also exists in other sectors (e.g. the financial sector), the Commission is examining how to extend this obligation to other sectors.
This is a positive measure, because it:
  benefits individuals
  favours transparency
  encourages organisations to keep strong security measures in place
-12- Security measures as a part of the Madrid Resolution
-13- Security measures as a part of the Madrid Resolution
Apart from those provisions, the Madrid Resolution encourages the implementation of proactive measures such as:
  Implementation of information security standards
  Appointment of data protection officers
  Implementation of training and awareness programmes
  Periodic audits
  Privacy by Design / Privacy by Default
  Privacy Impact Assessments
  Adoption of codes of conduct
  Implementation of response plans in case of breaches
These measures should be put in place in a coherent and systematic way, in order to promote compliance.