Employees monitoring of information and communication technologies private usage Guidelines updated in Portugal
|
|
- Charles Cummings
- 8 years ago
- Views:
Transcription
1 COELHO RIBEIRO E ASSOCIADOS SOCIEDADE CIVIL DE ADVOGADOS Employees monitoring of information and communication technologies private usage Guidelines updated in Portugal CRA Coelho Ribeiro e Associados, SCARL Mónica Oliveira Costa Portugal December 2013 On 14 November last the Portuguese Data Protection Authority (CNPD) published the updated guidelines on employees monitoring of information and communication technologies private usage issued on 16 July. Despite being in line with the previous ones (issued on 29 October 2002) these guidelines establish some new rules as far as phone calls, and internet monitoring and addresses the remote computer access which was not foreseen previously. CNPD made clear that these guidelines do not include the use of geolocalisation systems by the employer, which will be address autonomously and in a different guideline. 1. General Requirements As the previous guidelines, the CNPD emphasizes that the legitimacy of the employee monitoring lays down on the fair balance between the employer s right to establish rules on how the work and the work tools should be performed and used (employees productivity and companies assets management) and the employees right to privacy. A V. E N G º D U A R T E P A C H E C O, E M P R E E N D I M E N T O D A S A M O R E I R A S T O R R E I I, 1 3 º A L I S B O A P O R T U G A L T E L. ( ) F A X ( ) E - M A I L : c r W W W. C R A L A W. C O M
2 Again, the CNPD highlights that it is unrealistic and unreasonable that the employer forbids the private use of information and communication technologies by the employees. Instead, the employer should establish clear and precise rules on the private use of such assets made available to the employees and the level of tolerance admitted as well as on the means of monitoring used. Such rules should be based on the principles of necessity, proportionality, and good faith, being the employer able to demonstrate that the means of monitoring used are the ones with less impact on the employees privacy. Thus, employer shall privilege generic means of monitoring (time and duration of the connection) rather than individual ones (traffic data that reveals the private life of the employee, such as, called number, receiver s address or the website visited) as those will be sufficient to ascertain whether there have been any abusive use. CNPD expressly bans any kind of monitoring of personal , social networks or similar even if accessed through the computer at the workplace. In addition, communications extract lists even if intended to be sent to the employees for their alleged control is also not seen by CNPD as legitimate because it disrespects the necessity and adequacy principles. In what concerns to data retention, CNPD clarifies, in these updated guidelines, that data should not be retained for more than 6 months, unless in case a disciplinary or judicial procedure is ongoing. As in the previous guidelines, the retention period for phone calls should be less than the statutory period of payment applicable to the invoices of such phone calls. Interconnection of this processing with other databases of the controller or third parties is not allowed as well as disclosure to any third parties, unless to comply with a legal obligation within a judicial or a disciplinary procedure. 2
3 CNPD underlines the need to ensure the employees access, rectification and deletion rights and explicitly refers that employees should be informed of the conditions to exercise such rights and provided, upon their request, without constraint, at regular intervals and without excessive delay or expense the information legally foreseen in the law as far as the right of access is concerned (article 11.1 a), b) and c) of the Data Protection Act): (a) Confirmation as to whether or not data relating to him are being processed and information as to the purposes of the processing, the categories of data concerned and the recipients or categories of recipients to whom the data are disclosed; (b) Communication in an intelligible form of the data undergoing processing and of any available information as to their source; (c) Knowledge of the logic involved in any automatic processing of data concerning him. Particular attention is given by the CNPD to security measures. Considering that sensitive data are processed special security measures foreseen in the Data Protection Act will be required and the CNPD provides some guidance on what specifically should be implemented by the controllers: (i) Create a specific access profile for the purposes of this processing; (ii) The access to the systems which record this information shall only be made through user accounts that allow to uniquely identify the user; (iii) Restrict access to the servers (physical and logical); (iv) Access record to the sensitive information for purposes of operations control as well as internal and external audits; (v) Trusted audit system; (vi) Tracking of access monitoring (configuration of systems that allows logs to record who accessed, day and hour timestamp what was done assigning a sequential number id for each occurrence and a hash with these elements: id, user, date, hour and operation). In order to be valid, logs, should be digitally signed; (vii) Alarm system and response in case of misuse; (viii) Log analysis Policy with period analysis reports that should be kept for 1 year for CNPD s supervising purposes. 3
