
Guidance to Executive Order on Security

The official version of the Executive Order on Security was published on 27 June 2000. Only the Danish version of the text has legal validity.

The Executive Order has been supplemented with a guidance text to help understand the background for each section in the order and to help understand how compliance with each section can be achieved.

The provisions of the Executive Order are set in italics to distinguish them from the guidance text that follows each of them.


Guidance to Executive Order no. 528 of 15 June 2000 on Security Measures for Protection of Personal Data that is Processed for the Public Administration

Introduction

This guidance describes and expands on the technical and organisational security measures to be taken in public administration to ensure data processing security (data protection).

This version is translated for the Danish Data Protection Agency. Only the Danish version of the text has legal validity.

The overall data protection regulations are laid down in sections 41-42 of the Act on Processing of Personal Data (the Data Processing Act). These provisions are worded as follows:

41. - (1) Individuals, companies, etc. performing work for the controller or the processor and who have access to data may process these only on instructions from the controller unless otherwise provided by law or regulations.

(2) The instruction mentioned in subsection (1) may not restrict journalistic freedom or impede the production of an artistic or literary product.

(3) The controller shall implement appropriate technical and organisational security measures to protect data against accidental or unlawful destruction, loss or deterioration and against unauthorized disclosure, abuse or other processing in violation of the provisions laid down in law. The same shall apply to processors.

(4) As regards data which are processed for the public administration and which are of special interest to foreign powers, measures shall be taken to ensure that they can be disposed of or destroyed in the event of war or similar conditions.

(5) The Minister of Justice may lay down more detailed rules concerning the security measures mentioned in subsection (3).

42. - (1) Where a controller leaves the processing of data to a processor, the controller shall make sure that the processor is in a position to implement the technical and organisational security measures mentioned in section 41 (3) to (5), and shall ensure compliance with those measures.

(2) The carrying out of processing by way of a processor must be governed by a written contract between the parties. This contract must stipulate that the processor shall act only on instructions from the controller and that the rules laid down in section 41 (3) to (5) shall also apply to processing by way of a processor. If the processor is established in a different Member State, the contract must stipulate that the provisions on security measures laid down by the law in the Member State in which the processor is established shall also be incumbent on the processor.

Pursuant to section 41 (5) of the Act the Minister of Justice has issued Executive Order no. 528 of 15 June 2000 on security measures for protection of personal data that is processed on behalf of the public administration. Section 2 (2) of the Executive Order is amended by Executive Order no. 201 of 22 March 2001. The Executive Order contains more detailed regulations on the security measures required pursuant to section 41 (3) of the Act.

The provisions in Executive Order no. 528 (the Executive Order on Security) are stated below. In addition to the individual provisions a description and clarification of the requirements of the provision are presented.

The Provisions of the Executive Order
Chapter 1
General Provisions

1. This Executive Order shall apply to the processing of personal data on behalf of the public administration wholly or partly by use of electronic data processing.

This Executive Order applies solely to the processing of personal data that is undertaken on behalf of the public administration wholly or partly with the help of electronic data processing. Where data processing is only partly undertaken by use of electronic data processing, the Executive Order applies only to that part. The provisions of the Act, as well as any provisions laid down in separate Orders, cf. section 41 (5) of the Act, apply to the public administration's processing of personal data in manual filing systems and to the processing of personal data in the private sector.

2. The processing of personal data shall take place in accordance with the provisions in Chapters 1 and 2.

The provisions in Chapter 1 of the Executive Order - General Provisions - and in Chapter 2 - General Security Provisions - shall apply to any processing of personal data, irrespective of whether it includes confidential data.

(2) The processing of personal data that is subject to notification to the Data Protection Agency pursuant to the regulations in Chapter 12 of the Act on Processing of Personal Data shall furthermore take place in accordance with the provisions of Chapter 3 of this Executive Order. This does not, however, apply to the processing of personal data for the exclusive purpose of operating a legal information system, to the extent that this concerns data in the publicly accessible part of the legal information system. This furthermore does not apply to the processing of data concerning employees' trade union membership in connection with agreements on collection of membership fees.

In addition to the provisions in Chapters 1 and 2 of the Executive Order, the provisions in Chapter 3 - Supplementary Security Measures for Processing Subject to the Notification Obligation - shall apply to processing that pursuant to the regulations in Chapter 12 of the Act must be notified to the Danish Data Protection Agency.

The regulations concerning the notification of processing undertaken on behalf of the public administration are stated in Chapter 12 of the Act and are described in the Danish Data Protection Agency's guidance no. 125 of 10 July 2000.

3. - (1) The data controlling authority shall implement appropriate technical and organisational measures to protect data against accidental or unlawful destruction, loss or deterioration and against unauthorised disclosure, abuse or other processing in violation of the provisions laid down in the Act on Processing of Personal Data.

The provision repeats section 41 (3) of the Act, although the last clause (concerning processors) is omitted.

Measures to protect data against accidental or unlawful destruction, loss or deterioration may, for example, comprise taking back-up copies in accordance with more detailed routines.

The security measures laid down in the Executive Order on Security are in particular intended to prevent data from being disclosed to unauthorised persons, misused or otherwise processed in conflict with the Act.

More general guidelines on the establishment of both technical and organisational security measures in connection with electronic data processing are laid down in Danish Standard DS 484, Standard for IT Security.

(2) As regards data which are of special interest to foreign powers, measures shall be taken to ensure that they can be disposed of or destroyed in the event of war or similar conditions.

The provision corresponds to section 41 (4) of the Act. The data controlling authority will be obliged to first identify the processing by the authority that concerns data of special interest to foreign powers, and then to take the security measures required in the assessment of the authority.

4. The Data Protection Agency shall supervise compliance with this Executive Order and may make requests to the data controlling authority concerning the security measures taken, cf. section 3.

The Danish Data Protection Agency's supervision of compliance with the Executive Order is part of the supervision that the Agency is required to conduct pursuant to section 55 of the Act, namely supervision of any processing that is subject to the Act (with the exception of data processing carried out on behalf of the courts, cf. Chapter 17 of the Act).

Chapter 2
General Security Provisions

5. - (1) The data controlling authority shall lay down more detailed internal provisions for the authority's security measures in order to elaborate on the regulations laid down in this Executive Order. The provisions shall in particular concern organisational issues and physical security, including security organisation, administration of access control systems and authorisation systems, and authorisation control. Furthermore, instructions shall be laid down to set out the responsibility for and describe the processing and destruction of input and output data material and the use of IT equipment. In addition, guidelines shall be laid down for the authority's supervision of compliance with the security measures laid down for the authority.

As the provisions of the Executive Order are of a more general and overall nature, there will be a need for the individual data controlling authority to determine and describe in more detail how the provisions of the Executive Order are to be complied with, and generally how the security aspects of the processing of personal data are to be arranged.

This provision names a number of topics for internal provisions, instructions and guidelines. The list serves to provide examples and is not exhaustive.

Besides serving as documentation, the provisions, etc. prepared by the data controlling authority pursuant to this provision will also serve as descriptions of procedures, and as descriptions of various security functions, allocation and delineation of responsibility, etc.

Some of the descriptions mentioned may be of such a nature that security considerations make it appropriate to classify them as not publicly available. This may be relevant for, for example, descriptions of technical equipment such as alarm systems.

(2) The internal provisions must be reviewed at least once a year in order to ensure that they are complete and reflect the authority's actual circumstances.

As documentation is of no value if it is not up to date, the internal provisions described above should be kept current so that they always reflect the actual on-site conditions. Pursuant to this provision it is the responsibility of the controller to check at least once a year that the internal provisions have been updated accordingly.

6. The data controlling authority shall give the necessary instructions to the employees who process personal data. The employees shall among other things be made familiar with the regulations laid down pursuant to section 5.

In order to ensure that personal data is processed correctly and as required by the controller, employees that perform such processing must be given the knowledge required through training, instruction, etc. In order to ensure that processing takes place correctly in terms of security, the employees must be familiar with the current security regulations, which can among other things be achieved by informing the employees of relevant sections of the provisions laid down pursuant to section 5 of the Executive Order.

7. - (1) If personal data is processed by a processor on behalf of the controller there must be a written contract stating that the regulations in this Executive Order also apply to processing by the processor. If the processor is established in another Member State, the contract must stipulate that the provisions on security measures laid down by law in the Member State in which the processor is established apply to the processor.

According to this provision the processing carried out by a processor must be governed by a written contract between the controller and the processor. The contract must state that the processing delegated by the controller to the processor takes place according to the regulations laid down in this Executive Order, just as if the controller itself had undertaken the processing.

The controller must ensure that processing is conducted in accordance with the regulations laid down in the Executive Order, even if processing is undertaken by a processor that is established in another Member State. If the Member State in question has special security regulations applying to the processor's activities the contract between the controller and the processor shall state that the processor must also observe these regulations.

The provision is directed first and foremost at situations where data processing is delegated to a processor.

Besides this section 42 (1) of the Act on Processing of Personal Data states that where a controller leaves the processing of data to a processor, the controller shall make sure that the processor is in a position to implement the technical and organisational security measures mentioned in section 41 (3) to (5), and shall ensure compliance with those measures. The controller must thus actively ensure that the processor abides by the required security measures, and it may be relevant in this regard to obtain an annual auditor's statement from an independent third party. The written contract between the parties as stated above could among other things include this auditor's statement as a condition for allowing processing to be undertaken by the processor.

Finally, the written contract should state whether the processing of personal data by the processor takes place wholly or partly via home workplaces.

(2) If personal data is processed at a PC workplace outside the data controlling authority's premises, the authority shall lay down special guidelines in this respect, in order to ensure compliance with the provisions on security measures.

PC workplaces outside the controller's premises are first and foremost home workplaces (workplace established by setting up a PC in the employee's home; the PC being connected to the employer's IT system so that the employee can work on certain tasks from home), but the provision will also apply in a number of other cases where processing takes place at different locations to the customary workplaces on the employer's premises (use of laptop PCs while travelling or visiting customers or clients, etc., use of a PC in another enterprise or authority, use of a private PC at home). This applies not only to PCs, but also to other electronic equipment such as PDAs (Personal Digital Assistant) and similar.

The following considerations concern home workplaces, but the equivalent applies to all other workplaces outside the premises of the controller. The controller shall assess the security conditions and lay down special guidelines on this basis.

When working from a home workplace, data is used in a different environment. Work at the normal workplace is governed by routines and behaviour built up over a long period that ensure responsible data processing, but no equivalent practice is in place to ensure that data processing from a home workplace is subject to the same degree of security.

There are therefore a number of issues to consider. The problematic security areas to be assessed include among other things:

Local storage of data. If it is necessary for the home PC to be used not only as a terminal connected to the central system, but also to store data from the central system, the data should be encrypted.

Local printing of data. If it is necessary to print data from the home PC regulations must be laid down and instructions given for the storage and destruction of printouts, so that the data is not disclosed to unauthorised persons.

Other use of the home PC. If the data controller authorises other use, e.g. private use, guidelines must be laid down for this use, with establishment of the necessary security measures.

Physical security. In the home environment it must be expected that the physical security measures against theft, vandalism, and access by unauthorised persons in general will not be at the same level as at the normal workplace. Particular attention should be paid with regard to local storage and printing of data. Furthermore, in this environment there can be greater opportunity to tap data transmission by physically intercepting telephone lines.

Use of dial-up lines. If the establishment of a connection from the home workplace to the central system is based on the use of a dial-up connection (analogue telephone connection, ISDN, mobile telephone, etc.) measures must be taken to prevent unauthorised persons from dialling up to the central system and generally intercepting communication. Examples of such measures are call-back, password protection and closed user groups. In this connection it can among other things be considered whether there should be certain periods of time when the home workplace may not be used, and whether use should be subject to special logging.

The special guidelines concerning home workplaces should be updated continuously to ensure compliance with the provisions on security measures.

8. At locations where personal data is processed measures must be taken to prevent access to the data by unauthorised persons.

The provision is very broadly directed at locations where personal data is processed, and mainly at physical security. Measures taken pursuant to this provision can be seen as a supplement to the Executive Order's other provisions on access to data and will to a great extent correspond to the controller's customary physical security regulations, such as locking the premises and building sections, alarm system, limited access to server rooms, and the location of screens and printers (especially in case handling and public areas).

9. In connection with repair and service of data equipment containing personal data, and on sale and discarding of data media used, the necessary measures must be taken to ensure compliance with the provision in section 3.

Measures to prevent unauthorised persons from gaining access to stored data will depend on the concrete situation. On repair and maintenance of equipment the controller must ensure, if the data cannot be removed from the equipment, that repair and service staff treat any data coming to their knowledge in the course of their work as confidential material that in no circumstances may be passed on or used. On discarding storage media and equipment that contain personal data, the storage media should be destroyed or demagnetised so that it is no longer possible to read the content. If the controller, rather than destroying the storage media, sells them for the purpose of reuse, the stored data must be erased effectively by overwriting.

For the overwriting of data media, the Danish Data Protection Agency recommends the use of a special program that overwrites data multiple times in accordance with a recognised specification (e.g., DOD 5220.22-M).

In case of the repair of equipment, stored data must as far as possible be erased prior to repair.
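The overwriting recommended above, shown as an added worked example that is not part of the Agency's guidance. It is written in Go against the standard library only; the three-pass sequence (a fixed byte, its complement, random data), the names OverwriteFile and threePass, and the sample file contents are assumptions made for the illustration:

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"os"
)

const chunkSize = 64 * 1024

// pass describes one overwrite pass: a name and a function that fills a buffer with the pattern.
type pass struct {
	name string
	fill func([]byte) error
}

func fixed(b byte) func([]byte) error {
	return func(buf []byte) error {
		for i := range buf {
			buf[i] = b
		}
		return nil
	}
}

func random(buf []byte) error {
	_, err := rand.Read(buf) // cryptographic randomness, so the final pass carries no pattern
	return err
}

// threePass is the classic three-pass scheme: a fixed byte, its complement, then random data.
var threePass = []pass{{"0x00", fixed(0x00)}, {"0xFF", fixed(0xFF)}, {"random", random}}

// OverwriteFile overwrites every byte of the regular file at path in place, once per pass,
// flushing to the medium and reading the file back after each pass to confirm the pattern
// landed. It returns the number of passes completed. The file is opened read-write and never
// truncated or re-created: a new file would get new blocks and leave the old ones untouched.
func OverwriteFile(path string, passes []pass) (int, error) {
	f, err := os.OpenFile(path, os.O_RDWR, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	if !info.Mode().IsRegular() {
		return 0, errors.New("only regular files are handled here; a whole device needs its size taken differently")
	}
	size := info.Size()
	buf := make([]byte, chunkSize)
	for i, p := range passes {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return i, err
		}
		written := sha256.New() // digest of what this pass wrote, for the read-back check
		for remaining := size; remaining > 0; {
			n := chunkSize
			if remaining < int64(chunkSize) {
				n = int(remaining)
			}
			if err := p.fill(buf[:n]); err != nil {
				return i, err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return i, err
			}
			written.Write(buf[:n])
			remaining -= int64(n)
		}
		if err := f.Sync(); err != nil { // push the pass through to the medium before verifying
			return i, err
		}
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return i, err
		}
		readBack := sha256.New()
		if _, err := io.Copy(readBack, f); err != nil {
			return i, err
		}
		if !bytes.Equal(readBack.Sum(nil), written.Sum(nil)) {
			return i, fmt.Errorf("pass %d (%s): read-back does not match what was written", i+1, p.name)
		}
	}
	return len(passes), nil
}

func main() {
	// Constructed sample: a small export containing a fictitious personal identifier.
	const path = "sample-export.csv"
	if err := os.WriteFile(path, []byte("010170-0000;Test Testesen\n"), 0o600); err != nil {
		panic(err)
	}
	n, err := OverwriteFile(path, threePass)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d passes written and verified\n", n)
	os.Remove(path)
}
```

The read-back after f.Sync confirms that each pattern reached the file's blocks as seen through the filesystem, which is as much as a program at this level can check. On flash media (SSDs, USB sticks) and on journaling or copy-on-write filesystems with snapshots, the original blocks may survive untouched behind wear levelling or remapping, so file-level overwriting is not a reliable erasure there; for such media the device's own sanitise command or physical destruction is the dependable route, in line with the order's preference for destruction when media are discarded.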

Input data material containing personal data.

10. - (1) Input data material that is not part of a manual case or a manual filing system may only be used by persons engaged in data inputting. Input data material that is subject to the provision in section 2 (2) shall be stored under lock when not in use.

Input data material comprises the basic material (paper-based or electronic) from which data is obtained for further electronic data processing. The provision applies to input data material that is neither part of a traditional, paper-based case, including patient notes, nor a manual filing system. Application forms received that are stored in one batch, without being registered to, for example, a case for each applicant or a combined case for the type of application in question, will thus be subject to the provision if the forms' data is to be registered electronically. On the other hand, the application forms will not be subject to the provision as soon as the aforementioned registration has taken place, nor will they be subject to the provision if they are stored in such a way as to constitute a manual filing system (e.g. filed in a binder according to special criteria), as the Executive Order does not apply to manual filing systems.

Input data material in electronic form, for example transactions registered in a file, will normally be subject to the provision.

It should be noted that input by manual entry, e.g. in an online system, in itself constitutes processing that is subject to the Executive Order.

Input data material that is subject to the provision in section 2 (2), i.e. material that as a general rule contains data of a confidential nature, must be stored under lock when not in use, in order to prevent unauthorised access to the data. No more specific requirements are made of how such locking is to be established, but it is assumed that this is by locking drawers, cupboards, rooms or otherwise as deemed responsible by the controller.

(2) Input data material as described in subsection (1) must be erased or destroyed when no longer to be used for the purposes for which processing is required, or for control with the inputted personal data, but no later than a specific deadline determined by the data controlling authority.

Input data material as described in subsection (1) - the provision thus does not apply to material that is part of a manual case or a manual register - must be erased (electronic material) or destroyed (paper-based material) when the material is no longer needed. The controller must thus in connection with each processing consider how long there is a need or requirement for the input data material to be stored, and formally determine a final date of erasure or destruction.

(3) On the destruction of input data material the required security measures must be taken to ensure that the material is not misused or disclosed to unauthorised persons.

In accordance with the provision a procedure for destruction of input data material must be arranged in such a way that the material cannot in this context be misused or disclosed to unauthorised persons. It can, for example, be relevant to gather the material in locked skips before transfer to a reliable shredding service for confidential material.

Authorisation and access control.

11. - (1) Only persons so authorised may have access to the personal data that is processed.

Chapter 11 of the Act on Processing of Personal Data, on security of processing, states that appropriate technical and organisational security measures must be taken against unauthorised disclosure of the data (section 41 (3)). This provision of the Executive Order therefore lays down that access to personal data may only be given to directly authorised persons. It is presupposed that a formal authorisation system and procedure will be determined.

(2) Only persons engaged with the purposes for which the personal data is processed may be so authorised. The individual users may not be authorised for uses for which they have no need.

This provision lays down that only persons engaged with the purposes for which the personal data is processed may be so authorised. All other persons, including other employees of the data controlling authority, are of no relevance to the processing in question and may not have access to the data. The same considerations apply to the limitation of authorisation to solely concern uses required by the individual users. It is presupposed that the formal authorisation procedure will include prior assessment of which authorisations the individual user requires. The formal authorisation procedure may furthermore, for example, include that a letter is sent to the user in question with a more detailed description of which data the user is hereby authorised (approved) to use.

The authorisations of users that no longer require the authorisations issued to them shall be revoked. This for example applies to employees that move to another area of work, or whose employment is terminated.

(3) Authorisation must furthermore be given to persons for whom access to data is necessary for auditing purposes or for operational and system-related technical tasks.

In addition to the employees described above of the authority in question it may be relevant to give data access to persons who are not directly relevant in terms of current processing, but who require such access on other grounds. This provision takes account of such persons who undertake auditing, and persons who conduct technical maintenance, operations monitoring, troubleshooting, etc. The controller shall lay down special guidelines for the issue of such authorisations and for the revocation thereof with regard to authorisations that need only be temporary (for example authorisations for the annual audit).

12. Measures shall be taken to ensure that only authorised users can gain access, and that they can only gain access to the personal data and applications for which they are authorised.

In addition to the aforementioned formal authorisation of users, technical access control in the systems must be established so that authorised persons must identify themselves to the system in order to gain access to process data in accordance with the authorisation. The most common type of access control is user identification with related password, but this does not exclude other types of access control. If a password is used the controller must determine more detailed guidelines for the handling and structure of passwords.

The Danish Data Protection Agency recommends that passwords are at least 8 characters in length. Passwords should be structured as a combination of numbers and upper and lowercase letters. Passwords should be changed at least once a year.
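A model of the formal authorisation procedure that sections 11 and 12 presuppose, added here as an illustration and taken neither from the Executive Order nor from the guidance. It is Go standard-library code; the Register and Grant types, the method names, and the fictitious users and data sets are assumptions. It shows the points the guidance makes in prose: default deny, a grant bound to the data set and the purpose it was issued for, temporary grants that lapse by themselves, revocation on termination, and a listing of lapsed grants for the periodic review:

```go
package main

import (
	"fmt"
	"time"
)

// Grant records one authorisation: who may use which data set, for which purpose,
// and until when. A zero Expires means a standing grant that lasts until revoked.
type Grant struct {
	User, DataSet, Purpose string
	Expires                time.Time
	Revoked                bool
	RevokedReason          string
}

// Register is the formal authorisation register; the technical access check reads from it.
type Register struct {
	grants []*Grant
}

// Grant issues an authorisation. A temporary one (e.g. for the annual audit) carries an expiry.
func (r *Register) Grant(user, dataSet, purpose string, expires time.Time) *Grant {
	g := &Grant{User: user, DataSet: dataSet, Purpose: purpose, Expires: expires}
	r.grants = append(r.grants, g)
	return g
}

// Revoke withdraws every active grant held by user, e.g. on transfer to another area of work
// or on termination, and returns how many grants were revoked. The record is kept, not deleted.
func (r *Register) Revoke(user, reason string) int {
	n := 0
	for _, g := range r.grants {
		if g.User == user && !g.Revoked {
			g.Revoked, g.RevokedReason = true, reason
			n++
		}
	}
	return n
}

func (g *Grant) active(now time.Time) bool {
	return !g.Revoked && (g.Expires.IsZero() || now.Before(g.Expires))
}

// Allowed is the technical access check: nothing is permitted unless an active grant matches
// user, data set and purpose exactly, so a user authorised to a data set for case handling
// cannot use the same data for another purpose.
func (r *Register) Allowed(user, dataSet, purpose string, now time.Time) bool {
	for _, g := range r.grants {
		if g.User == user && g.DataSet == dataSet && g.Purpose == purpose && g.active(now) {
			return true
		}
	}
	return false
}

// Stale lists grants that are no longer active, for the periodic review of the register,
// so that expired temporary authorisations are cleaned out rather than silently reissued.
func (r *Register) Stale(now time.Time) []*Grant {
	var out []*Grant
	for _, g := range r.grants {
		if !g.active(now) {
			out = append(out, g)
		}
	}
	return out
}

func main() {
	// Constructed scenario with fictitious users and data sets.
	reg := &Register{}
	now := time.Date(2001, time.March, 1, 0, 0, 0, 0, time.UTC)
	reg.Grant("anne", "housing-benefit", "case handling", time.Time{})
	reg.Grant("ext-auditor", "housing-benefit", "audit", now.AddDate(0, 0, 14)) // two-week audit window
	fmt.Println(reg.Allowed("anne", "housing-benefit", "case handling", now))                  // true
	fmt.Println(reg.Allowed("anne", "housing-benefit", "statistics", now))                     // false: other purpose
	fmt.Println(reg.Allowed("ext-auditor", "housing-benefit", "audit", now.AddDate(0, 1, 0))) // false: expired
	reg.Revoke("anne", "employment terminated")
	fmt.Println(reg.Allowed("anne", "housing-benefit", "case handling", now)) // false: revoked
	fmt.Println(len(reg.Stale(now.AddDate(0, 1, 0))))                         // 2
}
```

In a real system the register is what the authentication step (user identification and password) is checked against after the user has proved who they are: identification establishes the user, the register decides what that user may do. Keeping revoked grants as records rather than deleting them preserves the history that an auditor will ask for.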

Output data material containing personal data.

13. - (1) Output data material may only be used by persons engaged with the purposes for which the personal data is processed.

By output data material is meant the result of electronic data processing that may be in paper-based or electronic form. The provisions in section 13 (1)-(5) apply only to output data material - paper-based or electronic - that contains personal data, and thus not to, for example, anonymous overviews and similar. The provisions furthermore apply only to output data material - paper-based or electronic - that is not part of a manual case or manual filing system, cf. subsection (6).

As personal data may not be disclosed to unauthorised persons, such unauthorised persons may not have access to output data material containing personal data either. Access to such output data material must therefore be limited to persons engaged with the purposes for which the personal data is processed.

(2) Furthermore, output data material may be used by persons engaged with auditing or operational and technical system-related tasks in the system in question.

It may also be relevant to give access to output data material to persons who are not directly engaged in the relevant processing, but who require such access on other grounds. This provision takes account of such persons who undertake auditing, and persons who conduct technical maintenance, operations monitoring, troubleshooting, etc.

(3) Output data material must be stored in such a way that unauthorised persons have no access to become familiar with the personal data contained in such material.

How the output data material can be stored so that unauthorised persons cannot become familiar with the personal data contained in such material will depend on the concrete situation. The responsibility for responsible storage rests on the controller, who should determine the formal guidelines in this respect.

(4) Output data material must be erased or destroyed when it is no longer to be used for the purposes for which the data is processed, and at the latest by the deadline determined by the data controlling authority.

Output data material as described in the remarks to the provision in subsection (1) must be erased (electronic material) or destroyed (paper-based material) when the material is no longer needed. The controller must therefore in connection with each processing consider how long there is a need or requirement for the output data material to be stored, and formally determine a final date of erasure or destruction.

(5) On the destruction of output data material, the required security measures must be taken to ensure that the material is not misused or disclosed to unauthorised persons.

In accordance with the provision, a procedure for destruction of output data material must be arranged in such a way that the material cannot in this context be misused or disclosed to unauthorised persons. It can, for example, be relevant to gather the material in locked skips before transfer to a reliable shredding service for confidential material.

(6) The provisions in subsections (1)-(5) do not apply to output data material that is part of a manual case or a manual filing system.

The Executive Order on Security does not apply to the aforementioned situations. The regulations of the Public Administration Act apply to material that is part of a manual case, while manual filing systems are subject to the provisions of the Act on Processing of Personal Data, including the regulations on security of processing in sections 41-42, as well as any special regulations laid down for manual filing systems.

External communication links

14. External communication links may only be established if special measures are taken to ensure that unauthorised persons cannot gain access to personal data via these links.

The provision applies to any type of communication relating to the processing of personal data, for example transmission of data by telefax or external e-mail, establishment of terminal access via a dial-up modem, access to data via the authority's website, and establishment of Internet access from workplaces on the authority's internal network. The special security measures must be taken after the authority's assessment of security risks in the concrete situation, including with regard to the nature of the data in question.

In order to determine the security level, it is necessary for the controller to perform an overall risk assessment comprising all elements of the communication link.

On connection to the Internet or other open networks measures must be taken to protect against unauthorised traffic and to prevent access from the open network to the controller's internal network.

On the use of telefax special attention must be paid to the risk of the fax being sent to the wrong recipient, and of the received fax being accessible to unauthorised persons on the recipient's premises.

When faxes are sent the stated telefax number must be checked carefully. The use of pre-coded telefax numbers (shortcuts) may also be considered.

With regard to the processing of faxes on receipt the telefax machine should be located so as to prevent access to received faxes by unauthorised persons. When using telefax to transmit more sensitive data a solution may be to use equipment that stores received faxes in the machine and only allow specially authorised staff members to print these.

On transmitting personal data via dial-up links (via analogue telephone lines, ISDN, mobile telephone, etc.), for example on the establishment of terminal access to a central system from a laptop PC, measures shall in particular be taken to prevent dial-up by unauthorised persons. It may, for example, be relevant to use facilities such as call-back or closed user groups.

With regard to transmission of personal data via open networks (e.g. Internet) the following concrete minimum requirements for security measures shall apply:

On transmission of data via the open Internet there is generally a risk that the data is read, and even changed, by unauthorised persons during transmission. There is also a risk that the parties to the communication are not the entities they present themselves to be.

These risks must be assessed by the controller in the concrete situation so that the necessary security measures can be taken.

With regard to confidentiality, this can be ensured by appropriate encryption of the transmitted data. If confidential data, including social security numbers, is transmitted, encryption is required as a minimum. If the transmitted data is of a sensitive nature (subject to section 7 (1) and section 8 (1) of the Act on Processing of Personal Data), strong encryption based on a recognised algorithm must be used.

Security of authenticity (identity of transmitter and recipient) and integrity (the authenticity of the transmitted data) must be appropriately ensured by the use of suitable security measures, for example electronic signatures or individual, confidential access codes.

Chapter 3
Supplementary Security Measures for Processing Subject to the Notification Obligation

15. The provisions in Chapter 3 do not apply to the extent that the processed data would not in itself be subject to the obligation of notification to the Danish Data Protection Agency.

Processing that concerns data of a confidential nature is as a general rule subject to the notification obligation and shall take place with due observance of the supplementary security provisions in this chapter. Further details of the notification obligation are available in the Danish Data Protection Agency's guidance no. 125 of 10 July 2000.

Besides the confidential data whose processing is subject to the notification obligation, the processing will typically also include data that is not confidential. The provisions of this chapter do not apply to the use of this non-confidential data, nor to the use of the confidential data that, according to the exemption provisions of the Act, may form part of processing that is not subject to the notification obligation.

For example, processing subject to the notification obligation that includes details of the health condition of individual persons will require all use of health data to be logged pursuant to section 19 (1) of this Executive Order. On the other hand, the use of non-confidential data such as people's addresses will not be required to be logged. It is a precondition, however, that such use of non-confidential data cannot indirectly reveal confidential information concerning the persons concerned.

The detailed exemption provisions, and thereby the description of the data of a confidential nature that may be processed without being subject to the notification obligation, are stated in section 44 (1) of the Act, and in the Danish Ministry of Justice's Executive Order no. 529 of 15 June 2000 on exemption from the obligation to notify certain processing undertaken on behalf of the public administration, laid down pursuant to sections 44 (2) and 44 (4) of the Act.

Authorisation and access control

16. Authorisations, cf. section 11, shall state the extent to which the user may request, input or erase personal data.

In addition to the general requirements in section 11 concerning authorisation of users, processing that is subject to the notification obligation requires the authority to consider whether a user shall only be able to request data, or whether the user shall also be able to input data or erase data. If there are users that are only to be authorised for some of the aforementioned functions, the systems must be technically designed so that the users are only able to access data according to the authorisations given.

When technical access control to the system's data and the uses thereof is based on user identification with a password, each user must be given a personal, confidential password.

The personal and confidential password is connected to the relevant user identification and may only be known by the user in question. It is thus not possible to use a shared code, i.e. one user identification with a password used by several users.

17. - (1) It must be ensured that the authorised persons still fulfil the conditions in section 11 (2) and (3), and section 16.

At any time, users may only hold authorisations for the uses they need. There must therefore be procedures to ensure that the function that administers authorisations receives information concerning changes in users' need for authorisation, including details of employees who leave or move within the organisation, so that the authorisations issued may be changed or revoked.

(2) This shall be controlled at least once every six months.

According to this provision, at least once every six months it must be checked that authorisations are up to date as prescribed above. It is the controller's responsibility to ensure an appropriate control procedure. The procedure can, for example, entail that the systems generate statistics showing the individual users' use of the system, so that it can be discovered whether authorisations have been issued that are not used and should therefore perhaps be revoked.

According to the Executive Order on Security, it is now no longer a requirement to maintain use statistics.

Control of rejected attempts to access data

18. All rejected attempts to access data must be registered. If, within a determined period, a predetermined number of consecutive failed login attempts are registered from the same workstation or with the same user identification, further login attempts must be blocked. Follow up must be conducted on an ongoing basis by the authority.

The provision entails that any failed attempt to access the system must be registered, regardless of whether the rejection is due to the use of an incorrect password, an incorrect user identification, lack of authorisation for a certain function, or other reasons. This establishes a system administration tool that may reveal attempts at unauthorised data access. The provision furthermore entails that the system must react so that further access attempts, for example after a certain number of attempts to guess a password, are prevented. This reaction may be to close the user identification used, or to shut down the PC or its access to the local network. The reaction must furthermore be of such a nature that the event comes to the knowledge of the right person, i.e. system administration.
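The following is an added illustration of section 18, not code from the guidance or from any authority's system: every rejection is registered whatever its reason, consecutive rejections are counted per user identification and per workstation within a window, and reaching the threshold blocks further attempts and produces a notice for system administration. The threshold, the window and the sample events are constructed assumptions; the Order leaves the number and period to the authority.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy values; the Order leaves number and period to the authority.
MAX_CONSECUTIVE_FAILURES = 3
WINDOW = timedelta(minutes=10)

class RejectedAccessMonitor:
    """Registers every rejected attempt and blocks a user id or workstation after a run of rejections."""
    def __init__(self):
        self.register = []                # every rejected attempt, kept for ongoing follow-up
        self.streaks = defaultdict(list)  # key -> times of the current run of rejections
        self.blocked = set()              # ("user", id) or ("workstation", id)
        self.admin_notices = []           # the reaction must reach system administration
    def _record_failure(self, key, ts):
        streak = [t for t in self.streaks[key] if ts - t <= WINDOW] + [ts]
        self.streaks[key] = streak
        if len(streak) >= MAX_CONSECUTIVE_FAILURES and key not in self.blocked:
            self.blocked.add(key)
            self.admin_notices.append(f"{ts.isoformat()} blocked {key[0]} {key[1]}")
    def attempt(self, ts, user, workstation, ok, reason=None):
        """Returns True if access is granted, False if it is rejected or blocked."""
        if ("user", user) in self.blocked or ("workstation", workstation) in self.blocked:
            self.register.append((ts, user, workstation, "blocked"))
            return False
        if ok:
            # a successful login ends the run of *consecutive* failures
            self.streaks.pop(("user", user), None)
            self.streaks.pop(("workstation", workstation), None)
            return True
        # any rejection counts: wrong password, unknown user id, missing authorisation ...
        self.register.append((ts, user, workstation, reason))
        self._record_failure(("user", user), ts)
        self._record_failure(("workstation", workstation), ts)
        return False

def run_sample():
    """Constructed sample events, not taken from the guidance; returns the monitor and the outcomes."""
    m = RejectedAccessMonitor()
    t0 = datetime(2001, 4, 2, 9, 0)
    events = [
        (0, "alice", "ws1", False, "wrong password"),
        (1, "alice", "ws1", False, "wrong password"),
        (2, "alice", "ws1", True, None),              # success resets alice's streak
        (3, "bob", "ws2", False, "wrong password"),
        (4, "bobb", "ws2", False, "unknown user id"),
        (5, "bob", "ws2", False, "wrong password"),   # third consecutive rejection from ws2
        (6, "bob", "ws2", True, None),                # right password, but ws2 is now blocked
    ]
    outcomes = [m.attempt(t0 + timedelta(minutes=d), u, w, ok, r) for d, u, w, ok, r in events]
    return m, outcomes
```

Note that the workstation is blocked although no single user identification reached the threshold, which is why the Order names both the workstation and the user identification.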

Logging

19. - (1) All use of personal data must be subject to automated registration (logging). The registration must at least contain details of the time, user, type of use and an indication of the person the utilised data referred to, or the search criterion used. The log must be stored for six months, after which time it must be erased. Authorities with a special need may store the log for up to five years.

According to the provision, in principle all use of personal data that is processed must be logged, cf. however section 15. Furthermore, subsections (2)-(6) contain certain exemptions from the general logging requirement.

"All use of personal data" shall mean the use made by users of the system in connection with their work. A number of operational activities entail monitoring of and system intervention by operations and systems personnel. The use of personal data in connection with such activities is not subject to the logging requirement.

The logging must include details of the person the utilised data referred to, or the search criterion used. If a search for a person is made using a social security number, the social security number used, or another unique identification of the person in question, must be registered in the log. If the search is based on date of birth, the date stated (the search criterion) must be registered in the log, but there is no requirement to register the identification of the individuals included in the search result, i.e. all persons found with the stated date of birth. The inclusion in the log of the search criterion used makes it possible to subsequently reconstruct the processing, including the persons included in it, which is one of the purposes of logging.

There is no requirement to print the log, nor is there a requirement for the log to be present in the system in question for the prescribed storage time, and there is nothing to prevent the log from, for example, being transferred to a tape and archived.

The provision states that the log must be stored for six months, after which time it must be erased. Erasure of the log may be arranged so that it takes place in, for example, monthly runs.

It is possible for authorities with special requirements to store the log for up to five years, but this requires a special need to have the log information available for the log's actual purpose, which is to serve as a tool for investigating possible unauthorised use of data. The log may thus not be stored for longer than the stated period of six months for the purpose of use in relation to the administrative tasks that are part of the processing in question.

(2) The provision in subsection (1) does not apply to personal data included in text processing documents and similar that are not available in their final version. The same applies to such documents in their final version if they are erased within a short deadline set by the data controlling authority.

The provision concerning logging does not apply to the processing of personal data that takes place when the data is included in text processing documents, spreadsheets and similar, for as long as these documents are in the process of preparation or function as work documents to which new information is continuously added when the individual case is processed.

The exemption does not, however, apply if the authority in a case area has established routine administration that, with the help of text processing, spreadsheets or similar, is based on processing that corresponds to maintaining an IT register. For example, the exemption does not apply to the ongoing registration of disbursed benefits or of waiting lists.

The provision concerning logging does not apply to completed documents and similar that are stored for a certain shorter period before they - for example according to a fixed procedure - are either erased or made anonymous by removing all identification details that can link the data to particular persons. The controller must consider the length of the aforementioned shorter period, which should generally be at most one month, and prepare guidelines for the procedure employees are to follow.

It should be noted that nothing prevents completed documents from being transferred to document archives for long-term storage instead of being erased. In this case, however, the processing will also be subject to the logging provision.

(3) The provision in subsection (1) does not apply if the personal data is processed exclusively by running programs that perform a pre-defined mass processing of personal data (batch job). There must, however, be an automated logging of the user and time of the processing.

The provision concerning logging does not apply if the personal data is processed exclusively by running programs that perform a pre-defined mass processing of personal data, so-called batch jobs. An example is the (regular) updating of large databases, where the processing does not log which database registrations have been updated, i.e. which of the registered persons are affected by the update. However, there must be automated registration (logging) that such an update has been run, which user started the run, and the time of the update.

(4) The provision in subsection (1) furthermore does not apply if the personal data is processed exclusively for the purpose of statistical or scientific studies, and the identification data has been either subject to prior encryption or replaced with a code number or similar. There must, however, be machine logging of the user and time of processing.

The provision concerning logging does not apply to the processing of personal data that takes place exclusively for the purpose of statistical or scientific studies. It is a precondition, however, that all identification data (social security number, name, address, etc.) is either only included in encrypted form, or replaced with a code number or similar. However, there must be an automated registration (logging) that such processing has taken place, which user started the processing, and the time of processing.
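As an added illustration of the logging requirements in section 19 (1), the storage period, and the reduced user-and-time logging for batch jobs and statistical processing in section 19 (3) and (4), the following is example code written for this guidance, not code from the Agency or any authority's system. The entry layout, the 182-day reading of six months, the purge date and all identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

SIX_MONTHS = timedelta(days=182)      # default storage period, section 19 (1)
FIVE_YEARS = timedelta(days=5 * 365)  # only for an authority with a documented special need

@dataclass(frozen=True)
class LogEntry:
    time: datetime
    user: str
    use_type: str                    # e.g. "lookup", "search", "input", "erase", "batch"
    subject: Optional[str] = None    # unique id of the person whose data was used ...
    criterion: Optional[str] = None  # ... or the search criterion used instead

class UseLog:
    def __init__(self, special_need=False):
        self.retention = FIVE_YEARS if special_need else SIX_MONTHS
        self.entries: List[LogEntry] = []

    def log_lookup(self, time, user, subject_id):
        # Lookup by social security number: the number (or another unique id) is registered.
        self.entries.append(LogEntry(time, user, "lookup", subject=subject_id))

    def log_search(self, time, user, criterion):
        # Search by e.g. date of birth: only the criterion is registered, not every hit.
        self.entries.append(LogEntry(time, user, "search", criterion=criterion))

    def log_batch(self, time, user):
        # Section 19 (3) and (4): batch jobs and pseudonymised statistics log user and time only.
        self.entries.append(LogEntry(time, user, "batch"))

    def monthly_purge(self, now):
        """Erase entries older than the storage period; returns how many were erased."""
        keep = [e for e in self.entries if now - e.time <= self.retention]
        erased = len(self.entries) - len(keep)
        self.entries = keep
        return erased

def run_sample(special_need=False):
    """Constructed sample entries (the identifiers are made up) with a purge run on 2 April 2001."""
    log = UseLog(special_need)
    log.log_lookup(datetime(2000, 10, 1, 10, 0), "alice", "010170-1234")  # older than 182 days at the purge
    log.log_search(datetime(2000, 11, 15, 14, 30), "bob", "date of birth 01-01-1970")
    log.log_batch(datetime(2001, 3, 1, 2, 0), "batch-operator")
    erased = log.monthly_purge(datetime(2001, 4, 2))
    return erased, log.entries
```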

(5) Finally, the provision in subsection (1) does not apply to personal data that is stored automatically as measurement or analysis results in medico-technical equipment. The exemption furthermore comprises personal data that is registered manually in medico-technical equipment as a supplement to data stored automatically.

The provision concerning logging does not apply to the automatic registration of measurement and analysis results in medico-technical equipment, nor to personal data that may be registered manually as a supplement to the data registered automatically.

The Danish Data Protection Agency, 2 April 2001
Hugo Wendler Pedersen
/Ib Alfred Larsen