Are there specific security obligations that must be complied with?
Allende & Brea
According to Section 9 of the Data Protection Act, the registration of personal data in a database is forbidden if the technical conditions for the integrity and security of the data are not met. The responsible person must adopt all the organisational and technical measures necessary to guarantee the confidentiality and security of the personal data in a manner that prevents non-authorised modifications, loss, access or processing, or allows for the detection of information deviations, whether the risks arise from human interaction or the technical infrastructure.
Section 10 of the Data Protection Act imposes a confidentiality duty on the responsible person and every person involved in the processing of personal data, even after the relationship with the data subject has ended. This duty can be lifted only by a judicial writ based on a national security, public safety or public health matter.
Dorda Brugger Jordis
Yes. The Data Protection Act sets out technical and organisational measures that data controllers must undertake to secure personal data against:
- unauthorised access;
- accidental or unlawful destruction, manipulation, disclosure and transfer; and
- other unlawful processing.
Data controllers must also comply with data confidentiality rules and ensure that personnel who process personal data are bound by confidentiality obligations.
The Data Protection Act does not expressly stipulate which data security measures must be taken, but provides that any such measures should reflect the current state of technological capabilities and be economically tenable. Thus, good industry practices have become crucial in determining the necessary data security measures to take in the event of a breach of the act or internal control systems. Such practices are particularly relevant in the context of an internal control systems breach, where the courts will examine the potential liability of persons responsible for the breach (eg, managing directors). Liability for lack of sufficient data security seldom arises when good industry practices are followed.
The specific security obligations include legal, organisational and technical data protection measures:
- The legal measures include concluding agreements with individuals whose personal data is collected and processed. The agreements should provide the terms of personal data usage and define parties’ responsibility for breach of such terms.
- The organisational measures include establishing a special regime for entrance to the premises where the collection and processing of the personal data are carried out, and establishing a list of employees with access to such premises and data.
- The technical measures include using cryptography and other measures of control over information protection.
Under the Personal Information Protection and Electronic Documents Act (SC 2000, c 5) (PIPEDA), organisations must implement safeguards that are appropriate to the sensitivity of the personal data. Safeguards should include physical, technical and administrative controls to prevent loss or unauthorised access to or modification or disclosure of personal data. Some regulatory and self-regulatory bodies have published additional guidance, particularly with respect to cybersecurity. For example, the Office of the Superintendent of Financial Institutions and the Investment Industry Regulatory Organisation have published cybersecurity guidance. It is possible that the federal government may, in the future, enact legislation mandating security measures for critical infrastructure.
Mayer Brown LLP
Data controllers must take all practicable steps to ensure that the personal information they hold is protected against disclosure, tampering, damage or loss. Should any of these occur, or should there be a risk of them occurring, remedial measures must be taken immediately.
Article 13 of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users imposes the following security requirements on telecommunications operators and internet service providers:
- Specify the responsibilities of each department, post and branch in terms of managing the security of personal information;
- Establish the authority of different staff members and agents, review the export, duplication and destruction of information, and take measures to prevent the leak of confidential information;
- Properly retain the carriers that record users’ personal information, such as hard-copy media, optical media and magnetic media, and take appropriate secure storage measures;
- Conduct access inspections of the information systems that store users’ personal information, and put in place intrusion prevention, anti-virus and other measures;
- Record operations performed with users’ personal information, including the staff members who perform such operations, the time and place of such operations and the matters involved;
- Undertake communications network security protection work as required by the relevant telecommunications authority; and
- Take other necessary measures as prescribed by the relevant telecommunications authority.
The Provisions on Protecting the Personal Information of Telecommunications and Internet Users also require that telecommunications operators and internet service providers provide staff members with training in the relevant skills and responsibilities relating to the protection of personal information. They must also conduct at least one self-audit of their data protection measures, record the results and promptly eliminate any security risks discovered during the audit.
Havel, Holásek & Partners s.r.o.
