
Data protection glossary (part 1)

After more than a month in which E-Crime Expert presented the most important case law and rulings on the applicability of both Directive 95/46 (private sector) and Regulation 45/2001 (public sector) to the processing of personal data, today’s post brings more useful information: a glossary of the most common terms from Directive 95/46.

The information will be delivered over three blog posts and aims to make readers and data subjects aware of the most common terminology, so that they can better understand and protect their personal data and privacy.

(A) Accountability (Information Security)

Accountability is the property that ensures that the actions of an entity may be traced uniquely to the entity.
Accountability guarantees that all operations carried out by persons, systems or processes can be identified (identification) and that the trace to the author and the operation is kept (traceability).

Anonymous data

Anonymous data cannot be related to an identified or identifiable person and are consequently not personal data.

Article 29 Working Party

The Article 29 Data Protection Working Party is an independent European advisory body. The Working Party’s mission is to ensure the uniform application of Directive 95/46/EC, providing opinions and making recommendations or drafting working documents that are all available on the Internet. The Article 29 Working Party’s members are representatives of the different national data protection authorities, the European Data Protection Supervisor and representatives of the European Commission.

Assets (Information Security)

An organization’s assets (patrimony, property or possessions) are everything that is of value to it or, in other words, everything that makes the organization more valuable or everything that would diminish the organization’s value or efficiency in case of loss.

In the context of personal data protection, personal data and all necessary resources to process them correctly are considered as assets:
• material possessions housing the data (buildings, machines, IT supplies, etc.);
• the software necessary for the data processing (applications and programmes, operating systems, etc.);
• the information used in the data processing operations, which can be stored in various forms: in the database, on a paper carrier, etc.;
• infrastructure (the basic services necessary for the organization to achieve its objective; electrical energy, lighting, communication, transport, lifts, etc.);
• staff (the organization’s employees, temporary staff, etc.);
• intangibles (reputation, brand image, ethical values, etc.);
• the financial resources necessary for the organization to function properly.

Authenticity (Information Security)

Authenticity is the property that ensures that the identity of a subject or resource is the one claimed.
Authenticity applies to persons (users), but also to any other entity (applications, processes, systems, etc.). It is an identification, i.e. the recognition of a name designating an entity without the slightest doubt.

(B) Binding Corporate Rules (BCRs)

BCRs are rules drawn up by multinationals for the international transfer of personal data within their corporate group. All entities and employees of the enterprise have to observe these rules. Binding Corporate Rules are considered as adequate safeguards for personal data protection once they have been approved by the national data protection authorities. At European level the Article 29 Working Party has established a joint procedure for the different national authorities. At Belgian level the Federal Public Service of Justice has agreed on a protocol (only available in French and Dutch) with the Belgian DPA regarding the implementation of the national authorisation procedure.

(C) Confidentiality (Information Security)

Confidentiality is an information characteristic implying that information is not made available or disclosed to unauthorized persons, entities or processes.

It must be possible to make only selected portions of the information accessible, and this has to be guaranteed for as long as the information exists, i.e. during its collection, processing and disclosure.

In practice only persons exercising a function or professional activity justifying access to personal data will be authorized.

Controller

It is very important to know who has been designated as “controller” under the Privacy Law, as this is the person who has to comply with nearly all the duties imposed by this Law. In case of problems, this person is responsible.

The controller is also the most important contact for you as a data subject, and for the authorities that supervise him.

He also determines the purposes and the means of the data processing. The controller can be a natural (physical) person or a legal person, an unincorporated (de facto) association or a public authority.

If a law, decree or ordinance prescribes the purpose and the resources for a particular data processing operation, this law, decree or ordinance will also specifically designate a controller.

(D) Daily Security Management (Information Security)

Daily security management consists of activities such as the administration of security rules, management of authorizations and the analysis of discovered incidents.

Data (sensitive)

Certain personal data are more sensitive than others. An individual’s name and address are rather innocent data, but this does not hold true for his political opinions, sexual preferences or judicial past. The Privacy Law regulates registration and use of those sensitive data more strictly in comparison with other personal data.

Sensitive data relate to race, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, suspicions, prosecutions and criminal or administrative convictions. In principle, processing such data is prohibited.

Data subject

We are all data subjects. For example, you disclose personal data as soon as you:

  • fill in a form;
  • place an order;
  • book concert tickets;
  • buy a train ticket;
  • use a credit card;
  • register for a course or in a sports club;
  • are admitted to hospital;
  • borrow a book from a public library or a DVD from a video rental shop.

The law does not make a distinction between Belgians and non-Belgians.

Disclaimer

A disclaimer is a general statement, describing the rights and obligations of all parties concerned, for example included in a privacy statement on a web site or in a contract.

(E) Encoded data

These are personal data that can only be related to an identified or identifiable person by means of a code.

European Economic Area

This is an association agreement between the Member States of the European Union and the three Member States of the European Free Trade Association (EFTA): Iceland, Norway and Liechtenstein.

Exemption from notification

Not all data processing operations have to be notified. Besides manual processing operations (for example on paper or on microfiche), a series of automatic processing operations are exempt from the duty of notification, which are listed in the implementing decree of 13 February 2001 and relate to some of the most frequent processing operations (for example personnel management, accounting, customer management, payroll management, …). This exemption from notification does not mean, however, that the other obligations in the Law do not have to be observed.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Are you used to this terminology? Do you find it useful?

Hit the “subscribe” button in order to be notified when new videos and articles are posted on this blog.
