Protecting Data

In any situation where personal data are collected, such as a list of attendees to a site visit or a register of students participating in a project, appropriate measures must be taken to guarantee the security of those data – in particular, their confidentiality, integrity and availability.

Measures are dictated by various national and international laws, so the exact situation should be checked in each particular case. However, the following guidelines generally apply across the board:

Access to personal data must be limited to authorised persons only. Data should be accessed on a ‘need-to-know’ basis, meaning that only those who need the data for their work are able to access them.

Physical storage must be secure. Physical media used to store personal data (such as paper or CD-ROMs) must be kept in locked, closed places.

When data are stored on a computer, access must be restricted by ensuring a secure login procedure and an appropriate level of protection at the file level. User passwords should not be shared.

Data should not be stored on a memory stick or other easily lost or accessed media.

Computers must be regularly updated with the latest versions of patches and must be equipped with anti-malware and firewall software.

Regular back-ups of the information must be taken and stored in a separate place, so that if an incident affects the primary storage computer, there is still a copy of the data available.

Decide how long data are kept and what happens to them once that retention period expires.

Destroy data carefully. When recycling old computers or other media on which data have been stored (memory sticks, mobile devices and the Cloud, for instance), the data should be securely removed first. Paper documents and other types of physical media used to store personal data should be disposed of carefully.

Designate someone as responsible for the security of data. Any staff who deal with personal data should be trained, so that everyone is made aware of the security measures and how to comply with them.

Keep a registry of personal data being collected, together with the purpose, date of collection, kind of processing and the name of the contact person. A journal should be used to log every access to personal data.

Measures should be regularly evaluated and adjusted, based on a risk-management approach.

Keep control of subcontractors. If the processing of personal data is subcontracted, the responsible organisation (‘data controller’) should make sure that the subcontractor applies appropriate measures to the protection of data; this should be described in a contract.