Both the data controller and the data processor are responsible for adopting appropriate measures to prevent any unauthorised or accidental access to or alteration or other abuse of the personal data (even after terminating the data processing). To that end, the data controller or data processor will conduct relevant risk assessments concerning:
- the performance of instructions relating to data processing by persons with direct access to personal data;
- the prevention of unauthorised access to personal data and the means of processing;
- the unauthorised accessing, creation, copying, transfer, alteration or deletion of personal data; and
- the measures enabling identification of the parties to whom personal data was provided.
With regard to automatic processing systems, the data controller and data processor must also ensure that:
- the systems may be used only by authorised persons;
- the authorised persons have only the necessary access rights;
- electronic auditing enables the identification of who has accessed (or created) personal data and when and why they did so; and
- unlawful access to data carriers is restricted.
The Personal Data Protection Act provides that a personal data processor must implement appropriate organisational, physical and technological security measures for the protection of personal data against:
- accidental or intentional unauthorised alteration (ie, protection of data integrity);
- accidental or intentional destruction or prevention of access by entitled persons (ie, protection of data availability); and
- unauthorised processing (ie, protection of data confidentiality).
Unlike in other jurisdictions, Estonian law requires a data controller and data processor to keep account of the equipment and software under their control that is used for processing personal data, and record:
- the name, type, location and name of the producer of the equipment; and
- the name, version and name of the producer of the software, as well as its contact details.
Bird & Bird
Finland has no general data security law and no specific security obligations.
The Personal Data Act includes a general obligation requiring the controller to carry out technical and organisational measures which are necessary to secure personal data against:
- unauthorised access, accidental or unlawful destruction, manipulation, disclosure or transfer; and
- other unlawful processing.
In general, the data security obligations set out by Finnish law are technology neutral (ie, they do not define technical or organisational measures specifically).
Pursuant to the Information Society Code (917/2014, as amended), telecoms operators and communication intermediaries are subject to general data security obligations.
Both French law and the EU Data Protection Directive state that the data controller must ensure the security and confidentiality of the personal data that it processes. This includes the obligation not to let any unauthorised person or body access the data. Certain authorities (eg, judges or administrative agents in specific cases) are considered to be authorised by law, as well as any person under the direct authority of the data controller or its subcontractors.
As for actual security measures, the national authority for data control (CNIL) requires data controllers to undertake systematic risk assessments before processing data and maintain surveillance over the stability and efficiency of their security systems.
Mayer Brown LLP
Yes – in particular, measures suited to the types of personal data or categories of data being protected will be taken in order to:
- prevent unauthorised persons from accessing data processing systems used to process or use personal data (access control);
- prevent data processing systems from being used without authorisation (access control);
- ensure that persons authorised to use a data processing system have access only to that data which they are authorised to access, and that personal data cannot be read, copied, altered or removed without authorisation during processing and use and after storage (access control);
- ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transfer or transport or while being stored on data storage media, and that it is possible to ascertain and verify which bodies are transferring personal data using data transmission facilities (disclosure control);
- ensure that it is possible after the fact to verify and ascertain whether personal data has been accessed, altered or removed from data processing systems and, if so, by whom (input control);
- ensure that personal data processed on behalf of others is processed strictly in compliance with the data controller’s instructions (job control);
- ensure that personal data is protected against accidental destruction or loss (availability control); and
- ensure that data collected for different purposes can be processed separately.
Karageorgiou & Associates Law Firm
The Data Protection Act imposes several security obligations on data controllers. They include a confidentiality obligation and an obligation that data processing be conducted solely and exclusively by persons acting under the authority and instructions of the data controller or processor.
The confidentiality obligation is fulfilled where the persons so appointed are suitable, in the sense that they possess professional qualifications that provide sufficient guarantees in respect of their technical expertise and personal integrity. The data controller must also implement organisational and technical measures, taking into consideration the risks and nature of the data processing, so as to prevent unlawful processing. To this end, the Hellenic Data Protection Authority has issued its Guidelines 1/2005 on the safe destruction of personal data.
Mayer Brown LLP
Data users must take all practicable steps to ensure that personal data held by them is protected against unauthorised or accidental access, processing, deletion, loss or use. If any personal data is transferred to a data processor, the data user must adopt contractual or other means to ensure that the data processor protects the personal data from any unauthorised or accidental access, processing, deletion, loss or use.
