Summary of the Dutch Data Protection Authority's guidelines for the Data Breach Notification Act




On 1 January 2016, the Dutch Data Breach Notification Act will enter into force. The Dutch DPA issued Guidelines on September 21st to clarify certain aspects of the new data breach notification obligation. The following is a summary of those Guidelines. It is important to note that this version of the Guidelines is still subject to public consultation. Not only is it possible that certain things will change, but the CBP (the Dutch DPA) is actively requesting feedback from businesses who will have to comply with these Guidelines. If you'd like to submit your comments to the DPA, we'd be happy to assist in drafting a (Dutch-language) statement expressing your views on the Guidelines. The final date for submissions is 19 October 2015.

1. Preparation

The Guidelines make it clear that the controller should ensure that its data processors enable it to comply with the law, which means at the very least that the processor must provide timely and adequate information about any data breaches it discovers. In order to do this, the data controller must execute a written agreement with its data processor, which includes the following:

1. The data processor will notify the data controller about relevant incidents. The parties should design a plan describing how the data controller will be informed and kept up to date throughout the resolution of the data breach.
2. How swiftly should the data processor alert the data controller?
3. Who will submit the initial notification to the DPA: the data controller or the data processor? The DPA apparently does not think that it should always be the data controller who notifies. The notification may later be supplemented by the data controller, who probably has more information about the data subjects involved in the breach.
4. The data processor should implement measures to prevent incidents and detect data breaches, such as intrusion detection systems.
5. Is there any way to audit whether the data processor has met its obligations to inform and keep the data controller up to date?

We note that the DPA says two surprising things about controllers, which creates some confusion about that role.

1. The DPA says that although the controller is responsible and liable for compliance, the data processor is also responsible for compliance. It should not merely follow the instructions of the data controller, but should take independent responsibility for compliance with the requirements set out under data protection law. This is consistent with a recent report the DPA has published, but contrary to the established interpretation of the law. Moreover, it runs contrary to recent statements by the government that the obligations in the Data Protection Act are imposed on the data controller (and not on others).

2. The DPA also says that the data controller has to ensure that the data processor complies with its local law. The DPA refers to article 14(4) of the Data Protection Act (an implementation of article 17(3), 2nd point, of the Data Protection Directive). The Directive is very clear that this obligation does not apply to all local law, but only to local data security obligations. In our opinion, the DPA is using an unfortunate translation in the Dutch implementation of the Directive to extend the scope of this obligation beyond the intent of the legislature.

2. To notify or not to notify?

Does the incident qualify as a data breach? This question should be answered in two parts:

1. Was personal data exposed to destruction or unlawful processing? The data controller must first answer the question whether its technical and organizational security measures were breached. It is irrelevant whether the data controller had implemented adequate technical and organizational security measures to prevent destruction or unlawful processing; the only relevant issue is whether there was a breach. For example, the data controller should assume that personal data were exposed to destruction or unlawful processing in the case of a malware infection.

2. Can the data controller rule out that personal data was actually destroyed or processed unlawfully? The second question is whether the data controller can reasonably rule out that data was actually destroyed or processed unlawfully. For example, if the data was destroyed but could be recovered from a backup, the incident does not qualify as a data breach. If the data controller finds out that an employee gave out his user name and password to a third party, but can use server logs to establish that no one used these credentials to log in, the incident does not qualify as a data breach.

3. Notifying the DPA

The data controller will have to notify the DPA if the data breach will (likely) have serious detrimental consequences for the protection of personal data. If the data are of a sensitive nature, this will always be the case. Sensitive data are defined as including at least:

- Special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data regarding health and sex life).
- Data regarding the financial or economic situation of the data subject.
- Data which may lead to stigmatization or exclusion.
- User names, passwords and other log-in information.
- Data which may be used for identity fraud.

If the data does not fall into those categories, the incident may still have serious detrimental consequences based on the nature and size of the data breach. The following considerations should be taken into account:

- As the volume of the compromised data increases, it becomes a more attractive tool for abuse and more likely to cause harm to the data subject. This is especially true for government databases.
- As the compromised data is used to take more far-reaching decisions about the data subject, the impact increases. For example, if a hacker has access to, and potentially is able to change, data in a database used for assessing creditworthiness, that will have more impact than if the same database were used for marketing purposes.
- If the compromised data is used throughout a chain of service providers, as is often the case with government and health care providers, it becomes harder to manage the consequences of that data being lost or altered, which increases the impact of the breach.
- If the data specifically relates to vulnerable groups, such as children or less computer-literate individuals, it will be harder for the data subjects to manage the consequences of the incident, and as such the impact of the breach will likely be larger.
- Certain incidents involve a higher risk of abuse, e.g. a hack.

How and when should the DPA be notified?

The DPA can be notified through a web form or by fax. The notification should be made on the second working day after discovery of the incident by the data controller or its data processor at the latest. (E.g. an incident discovered on Friday should be reported no later than Tuesday.) It is possible to amend or supplement the notification, or even to withdraw it, later.

