The CNIL has translated into English its guide designed to help data controllers meet their obligations regarding the security of personal data.
The increasing use of information technology in the management of organisations has led to a rise in the amount of personal data they collect, use and maintain.
At the same time, the French Data Protection Act requires data controllers to guarantee the security of personal data. The threats to information systems and networks are numerous: computer fraud, diversion of data from its declared purpose, fraudulent data collection, data loss, vandalism, and common physical disasters such as fires or floods.
Security has to be designed into every process that handles such data, from creation and use through backup and archiving to destruction, and must cover confidentiality, integrity, authenticity and availability.
Establishing a security policy requires, first of all, a risk assessment. Risks are plentiful: disclosure of confidential information, forgery, identity theft, accidental loss of personal data, and so on.
This guide, which consists of a set of 17 factsheets, is intended for computer-literate readers – system administrators, developers, heads of information system security, or users – who want to evaluate the security level that any processing of personal data must meet.
To encourage data controllers to assess the security of personal data in their organisation, the guide includes a questionnaire that helps them review the security measures already in place and identify which measures should be taken to improve the protection of personal data.