Kochhar & Co
Section 43A refers to ‘reasonable security practices and procedures’, which have been defined as reasonable security practices and procedures as determined by a law in force (of which there is none) or as agreed to by the parties and, in the absence of both, the rules framed by the government (ie, the Privacy Rules). Accordingly, the parties are free to decide on the security standards to be adopted.
The Privacy Rules do not prescribe a particular security standard (although this was what the rules were meant to do). Instead, they suggest that the International Standards Organisation/International Electrotechnical Commission 27001 or a code prescribed by an industry association and approved by the government can be used. Thus far, the government has approved no codes.
K&K Advocates - Intellectual Property
Under the Law Concerning Electronic Information Technology and the Government Regulation Concerning Electronic Systems and Transaction Providers, electronic system providers must do the following to secure electronic systems that store personal data:
- implement a risk management scheme to mitigate damages and losses;
- maintain management policies and operational work procedures;
- maintain a continuous auditing mechanism;
- maintain and implement procedures and means to avoid parties interfering with the system or causing it to fail or be damaged; and
- implement a security system that includes prevention procedures and countermeasures against threats and attacks enabling parties to interfere with or damage the system or cause it to fail.
ICT Legal Consulting
Personal data undergoing processing must be kept and controlled (as far as possible, considering technological innovations, the nature of the data and the specific features of the processing), in such a way as to minimise the risk of:
- its accidental or wilful destruction or loss;
- unauthorised access to the data; or
- processing operations that are either unlawful or inconsistent with the purposes for which the data has been collected.
The latter measures can be specified by the Data Protection Authority via a general provision in relation to specific data processing, as done, for example, in relation to the processing of biometric data or for the processing of personal data by system administrators.
In any case, data controllers must adopt security measures in order to ensure a minimum level of personal data protection. Such measures are listed in Annex B (Technical Specifications Concerning Minimum Security Measures) to the Data Protection Code.
Nishimura & Asahi
Business operators governed by the Act on the Protection of Personal Information have a broad obligation to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data”.
Personal data processing must meet certain technical and organisational requirements set by the Cabinet of Ministers Regulations on Mandatory Technical and Organisational Requirements for Personal Data Protection. Under Latvian law there are no specific requirements for certain categories of personal data, and no regulatory requirements for cloud service providers. The data controller must adopt internal regulations for the processing of personal data, in order to classify the personal data protection pursuant to the value and confidentiality level of the data.
The law also provides that personal data must be protected by passwords and encryption, and states which information must be stored on the receipt and transfer of personal data:
- the time of transfer;
- the parties involved; and
- the data processed.
Further, in its internal data processing regulations the data controller must determine the length of the password and the rules for its creation. However, the minimum length of the password is eight letters. The technical protection of personal data must be ensured by physical and other means (eg, passwords or encryption). The data controller must also ensure, for example, that:
- personal data is accessed only by authorised persons;
- certain information is stored when a personal data transfer takes place; and
- internal personal data protection regulations are drafted.
Under the Law on Legal Protection of Personal Data, data controllers and processors must implement appropriate organisational and technical measures to protect personal data against accidental or unlawful destruction, alteration and disclosure and any other unlawful processing. These measures must ensure a level of security that is appropriate to the nature of the personal data being protected and the risks of the processing. The measures must be defined in a written document (eg, personal data processing regulations approved by the data controller or a contract concluded by the data controller and the data processor) in accordance with the general requirements on the organisational and technical data protection measures laid down by the State Data Protection Inspectorate (DPI).
Specific data security requirements are set out in the General Requirements for Organisational and Technical Data Security Means, which have been approved by the director of the DPI.
Yes. The data owner must prevent the amendment of or damage to the data, as well as access by non-authorised third parties. In addition, the data owner must ensure that:
- persons with access to the system can access only the data relevant to them;
- the identity and interest of any third-party recipients of the data can be verified;
- the identity of persons accessing the system (to view the data or add data) can be verified;
- non-authorised persons cannot access the place and equipment used for data processing;
- non-authorised persons cannot read, copy, modify, destroy or move data;
- all data introduced in the system is authorised;
- the data will not be read, copied, modified or deleted without authorisation during the transport or communication of the data;
- the data is backed up with security copies; and
- the data is renewed and converted to preserve it.
