Data Security Addendum

1. Access control to premises and facilities. Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include:

a. Access control system
b. ID reader, magnetic card, chip card
c. Door locking (electric door openers etc.)
d. Surveillance facilities
e. Alarm system, video/CCTV monitor

2. Access control to systems. Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:

a. Password procedures (incl. special characters, minimum length, forced change of password)
b. No access for guest users or anonymous accounts
c. Central management of system access
d. Access to IT systems subject to approval from HR management and IT system administrators

3. Access control to data. Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and prevent the unauthorised input, reading, copying, removal, modification or disclosure of data. These measures shall include:

a. Differentiated access rights
b. Access rights defined according to duties
c. Automated log of user access via IT systems
d. Measures to prevent the use of automated data-processing systems by unauthorised persons using data communication equipment

4. Disclosure control. Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:

a. Compulsory use of a wholly-owned private network for all data transfers
b. Encryption using a VPN for remote access, transport and communication of data.
c. Prohibition of portable media
d. Creating an audit trail of all data transfers

5. Input control. Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained. Measures shall include:

a. Logging user activities on IT systems
b. Ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment
c. Ensure that it is possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input.

6. Job control. Measures should be put in place to ensure that data is processed strictly in compliance with the data importer’s instructions. These measures shall include:

a. Unambiguous wording of contractual instructions
b. Monitoring of contract performance

7. Availability control. Measures should be put in place to ensure that data are protected against accidental destruction or loss. These measures shall include:

a. Ensuring that installed systems may, in the case of interruption, be restored
b. Ensure systems are functioning, and that faults are reported
c. Ensure stored personal data cannot be corrupted by means of a malfunctioning of the system
d. Uninterruptible power supply (UPS)
e. Business Continuity procedures
f. Remote storage
g. Anti-virus/firewall systems

8. Segregation control. Measures should be put in place to allow data collected for different purposes to be processed separately. These shall include:

a. Restriction of access to data stored for different purposes according to staff duties.
b. Segregation of business IT systems
c. Segregation of IT testing and production environments