S 2.505 Definition of technical/organisational safeguards according to the state-of-the-art for processing of personal data
Initiation responsibility: Data Protection Officer, Top Management, IT Security Officer
Implementation responsibility: Specialists Responsible, IT Security Officer, Data Protection Officer
The technical and organisational safeguards that must be taken in order to guarantee the right to informational self-determination and to protect personal data as well as possible against misuse, errors, and accidents constitute a vital part of data protection.
The necessary safeguards depend not only on the type of data and on the tasks for which it is to be used, but also on the organisational conditions, the spatial conditions, the personnel situation, and other general circumstances.
Therefore, the laws do not make certain individual safeguards mandatory, but only require "taking the technical and organisational safeguards required in order to ensure the execution of the provisions of these laws".
The data protection laws set out how these safeguards take shape in the field of automated processing in the form of catalogues. According to § 9 BDSG, the safeguards must be appropriate to
- deny any access to data processing systems used to process or use personal data for unauthorised persons (site access control),
- prevent unauthorised persons from being able to use data processing systems (system access control),
- ensure that the persons authorised to use a data processing system may only access the data subject to their access authorisation and that personal data cannot be read, copied, changed, or deleted in an unauthorised manner while it is being processed or used or after it is stored (data access control),
- ensure that personal data cannot be read, copied, changed, or deleted in an unauthorised manner while it is being transmitted electronically, during transport, or while it is being stored on data media, and that it is possible to check and determine to which bodies personal data is intended to be transmitted by data transmission facilities (disclosure control),
- ensure that it is possible to subsequently check and determine whether and by whom personal data in data processing systems was entered, modified, or deleted (input control),
- ensure that personal data processed on a customer's behalf may only be processed in accordance with the instructions of the customer (order control),
- ensure that personal data is protected against accidental destruction or loss (availability control),
- ensure that personal data collected for different purposes can be processed separately.
The requirements differ in wording and consequences between the individual state data protection laws.
When planning and implementing the technical and organisational safeguards, it is crucial that they are understood as a collectively acting protection system. Along with the statutorily required data protection, such a protection system also ensures the proper performance of tasks and proper operations. Therefore, it is important to draw up and apply the data protection concept in coordination with the specialised concepts of the corresponding organisational units and the remaining security policies, e.g. the information security policy.
The time and expenditure required for the necessary measures should be in appropriate proportion to the intended protection purpose (for protection levels, see BSI standard 100-2 and/or state-specific provisions on data protection). The more severe the impending infringement for the persons concerned and the higher the risk of damage occurring, the higher the appropriate time and expenditure. There is discretion regarding the selection of the individual measures, but not regarding the definition of the level of protection. Safeguards deemed necessary must also be taken if they make the development and use of an IT application more difficult. If the level of protection cannot be ensured by means of the designed safeguards, either the additional time and expenditure must be accepted, or a different design of the procedure that requires less time and expenditure must be considered. These safeguards must be kept up to date with the current state of the art.
Likewise, it must be ensured that the statutory data protection provisions are implemented by information security and data protection policies.
If a Data Protection Officer (bDSB) has been appointed in the company and/or the government agency (some data protection laws contain statutory specifications regarding this), policies, newsletters, and similar documents which the management issues as organisation-wide provisions on how to handle personal data must be drawn up with the involvement of the Data Protection Officer.
He/she should always be called in when service and/or operation agreements between the office and/or company and the Personnel and/or Supervisory Board regarding the handling of personal data are being dealt with. Compliance with the policies should be monitored.
Examples of technical-organisational safeguards include:
- the physical deletion of data (see S 4.32 Physical deletion of data media before and after usage, for example),
- the cryptographic encryption (see S 5.36 Encryption under Unix and Windows NT, for example),
- internal IT and data protection policies (see S 2.1 Specification of responsibilities and provisions, for example), as well as
- logging and documentation of procedures in order to ensure traceability (see S 4.25 Use of logging in Unix systems, for example).
An overview of the safeguards in the IT-Grundschutz Catalogues suitable for achieving the requirements mentioned above can be found in the table for module S 1.5 Data protection at Resources for IT-Grundschutz.
Review questions:
- Have all technical and organisational safeguards required to ensure sufficient levels of data protection been implemented?
- Are there suitable specifications as to how to handle personal data in the entire organisation?