4 Pursuant the data subjects information right, the employer should have a written policy governing the information and communication technologies usage that shall define with accuracy the rules and conditions, under which the company assets may be used for private purposes or the level of tolerance admitted. Furthermore, the employer shall inform previously the employees about the existence of the processing, its purpose, the control methods adopted, the data processed and the retention period, as well as the consequences for the misuse of the company s assets made available to the employee. Prior consultation of the workers council or similar employees representative structures/entities, if any, must be made and afterwards the employer must post the policy at the working places, in order to allow the employees to have full awareness of its content. Moreover, because sensitive data are processed, prior authorisation of the CNPD must be obtained. Finally, prior to the writing policy the controller should conduct a Privacy Impact Assessment in order to evaluate the effects that the control mechanisms will have on the employees privacy and find those that are less intrusive and simultaneously answers the company s legitimate purposes. 2. Specific Requirements a) Telephone usage data and traffic data Access to communications content, the use of any tapping device, storage, interception and surveillance of the communications are forbidden. Recording telephone conversations is allowed under the terms legally foreseen, for the purposes and within the conditions authorised by the CNPD in accordance with its guidelines of 10 September
5 No monitoring is permitted within the activities subject to professional secrecy (ex.: lawyers, physicians and journalists). Calls monitoring shall be limited to the user identification, his/her rank/function in the company, number called/received (being the last 4 numbers removed), type of call (local, regional or international), duration of the call and price. b) and traffic data CNPD reaffirms its understanding that in no event the employer is entitled to open, automatically, the s addressed to the employees. The fact that such s are stored in the company s servers does not legitimise the access to such s, even within a disciplinary investigation. Neither the need of virus detection nor other malicious software justifies for itself the access to the s received by the employee. However, employees should be required to create folders, duly identified on which the employees should save their personal s received in their company s mail box. Again, the employer shall not undertake a permanent and systematic monitoring of the employees . The control shall be punctual and towards the areas or activities that present a greater risk. As in the case of phone calls, no monitoring is permitted within the activities subject to professional secrecy (ex.: lawyers, physicians and journalists). monitoring should be made on a randomly basis. The employer may also adopt the necessary procedures always with the knowledge of the employees to filter certain files that may indicate not being professional s (exe. Files, mp3 or image files). 5
6 Eventual monitoring for prevention or detection of commercial secrets disclosure shall be directed exclusively for the employees with access to those secrets and only when there are grounded suspicions. It shall be clearly distinctive the level of exigency and accuracy in relation to the monitoring of received and sent s. Instructions to the employee to delete messages received in breach of the Policy should be given. When facing an abusive use of the the employer should issue a warn notice to the employee. The access to the employee s shall be the last recourse to be used by the employer, and it should be done in the presence of the employee and a representative of the work council or other similar employees representative structure/entity or someone the employee chooses. The access shall be limited to watch the addresses of the recipients, the subject, date and hour. The employee is entitled to identify the s that are personal and object their reading by the employer; in which case, the employer shall refrain from consult the content of those s, in case the employee still had not the chance to save them in the personal folder. In case of scheduled absence (ex.: holidays or parental leave) the out of office reply together with an alternate address should be adopted. The reasons for acceding to the mailbox of the employee in case of absence shall be clearly expressed and of the employee s previous knowledge. Likewise, it should be done in the presence of a representative of the work council or other similar employees representative structure/entity or someone the employee chooses. If not possible and for companies who have a Data Protection Officer, the latest should be responsible to ensure compliance with the law and the rights of the employee preventing any unlawful access from the employer. 6
