S 1.30 Safeguarding of data media containing data on telecommunications charges
Initiation responsibility: Data Protection Officer, PBX System Manager
Implementation responsibility: Administrator
Call charge data is collected by the PBX systems during operation. This data contains information on the following:
- time and date of a telephone call
- source and destination telephone numbers, and
- duration of the call.
Call charge data is personal data in the sense of the relevant German Federal and State Data Protection Laws. As a consequence, a separate examination in terms of the requirements of the data protection laws (e.g. from the appendix to § 9 of the German Federal Data Protection Act) must be performed after having taken the IT-Grundschutz safeguards suggested in the following.
This data can be stored on the hard disk of the PBX system itself or on an external call charge computer. In many cases, a combination of both is used. If possible, these computers must be protected in such a way that only authorised persons have access to the call charge data. To this end, the call charge computer must be installed in a particularly protected room (see module S 2.4 Server room). Safeguards S 1.23 Locked doors, S 2.5 Division of responsibilities and separation of functions, S 2.6 Granting of site access authorisations, S 2.7 Granting of (system/network) access authorisations, S 2.8 Granting of access rights, S 2.13 Correct disposal of resources requiring protection, and S 2.17 Entry regulations and controls must also be implemented for the equipment on which call charge data is stored.
It must be documented who has access to the call charge data and what roles they assume when accessing the data.
Review questions:
- Is access to call charge data only granted to authorised persons and have the authorisations been documented?
- Is there a provision governing the documentation of which persons are granted access to the call charge data and what roles they assume when accessing the data?