Havel, Holásek & Partners s.r.o.
The Data Protection Act requires controllers and processors to ensure the security of personal data by protecting it against accidental or unlawful damage or destruction, accidental loss, alteration, unauthorised access or release, or any other unauthorised forms of processing.
Controllers and processors must take technical, organisational and personal security measures in accordance with the manner of processing, while taking into account (among other things):
- the existing technical means;
- the extent of any risks that could endanger the security or functionality of the filing system;
- confidentiality considerations; and
- the importance of the processed personal data.
Security measures are specified in the Decree on the Extent of Safety Measures Documentation (164/2013 Coll) and are categorised as either:
- security documentation; or
- security projects.
Security projects are more detailed and are required if:
- sensitive personal data is processed and the filing system is connected to the Internet; or
- the filing system is used to safeguard public interests.
According to the Data Protection Act, adequate technical and organisational security safeguards must be taken against unauthorised or unlawful processing of personal data. Such measures are further specified in the Federal Ordinance on the Data Protection Act, which requires that systems which process personal data comply with state of the art technical standards in terms of protecting against:
- unauthorised or accidental destruction or loss;
- technical flaws;
- theft or unlawful access;
- use alteration; and
- other kinds of unauthorised processing.
More specific requirements apply to systems featuring automated processing of personal data – in particular, regarding appropriate access, disclosure, storage and usage controls.
Tilleke & Gibbins
Sector-specific laws and regulatory notifications govern the security of personal data held by parties operating within the telecommunications, banking and finance, insurance, securities, healthcare, consumer credit and electronic payment services sectors and government agencies. For example, regulations issued under the Computer Crimes Act impose requirements on service providers (as defined therein) in relation to retaining service users’ personal data, setting out the specific types of personal data that must be retained and how it should be stored. Another example is regulations issued under the Royal Decree on Electronic Payments. As part of the licensing process, an applicant for an electronic payment licence must explain how it will protect service users’ information, including how such information will be stored. Once approved, this effectively becomes a licence condition.
There are no specific regulations governing the protection of personal data held by private sector companies operating outside the specially regulated sectors.
The Data Protection Law obliges data controllers to take the appropriate technical and administrative measures to protect personal data. The law prescribes no specific technical requirements. However, the International Organisation for Standardisation (ISO) has already produced a set of standards with respect to technical data security measures: ISO/IEC 27000. However, whether the ISO standards correspond to the information security requirements established by the Data Protection Law remains unclear.
Sidley Austin LLP
Several sector-specific privacy and data protection laws provide for information security obligations. Almost all US states enforce broad data security and data breach notification laws that apply to sensitive personal data. About two-thirds of the states have legislation that requires companies to implement reasonable information security measures, at least in the disposal context. Data security laws also generally require companies holding certain personal information about state residents to:
- implement and maintain reasonable security procedures and practices in order to protect information from unauthorised access, destruction, use, modification or disclosure;
- take reasonable steps to destroy personal information that is no longer to be retained or to make it otherwise unreadable or undecipherable; and
- contractually require third parties to which the company discloses personal information to maintain reasonable security procedures (see, for example, Cal Civ Code § 1798.81.5 (2007); Md Code Ann, Com Law § 14-3503).
Some states impose more rigorous information security requirements. For instance, Massachusetts requires entities to develop and implement a written comprehensive information security programme (see 201 Mass Code Regs § 17.02). The regulation requires employee training, adoption of encryption standards and regular monitoring and establishes requirements for securing computer systems (id §§ 17.03–17.04). These requirements are passed through to third-party vendors engaging in business with entities subject to the regulation (id § 17.03(2)(f)). These requirements include:
- taking reasonable steps to select and retain third-party service providers capable of maintaining appropriate security measures; and
- requiring that the third-party service providers implement and maintain appropriate security measures by contract for any personal information or data.