7 Finally, procedures on mail box of former employees ( heritage) should also be implemented. The employee should be given with a period to remove all the personal e- mails, at the end of which the account should be deleted and shall not be reused/assigned to another employee. c) Internet The employer shall adopt a preventive approach, giving preference to the creation of filters that block the access to the websites unauthorised by the employer. Time limits for private use of internet at the workplace are admissible. However the employer shall not undertake a permanent and systematic control of the Internet s access. It shall be done in a global way, not individualised, in relation to all accesses made in the company, with reference to the time of web connection. It is admissible that the employer processes data about the most acceded websites, but without identifying the place of origin of the access. Whenever there are reasons of costs and productivity involved, the monitoring shall be done through the counting of the time of connection, independently of the sites visited. In case it is found excessive and disproportionate, the employee shall be warned in respect to his level of use. The control of the time daily spent in the access to Internet and the web sites consulted by the employee shall only occur in exceptional circumstances, in particular when the employee, after the warning, doubts of the employer s accesses data and wishes to confirm them. 7
8 Finally, the CNPD clarifies that in no event the employer should have access to the employee s personal profile area as it is deemed to be private, such as, conversations in chats rooms. d) Remote computer access Remote computer access (ex: VNC Virtual Network Computing), in real time or delayed, is not admissible, unless for technical assistance upon the employee s request or knowledge each time it is performed. Systems that allow search, localisation and obtaining data or electronic stored information at the companies computers is not permitted either. The employer must ensure that backups of individual computers granted to the employees and the general archive centralization of the dispersed business documentation do not include private information. In order to accomplish this goal clear and comprehensive procedures to separate personal from business folders must be created. Employees should be duly informed of such procedures and guidance on how to archive personal files should be made available to them as well. Regrettably the CNPD did not take the opportunity to address in these guidelines the use of employees own personal computing devices for work purposes (BYOD) which of course raises different issues and challenges that companies need to face ever more. 8
Guidelines on Data Protection. Draft. Version 3.1. Published by
Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...
More informationCOUNCIL OF EUROPE COMMITTEE OF MINISTERS. RECOMMENDATION No. R (95) 4 OF THE COMMITTEE OF MINISTERS TO MEMBER STATES
COUNCIL OF EUROPE COMMITTEE OF MINISTERS RECOMMENDATION No. R (95) 4 OF THE COMMITTEE OF MINISTERS TO MEMBER STATES ON THE PROTECTION OF PERSONAL DATA IN THE AREA OF TELECOMMUNICATION SERVICES, WITH PARTICULAR
More informationINERTIA ETHICS MANUAL
SEVENTH FRAMEWORK PROGRAMME Smart Energy Grids Project Title: Integrating Active, Flexible and Responsive Tertiary INERTIA Grant Agreement No: 318216 Collaborative Project INERTIA ETHICS MANUAL Responsible
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationWest Lothian College. E-Mail and Computer Network Responsible Use Policy. September 2011
West Lothian College E-Mail and Computer Network Responsible Use Policy September 2011 Author: Steve Williams Date: September 2011 Agreed: Computer Network & Email Policy September 2011 E-Mail and Computer
More informationSTFC Monitoring and Interception policy for Information & Communications Technology Systems and Services
STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining
More informationPRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)
PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard
More informationStandard Operating Procedure. Authority to access and monitor University IT Account holder communications and data
Standard Operating Procedure Title: Authority to access and monitor University IT Account holder communications and data Version: 2.0 Effective Date March 2016 Summary Describes the approval process and
More informationCCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE
Représentant les avocats d Europe Representing Europe s lawyers CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION
More informationRecommendations for companies planning to use Cloud computing services
Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation
More informationTEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for
More informationAcceptable Use of ICT Policy For Staff
Policy Document Acceptable Use of ICT Policy For Staff Acceptable Use of ICT Policy For Staff Policy Implementation Date Review Date and Frequency January 2012 Every two Years Rev 1: 26 January 2014 Policy
More informationAct on the Protection of Privacy in Working Life (759/2004)
NB: Unofficial translation Ministry of Labour, Finland Chapter 1 - General provisions Section 1 Purpose of the act Act on the Protection of Privacy in Working Life (759/2004) The purpose of this Act is
More informationPersonal Data Act (1998:204);
Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their
More information7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data
Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal
More informationThe supplier shall have appropriate policies and procedures in place to ensure compliance with
Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations
More informationMedina County Policy Manual
Medina County Policy Manual Policy: Computer & Network Usage Section: Work Rules Number: 7.015 Issued: 09/17/07 Reviewed/Revised: Page #: 1 of 5 A. It is the intent of Medina County to provide local, network,
More informationDo you have a private life at your workplace?
