Rules on the Security of Personal Data
Nr. 299/2001 on the Security of Personal Data
Aim and Scope
The aim of these rules is to guarantee security when processing personal data. That means that the appropriate secrecy of the data, legal access to them, their quality, and accuracy, shall be guaranteed.
In addition to what follows from these rules, the standard BS 7799 – Information Security Management – may be taken into consideration for guidance.
These rules apply to the processing of personal data that Act No. 77/2000, on the Protection of Privacy as Regards the Processing of Personal Data, applies to.
The Data Protection Authority can give an exemption from the provisions of these rules if the exemption is not considered to endanger privacy, e.g., in the light of the scale of the processing, the risk of the processing, and the nature of the data that shall be protected.
The data controller shall create a security system to guarantee the security of personal data. The preparation for a security system is done in three stages:
1. The data controller writes a security policy. It shall, amongst other things, contain a general description of the position of the data controller's top management towards security issues. When forming a security policy, it shall be taken into consideration which personal data shall be protected, how they shall be protected, and by what means they will be processed.
2. The data controller writes a risk analysis. A risk analysis is an evaluation of the risk of someone unauthorized gaining access to personal data, being able to change the data, or threatening their security in some other manner. A risk analysis also consists of an evaluation of the scale and consequences of the risk in the light of the nature of the personal data being processed. The aim of a risk analysis is to create premises for the selection of security measures, cf. chapter III of these rules. It shall also be stated what can go wrong, which effect that will have on the security of the data, and what the probability of that happening is. A risk analysis shall be reviewed on a regular basis.
3. The data controller chooses which security measures shall be employed in accordance with chapter III of these rules and writes a description of them. The description shall, amongst other things, contain the data processor's position towards what shall be considered to be the acceptable risk in the processing. It shall also be described which security measures shall be employed and how they will be applied, amongst other things, in the design, development, operation, testing, and maintenance of the system, including software, that will be used for the processing of the data. It shall also be stated how disruptions to the operation of the processing system shall be dealt with, and how data will be transferred between processing systems, amongst other things, how a possible transfer between the data controller and a data processor shall take place. Security measures shall be reviewed on a regular basis.
The Data Protection Authority shall, whenever it wishes, have access to the data controller's security policy, risk analysis, and description of security measures.
The data controller shall resort to appropriate security measures and is responsible for ensuring that the processing of personal data is always in accordance with legal acts, rules and the orders of The Data Protection Authority on how to guarantee the security of data, amongst other things, the standards that it decides that shall be used. The aim of organizational and technical security measures is to guarantee enough security and protect personal data against unlawful destruction, against them being lost or changed by accident, against unauthorized access, and against all other illegal processing.
When choosing security measures, notice shall be taken of the risk of the processing and the nature of the data that shall be protected. If personal data are transmitted through the Internet, notice shall be taken of the higher risk that such processing entails.
Security Measures Regarding Employees
In the aim of preventing and lessening damage caused by human mistakes, theft, fraud, and other misuse, the data controller shall resort to the security measures that are appropriate in each case, e.g.:
1. Investigate job applicants' history.
2. Get written declarations of confidentiality from applicants.
3. Define, in a clear way, the role and duties of each employee that has access to personal data, amongst other things, who is responsible for individual collections of registers.
4. Take the necessary measures for making employees, on a regular basis, aware of their duties at work and the consequences that violations of them can entail.
In the aim of preventing and lessening damage caused by unauthorized access, the data controller shall resort to the security measures that are appropriate in each case, e.g.:
5. Control access to facilities by allocating keys, access cards, etc.
6. Employ security guarding, e.g., with security guards, warning systems, or electronic surveillance.
Organizational and Technical Security Measures
In the aim of preventing and lessening damage caused by malfunctions and unauthorized access to processing equipment, the data controller shall resort to the security measures that are appropriate in each case, e.g.:
7. Control access by allocating user names and passwords.
8. Encrypt or destroy personal identifiers, or use numbers instead of such identifiers and preserve the identification key in a secure way.
9. Guarantee the traceability of look-ups and processing operations.
10. Preserve personal data on a computer that is not connected to a computer network.
11. Restrict access to personal data to read-only access (look-up access), e.g., in the aim of hindering prohibited destruction, copying, or linking of registers.
12. Employ constantly active virus defences.
The data controller shall resort to internal audit of the processing of personal data to make sure that the processing is in accordance with the legal acts and rules in force, amongst other things, conditions that The Data Protection Authority has set in relation to the processing in question.
Internal audit shall, amongst other things, be pointed at:
13. Observation of whether the processing is allowed according to Act No. 77/2000.
14. Whether the duty to notify processing or seek a permission for it, according to Act No. 77/2000, has been fulfilled.
15. Whether the rules of Art. 7 of the Act on the legality of processing are fulfilled, amongst them, the rule of Point 5 on the destruction of data that no longer need to be preserved in the light of the original purpose of their collection.
16. Whether provisions in the Act on the rights of the data subject are followed in practice.
17. Whether the security measures that have been chosen according to Art. 3, Sec. 1:c, of these rules are being followed.
18. Internal audit shall take place on a regular basis. The frequency of the audit and its scale shall be decided with consideration to the risk that the processing entails, the nature of the data that are being processed, the technical means that are used to guarantee the security of the data, and the financial cost of the audit. It shall, however, take place at least yearly.
Internal audit shall, usually, take place according to a system defined in advance.
The data controller shall ensure that a report is made on each operation that is a part of internal audit. In such a report, the outcome of each part of the audit shall be described. Reports on internal audit shall be preserved securely, and The Data Protection Authority has the right of access to them whenever it wishes.
The data controller may make an agreement with another party on taking care of, wholly or partly, the processing of personal data that he is responsible for. That is, however, contingent upon the controller having, beforehand, verified that this data processor is able to carry out the security measures that apply to the processing and conduct internal audit in relation to it.
An agreement according to Sec. 1 shall be in writing and, at least, in two copies. It shall, amongst other things, state that the data processor shall work in accordance with the data controller's instructions and that the provisions of these rules on the duties of the data controller also apply to the processing that the data processor takes care of. Both the data controller and the data processor shall preserve a copy of the agreement.
If the data processor is established in an EEA member state other than that of the data controller, cf. Art. 6, Sec. 1, of Act Nr. 77/2000, then it shall also be stated in the agreement that the legal acts and rules of the country where the data processor is established apply to security measures relating to the processing of personal data.
Each one that works under the authority of the data processor or data controller is only permitted to process personal data in accordance with instructions from the data controller, unless legal acts stipulate otherwise.
Entry into force, etc.
Notification to The Data Protection Authority on Security Measures
In a notification to The Data Protection Authority according to Art. 31 of Act No. 77/2000, it shall be stated in which way the data controller meets the requirements of these rules.
Entry into Force
These rules, which are passed in accordance with Art. 11 and 12 of Act No. 77/2000 on the Protection of Privacy as Regards the Processing of Personal Data, enter into force immediately.
The Data Protection Authority, 20 March 2001.
Páll Hreinsson, Chairman of the Board