The Belgian Privacy Commission is currently in the process of adopting guidelines to help organisations comply with their security obligations under the Belgian Data Protection Act of 8 December 1992.
General security obligation imposed by the Data Protection Act
Article 16 §4 of the Belgian Data Protection Act requires data controllers (or their representative in Belgium), as well as data processors, to guarantee the security of personal data by taking “the appropriate technical and organisational measures that are necessary for the protection of personal data against accidental or unauthorised destruction, accidental loss, as well as against alteration of, access to and any other unauthorised processing of personal data”.
It is further stipulated that the security measures need to ensure an “appropriate level of security taking into account the state of art in this field and the cost of implementing the measures on the one hand, and the nature of the data to be protected and the potential risks on the other hand”.
Moreover, if the processing of personal data is entrusted to a processor, the data controller (or his representative in Belgium) is required to “choose a processor providing sufficient guarantees in respect of the technical and organisational measures governing the processing to be carried out” and to supervise compliance with these measures by setting them out in a (written) data processing agreement (Article 16 §1 of the Data Protection Act).
Generally, Article 16 of the Data Protection Act is one of the few examples where a law actively imposes a security obligation, and thus an obligation of good IT governance, upon organisations. Non-compliance can lead to criminal sanctions in certain circumstances.
However, the security obligation is defined in a very broad and general way. There is little guidance on exactly which measures (technical or organisational) need to be implemented in order to be compliant, although some limited guidance can be deduced from Article 16 §2 of the Data Protection Act: compliance with the security obligation should at least involve measures restricting access to authorised persons; adequate information should be provided to personnel; and data processing applications should comply with the contents of the notification filed with the Privacy Commission.
There was nevertheless a clear need for more precise guidance on this matter, not least for larger organisations or organisations processing sensitive data.
Recommendation of the Privacy Commission
In order to further specify the general obligation to secure the processing of personal data, the Privacy Commission is now issuing a formal recommendation containing a list of security guidelines which it considers to be a minimum standard for organisations to implement.
The assessment of the level of detail and complexity to which organisations will have to implement each of the guidelines will of course need to be done on a case-by-case basis. Each organisation processing personal data will have to consider its proper security needs, taking into account the nature (and sensitivity) of the data it processes, the risks and threats involved, the size of the organisation, the importance and complexity of the IT and information systems, the specific legal provisions that apply to its business and so on.
Article 16 §4 of the Data Protection Act provides that the adequacy of the security level should also be assessed, taking into account the technological state of the art and the cost involved in implementing security measures.
The advantage of the new recommendation is that organisations involved in the processing of personal data can now at least form an idea of the exact scope of their legal obligation to secure personal data. Given the general nature of this legal obligation, it was generally seen as an obligation of means for data controllers or processors, not as an obligation of result. A data subject claiming to have suffered damage would still have to show that the lack of security that caused the damage was unacceptable given the nature of the processing carried out by the responsible organisation. From this perspective, it is of course important for organisations (and data subjects) that there is now more specific guidance on how far the security obligation for personal data reaches.
Finally, it is to be noted that the Data Protection Act also provides a possibility for the King (on advice of the Privacy Commission) to adopt appropriate standards on IT security for all or certain categories of processing. It remains to be seen whether the security recommendation of the Commission will be a first step towards any further such regulatory initiative on IT security.
Peter Van de Velde
14 December 2005