INTERNET AND EMAIL SECURITY




NEWS FROM PLESNER, JUNE 2008

Introduction

By Attorney-at-Law, junior partner Michael Hopp

In Denmark, a data controller must implement appropriate technical and organizational security measures to protect data against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure and abuse. Until recently, no specific rules, regulations or guidelines had been issued concerning the specific requirements of internet security placed on private data controllers. However, on 16 June 2008 the Danish Data Protection Agency issued a statement in which the Agency's requirements and recommendations regarding transfer of personal data via the internet in the private sector are set out.

It follows from the statement that transfer of sensitive data and civil registration numbers via websites must be encrypted. Encryption is also required if the processing of personal data takes place according to an authorisation issued by the Data Protection Agency with specific terms and conditions in this regard.

The Danish Data Protection Agency has not issued an English version of the statement. However, a translation of the statement can be found below.

With a total staff of 345, including 195 lawyers, Plesner is one of Denmark's leading international law firms with expertise in all areas of commercial and public law. Plesner's vision is to be the best law firm in Denmark - the natural choice for any Danish or foreign business needing legal advice on commercial matters.

The requirements and recommendations of the Data Protection Agency regarding private companies' transfer of personal data via the internet

In 2007, the Data Protection Agency decided to review the safety regulations of the Act on Processing of Personal Data in relation to private companies' transfer of personal data via the internet.

In this connection, the Data Protection Agency has consulted a number of organisations etc. The hearing responses are reported in a report. Read the Data Protection Agency's hearing report [in Danish].

After the Data Protection Council's review, the Data Protection Agency has decided that, until further notice, the requirements and recommendations mentioned below shall constitute the legal basis for the Agency's administration of the safety regulations laid down in the Act on Processing of Personal Data in relation to the private sector. By doing so, the Data Protection Agency seeks to find a reasonable balance between the possibilities of using the internet and email throughout society as effective means of communication and the need to protect personal data against abuse, loss etc.

The Data Protection Agency distinguishes between communication via websites and communication by email, because the actual means of protecting data are different for these two types of transfer.

The decision of the Data Protection Agency implies that the Agency only makes specific demands for encryption when:

- transferring sensitive data via websites,
- transferring civil registration numbers via websites, and
- in cases in which the processing of personal data in the private sector takes place according to an authorisation in which terms and conditions regarding specific safety regulations for transmission over the internet have been determined.

In a number of other situations the Data Protection Council recommends that personal data be protected when transferred over the internet. At the same time, the Data Protection Council requests that all interested parties include considerations for the protection of personal data when preparing and selecting new technical solutions for the transfer of personal data.

The Data Protection Agency hopes that, concurrently with the development and distribution of new digital solutions, the possibilities of protecting personal data effectively, and without incurring too much expenditure for the involved parties, will be developed. The present requirements and recommendations from the Data Protection Agency must, therefore, be reconsidered as new technical means of data protection become easily accessible.

More detailed information about the Data Protection Agency's requirements and recommendations

The requirements of the Act on Processing of Personal Data

According to the Act on Processing of Personal Data, companies, organisations, associations etc. must protect all personal data processed by them by adequate safety means. According to the act it is, as a starting point, up to the individual company to assess and decide which safety means are required in a given situation. The requirement for protection applies inter alia when data are being transferred via the internet. It also applies when the company etc. makes it possible for customers and other persons to send information to the company via its website.

Transfer of personal data via websites

Communication via websites may be safeguarded by means of SSL encryption etc. It is possible to implement various degrees of encryption, including what is also described as "strong encryption" (a 128-bit SSL/TLS connection). The use of safe communication does not require implementation of a specific solution for the company's customers or users of the website. At the same time, the solution implies that the users, by means of the website's certificate, are assured that they are communicating with the right recipient.

Requirement for encryption of sensitive personal data

Transfer of sensitive personal data via websites must be encrypted.

Requirement for encryption of civil registration numbers

Transfer of civil registration numbers via websites must be encrypted.

Recommendation regarding encryption of ordinary, private personal data

The Data Protection Agency recommends that transfer of non-sensitive private (confidential) personal data via websites be protected by encryption.

Particulars regarding transfer of personal data via websites from company to user

If users gain access to personal data via the website, e.g. about themselves, security must be provided to ensure that the information is not passed on to third parties. This may be done through the use of PIN codes or digital signatures. If access to sensitive personal data is given, the Data Protection Agency recommends the use of digital signatures.

Transfer of personal data via e-mail

Requirement for encryption in accordance with terms and conditions issued by the Data Protection Agency

If processing takes place according to an authorisation from the Data Protection Agency, the processor must comply with the terms and conditions of the permission regarding encryption. This applies to:

- private research projects
- warning registers and credit information agencies
- other private companies etc. that have obtained authorisation from the Data Protection Agency prescribing conditions regarding encryption

The assessment of the individual company

If the Data Protection Agency has not laid down conditions etc. regarding encryption, it is, as a starting point, up to the individual company to assess and decide which safety regulations are required when personal data are transferred by email. The decision of the individual company must be made on the basis of an assessment of, among other things:

- the type of information and the relation in which they take part, including the consequences that loss of the information may have;
- whether it is a matter of transfer of personal data between two professional parties, e.g. attorneys, trade unions, auditors etc., in which other persons are mentioned, or between a professional participant and a private person such as a customer, a client, a member etc.;
- the costs related to the implementation of safety regulations.

The Data Protection Agency recommends encryption

When sending sensitive personal data by email via the internet

The Data Protection Agency recommends using encryption when an email or a document contains sensitive personal data and is sent via the internet.

When sending the civil registration number by email via the internet

Due to the special character of the civil registration number, the Data Protection Agency recommends that civil registration numbers are only sent via the internet using encryption. It is the assessment of the Agency that in many cases it will be possible for companies wanting to send emails without encryption to omit the civil registration number from the email or the document forwarded. This also applies to situations where a company would like to reply to an e-mail from a private person in which the person has forwarded his or her own civil registration number without the use of encryption.

Datatilsynet [The Danish Data Protection Agency]
Borgergade 28, 5
1300 København K
Tel: +45 3319 3200
Fax: +45 3319 3218
E-mail: dt@datatilsynet.dk
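The Agency's email recommendations above (sensitive personal data and civil registration numbers should only leave the company encrypted, and a civil registration number can simply be omitted from an unencrypted mail) can be turned into an outbound-mail check. The following Python is an added example, not code from Plesner or the Agency; the DDMMYY-SSSS layout of the civil registration number and the date-plausibility filter are assumptions, and the sample email is constructed.

```python
import re
from datetime import date

# Danish civil registration number (CPR) written as DDMMYY-SSSS, hyphen
# optional (layout assumed for this example; the page gives no format).
CPR_RE = re.compile(r"\b(\d{2})(\d{2})(\d{2})-?(\d{4})\b")

# Constructed sample of an unencrypted reply to a customer.
SAMPLE_EMAIL = ("Dear customer, we have updated your case. Your CPR number "
                "010190-1234 is registered; order ref 311399-0001 is shipped.")


def is_plausible_cpr(m: re.Match) -> bool:
    """Keep only matches whose DDMMYY part is a real calendar date.
    The 7th digit encodes the century, so 19xx and 20xx are both tried;
    this is a plausibility filter, not an authoritative validator."""
    dd, mm, yy = int(m.group(1)), int(m.group(2)), int(m.group(3))
    for century in (1900, 2000):
        try:
            date(century + yy, mm, dd)
            return True
        except ValueError:
            continue
    return False


def find_cpr_numbers(text: str) -> list:
    return [m.group(0) for m in CPR_RE.finditer(text) if is_plausible_cpr(m)]


def redact_cpr(text: str) -> str:
    """Omit the CPR number, as the Agency suggests for unencrypted mail."""
    return CPR_RE.sub(lambda m: "[CPR omitted]" if is_plausible_cpr(m)
                      else m.group(0), text)


def outbound_email_decision(body: str, sensitive: bool,
                            encryption_available: bool) -> tuple:
    """Map the Agency's recommendations onto one of four outcomes.
    `sensitive` is the sender's own classification of the content
    (the Agency leaves that assessment to the company)."""
    has_cpr = bool(find_cpr_numbers(body))
    if sensitive and not encryption_available:
        return ("block", body)            # no safe way to send it
    if has_cpr and not encryption_available:
        return ("send_redacted", redact_cpr(body))
    if sensitive or has_cpr:
        return ("send_encrypted", body)
    return ("send", body)
```

The order reference in the sample is not flagged because its first six digits are not a valid date, which keeps the check from rewriting every ten-digit number it sees.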