Do you have a private life at your workplace? Privacy in the workplace in EC institutions and bodies Giovanni Buttarelli In the course of his supervisory activities, the EDPS has published positions on
More informationSOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY
SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy
More informationOnline Research and Investigation
Online Research and Investigation This document is intended to provide guidance to police officers or staff engaged in research and investigation across the internet. This guidance is not a source of law
More informationPersonal use of computers
Personal use of computers Personal Use In addition to the internal mail system, ICO staff have direct access to the Internet and external email from their IT equipment. This statement of the Commissioner
More informationSURVEILLANCE AND PRIVACY
info sheet 03.12 SURVEILLANCE AND PRIVACY Info Sheet 03.12 March 2012 This Information Sheet applies to Victorian state and local government organisations that are bound by the Information Privacy Act
More informationWelcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully.
LEGAL TERMS AND PRIVACY POLICY Welcome to our job search and application platform (the Platform ). Please read our Legal Terms (which includes our Privacy Policy) carefully. The Platform is accessible
More informationResponsible Use of Technology and Information Resources
Responsible Use of Technology and Information Resources Introduction: The policies and guidelines outlined in this document apply to the entire Wagner College community: students, faculty, staff, alumni
More informationCROATIAN PARLIAMENT 1364
CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on
More informationHow To Write A Report On A Recipe Card
Opinion on a notification for Prior Checking received from the Data Protection Officer of the European Investment Bank (EIB) concerning procedures related to "360 Leadership feedback report" Brussels,
More informationEmail Rules in Brief. Every email user has one or more roles 28.11.2013. the rules are partly different for e.g. the staff and the students
Email Rules in Brief Every email user has one or more roles the rules are partly different for e.g. the staff and the students All rules shall be obeyed use different passwords at the university of applied
More informationRESTREINT UE/EU RESTRICTED
COUNCIL OF THE EUROPEAN UNION Brussels, 9 April 2014 8761/14 RESTREINT UE/EU RESTRICTED JAI 220 USA 9 DATAPROTECT 56 RELEX 319 NOTE from : Commission Services to : JHA Counsellors No. prev. doc. : 5999/12
More informationELECTRONIC COMMUNICATION & INFORMATION SYSTEMS POLICY
ELECTRONIC COMMUNICATION & INFORMATION SYSTEMS POLICY I. ELECTRONIC COMMUNICATION A. PURPOSE To better serve our citizens and give our workforce the best tools to do their jobs, the Common Council of the
More informationLEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT
LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text
More informationPRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA
PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA Updated: 20 Jun 2015 (substitutes previous versions) This Privacy Policy describes
More informationSt. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy
Learn, sparkle & shine St. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy Adopted from the LA Policy April 2015 CONTENTS Page No 1. Introduction 1 2. Guiding Principles
More informationE-mail rules in brief
Tampere University of Technology E-Mail rules 1 (6) E-mail rules in brief Every e-mail user has one or more roles There are slightly different rules, for example, for staff members and students. All rules
More informationUniversity of Liverpool
University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October
More informationThe primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of.
