The institution establishes security measures to enforce data privacy policies for personal and sensitive data in particular.
This covers specific security issues affecting the implementation of a global system for the protection of privacy and personal data, and measures specifically related to privacy and personal data (covering both routine files containing personal data and sensitive personal data files).
Guideline code
ICT_03800
Mechanism
- The ICT unit should establish security measures for the protection of personal data files in order to ensure data privacy. These measures should be compiled in a master guide and should include:
  - Security measures for routine personal data files, explicitly defining access rights and implementing rigorous mechanisms to both control access and log all operations;
  - Security measures for sensitive personal data files, which apply in addition to those for routine personal data. They should include cryptography mechanisms, restrictions on the movement of sensitive data outside the data centre and strict procedures for sensitive data management;
  - Security measures for data access and manipulation. The treatment of personal data should follow an established protocol to restrict data access and manipulation to authorized cases.
- The management should approve, adopt and communicate the security measures to all units involved.
Structure
- The ICT unit should define and implement security measures to protect the privacy of data.
- The management should define relevant duties and responsibilities for the enforcement of security policies concerning data privacy based on the information security management structure.
- Security measures for data privacy should be based on the institutional information security management framework as well as on international standard ISO/IEC 27002:2005 Information technology – Security techniques.
Title HTML
Guideline 29. Security measures for data privacy
Type
Guideline_1
Weight
41