The Security of Personal Data 

Summary

Our privacy legislation defines standards for the exercise of fair and lawful processing of personal data. It is very important, for example, that appropriate technical and organisational measures are taken to protect personal data against loss and unlawful processing. This document considers how the obligation to provide protection should be fulfilled in practice – the requirements that personal data protection measures should meet. The document sets out the Dutch Data Protection Authority’s (DPA) practical guidance for controllers in the context of the statutory framework.

A controller’s duty to protect personal data is a corollary to the individual’s right to privacy. This right is established in international treaties, in European legislation, in the Dutch constitution and in legislation. In the Netherlands, the Wet bescherming persoonsgegevens (Wbp; Dutch Personal Data Protection Act) has provided the general basis for this field of law since it came into force on 1 September 2001. Responsibility for supervising compliance with the Wbp lies with the Dutch DPA. The Wbp regulates the processing of personal data, i.e. any procedure involving such data, from its collection to its destruction. Before collecting personal data, a controller – the person responsible for the processing of the data – must look into the question of appropriate security measures. The Act covers both automated and manual data processing. Measures and procedures already in place for the protection and processing of data need to be tested against the requirements of the Wbp and revised as necessary.

The security that must be provided goes beyond information security; all matters relevant to the processing of personal data must be addressed – not just those that fall within the ICT domain of information security. This document describes the additional measures to be taken to supplement those needed for compliance with general security requirements. This is because the Wbp stipulates that extra measures must be taken to ensure the security of personal data processing activities. The measures put in place must therefore be broader than those needed to satisfy general data security requirements.

The protection of personal data is concerned with three quality aspects: exclusivity, integrity and continuity. The guidance set out in this document is particularly concerned with measures and procedures for protecting the exclusivity of personal data. The other two aspects are covered by the general system of security measures.

The legal basis for personal data protection measures is formed by Article 13 of the Wbp. The relevant passage of the Act states: “The controller shall implement appropriate technical and organizational measures to secure personal data against loss or against any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, and having regard to the risks associated with the processing and the nature of the data to be protected. These measures shall also aim at preventing unnecessary collection and further processing of personal data.” The level of security that a controller must provide will depend on the risk class. Article 13 of the Wbp forms the basis for the use of Privacy-Enhancing Technologies (PETs). PETs are a coherent system of ICT measures protecting informational privacy (in accordance with European directive 95/46/EC and the Wbp) by eliminating or minimising personal data or by preventing the unnecessary or unwanted processing of such data, without compromising the functionality of the information system. The use of PETs is more than an appropriate technical measure; it is a means of systematically ensuring compliance with the Wbp.


Protection levels for personal data
In the protection of personal data, it is important that the measures taken address threats that are realistic, given the nature of the data concerned and the scale of the processing activities. The risk may be regarded as the product of the likelihood of an undesirable event and the seriousness of the implications of that event. The greater the risk, the stricter the protection requirements that must be met. As a guide to the measures that are appropriate, data processing procedures are divided into a number of predefined risk classes. Each class is linked to a particular level of protection. The main factors influencing the level of protection required include:

  • The significance attached by society to the personal data to be processed.
  • The level of awareness within the processing organisation regarding information security and the protection of personal data and subjects’ privacy.
  • The nature of the ICT infrastructure within which the personal data is to be processed.

In each case, the controller must perform a thorough analysis. On the basis of the findings, the controller can decide which risk class the intended procedure falls into and what level of protection is therefore required. The analysis must be verifiable and it must be possible to give an account of the analysis if necessary. Four risk classes are recognised:

  • Risk class 0: Public-level risk
  • Risk class I: Basic-level risk
  • Risk class II: Increased risk
  • Risk class III: High risk

Risk class 0: Public-level risk
The personal data to be processed is already in the public domain. It is generally accepted that use of the data for the intended purpose represents no risk to the subjects. This document therefore proposes no special protection measures.

Risk class I: Basic-level risk
The consequences for the subjects of the loss or unauthorised or inappropriate use of their personal data are such that standard (information) protection measures are sufficient.

Risk class II: Increased risk
The loss or unauthorised or inappropriate use of the personal data would have additional consequences for the subjects. Certain types of personal data referred to in Article 16 of the Wbp enjoy special legal protection and therefore require at least the level of protection associated with this risk class. The types of personal data in question are data concerning a data subject’s religion or philosophical beliefs, race, political opinions, health, sex life, trade-union membership, criminal record or record of unlawful or antisocial behaviour following the imposition of an injunction.

Risk class III: High risk
Where several collections of special categories of personal data are to be processed, the potential consequences of processing can be sufficiently serious for the data subjects that the procedure warrants inclusion in risk class III. The measures taken to protect data processed in a class III procedure must meet the highest standards.

The interrelationships between the various risk classes are summarised in the table below.