Opinion on a Notification for Prior Checking received from the Data Protection Officer of the European Training Foundation Regarding the Processing Operations to Manage Calls for Tenders Brussels, 22 April
More informationTable of contents: ***
Table of contents: *** In Europe the issue of personal data protection is settled by European Parliament s and European Council s Directive 95/46/WE of October 24, 1995 (which is basis of Polish regulations)
More informationUNIVERSITY OF ST ANDREWS. EMAIL POLICY November 2005
UNIVERSITY OF ST ANDREWS EMAIL POLICY November 2005 I Introduction 1. Email is an important method of communication for University business, and carries the same weight as paper-based communications. The
More informationHOSTING SERVICES AGREEMENT
HOSTING SERVICES AGREEMENT 1 Introduction 1.1 Usage. This Schedule is an addition to and forms an integral part of the General Terms and Conditions, hereafter referred as the "Main Agreement". This Schedule
More informationAstaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between
Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"
More informationPERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE
PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations
More informationARTICLE 29 Data Protection Working Party
ARTICLE 29 Data Protection Working Party 5401/01/EN/Final WP 55 Working document on the surveillance of electronic communications in the workplace Adopted on 29 May 2002 Comments: * national chapters might
More informationSaint Martin s Catholic Academy
Saint Martin s Catholic Academy E-Safety Policy - Acceptable Use - Students January 2015 Why have an Acceptable Use Policy? An Acceptable Use Policy is about ensuring that you, as a student at Saint Martin
More informationStrathfield Girls High School Bring your Own Device User Charter
Strathfield Girls High School Bring your Own Device User Charter The Strathfield Girls High School Bring Your Own Device program aims to improve student learning experiences both in and beyond the classroom.
More informationEmail Services Policy
Email Services Policy CONTENTS Page 1 Introduction 3 2 Scope 3 3 Review and Evaluation 3 4 General Principles 4 5 Responsibilities 4 6 Business Use and Continuity 4 7 Personal Use 6 8 Managing Email Messages
More informationCalifornia State University, Sacramento INFORMATION SECURITY PROGRAM
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
More informationTerms of Use of MiMafia.com
Terms of Use of MiMafia.com The website www.mimafia.com (hereinafter referred to as Website ) allows you to manage a text-based online multi-player mafia game (the Game ), and to also play Games managed
More informationInterception of Communications Code of Practice. Pursuant to section 71 of the Regulation of Investigatory Powers Act 2000
Interception of Communications Code of Practice Pursuant to section 71 of the Regulation of Investigatory Powers Act 2000 Draft for public consultation February 2015 Contents Contents... 2 1. General...
More informationInformation Technology - Switzerland
Newsletters Law Directory Deals News Subscribe Home Information Technology - Switzerland Data Protection - Key Issues Contributed by Homburger December 2 2003 Introduction No Free Flow of Data within a
More informationElectronic Communications Monitoring Policy
Electronic Communications Monitoring Policy Printed copies should not be considered the definitive version DOCUMENT CONTROL POLICY NO. 79 Policy Group Information Governance and Security Author Andrew
More informationHow To Protect Your Data In European Law
Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work
More informationDATA PROTECTION AND DATA STORAGE POLICY
DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether
More informationINTERNET, E-MAIL USE AND
INTERNET, E-MAIL AND TELEPHONE USE AND MONITORING POLICY Originated by: Customer Services LJCC: 10 th April 2008 Full Council: June 2008 Implemented: June 2008 1.0 Introduction and Aim 1.1 The aim of this
More informationProposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion
Page 1 sur 155 Proposal of regulation Com 2012 11/4 Directive 95/46/EC Conclusion Legal nature of the instrument Règlement Directive Directly applicable act in internal law 91 articles 34 articles Art.
More informationSTRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS
Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level
More informationCORK INSTITUTE OF TECHNOLOGY
CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of
More informationThese terms and conditions were last updated on 30 September 2015.
Game Rules The website www.mafiacontrol.com (hereinafter referred to as Website ) allows you to manage a text-based online multi-player mafia game (the Game ), and to also play Games managed by others.
