Ensuring confidentiality, integrity, availability
and resilience
CONFIDENTIALITY, INTEGRITY, ACCESSIBILITY AND RESILIENCE OF PERSONAL DATA PROCESSING SYSTEMS AND SERVICES ARE ENSURED
The ability to continuously ensure the confidentiality, integrity, availability and resilience of personal data processing systems and services is achieved through:
- encrypted SSL data transmission channels
- user authentication, with the option to enable two-step login
- an automatic logout procedure, in case of power loss
- managing authorizations for access to data in the relationship between the website expert and the user: pseudonymization of data should be used, so that the website expert knows only the user's name and ID number (authorization should be granted only to website employees who need it for service tasks; it takes the form of a list of IDs assigned to specific users' personal data)
- implementation of high-class security measures for the technical infrastructure
- a procedure related to service safety. The service should be monitored on an ongoing basis (alert system), checked and tested (depending on the scope, once a quarter or once a year), and updated and adapted to current legal requirements.
Ensuring security of personal data protection – pseudonymization or anonymization and encryption of personal data
Anonymization refers to an irreversible process aimed at preventing any further use of personal data. In accounting systems, where data is used for specific accounting purposes, i.e. legally required activities, anonymization does not apply, because of the legal requirement to archive records until tax obligations and/or contractual claims become time-barred.
Pseudonymization is the replacement of a set of personal data with, e.g., numbers or nicknames, so that it is not possible to easily work out whose data is being provided. This method has been used for a long time, e.g. at universities: a student Jan Kowalski appears on the results lists under a transcript-of-records number rather than under his name and surname, so only persons who know the students' transcript-of-records numbers are able to assign a specific result to a given natural person. Pseudonymization is often used for the purpose of producing statistics. In practice, it mainly concerns sharing data externally for specific purposes and situations, and it does not apply to an accounting system.
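As an added illustration (not part of the original document), the following Python sketch shows the distinction described above: pseudonymization replaces the identifying fields with a random ID and keeps the only link back to the person in a separate lookup table, which must be stored and authorized separately, while anonymization drops the identifying fields irreversibly with no lookup table at all. The sample records and field names are constructed for the example.

```python
import secrets
from typing import Dict, List, Tuple

# Constructed sample records for a results list (no real persons).
RECORDS: List[Dict] = [
    {"name": "Jan", "surname": "Kowalski", "email": "jan@example.org", "result": 4.5},
    {"name": "Anna", "surname": "Nowak", "email": "anna@example.org", "result": 3.0},
]
# Fields that identify a natural person; everything else is treated as payload.
IDENTIFYING_FIELDS = ("name", "surname", "email")


def pseudonymize(records: List[Dict], id_len: int = 8) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Replace identifying fields with an unguessable random ID.

    Returns (pseudonymized records, lookup table). The lookup table is the only
    way back to the person, so it is kept apart from the pseudonymized data and
    handed only to the employees whose service tasks require it.
    """
    lookup: Dict[str, Dict] = {}
    out: List[Dict] = []
    for rec in records:
        pid = secrets.token_hex(id_len)  # random, not derived from the data
        lookup[pid] = {k: rec[k] for k in IDENTIFYING_FIELDS}
        payload = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        out.append({"id": pid, **payload})
    return out, lookup


def reidentify(pseudo_rec: Dict, lookup: Dict[str, Dict]) -> Dict:
    """Re-link a pseudonymized record to its person. Impossible without the lookup table."""
    payload = {k: v for k, v in pseudo_rec.items() if k != "id"}
    return {**lookup[pseudo_rec["id"]], **payload}


def anonymize(records: List[Dict]) -> List[Dict]:
    """Irreversible: identifying fields are discarded and no lookup table is produced."""
    return [{k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS} for rec in records]
```

Whoever holds only the pseudonymized results list sees IDs and grades; re-identification requires the separately stored lookup table, which is exactly the authorization boundary the text describes.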
Encryption of personal data is a security measure used above all in data transmission. Transmission is secured by encrypting all data going out of and coming into the application. The encryption protocol applied should provide a high level of security.
Creation and storage of backup copies
Copies of personal data should be stored in encrypted form, not on the main server but in another location, in places protected against unauthorized interception, modification, damage or destruction. The copies should be deleted immediately once they are no longer useful; deletion of backups should take place automatically after the retention period set by an administrator has elapsed.
The ability to quickly restore availability of and access to personal data in the event of a physical or technical incident depends mainly on the creation of backups. When creating backups, special attention should be paid to where they are stored: they should be kept in a location other than the main server. Procedures and activities for verifying that backups are created correctly are also of vital importance.
Additionally, data replication is a high security standard: it is the process of duplicating information among different database servers in near real time (i.e. with minimal delay). In the event of a failure, data replication allows faster switchover and keeps operations and data access running.
Regular testing, measurement and evaluation of the effectiveness of technical and organizational measures are aimed at ensuring the security of personal data processing. Both the hardware and software service and the technical infrastructure should be continually tested and re-created. Regular risk assessment allows the applied technical and organizational measures to be evaluated, and thus ensures better security and protection of personal data.