Guideline 28. Data privacy policies and regulations

The institution establishes policies on data privacy management based on the corresponding regulations.

This refers not only to national regulations but also to requirements related to international data exchange.

Guideline code
ICT_03700
Mechanism
  • The management should analyse the legal and regulatory environment, taking into account all instruments which could affect the institution’s activities, including both national regulations and those governing the implementation of international agreements.
  • The board and/or management should formalize agreements with external organizations on the mutual respect of data privacy regulations during collaboration between institutions.
  • The internal audit office should carry out a detailed audit of files containing personal data and classify them according to their level of sensitivity.
  • The unit responsible for data privacy (“specialized unit”) should establish procedures to ensure the appropriate treatment of personal data, i.e. to minimize the amount of data collected and ensure that data is accurate, up to date and used solely for defined purposes. The unit should implement adequate security measures for personal data files.
  • The specialized unit should implement data collection mechanisms in compliance with the applicable data privacy policies and regulations.
  • The specialized unit should implement mechanisms which protect personal rights concerning data. Such mechanisms should enable people to access their personal data stored by the institution and ensure that proper consent is obtained when necessary.
  • The specialized unit should establish data transfer mechanisms to third parties which comply with the applicable data privacy policies and regulations.
  • The public relations unit should carry out information campaigns and training activities explaining the scope and impact of the data privacy regulations and policies, for both the staff of the institution and other members of the social security system.
  • The internal audit office should periodically audit and monitor the data privacy measures and mechanisms in place.
Structure
  • The board and management should establish a policy on data privacy and protection in accordance with the legal and regulatory environment.
  • The board and management should define the legal and regulatory environment of the institution, taking into account not only national regulations but also agreements with external organizations concerning mutual respect of data privacy.
  • The management should designate responsibility (e.g. to a specialized unit) to develop a strategic plan to implement data privacy policies. An organizational structure (e.g. a unit or a committee) should coordinate measures and report to the management.