More informationon the transfer of personal data from the European Union
on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP
More informationBRING YOUR OWN DEVICE
BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues
More informationAtlanta Insomnia & Behavioral Health Services, P.C. 315 West Ponce de Leon Ave Suite 1051 Decatur, GA 30030 404-378-0441
Atlanta Insomnia & Behavioral Health Services, P.C. 315 West Ponce de Leon Ave Suite 1051 Decatur, GA 30030 404-378-0441 Health Insurance Portability and Accountability Act (HIPAA) NOTICE OF PRIVACY PRACTICES
More informationRules for the use of the IT facilities. Effective August 2015 Present
Rules for the use of the IT facilities Effective August 2015 Present INFORMATION MANAGEMENT GUIDE RULES FOR THE USE OF THE UNIVERSITY S IT FACILITIES ( The Rules ) 1. Introduction 2. Interpretation 3.
More informationBinding Corporate Rules ( BCR ) Summary of Third Party Rights
Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting
More informationTerms of use of information and communication technologies at the University of Burgundy
Terms of use of information and communication technologies at the University of Burgundy Adopted by the Board of the University of Burgundy on June 28, 2007. This Charter constitutes the internal regulations
More information16 Electronic health information management systems
16 Electronic health information management systems Section 16: Electronic information management systems The continued expansion and growth in global technologies is aiding the development of many new
More informationSOCIAL MEDIA POLICY. Policy. Effective: 1 July 2015
SOCIAL MEDIA POLICY Policy Effective: 1 July 2015 To be reviewed: January 2018 To help the public service spend wisely TABLE OF CONTENTS Introduction...1 Scope of the Policy...1 Responsibility for Implementation
More informationGENERAL TERMS OF USE
GENERAL TERMS OF USE 1. Purpose and Scope 1.1. The Website at www.lvmhprize.com is the internet site set up by LVMH Moët Hennessy Louis Vuitton ("LVMH") for the LVMH Prize for Young Fashion Designers and
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More information235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June
More informationData Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
More informationTECHNOLOGY USAGE POLICY
TECHNOLOGY USAGE POLICY Computer Usage Policy (CUP). 2 Aims/Objectives. 2 General.. 2 Student Responsibilities 2 Monitoring 3 Access Violations... 3 Personal Devices 3 Internet Safety: Acceptable Usage
More informationCOMPUTER USAGE - EMAIL
BASIC BELIEF This policy relates to the use of staff email at Mater Dei and is designed to provide guidelines for individual staff regarding their use. It encourages users to make responsible choices when
More informationCorporate Policy. Data Protection for Data of Customers & Partners.
Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationNetwork Security Policy
Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus
More informationFaculty/Staff/Community Mountain Home School District Computer and Network Appropriate Use Policy
Faculty/Staff/Community Mountain Home School District Computer and Network Appropriate Use Policy Mountain Home School District is responsible for securing its network and computer systems against unauthorized
More informationRESPONSIBLE COMPUTER USE POLICY (ADOPTED AUGUST 3, 2006)
RESPONSIBLE COMPUTER USE POLICY (ADOPTED AUGUST 3, 2006) on-line at www.ccc.edu I. INTRODUCTION All users shall abide by the following provisions contained herein, or otherwise may be subject to disciplinary
More informationForm I: HIPAA Notice of Privacy Practices HIPAA NOTICE OF PRIVACY PRACTICES
Pg. 4 Form I: HIPAA Notice of Privacy Practices Susan Zaro, LMFT, BCB HIPAA NOTICE OF PRIVACY PRACTICES I. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU
More informationINFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS 357-7 8. Risk Assessment 357-7
Information Technology Management Page 357-1 INFORMATION TECHNOLOGY MANAGEMENT CONTENTS CHAPTER A GENERAL 357-3 1. Introduction 357-3 2. Applicability 357-3 CHAPTER B SUPERVISION AND MANAGEMENT 357-4 3.
More informationSCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION)
SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION) ELECTRONIC MEDICAL RECORD INFORMATION EXCHANGE PROTOCOL (AHS AND
More informationE-mail Usage Policy of GCRI
E-mail Usage Policy of GCRI AIM : Email Account Management and Best Practices for Effective E-mail Usage and to promote awareness of the benefits of a paperless communication system VER : Version 1.0 Date
More informationDATA PROTECTION REQUIREMENTS FOR ATTENDANCE VERIFICATION SYSTEMS (AVSs)
DATA PROTECTION UNIT OPERATIONS AND PROGRAMME IMPLEMENTATION DIRECTORATE OFFICE OF THE PRIME MINISTER MALTA DATA PROTECTION REQUIREMENTS FOR ATTENDANCE VERIFICATION SYSTEMS (AVSs) INTRODUCTION It is within
More informationPOLICY ON USE OF INTERNET AND EMAIL
POLICY ON USE OF INTERNET AND EMAIL OVERVIEW Public sector employees are accountable for their use and management of all public resources including the use of services such as the Internet and electronic
More informationNETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS
OFFICE OF THE CHIEF INFORMATION OFFICER NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section
More informationROCHESTER AREA SCHOOL DISTRICT
No. 815.4 SECTION: OPERATIONS ROCHESTER AREA SCHOOL DISTRICT TITLE: E-MAIL SECURITY ADOPTED: October 22, 2001 REVISED: August 11, 2008 815.4. E-MAIL SECURITY 1. Purpose This policy statement provides specific
More informationSPANISH DATA PROTECTION AGENCY
SPANISH DATA PROTECTION AGENCY 21648 INSTRUCTION 1/2006, of 8 November, by the Spanish Data Protection Agency, on processing personal data for surveillance purposes through camera or video-camera systems.
More informationEmployee Monitoring Prepared for SurfControl by Hammonds
The Legal Guide to Employee Monitoring Prepared for SurfControl by Hammonds UK Edition T H E L E G A L G U I D E T O E M P L O Y E E M O N I T O R I N G Prepared for SurfControl by 1 Notice: This document
More informationINTERNET AND MONITORING OF COMPUTER USE POLICY SUMMARY
POLICY NUMBER: INTERNET 028/09 NAME: INTERNET AND MONITORING OF COMPUTER USE POLICY SUMMARY POLICY AIM To enable the professional usage all computers. To ensure that no illegal usage of the computer and
More informationOpinion on a notification for prior checking received from the Data Protection Officer of the Court of Auditors related to Internet monitoring
Opinion on a notification for prior checking received from the Data Protection Officer of the Court of Auditors related to Internet monitoring Brussels, 10 November 2008 (Case 2008-284) 1. Proceedings
More informationBerwick Academy Policy on E Safety
Berwick Academy Policy on E Safety Overview The purpose of this document is to describe the rules and guidance associated with E Safety and the procedures to be followed in the event of an E Safety incident
More information2) applied methods and means of authorisation and procedures connected with their management and use;
Guidelines on the way of developing the instruction specifying the method of managing the computer system used for personal data processing, with particular consideration of the information security requirements.
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationThe Manitowoc Company, Inc.
The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational
More informationAppendix 11 - Swiss Data Protection Act
GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the
More informationDedicated Server Services Specific Terms and Conditions
Dedicated Server Services Specific Terms and Conditions These Specific Terms and Conditions and ROOT General Terms and Conditions shall be interpreted and applied together as a single instrument (the Agreement
More informationHealth Insurance Portability and Accountability Act (HIPAA)
Atlanta Center for Positive Change 333 Sandy Springs Circle NE Suites 109 & 127 Atlanta, GA 30328 Anne Lewis Moore, PsyD (404) 277-7992 Karen Kallis, M.Ed., LAPC, NCC (404) 423-1087 Ephrat L. Lipton, LCSW,
More informationSenior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES
Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the
More informationUnsolicited visits and surprise requests for information by the Financial Services Authority. April 2009
Unsolicited visits and surprise requests for information by the Financial Services Authority April 2009 Contents 1. Introduction 1 2. The FSA s investigatory powers 2 3. Confidentiality of information
More informationInformation Governance Framework. June 2015
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
More informationIM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...
IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This
More informationExecutive Vice President of Finance and
Name of Policy: Policy Number: Electronic mail services policy. 3364-65-01 Approving Officer: Administration Executive Vice President of Finance and Responsible Agent: Vice President of Information Technology
More information