4. Notifying the data subject

If, based on the above, the data controller has to notify the DPA, the next question is whether to notify the data subject. The relevant consideration is whether the incident is likely to have negative consequences for the private life of the data subject(s).

Has the data controller taken adequate data security measures to avert having to notify the data subject?

The data controller does not need to notify the data subject if it has taken security measures which render the personal data incomprehensible or inaccessible to unauthorized third parties. The DPA lists the following measures as examples:

- Encryption.
- Remote wipe. The data controller will have to ascertain whether the remote wipe was activated in time, whether the device was still capable of receiving and executing a remote wipe command, and whether the remote wipe successfully prevented any attempt at reconstructing the data.
- Pseudonymization. This measure must effectively prevent re-identification of the data subject.

On the point of encryption:

- If the personal data has been destroyed, encryption will not prevent harm to the data subject. In such a case, the data controller may still be required to notify the data subject.
- The encryption must have been active at the time of the incident.
- The encryption should be based on a standard algorithm (e.g. as published by the EU Agency for Network and Information Security, ENISA). An algorithm can be considered sufficiently future-proof if it is rated as suitable for future use (meaning: safe for the next 10-50 years) by ENISA.
- The data controller must take into account any published weaknesses in the algorithm.
- The implementation of the encryption algorithm needs to have been sufficiently secure. This may have to be ascertained by an (external) expert.

- The encryption key must remain secret and e.g. must not have leaked as part of the incident.

Finally, the data controller must ascertain whether, in light of all applicable security measures, there is any remaining risk of unauthorized processing of the personal data, now or in the future.

Will the incident likely have negative consequences for the private life of the data subject?

Assuming the security measures were inadequate, the data controller will have to determine whether there are likely to be negative consequences for the private life of the data subject. If the data breach involves sensitive data (as defined above), the data controller should notify the data subject. In other cases, the data controller will have to assess what the likely negative consequences for the data subject will be and whether they need information about the data breach to protect themselves against those negative consequences.

Are there pressing circumstances that advise against notifying the data subject (for now)?

The data controller may decide to postpone notifying the data subject, or decide not to notify at all, in situations where this constitutes a necessary measure to safeguard:

- the prevention, investigation and prosecution of criminal offenses;
- an important economic or financial interest of the state and other public bodies;
- the enforcement of compliance with legal requirements aimed at safeguarding the above two interests;
- national security;
- the protection of the data subject or the protection of the rights and freedoms of others (including the data controller).

Examples of interests in the last category:

- If data of a child who has confidentially asked for help with domestic abuse has been involved in a data breach, the data controller may decide not to notify the data subject for fear of their parents finding out.
- The data controller's interests would be so disproportionately affected that its rights and freedoms are breached. For example, if the data controller is about to finalize a merger with another business and a data breach incident occurs, it is allowed to postpone notification to the data subject (but not to the DPA).

How and when should the data subject be notified?

The data subject should be notified without delay, which means that the data controller:

- may take some time to investigate the incident in order to prepare a proper and thorough notification;
- must be aware that the data subject might have to take measures to protect themselves from harm;
- may issue an initial notification to allow data subjects to e.g. change their passwords, without providing full details (yet).

The data controller will have to inform the DPA when it intends to notify the data subject. This commitment is binding on the data controller, unless it later amends the notification.

5. After notification

Maintaining a record of the incident

The data controller will have to keep a record of all data breaches that were serious enough to warrant a notification to the DPA. This record need not be made public. Each record should be kept for at least one year following the final notification to the data subject. In case the data controller decided not to inform the data subject (e.g. because of encryption, or because an overriding pressing interest prevented this), the record must be kept for at least three years. In that case, the notification should be reviewed at least annually to determine whether there are reasons to notify after some time has passed (e.g. it turns out the encryption contains a vulnerability).

How will the DPA respond upon receipt of a notification?

If the notification is cause for further action, the DPA will contact the data controller. The primary purpose will be to verify that the notification indeed originates from the data controller and to ask questions about the event. The DPA can force the data controller to notify data subjects if the data controller wrongfully decided not to inform them. The DPA will keep a non-public record of every notification. Only if the data controller has afforded itself a plainly unreasonable margin of appreciation in deciding not to file a notification about the incident will the DPA impose a fine.

Contact

Maarten Goudsmit
020-5506 683
maarten.goudsmit@kvdl.com

Maarten Goudsmit is an associate in the Privacy and Technology teams and has been with Kennedy Van der Laan since 2012. In 2004 Maarten began his law studies at the University of Amsterdam and graduated with a specialization in Information Law. After earning his master's degree in Amsterdam, Maarten studied IP & IT Law at Fordham University in New York City, and earned his LL.M magna cum laude. Before moving to Kennedy Van der Laan, Maarten worked as an attorney at another major law firm in Amsterdam for a year and a half.