NEWS FROM PLESNER, JUNE 2008

INTERNET AND EMAIL SECURITY

Introduction

By Attorney-at-Law, junior partner Michael Hopp

In Denmark, a data controller must implement appropriate technical and organisational security measures to protect data against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure and abuse. Until recently, no specific rules, regulations or guidelines had been issued concerning the specific internet security requirements placed on private data controllers. However, on 16 June 2008 the Danish Data Protection Agency issued a statement setting out the Agency's requirements and recommendations regarding the transfer of personal data via the internet in the private sector.

It follows from the statement that the transfer of sensitive data and civil registration numbers via websites must be encrypted. Encryption is also required if the processing of personal data takes place according to an authorisation issued by the Data Protection Agency with specific terms and conditions in this regard.

The Danish Data Protection Agency has not issued an English version of the statement. However, a translation of the statement can be found below.

The requirements and recommendations of the Data Protection Agency regarding private companies' transfer of personal data via the internet

In 2007, the Data Protection Agency decided to review the security regulations of the Act on Processing of Personal Data in relation to private companies' transfer of personal data via the internet.

With a total staff of 345, including 195 lawyers, Plesner is one of Denmark's leading international law firms with expertise in all areas of commercial and public law. Plesner's vision is to be the best law firm in Denmark - the natural choice for any Danish or foreign business needing legal advice on commercial matters.
In this connection, the Data Protection Agency has consulted a number of organisations etc. The hearing responses are summarised in a report. Read the Data Protection Agency's hearing report [in Danish]

After the Data Protection Council's review, the Data Protection Agency has decided that, until further notice, the requirements and recommendations below shall constitute the legal basis for the Agency's administration of the security regulations laid down in the Act on Processing of Personal Data in relation to the private sector. In doing so, the Data Protection Agency seeks to strike a reasonable balance between the possibilities of using the internet and email throughout society as effective means of communication and the need to protect personal data against abuse, loss etc.

The Data Protection Agency distinguishes between communication via websites and communication by email, because the actual means of protecting data differ for these two types of transfer.

The decision of the Data Protection Agency implies that the Agency only makes specific demands for encryption when:
- transferring sensitive data via websites,
- transferring civil registration numbers via websites, and
- in cases in which the processing of personal data in the private sector takes place according to an authorisation in which terms and conditions regarding specific security regulations for transmission over the internet have been determined.

In a number of other situations the Data Protection Council recommends that personal data be protected when transferred over the internet. At the same time, the Data Protection Council requests that all interested parties take the protection of personal data into consideration when preparing and selecting new technical solutions for the transfer of personal data.
The Data Protection Agency hopes that, concurrently with the development and distribution of new digital solutions, the possibilities of protecting personal data effectively, and without incurring too much expenditure for the parties involved, will be developed. The present requirements and recommendations from the Data Protection Agency must, therefore, be reconsidered as new technical means of data protection become easily accessible.

More detailed information about the Data Protection Agency's requirements and recommendations

The requirements of the Act on Processing of Personal Data

According to the Act on Processing of Personal Data, companies, organisations, associations etc. must protect all personal data processed by them by adequate security means. According to the act it is, as a starting point, up to the individual company to assess and decide which security means are required in a given situation. The requirement for protection applies, inter alia, when data are being transferred via the internet. It also applies when the company etc. makes it possible for customers and other persons to send information to the company via its website.

Transfer of personal data via websites

Communication via websites may be safeguarded by means of SSL encryption etc. It is possible to implement various degrees of encryption, including what is also described as "strong encryption" (a 128-bit SSL/TLS connection). The use of secure communication does not require the company's customers or users of the website to install a specific solution. At the same time, the website's certificate assures users that they are communicating with the right recipient.

Requirement for encryption of sensitive personal data

Transfer of sensitive personal data via websites must be encrypted.

Requirement for encryption of civil registration numbers

Transfer of civil registration numbers via websites must be encrypted.
Recommendation regarding encryption of ordinary, private personal data

The Data Protection Agency recommends that the transfer of non-sensitive private (confidential) personal data via websites be protected by encryption.

Particulars regarding transfer of personal data via websites from company to user

If users gain access to personal data via the website, e.g. about themselves, security must be provided to ensure that the information is not passed on to third parties. This may be done through the use of PIN codes or digital signatures. If access to sensitive personal data is given, the Data Protection Agency recommends the use of digital signatures.

Transfer of personal data via email

Requirement for encryption in accordance with terms and conditions issued by the Data Protection Agency

If processing takes place according to an authorisation from the Data Protection Agency, the processor must comply with the terms and conditions of the authorisation regarding encryption. This applies to:
- private research projects
- warning registers and credit information agencies
- other private companies etc. that have obtained an authorisation from the Data Protection Agency prescribing conditions regarding encryption

The assessment of the individual company

If the Data Protection Agency has not laid down conditions etc. regarding encryption, it is, as a starting point, up to the individual company to assess and decide which security regulations are required when personal data are transferred by email. The decision of the individual company must be made on the basis of an assessment of, among other things:
- the type of information and the context in which it appears, including the consequences that loss of the information may have,
- whether the transfer of personal data takes place between:
  - two professional parties, e.g. attorneys, trade unions, auditors etc., where other persons are mentioned, or
  - a professional participant and a private person such as a customer, a client, a member etc.,
- the costs related to the implementation of security regulations.

The Data Protection Agency recommends encryption

when sending sensitive personal data by email via the internet

The Data Protection Agency recommends using encryption when an email or a document contains sensitive personal data and is sent via the internet.

when sending the civil registration number by email via the internet

Due to the special character of the civil registration number, the Data Protection Agency recommends that civil registration numbers are only sent via the internet using encryption. It is the assessment of the Agency that in many cases it will be possible for companies wanting to send emails without encryption to omit the civil registration number from the email or the document forwarded. This also applies to situations where a company would like to reply to an email from a private person in which the person himself has forwarded the civil registration number without the use of encryption.

Datatilsynet [The Danish Data Protection Agency]
Borgergade 28, 5
1300 København K
Tel: +45 3319 3200
Fax: +45 3319 3218
E-mail: dt@datatilsynet.dk