Data protection glossary (part 2)
After more than a month in which E-Crime Expert presented the most important case law and rulings on the applicability of both Directive 95/46 (private sector) and Regulation 45/2001 (public sector) to the processing of personal data, today’s post brings more useful information: a glossary of the most common terms from Directive 95/46.
The information will be delivered over three blog posts and aims to make readers and data subjects aware of the most common terminology, so that they can better understand and protect their personal data and privacy.
You can read the first post here.
(F) Further processing
A further processing operation, as defined in the implementing decree of 13 February 2001, involves personal data initially collected for an explicit purpose and re-used at a later time for historical, statistical or scientific purposes that are incompatible with the initial purpose. In other words, these processing operations constitute a specific form of secondary data collection.
(I) Impact (Information Security)
The consequences of an incident on one or more assets constitute the impact (for instance, personal data that are no longer accurate).
In information security usually a difference is made between direct consequences (damage to the information system, such as file modifications, changes in the accessibility of confidential data or an inappropriate system shutdown) and the indirect impact (the damage the organization or third parties have incurred, such as abuse of confidential information, wrong decisions as a result of incorrect data).
There is not always an immediate relation between an incident’s direct consequences and its indirect impact on an organization or on third parties: the loss of fundamental data can have enormous consequences for the person involved whereas a system that was erased completely can already be restored with a good back-up.
Incident (Information Security)
An incident is an unexpected or unwanted event that can have serious consequences.
An information security incident is any unexpected event that might compromise an organization’s activities or information security (system malfunction or overload, human error, software or hardware malfunction). An incident in itself is neither good nor bad.
Integrity (Information Security)
Integrity covers two different aspects: information integrity, and system and process integrity.
Information integrity means that information cannot be changed or destroyed intentionally or unintentionally.
System or process integrity means that the desired function is fully achieved according to expectations: without an authorized intervention it is not possible to make intentional or unintentional changes.
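The following is an added example, not part of the original glossary post, showing one common way to enforce information integrity in practice: a keyed hash (HMAC-SHA256) is attached to a record when it is stored, and any later change to the record, intentional or not, makes the tag fail to verify. The key name, record fields and values are constructed for illustration. Note that a shared-secret MAC proves integrity but not non-repudiation, because anyone holding the key could have produced the tag; non-repudiation requires a signature key that only the originator holds.

```python
import hashlib
import hmac
import json

# Hypothetical integrity key. In a real system it lives in a key store or HSM,
# never in source code; it is inlined here only so the example runs offline.
INTEGRITY_KEY = b"example-integrity-key-do-not-reuse"


def _canonical(record: dict) -> bytes:
    """Serialise deterministically so the same content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Store a record together with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Return True only if the record is byte-for-byte what was sealed."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(expected, sealed["tag"])


def demo() -> tuple:
    """Seal a constructed customer record, then show that a silent change is caught."""
    original = {"customer_id": 1042, "name": "A. Example", "balance_eur": 250}
    sealed = seal_record(original)
    intact = verify_record(sealed)

    # Simulate an unauthorised or accidental modification of the stored data
    # while the old tag is left in place.
    tampered = {"record": dict(sealed["record"], balance_eur=2500), "tag": sealed["tag"]}
    change_detected = not verify_record(tampered)
    return intact, change_detected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Both the tag and the key must be protected: an attacker who can rewrite the record and also holds the key can simply recompute the tag, which is why the key is kept apart from the data it protects.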
Intermediary organization
An intermediary organization is defined as any natural person, legal person, un-associated organization or public authority encoding personal data, other than the controller of the processing of non-encoded data.
(L) Legitimate interest
An interest is called legitimate when the controller’s interest in processing the data overrides the registered person’s interest in not processing the data. In case of doubt, the Commission or a judge will decide whose interest has the highest priority.
(M) Management System (Information Security)
There are several models for management systems regarding information security (ISMS, Information Security Management System). The best-known model is based on a PDCA structure (Plan-Do-Check-Act) and continuously improves security. This continuous improvement is driven by changing factors, for example modifications in the organization and its related risks, changes in the information system, and technological novelties, both for operational systems and for security rules.
Manual filing system
A manual filing system is a structured set of personal data that are accessible according to certain criteria, the yellow pages on paper for example.
(N) Non-repudiation (Information Security)
Non-repudiation is the ability to prove that an operation or event has taken place, so that it cannot be repudiated later. For e-mails, for example, non-repudiation is used to guarantee that the recipient cannot deny that he received the message, and that the sender cannot deny that he sent it.
Notification
A notification is an action carried out by the controller to inform the Commission that he will be processing data. A notification is not intended to request permission or authorization, but only to notify a processing operation. The notification mainly consists of a description of the data processing operation.
(O) Opt in
In this system, you give somebody your prior consent to send you commercial messages. The opt-in system is valid for all forms of communication and allows you to give your free, specific and informed consent, as required by the Privacy Law.
The opt-in system is mainly used when somebody regularly wants to send a massive number of e-mails, for example a newsletter, electronic magazines, promotional offers. You can register by filling in your e-mail address on a specific online form. The idea behind the opt in is to know in advance exactly what you are registering for, so that there are no unpleasant surprises afterwards.
Opt out
As opposed to opt in, the opt-out system allows you to object to any data processing operation with a view to direct marketing, as required by the Privacy Law.
This involves receiving an unwanted message containing the possibility to unsubscribe in order to stop receiving messages. This system is only authorised provided that the sender obtained your (e-mail) address directly from you while purchasing a product or service from him, that this (e-mail) address is only used to offer similar products or services the sender delivers himself, and that you are given the possibility to object easily and free of charge when you give the sender your e-mail address. In addition to this system, the direct marketing sector has organized the Robinson lists.
(P) Personal data
Personal data reveal information about an identified or identifiable natural person (called the “data subject” in the Privacy Law). In other words, personal data are all data allowing for the identification of an individual.
Personal data include an individual’s name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint, …
They do not only include data having to do with individuals’ privacy, but also data having to do with an individual’s professional or public life.
Only data about a natural (physical) person are taken into account, excluding data about a legal person or an association (civil or commercial corporations or non-profit organizations).
Processing personal data
Processing personal data is defined as any operation or set of operations performed on personal data. These operations are extremely varied and relate, among others, to the collection, storage, use, modification, disclosure of the data.
A few examples:
- a hotel offering the possibility of online bookings processes data when registering the customer’s name, the dates of his stay and his credit card number.
- a municipality transmitting the names of persons requesting a building permit to a contractor who wants to send them publicity, also processes data.
The law applies as soon as the data are processed, even partially, using automatic means. Automatic means include all information technologies, computer technology, telematics, telecommunication networks (the Internet).
For example, the Privacy Law is applied to:
- a company’s computerized database containing customer or supplier data;
- the electronic list of transactions on a bank account;
- the computerized file of a company’s members of staff or of the children enrolled in a school;
- etc.
The Privacy Law also applies, however, as soon as one processing operation is carried out using automatic means. For example:
- a temporary employment agency keeping applicants’ hand-written curricula vitae but sending them to employers by fax, has to observe the rules in the Privacy Law for all operations it performs on the curricula vitae (such as storing, filing or sending them).
If data are not processed using automatic means (for example on paper or on microfiche) the Law still has to be observed if the data are included or will be included in a manual filing system that can be accessed according to specific criteria (for example people’s names in alphabetical order).
Processor
This is any natural person, legal person, un-associated organization or public authority processing data on behalf of the controller, not including individuals who are under the direct authority of the controller and who have been authorized to process the data.
Public register
The public register is a list of notifications of personal data processing operations notified to the Commission. Anyone can consult this list, for example via the Internet.
Purposes: historical, statistical or scientific
- historical research involves the processing of personal data with a view to the analysis of an earlier event or in order to make that analysis possible. This is possibly but not necessarily also a processing operation with a scientific purpose (in other words, a genealogist can appeal to this provision);
- statistical purposes are achieved through any action with a view to collecting and processing personal data when this is necessary for statistical surveys or to produce a statistical result;
- scientific research involves establishing patterns, rules of conduct and causal relations that go beyond the individuals they relate to.
Any questions can be submitted to: dan@e-crimeexpert.com
Additional information can be found at: www.e-crimeexppert.com
Are you used to this terminology? Do you find it useful?
Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.
Data protection glossary (part 1)
(A) Accountability (Information Security)
Accountability is the property that ensures that the actions of an entity may be traced uniquely to the entity.
Accountability guarantees that all operations carried out by persons, systems or processes can be identified (identification) and that the trace to the author and the operation is kept (traceability).
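As an added illustration (not from the original post), the two halves of accountability, identification and traceability, can be implemented with a hash-chained audit trail: every entry names the authenticated actor, and each entry’s hash covers the previous entry’s hash, so an operation cannot later be re-attributed or silently removed without breaking the chain. The actor names, targets and timestamps below are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditTrail:
    """Append-only, hash-chained log.

    identification: each entry records which authenticated entity acted;
    traceability:   each entry is bound to its predecessor by hash, so the
                    sequence of actions can be reconstructed and checked.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry_without_hash: dict) -> str:
        canonical = json.dumps(entry_without_hash, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()

    def record(self, actor: str, operation: str, target: str, when: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "operation": operation,
                 "target": target, "time": when, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute every hash and link; False if any entry was altered or reordered."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev:
                return False
            if self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def actors_for(self, operation: str, target: str) -> list:
        """Trace an operation on a target back to the entities that performed it."""
        return [e["actor"] for e in self.entries
                if e["operation"] == operation and e["target"] == target]


def build_sample_trail() -> AuditTrail:
    # Constructed sample events with fixed timestamps so the run is deterministic.
    trail = AuditTrail()
    trail.record("alice", "read", "customer/1042", "2012-03-01T09:00:00Z")
    trail.record("bob", "update", "customer/1042", "2012-03-01T09:05:00Z")
    trail.record("alice", "export", "customer/1042", "2012-03-01T09:10:00Z")
    return trail


def tampering_is_detected() -> bool:
    """Rewriting who performed the update breaks the chain and is caught."""
    trail = build_sample_trail()
    assert trail.verify()
    trail.entries[1]["actor"] = "mallory"
    return not trail.verify()


if __name__ == "__main__":
    t = build_sample_trail()
    print(t.verify(), t.actors_for("update", "customer/1042"), tampering_is_detected())
```

The chain only guarantees that tampering is detectable, not that it is prevented: the log store should be write-once, and the latest hash should be periodically copied to a place the logging system itself cannot modify, so that a truncation of the tail is also noticed.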
Anonymous data
Anonymous data cannot be related to an identified or identifiable person and are consequently not personal data.
Article 29 Working Party
The Article 29 Data Protection Working Party is an independent European advisory body. The Working Party’s mission is to ensure the uniform application of Directive 95/46/EC, providing opinions and making recommendations or drafting working documents that are all available on the Internet. The Article 29 Working Party’s members are representatives of the different national data protection authorities, the European Data Protection Supervisor and representatives of the European Commission.
Assets (Information Security)
An organization’s assets (patrimony, property or possessions) are everything that is of value to it or, in other words, everything that makes the organization more valuable or everything that would diminish the organization’s value or efficiency in case of loss.
In the context of personal data protection, personal data and all necessary resources to process them correctly are considered as assets:
• material possessions housing the data (buildings, machines, IT supplies, etc.);
• the software necessary for the data processing (applications and programmes, operating systems, etc.);
• the information used in the data processing operations, which can be stored in various forms: in the database, on a paper carrier, etc.;
• infrastructure (the basic services necessary for the organization to achieve its objective; electrical energy, lighting, communication, transport, lifts, etc.);
• staff (the organization’s employees, temporary staff, etc.);
• intangibles (reputation, brand image, ethical values, etc.);
• the financial resources necessary for the organization to function properly.
Authenticity (Information Security)
Authenticity is the property that ensures that the identity of a subject or resource is the one claimed.
Authenticity applies to persons (users), but also to any other entity (applications, processes, systems, etc.). It is an identification, i.e. the recognition of a name indicating an entity without the slightest doubt.
(B) Binding Corporate Rules (BCRs)
BCRs are rules elaborated by multinationals for the international transfer of personal data within their corporate group. All entities and employees of the enterprise have to observe these rules. Binding Corporate Rules are considered as adequate safeguards for personal data protection after approval by the national data protection authorities. At European level the Article 29 Working Party has established a joint procedure for the different national authorities. At Belgian level the Federal Public Service of Justice has agreed on a protocol (only available in French and Dutch) with the Belgian DPA regarding the implementation of the national authorisation procedure.
(C) Confidentiality (Information Security)
Confidentiality is an information characteristic implying that information is not made available or disclosed to unauthorized persons, entities or processes.
The possibility to make only portions of information accessible has to be guaranteed as long as the information exists, i.e. during its collection, processing and disclosure.
In practice only persons exercising a function or professional activity justifying access to personal data will be authorized.
Controller
It is very important to know who has been designated as “controller” under the Privacy Law, as this is the person who has to comply with nearly all the duties imposed by this Law. In case of problems, this person is responsible.
The controller is also the most important contact for you as a data subject, but also for the authorities that are to check him.
The controller determines the purposes and the resources for the data processing. The controller can be a natural (physical) person or a legal person, an un-associated organization or a public authority.
If a law, decree or ordinance prescribes the purpose and the resources for a particular data processing operation, this law, decree or ordinance will also specifically designate a controller.
(D) Daily Security Management (Information Security)
Daily security management consists of activities such as the administration of security rules, management of authorizations and the analysis of discovered incidents.
Data (anonymous)
Anonymous data cannot be related to an identified or identifiable person and are consequently not personal data.
Data (sensitive)
Certain personal data are more sensitive than others. An individual’s name and address are rather innocent data, but this does not hold true for his political opinions, sexual preferences or judicial past. The Privacy Law regulates registration and use of those sensitive data more strictly in comparison with other personal data.
Sensitive data relate to race, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, suspicions, persecutions and criminal or administrative convictions. In principle, processing such data is prohibited.
Data subject
We are all data subjects. For example, you disclose personal data as soon as you:
- fill in a form;
- place an order;
- book concert tickets;
- buy a train ticket;
- use a credit card;
- register for a course or in a sports club;
- are admitted to hospital;
- borrow a book from a public library or a DVD from a video rental shop.
The law does not make a distinction between Belgians and non-Belgians.
Disclaimer
A disclaimer is a general statement, describing the rights and obligations of all parties concerned, for example included in a privacy statement on a web site or in a contract.
(E) Encoded data
These are personal data that can only be related to an identified or identifiable person by means of a code.
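An added example (not from the original post) tying together this entry and the “Intermediary organization” entry: an intermediary replaces each direct identifier with a code derived from a secret only it holds, keeps the code table, and hands the controller records that can still be linked per person but not related to a named individual. The controller’s aggregate counts at the end are an instance of anonymous data. The secret, identifiers and record contents are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter


class Intermediary:
    """Encodes identifiers on behalf of the data source and keeps the code table.

    Neither the secret nor the table is ever given to the controller that
    receives the encoded data; only this organization can decode.
    """

    def __init__(self, secret: bytes):
        self._secret = secret
        self._codebook = {}  # code -> original identifier

    def encode(self, identifier: str) -> str:
        # Keyed hash: the same person always gets the same code, so records stay
        # linkable, but without the secret the code cannot be recomputed or reversed.
        code = hmac.new(self._secret, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._codebook[code] = identifier
        return code

    def decode(self, code: str):
        """Re-identification is possible only here, where the code table lives."""
        return self._codebook.get(code)

    def encode_records(self, records: list) -> list:
        # Drop the direct identifier and keep only the code plus the research fields.
        return [{"code": self.encode(r["national_id"]),
                 "year": r["year"], "diagnosis": r["diagnosis"]} for r in records]


def controller_analysis(encoded_records: list) -> dict:
    """What a research controller can do with encoded data: link one person's
    records across years and count diagnoses, without learning who anyone is."""
    visits_per_code = Counter(r["code"] for r in encoded_records)
    per_diagnosis = Counter(r["diagnosis"] for r in encoded_records)
    # per_diagnosis contains no code at all: aggregate figures that can no longer
    # be related to an identified or identifiable person (anonymous data).
    return {"visits_per_code": dict(visits_per_code), "per_diagnosis": dict(per_diagnosis)}


# Constructed sample input; the identifiers are placeholders, not real numbers.
SAMPLE_RECORDS = [
    {"national_id": "ID-0001", "year": 2010, "diagnosis": "asthma"},
    {"national_id": "ID-0001", "year": 2011, "diagnosis": "asthma"},
    {"national_id": "ID-0002", "year": 2011, "diagnosis": "diabetes"},
]


def demo() -> tuple:
    intermediary = Intermediary(b"example-secret-held-by-intermediary-only")
    encoded = intermediary.encode_records(SAMPLE_RECORDS)
    stats = controller_analysis(encoded)
    return encoded, stats


if __name__ == "__main__":
    encoded, stats = demo()
    for row in encoded:
        print(row)
    print(stats)
```

Two caveats follow from the definition. First, the encoded records are still personal data in the intermediary’s hands, and in the controller’s hands as long as anyone could obtain the code table, so the usual obligations continue to apply to them. Second, a code derived from a short or guessable identifier with a weak or leaked key can be brute-forced, which is why the derivation is keyed rather than a plain hash of the identifier.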
European Economic Area
This is an association agreement between the Member States of the European Union and the three Member States of the European Free Trade Association (EFTA): Iceland, Norway and Liechtenstein.
Exemption from notification
Not all data processing operations have to be notified. Besides manual processing operations (for example on paper or on microfiche), a series of automatic processing operations are exempt from the duty of notification, which are listed in the implementing decree of 13 February 2001 and relate to some of the most frequent processing operations (for example personnel management, accounting, customer management, payroll management, …). This exemption from notification does not mean, however, that the other obligations in the Law do not have to be observed.