The Danish Data Protection Agency has set out a number of specific requirements for personnel administration. From January 2015, the Agency's authorisations (permits) in the private sector include observation of these requirements as a standard term.
In personnel administration, the personal data protection act must be observed in its entirety. Among other things, this means that the data controller (the employer) must meet the act's requirements for data security:
The controller shall implement appropriate technical and organizational security measures to protect data against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, abuse or other processing in violation of the provisions laid down in this Act, cf. section 41(3) of the personal data protection act.
The Danish Data Protection Agency has listed 12 minimum requirements for personnel administration. The requirements oblige a company's management to:
1) Describe how personnel information is protected in the personnel administration and how requirements 2 to 12 have been implemented in practice. The description may take the form of specific guidelines forming part of the company's general security instructions, of an IT security policy, or of the company's employment handbook or personnel policy.
2) Access to the information must be limited to persons who have a justified need for it, and to as few persons as possible.
3) Employees who handle personnel administration must receive instruction and training in what they may do with the information and how they must protect it.
4) Personnel information on paper, for example in files and binders, must be kept locked away when not in use.
When documents (papers, files etc.) containing personnel information are disposed of, this must be done by shredding or by other means that prevent unauthorized persons from gaining access to the information.
5) All computers and other electronic equipment holding personnel information must be password protected. Only those who need access may be given the password.
Persons who hold a password must not pass it on to others or leave it where others can see it.
Allocated passwords must be reviewed at least once every six months.
6) Failed attempts to access IT systems containing sensitive information must be logged. After a set number of access attempts have been denied, further attempts must be blocked.
7) If personnel information is stored on a USB key, the information must be protected, for example by using a USB key with password protection and encryption. Otherwise, the USB key must be kept in a locked cabinet or drawer. The same applies to storage of personnel information on other comparable data media.
8) PCs connected to the internet must have an up-to-date firewall and antivirus software installed.
9) If web forms are used in which sensitive personnel information or social security numbers can be entered and submitted, encryption must be applied.
10) If sensitive personnel information or social security numbers are sent by email over the internet, the Danish Data Protection Agency recommends encryption.
11) In connection with repair and servicing of data equipment containing personnel information, and when data media are sold or destroyed, the company must take appropriate precautions to prevent the information from coming to the knowledge of unauthorized persons.
12) When an external data processor is used to process the information, section 42 of the personal data protection act on written data processing agreements etc. must be complied with. This is the case, for example, where an external document archive or an internet-based recruitment system is used, or where an external supplier handles payroll and personnel administration.
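Requirement 6 (log failed access attempts and block further attempts after a set number of denials) is the one item on the list that calls for a concrete mechanism rather than a policy. The following is an added illustration, not code from the Danish Data Protection Agency or from Bird & Bird: a small per-account failed-login tracker with an audit log and a temporary lockout. The threshold of 3 failures, the 10-minute counting window, the 15-minute lockout, the account name `hr.clerk` and the source address are assumed example values, not figures the Agency prescribes.

```python
"""Failed-login logging and lockout (added example; not from the DPA or Bird & Bird)."""
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List


@dataclass
class AuditRecord:
    """One line of the access log. The credential itself is never recorded."""
    timestamp: float
    user: str
    source: str
    outcome: str  # "success", "failure", "locked" or "blocked"


class LoginGuard:
    """Counts failed logins per account within a sliding window and locks
    the account once the configured number of denials is reached."""

    def __init__(self, max_failures: int = 3, window_seconds: int = 600,
                 lockout_seconds: int = 900,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}
        self.audit_log: List[AuditRecord] = []

    def _record(self, user: str, source: str, outcome: str) -> None:
        self.audit_log.append(AuditRecord(self.clock(), user, source, outcome))

    def is_locked(self, user: str) -> bool:
        return self._locked_until.get(user, 0.0) > self.clock()

    def attempt(self, user: str, source: str, verify: Callable[[], bool]) -> str:
        """Process one login attempt. `verify` checks the credential and is
        only called when the account is not locked, so a locked account
        cannot be probed for the correct password during the lockout."""
        now = self.clock()
        if self.is_locked(user):
            self._record(user, source, "blocked")
            return "blocked"
        if verify():
            self._failures.pop(user, None)
            self._record(user, source, "success")
            return "success"
        failures = self._failures[user]
        failures.append(now)
        # Forget failures older than the counting window.
        while failures and failures[0] < now - self.window_seconds:
            failures.popleft()
        if len(failures) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            failures.clear()
            self._record(user, source, "locked")
            return "locked"
        self._record(user, source, "failure")
        return "failure"


class FakeClock:
    """Controllable clock so the lockout expiry can be exercised offline."""

    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> List[str]:
    """Constructed scenario: three wrong passwords lock the account, the
    correct password is then refused until the lockout expires."""
    clock = FakeClock()
    guard = LoginGuard(max_failures=3, lockout_seconds=900, clock=clock)
    outcomes = []
    for _ in range(3):
        outcomes.append(guard.attempt("hr.clerk", "10.0.0.7", lambda: False))
        clock.advance(1)
    outcomes.append(guard.attempt("hr.clerk", "10.0.0.7", lambda: True))
    clock.advance(901)  # past the 900 s lockout
    outcomes.append(guard.attempt("hr.clerk", "10.0.0.7", lambda: True))
    for rec in guard.audit_log:
        print(f"{rec.timestamp:.0f} user={rec.user} src={rec.source} {rec.outcome}")
    return outcomes


if __name__ == "__main__":
    demo()
```

The sequence returned by `demo()` is failure, failure, locked, blocked, success. Two points a practitioner should weigh when adopting this: the audit record deliberately omits the submitted password, since a log of failed attempts otherwise becomes a store of near-miss credentials; and locking on the account name alone lets anyone who knows a user name lock that user out, so in practice the per-account lock is usually combined with throttling by source address and with alerting on the "locked" events.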
Bird & Bird comments:
These minimum requirements for data security in personnel administration reflect an increased focus on the area and on private companies' personnel administration in general. It is therefore important to have the company's general practice for personnel administration reviewed, including the preparation and updating of IT security policies and other personnel-related guidelines and manuals.
Bird & Bird will assist in answering your questions and supporting you on practical challenges regarding personal data protection for employees. Please contact Nis Peter Dall at firstname.lastname@example.org or Pernille Østergaard at email@example.com.