Information security

Section 2-1. Proportionality requirements relating to the protection of personal data

The provisions of this chapter shall apply to such processing of personal data as is carried out entirely or partly by automatic means where it is necessary, in order to prevent the danger of loss of life and health, financial loss or loss of esteem and personal integrity, to protect the confidentiality, availability and integrity of the data.

Where such a danger exists, the planned and systematic measures taken pursuant to these Regulations shall be proportional to the probability and consequence of breaches of security.

Section 2-2. Orders from the Data Protection Authority

The Data Protection Authority may issue orders regarding the protection of personal data, including the establishment of criteria for acceptable risk associated with the processing of personal data.

Section 2-3. Security management

The general manager of the enterprise run by the data controller is responsible for ensuring compliance with the provisions of this chapter.

The purpose of the processing of personal data and general guidelines for the use of information technology shall be described in security objectives.

Choices and priorities in security activities shall be described in a security strategy.

Use of the information system shall be reviewed regularly in order to ascertain whether it is appropriate in relation to the needs of the enterprise, and whether the security strategy provides adequate information security.

The result of the review shall be documented and used as a basis for any changes in security objectives and strategy.

Section 2-4. Risk assessment

An overview shall be maintained of the kinds of personal data that are processed. The enterprise shall itself establish criteria for acceptable risk associated with the processing of personal data.

The data controller shall carry out a risk assessment in order to determine the probability and consequences of breaches of security. A new risk assessment shall be carried out in the event of changes of significance for information security.

The result of the risk assessment shall be compared with the established criteria for acceptable risk associated with the processing of personal data, cf. first paragraph and section 2-2.

The result of the risk assessment shall be documented.

Section 2-5. Security audits

Security audits of the use of the information system shall be carried out regularly.

A security audit shall comprise an assessment of organization, security measures and use of communication partners and suppliers.

If the security audit reveals any unforeseen use of the information system, this shall be treated as a discrepancy, cf. section 2-6.

The result of the security audit shall be documented.

Section 2-6. Discrepancies

Any use of the information system that is contrary to established routines, and security breaches, shall be treated as a discrepancy.

The purpose of discrepancy processing shall be to re-establish the normal state of affairs, eliminate the cause of the discrepancy and prevent its recurrence.

If the discrepancy has resulted in the unauthorised disclosure of personal data where confidentiality is necessary, the Data Protection Authority shall be notified.

The result of discrepancy processing shall be documented.

Section 2-7. Organization

The distribution of responsibility for and authority governing the use of the information system shall be clearly established.

The distribution of responsibility and authority shall be documented and shall not be changed without the authorization of the data controller's general manager.

The information system shall be configured in such a way as to achieve adequate information security.

The configuration shall be documented and shall not be changed without the authorization of the data controller's general manager.

Use of the information system that has significance for information security shall be carried out in accordance with established routines.

Section 2-8. Personnel

Members of the staff of the data controller shall only use the information system to carry out assigned tasks, and shall be personally authorized to make such use.

The staff members shall have the knowledge necessary to use the information system in accordance with the routines that have been established.

Authorized use of the information system shall be registered.

Section 2-9. Duty of confidentiality

Members of the staff of the data controller shall be subject to a duty of confidentiality as regards personal data where confidentiality is necessary. The duty of confidentiality shall also apply to other data of significance for information security.

Section 2-10. Physical security

Measures shall be taken to prevent unauthorized access to equipment that is used to process personal data pursuant to these Regulations.

The security measures shall also prevent unauthorized access to other equipment of significance for information security.

Equipment shall be installed in such a way that influence from the environment in which it is operated does not significantly affect the processing of personal data.

Section 2-11. Protection of confidentiality

Measures shall be taken to prevent unauthorized access to personal data where confidentiality is necessary.

The security measures shall also prevent unauthorized access to other data of significance for information security.

Personal data that are transferred electronically by means of a transfer medium that is beyond the physical control of the data controller shall be encrypted or protected in another way when confidentiality is necessary.

As regards storage media that contain personal data where confidentiality is necessary, the need to protect confidentiality shall be shown by means of marking or in another way.

If the storage medium is no longer used for the processing of such data, the data shall be erased from the medium.

Section 2-12. Securing of accessibility

Measures shall be taken to secure access to personal data where accessibility is necessary.

The security measures shall also secure access to other data of significance for information security.

Preparations shall be made for alternative processing in the event of the information system being unavailable for normal use.

Personal data and other data that are necessary to restore normal use shall be copied.

Section 2-13. Protection of integrity

Measures shall be taken to prevent unauthorized changes in personal data where integrity is necessary. The security measures shall also prevent unauthorized changes in other data of significance for information security.

Measures shall be taken to prevent malicious software.

Section 2-14. Security measures

Security measures shall prevent unauthorized use of the information system and make it possible to detect attempts to make such use.

Attempts to make unauthorized use of the information system shall be registered.

Security measures shall include measures that cannot be influenced or circumvented by members of the staff, and shall not be limited to actions that any individual member is supposed to carry out.

Security measures shall be documented.

Section 2-15. Security in other enterprises

The data controller shall only transfer personal data by automatic means to a person who satisfies the requirements of these Regulations.

The data controller may transfer personal data to any person if the transfer is carried out in accordance with the provisions of sections 29 and 30 of the Personal Data Act, or when it has been laid down by statute that requests may be made to obtain the data from a public register.

Data suppliers who carry out security measures, or make other use of the information system on behalf of the data controller, shall satisfy the requirements of this chapter.

The data controller shall clearly establish the distribution of responsibility and authority in respect of communication partners and suppliers. The distribution of responsibility and authority shall be described in a special agreement.

The data controller shall have knowledge of the security strategy of communication partners and suppliers, and regularly make sure that the strategy provides adequate information security.

Section 2-16. Documentation

Routines for using the information system and other data of significance for information security shall be documented.

The documentation shall be stored for at least five years from the time the document was replaced by a new, current version.

Records of authorized use of the information system and of attempts at unauthorized use shall be stored for at least three months. The same shall apply to records of all other events of significance for information security.