Privacy Commission guidance on information security published

12 July 2006

Peter Van de Velde

In the January 2006 issue of our Privacy & Data Protection newsletter, we announced that the Belgian Privacy Commission was in the process of adopting guidelines to help organisations comply with their security obligations under Article 16 of the Belgian Data Protection Act of 8 December 1992 (“the DPA”). This guidance is now published on the Commission’s website.

The published document is entitled “Reference measures for securing the processing of personal data”. It contains a list of 10 “action points” for information security. Organisations processing personal data are urged to take measures to comply with these action points. The Privacy Commission emphasises, however, that information security is evolving constantly and that a systematic update of the reference measures will therefore be needed in order to take into account new technologies and regulations.

The 10 reference measures currently put forward by the Commission can be summarised as follows: each organisation processing personal data should

  1. have a written security policy setting out the general security strategy and the measures implemented to secure personal data (the Commission specifies that such policy should be approved at senior management level, should be distributed to a maximum extent within the organisation and should be updated at least on a yearly basis);

  2. appoint a data security officer responsible within the organisation for the implementation of the security policy;

  3. define internal responsibilities and data security management policies (which should include an adequate classification of the data so that they can be easily located and accessed);

  4. implement measures to protect the physical security of data (such as back-up systems, restricted access to IT equipment, protection of equipment against fire, flooding, …);

  5. implement measures to protect network security;

  6. implement measures to ensure that data can only be accessed by authorised persons or applications following their classification within the organisation;

  7. implement measures to ensure the adequate recording of personal data, as well as tracking and monitoring schemes that allow unauthorised access, intrusion or data manipulation to be detected and analysed;

  8. implement measures to ensure the follow-up and control of the technical and organisational security measures;

  9. implement adequate incident response and business continuity schemes;

  10. keep complete and up-to-date records on data security within the organisation.

The Privacy Commission also published on its website a questionnaire for organisations requesting access to or a connection with the National Register (for the identification of natural persons) with a view to processing personal data from this Register. The questionnaire should allow organisations to assess their compliance with the security obligation under the DPA and with the recommended reference measures. The questionnaire is to be dated and signed by the organisation’s data security officer.

For further background on the security obligations under the DPA, see also our January 2006 issue.