Data Protection Rules and Security Measures
Data Protection Rules for Employees
Working with Personal Data Files
- Understand which personal data files are relevant to your job.
- Obtain explicit consent from the individual before processing their data.
- Refrain from using personal data files for unauthorized purposes.
- Report when a specific file is no longer in use.
- Notify the relevant department of any changes to the structure or purpose of Data Protection Commission (DPC) files to ensure GDPR compliance.
- Communicate to the relevant authority when a file is no longer in use and ensure its deletion.
- Refrain from making copies of databases or documents containing personal data.
- If temporary copies are necessary, protect them adequately and delete them as soon as possible.
- Avoid creating personal copies of files containing personal data.
- Do not export confidential directories, files, or documents without authorization.
- Maintain strict confidentiality of all personal data.
True or False Statements
- True – Each department must maintain an updated list of users with access permissions to personal data files. A template is used to specify authorized users for each file.
- False – Employees are responsible for any damages caused by their failure to comply with security measures related to personal data files.
- False – Outsourcing the processing of personal data to other companies is permissible, but a contract specifying the purpose of the processing is required.
Rules for Using Company Equipment and Computer Services
- Use company computer equipment only for its intended purpose and authorized services.
- Be responsible for the secure use of your assigned equipment.
- Lock your computer with a password when not in use.
- Log off all active sessions and disconnect from servers before leaving your workstation.
- Do not remove company equipment from the premises without authorization, and transport it in a suitable bag when authorized.
- Prevent others from viewing sensitive data on your computer screen.
- Be aware of the company’s monitoring and surveillance policies.
- Limit internet access to business purposes and avoid accessing non-work-related websites or downloading unauthorized files.
Rules for Equipment Configuration and Maintenance
- Use only authorized corporate software and refrain from installing unauthorized software.
- Do not alter system settings without authorization.
- Report any equipment malfunctions to the IT department for resolution.
- Do not use real data for testing new or modified computer systems and applications that handle DPC files.
Rules for Password Management and Access Permissions
- Always use your assigned password and username.
- Keep your password secure and confidential.
- Report any suspected unauthorized access or excessive access privileges to the IT department.
Rules for Data Backups
- The IT department is responsible for conducting daily backups of all documents and files containing personal data.
- Backup media must be properly protected to prevent damage or unauthorized access.
- Restoring files containing personal data requires appropriate security clearance.
Security Incident Definition
A security incident is any anomaly that affects, or could affect, the security of personal data.
Media Management
Media Inventory
- Label media properly.
- Maintain an updated inventory of all media.
Media Usage and Storage
- Check media for damage and viruses before use.
- Store media securely.
- Restrict access to personal data to authorized personnel only.
Media Inputs and Outputs
- Obtain written authorization from the IT department before introducing media containing DPC data.
- Before media leave the premises, take the necessary precautions (such as secure erasure) to prevent the data on them from being recovered.
- Maintain records of all inputs and outputs of computer media containing DPC files, especially for medium or high-level data.
High-Level Security Measures for Data Files
- True – Encrypt the content of media containing high-level security data during distribution.
- True – Encryption is necessary when transmitting data over telecommunication networks.
- False – Recording access to high-security files should include user identity information, but not necessarily their mobile number.
- False – The designated security officer, not necessarily the Data Protection Officer, should periodically review control information.
- False – Store backups of high-security files in a separate location from the computers processing them.
Security Measures for Paper-Based Personal Data
- Store documents in a locked room or cabinet.
- Assign responsibility for the care and protection of these documents to a specific individual.
- Securely destroy or incinerate documents that are no longer needed.
- Maintain a log of entries and exits for documents containing personal information.
- Enable access logs for high-level data files, recording user identity.
Citizen Rights Regarding Personal Data
Right to Information
- Inform individuals when collecting their personal data and obtain their explicit consent.
- Use a clause to inform stakeholders and obtain consent for data processing.
Right to Access
- Citizens have the right to request and obtain information about their personal data being processed, free of charge.
- Respond to access requests in writing within 30 days.
Right to Rectification and Cancellation
- Fulfill requests for data modification or cancellation within 10 days.
Right to Object
- Consent is not required for data processing under a contract, preliminary contract, or for administrative purposes if the data is necessary for maintenance or performance.