                                      Nature of personal data
                                      -----------------------------------------------------------------------------
Quantity of personal data             Personal data      Sensitive personal data        Personal data of a financial
(nature and volume) /                                    (in accordance with            and/or economic nature
Nature of processing                                     Article 16 Wbp)
-----------------------------------------------------------------------------------------------------------------------
Small quantity of personal data,      Risk class 0       Risk class II                  Risk class II
simple processing
Large quantity of personal data,      Risk class I       Risk class III
complex processing

The security of personal data in practical situations
The requirements that apply to the protection of personal data are presented below, divided into fourteen categories. The measures that should be taken in a particular case depend on the risk class in which the processing procedure is placed on the basis of the risk analysis.

Security policy, protection plan and implementation of the system of measures and procedures
The management formulates a policy setting out general information security requirements and specific personal data protection requirements. On the basis of this policy, a plan is drawn up for the creation of a system of protection measures. The responsibilities of staff members with regard to the implementation of the protection policy must be defined. Compliance must be checked regularly and validity in the current circumstances must be reviewed regularly.

Administrative organisation
The term ‘administrative organisation’ covers the entire system of measures relevant to the systematic processing of data in order to provide information to facilitate the management and operation of the organisation, as well as to facilitate the process of accounting for such activities. The measures and procedures must be defined in a structured manner. Furthermore, it is important that they are reviewed whenever changing circumstances make this appropriate. To this end, regular checks should be carried out to ascertain whether the procedures and measures are consistent with current practice. It is also important that the responsibilities with regard to information security and data processing are properly defined.

Privacy awareness
Practical application of protection measures is normally down to an organisation’s staff, all of whom need to play their part. It is therefore necessary to build up or maintain an adequate level of privacy awareness within the organisation. Checks on application and compliance are important.

Personnel requirements
In order to minimise the risk of inappropriate processing, it is important that the need for care and attention in this area is taken into account during the recruitment and selection of personnel. Responsibilities with regard to the protection of personal data must be set out in job descriptions.

Organisation of the workplace
One of the most important aspects of information security is ensuring that data (in general) does not come into the possession of unauthorised individuals. Appropriate measures – which often do not need to be at all complicated – are required to minimise the risk of unauthorised access to personal data. Personal data is sometimes transported on portable media. PCs and data carriers should be properly secured and unauthorised access prevented.

Management and classification of the ICT infrastructure
For operational purposes, an organisation needs to have an up-to-date overview of its ICT facilities. Proper management of the ICT infrastructure is also necessary for the protection of personal data.

Access control
An organisation is required to define measures and procedures to prevent unauthorised access to locations and information systems at or in which personal data is held. This implies being able to close off and control access to relevant areas and ensuring that information systems can be accessed only by authorised personnel. It is also important that records are kept indicating who is authorised to do what, and that regular authorisation checks are carried out.

Networks and external interfaces
The transmission of personal data via a network involves a significant security risk. It is therefore strongly recommended that personal data be encrypted for transmission. Encryption at least ensures that messages containing personal data cannot be read by unauthorised persons except through deliberate, intentional effort.

Use of third-party software
In order to minimise security risks, illegal or unapproved third-party software should never be used for data processing. Regular checks are important to ensure that this principle is adhered to. All software modifications should be documented and managed using a problem and change management system. Procedures for the modification and replacement of software should also be in place.

Bulk processing of personal data
Processes involving personal data on numerous subjects are frequently automated or semi-automated. Integrated or non-integrated automated bulk processes are initiated, then allowed to complete without further interruption. The controller nevertheless remains responsible for the processing at all stages; responsibility cannot be transferred to the system manager.

Storage of personal data
The management of data carriers is important for the protection of personal data. System backups should be made at regular intervals. Clear procedures should be defined for the production of backup personal data files, and adherence to these procedures should be checked. Data carriers bearing personal data should be carefully stored and transported, so that unauthorised persons cannot remove them or view the data. Data carriers bearing personal data in risk classes II or III should be stored in lockable areas with appropriate break-in protection, even if the data is stored in encrypted form.

Destruction of personal data
Personal data and data carriers that are no longer required should be destroyed in an appropriate manner once any applicable statutory or other retention period has elapsed. Responsibilities with regard to the destruction of personal data and data carriers should be clearly defined and personnel should be aware who is responsible for doing what.

Contingency plan
Every organisation should have a contingency plan indicating exactly what is to happen in the event of an emergency. However, such a plan is useful only if personnel are familiar with it and regular drills have been held to practise its implementation. An organisation’s contingency plan should set out a procedure for the resumption of data processing following an emergency.

Contracting out of and contracts for the processing of personal data
An organisation will sometimes choose to contract out some or all of its personal data processing activities, rather than perform them in-house. Under such circumstances, the external processor must guarantee the same level of protection as that provided by the controller. A contract made with an external processor must make provision for the protection of personal data. Furthermore, the external processor must sign a confidentiality contract. If an external processor handles personal data, the controller must supervise the processor’s protection arrangements by, for example, carrying out periodic checks.