Compendium of Belgian IT Laws
An overview of legislation on privacy, monitoring and outsourcing
Johan Vandendriessche
24 May 2005
Overview
Privacy (data protection): the law of 8 December 1992 on privacy protection in relation to the processing of personal data
Monitoring (data protection): CWA (CAO/CCT) nr. 81
Outsourcing: outsourcing by financial and/or insurance companies
Data Protection
• Security obligation in relation to data processing
• Management of processing (organising thereof)
• Audit
• Quality of legislation on this topic is poor
Data Protection
General security obligation: appropriate measures
• technical
• organisational
Aim: the protection of personal data against accidental or unauthorised destruction, accidental loss, as well as against alteration of, access to and any other unauthorised processing of personal data
Purpose: to prevent unlawful processing
Data Protection
Appropriate? A balance must be struck between:
• the state of the art and the cost of implementing the measures on the one hand
• the nature of the data to be protected and the potential risks on the other hand
Evolving assessment: what counts as appropriate changes over time
Data Protection
Specific security obligations
• Ensure data quality
• Limitation of access
  • to the persons that need access
  • only to those personal data that they need
• Notification of legal provisions
• Ascertain that the software is in accordance with the notification under article 17
Data Protection
Data processing obligations
• the choice of a processor providing sufficient guarantees in respect of the technical and organisational security measures
• supervision of compliance therewith (in particular by laying them down in contractual stipulations)
• liability regime
• detailed instructions and competences of the data processor
• the conclusion in writing or on electronic carrier of these elements (data processing agreement)
Data Protection
Importance of the data processing agreement:
• Audit
• Auditor may be a data processor
Monitoring
CWA n° 81 on the monitoring of online communication of employees
Monitoring techniques are highly efficient
Legal?
Monitoring
Online communications data?
Content?
Monitoring
Purposes
1. The prevention of unlawful acts, libel and acts contrary to decency
2. The protection of the economic, commercial and financial confidential interests of the company
3. The maintenance of the technical performance of the computer system
4. The control of the respect of the terms of use of the computer system
Monitoring
Proportionality
• The infringement of the privacy of the employee must be restricted to a minimum (if unavoidable)
• Prohibition of systematic individualisation
Monitoring
Transparency: collective
• To whom? (cascade)
  • Works council
  • Committee for prevention and protection
  • Union delegation
  • The employee
• How?
• Which information?
  • The supervision policy
  • The purposes of the monitoring
  • Conservation? Place and duration?
  • The permanent nature of the supervision
Monitoring
Transparency: individual (i.e. the employee)
• Which information?
  • All the information provided collectively
  • The conditions of use of the tools that are at the disposal of the employee and their functional limitation
  • The rights, obligations and tasks of the employee, and possible limitations to the use of communications on the network of the company
  • Sanctions, if any, provided in the “employee policy” (règlement du travail / werkreglement)
• How?
  • General instructions
  • Employee policy
  • Contractually
  • User policy, each time the tool is used
Monitoring
Individualisation?
• Direct: purposes 1 to 3
• Indirect: purpose 4
Monitoring
Indirect individualisation: procedure
• General information obligation to all employees (first irregularity)
• Identification (second irregularity)
• The concerned employee must be heard before sanctions are taken
• Employee policy
Outsourcing
Outsourcing in the financial sector
• Circular of 10 March 2005 on sound management practices concerning the continuity of financial institutions
• Circular of 22 June 2004 on sound management practices concerning outsourcing by financial institutions
Outsourcing
Continuity? Outsourcing of internal processes:
• Customer services
• Accountancy
• IT
• Internal audits
• Data management
General service providers are not concerned
Outsourcing
Principles (10)
Determination of the outsourcing policy
• Responsibility is retained vis-à-vis the shareholders, the customers and the supervisory entities
• An audit right is mandatory
Outsourcing decision
• Documentary evidence
• The description of the outsourced activities
• The expected results of the outsourcing operation
• Evaluation of the risks involved
Outsourcing
Principles: the choice of the service provider and the maintenance of continuity
• Reputation, financial state, capacities (technical / operational / insurance)
• Termination issues
• Written agreement
Outsourcing
• Security
• Subcontracting
• Internal audit and compliance
• Revisory and prudential supervision
• Applicability of Belgian law
Outsourcing
Transborder outsourcing?
Activities with licence
• EEA?
• Outside EEA?
Information to CBFI
Future developments
Privacy and monitoring
Implementation of Directive 2002/58/EC
• Security obligations
• Privacy issues related to electronic communications (localisation, cookies and spyware, …)
Future developments
• Security obligation for electronic communications service providers
• Security obligation for the providers of public communications networks
• Security obligation for providers of software for electronic communications
Future developments
Location data processing by mobile communications service providers
• Anonymous
• Part of a service related to location data
Thank you for your attention!
Johan Vandendriessche
Associate
Lontings & Partners
Tel: +32 2 708 40 00
Fax: +32 2 708 40 99
E-mail: [email protected]
www.lontingsandpartners.be