Data Protection Rules and Security Measures

Data Protection Rules for Employees

Working with Personal Data Files

  1. Understand which personal data files are relevant to your job.
  2. Obtain explicit consent from the individual before processing their data.
  3. Refrain from using personal data files for unauthorized purposes.
  4. Report when a specific file is no longer in use.
  5. Notify the relevant department of any changes to the structure or purpose of Data Protection Commission (DPC) files to ensure GDPR compliance.
  6. Communicate to the relevant authority when a file is no longer in use and ensure its deletion.
  7. Refrain from making copies of databases or documents containing personal data.
  8. If temporary copies are necessary, protect them adequately and delete them as soon as possible.
  9. Avoid creating personal copies of files containing personal data.
  10. Do not export confidential directories, files, or documents without authorization.
  11. Maintain strict confidentiality of all personal data.

True or False Statements

  1. True – Each department must maintain an updated list of users with access permissions to personal data files. A template is used to specify authorized users for each file.
  2. False – Employees are responsible for any damages caused by their failure to comply with security measures related to personal data files.
  3. False – Outsourcing the processing of personal data to other companies is permissible, but a contract specifying the purpose of the processing is required.

Rules for Using Company Equipment and Computer Services

  1. Use company computer equipment only for its intended purpose and authorized services.
  2. Be responsible for the secure use of your assigned equipment.
  3. Lock your computer with a password when not in use.
  4. Log off all active sessions and disconnect from servers before leaving your workstation.
  5. Do not remove company equipment from the premises without authorization, and transport it in a suitable bag when authorized.
  6. Prevent others from viewing sensitive data on your computer screen.
  7. Be aware of the company’s monitoring and surveillance policies.
  8. Limit internet access to business purposes and avoid accessing non-work-related websites or downloading unauthorized files.

Rules for Equipment Configuration and Maintenance

  1. Use only authorized corporate software and refrain from installing unauthorized software.
  2. Do not alter system settings without authorization.
  3. Report any equipment malfunctions to the IT department for resolution.
  4. Do not use real data for testing new or modified computer systems and applications that handle DPC files.

Rules for Password Management and Access Permissions

  1. Always use your assigned password and username.
  2. Keep your password secure and confidential.
  3. Report any suspected unauthorized access or excessive access privileges to the IT department.

Rules for Data Backups

  1. The IT department is responsible for conducting daily backups of all documents and files containing personal data.
  2. Backup media must be properly protected to prevent damage or unauthorized access.
  3. Restoring files containing personal data requires appropriate security clearance.

Security Incident Definition

A security incident is any abnormality that affects or could affect the security of personal data.

Media Management

Media Inventory

  • Label media properly.
  • Maintain an updated inventory of all media.

Media Usage and Storage

  • Check media for damage and viruses before use.
  • Store media securely.
  • Restrict access to personal data to authorized personnel only.

Media Inputs and Outputs

  • Obtain written authorization from the IT department before introducing media containing DPC data.
  • Take necessary precautions to prevent data recovery from media leaving the premises.
  • Maintain records of all inputs and outputs of computer media containing DPC files, especially for medium or high-level data.

High-Level Security Measures for Data Files

  1. True – Encrypt the content of media containing high-level security data during distribution.
  2. True – Encryption is necessary when transmitting data over telecommunication networks.
  3. False – Recording access to high-security files should include user identity information, but not necessarily their mobile number.
  4. False – The designated security officer, not necessarily the Data Protection Officer, should periodically review control information.
  5. False – Store backups of high-security files in a separate location from the computers processing them.

Security Measures for Paper-Based Personal Data

  1. Store documents in a locked room or cabinet.
  2. Assign responsibility for the care and protection of these documents to a specific individual.
  3. Securely destroy or incinerate documents that are no longer needed.
  4. Maintain a log of entries and exits for documents containing personal information.
  5. Enable access logs for high-level data files, recording user identity.

Citizen Rights Regarding Personal Data

Right to Information

  • Inform individuals when collecting their personal data and obtain their explicit consent.
  • Use a clause to inform stakeholders and obtain consent for data processing.

Right to Access

  • Citizens have the right to request and obtain information about their personal data being processed, free of charge.
  • Respond to access requests in writing within 30 days.

Right to Rectification and Cancellation

  • Fulfill requests for data modification or cancellation within 10 days.

Right to Object

  • Consent is not required for data processing under a contract, preliminary contract, or for administrative purposes if the data is necessary for maintenance or performance.