How to write an Information Security Policy
An Information Security Policy is the cornerstone of an Information Security Program. It should reflect the organization’s objectives for security and the agreed-upon management strategy for securing information.
In order to be useful in providing authority to execute the remainder of the Information Security Program, it must also be formally agreed upon by executive management. This means that, in order to compose an information security policy document, an organization has to have well-defined objectives for security and an agreed-upon management strategy for securing information. If there is debate over the content of the policy, then the debate will continue throughout subsequent attempts to enforce it, with the consequence that the Information Security Program itself will be dysfunctional.
Practical steps to address EU general data protection
A guide to general data protection and regulation
Compare data protection laws across the world
Thomson Reuters Practical Law
The Long-Arm of Data Protection and Data Production Laws
Data Protection Global Guide
Global Data Protection Q&A
Privacy and online proctoring
‘An important consideration when processing personal data is proportionality: does the end justify the means? Online proctoring has a major impact on privacy. Camera images fall into a separate category under the EU’s Data Protection Directive: namely, that of sensitive personal data. For instance, camera images can be used to track medical data (e.g. ‘wears glasses’), race and ethnicity. Consideration must be given to proportionality on a case by case basis, but large-scale use of online proctoring for all exams and for all students is almost certainly not proportional.
Furthermore, permission from students is the most obvious basis on which data may be processed. This permission must be given freely; a student must therefore be able to refuse permission without suffering any negative consequences. If students are dependent on their education institution, then we cannot say that their permission has been given freely. Institutions need to be very careful about this and may not in any way attach consequences to a refusal of permission. Online proctoring cannot therefore be made compulsory, and the institution must always offer the student a free alternative as well. Institutions must also ensure that their request for permission is as clear as possible, and that it indicates what data will be processed, for what purpose that data will be processed, who will be able to access the data, how long the data will be stored for, and what will subsequently be done with the data. This must be formulated clearly and be stated in the place where the student gives their permission. It may not be hidden, and may not be contained in a privacy statement.
Finally, institutions must also take account of strict requirements for the storage and processing of personal data. It is also important to note that there are even stricter requirements placed on the storage and processing of camera images.’
European Data Protection Directive
The objective of this new set of EU rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.
However, as development of the internet progresses at unprecedented scale, the data protection legislation is necessarily vague. For this reason, best practice entails a more conservative approach towards using any data that could fall under data protection legislation (1).