-1- WORKSHOP ON DATA PROTECTION AND DATA TRANSFERS TO THIRD COUNTRIES
Technical and organizational security measures
Skopje, 16 May - 17 May 2011
María José Blanco Antón, Head of the Data Protection Register
José Leandro Núñez García, Advisor on International Affairs
Spanish Data Protection Agency

-2- Legal framework
- Europe
  - Convention 108 of the European Council
  - Directive 95/46/CE on Data Protection (EU Directive)
- Other international instruments
  - OECD guidelines
  - International Standards on the Protection of Personal Data and Privacy, Madrid Resolution, 5th Nov 2009
- Spain
  - Spanish Data Protection Act – LOPD (Organic Law 15/1999 of 13 December)
  - Regulation implementing LOPD – RLOPD (Royal Decree 1720/2007 of 21 December)
SECURITY AND DATA PROTECTION

-3- Security principle
- Section 9 LOPD. Data security. The data controller or data processor has to adopt:
  - Technical and organisational measures that prevent the alteration or loss of the data and control unauthorised processing or access
  - taking into account the state of technology, the nature of the data and the risks to which they are exposed (human action, physical or natural environment)
- Goal: integrity, availability and confidentiality

-4- Security measures
- Title VIII RLOPD. Regarding security measures in the processing of personal data
  - Levels of security
  - Document of security
  - Basic conditions of security
- Scope:
  - Data controller
  - Data processor
  - Every personal data processing under the scope of LOPD
  - Independent of the processing media: local, online, telecommunications, ...
  - From the design of the information systems to the actual processing of data

-5- Levels of security
- HIGH level
  - Sensitive data
  - Security forces without consent of the data subjects
  - Acts of gender-based violence
- MEDIUM level
  - Criminal or administrative offences
  - Information services on creditworthiness and credit
  - Tax Administrations - tax powers
  - Finance - Financial Services. Social Security
  - Evaluation of identity or behaviour
  - Operators providing electronic communications services processing traffic and location data (also, access log register)
- BASIC level
  - Any other file, plus processing of sensitive data in the case of:
    - Monetary transfers - entities to which data subjects are associated or members
    - Incidental processing without relation to its former purpose
    - Degree of disability - performance of public duties

-6- Levels of security
- HIGH LEVEL
- MEDIUM LEVEL
- BASIC LEVEL
Requirements provided for in these three security levels are cumulative.

-7- Document of security
- Scope of application of the document
- Measures, regulations, protocols aimed at guaranteeing the level of security required
- Tasks and obligations of users
- Structure and description of the filing systems
- Procedure of notification, management and response to security incidents
- Backup copies and recovery of the data
- Transport of documents and files
- Identification of the security officer
- Control measures to verify the fulfillment of security

-8- Document of security
- Access control
  - Identification and authentication
  - Log access register (1)
  - Electronic communications accesses (networks, intranet, ...) (2)
- Management of media and documents
  - Input and output (2)
  - Transport of documents, media, ...
  - Temporary files and copies of documents
- Backups
- Tasks and obligations of users
  - Information and training
- Procedure of notification, management and response to security incidents
- Security audit (1)
(1) Required on medium and high level
(2) Sensitive data require encryption

-9- Security measures and authorization of data transfers
- Standard contractual clauses require a description of the security measures provided by the importer of data
  - Afford the same conditions as the exporter of data
  - Security measures of RLOPD or similar
  - Commitment to comply with the level of security of RLOPD
  - Description of measures (based on acknowledged standards ...)
- Remote access from third countries could be allowed if it is performed in a way equivalent to that applicable to local access
- In any case, if the transfer includes sensitive data:
  - Encryption of data
  - Log access register
  - Security audit every 2 years

-10- Security measures and authorization of data transfers
- Although in Spain it is only compulsory for processing subject to the high-level security requirements, encryption of communications over public networks is an increasingly widespread technique.
- Encrypting is not enough: data should be encrypted in such a way that the information is neither accessible nor modifiable by third parties.
  - The RC4 algorithm, used in WEP WiFi or in Adobe PDF, is not safe
  - SHA or AES algorithms, among others, could be considered safe
- While Spain only requires information to be encrypted while it is being transmitted, other countries (such as Italy) require that some sensitive data are also stored in encrypted form.
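An added illustration (not from the slides) of the point that data must be neither accessible nor modifiable by third parties: AES-GCM, an authenticated mode, refuses to decrypt a ciphertext that has been altered, while a bare stream cipher such as RC4 decrypts an altered ciphertext without any error. The key, nonce handling and sample record are constructed for this example and are not part of the Spanish DPA material.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
	"errors"
)

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealRecord encrypts one record with AES-GCM; the random nonce is prepended
// and the GCM tag makes any later modification detectable.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// openRecord decrypts and verifies; a modified ciphertext yields an error,
// never silently altered data.
func openRecord(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}
// rc4Apply is the contrast case from the slide: RC4 hides the bytes but has
// no integrity check, so an altered ciphertext decrypts to altered plaintext.
func rc4Apply(key, data []byte) []byte {
	c, _ := rc4.NewCipher(key) // constructed demo key; RC4 only for contrast
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out
}
```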

-11- Security breaches
- Individuals should be informed when their data are accidentally or unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorised persons.
- The e-Privacy Directive includes a mandatory personal data breach notification which covers the telecom sector.
- Given that risks of data breaches also exist in other sectors (e.g. the financial sector), the Commission is examining how to extend this obligation to other sectors.
- A positive measure, because it:
  - Benefits individuals
  - Favours transparency
  - Guarantees that strong security measures are in place

-12- Security measures as a part of the Madrid Resolution

-13- Security measures as a part of the Madrid Resolution
- Apart from those provisions, the Madrid Resolution encourages the implementation of proactive measures such as:
  - Implementation of information security standards
  - Appointment of data protection officers
  - Implementation of training and awareness programs
  - Conduct of periodic audits
  - Privacy by Design / Privacy by Default
  - Privacy Impact Assessments
  - Adoption of codes of conduct
  - Implementation of response plans in case of breaches
- These measures should be put in place in a coherent and systematic way, in order to promote compliance.
