- Accountability (Information Security)
Accountability is the property that ensures that the actions of an entity can be traced unambiguously to that entity alone.
Accountability guarantees that all operations carried out by individuals, systems or processes can be identified (identification) and that the trace to the author and the operation is kept (traceability).
- Anonymous data
Anonymous data cannot be related to an identified or identifiable person and are consequently not personal data.
- Article 29 Working Party
The Article 29 Data Protection Working Party is an independent European advisory body. The Working Party's mission is to ensure the uniform application of Directive 95/46/EC, providing opinions and making recommendations or drafting working documents that are all available on the Internet. The Article 29 Working Party's members are representatives of the different national data protection authorities, the European Data Protection Supervisor and representatives of the European Commission.
- Assets (Information Security)
An organisation's assets (patrimony, property or possessions) are everything that is valuable to it or, in other words, everything that makes the organisation more valuable or everything that would diminish the organisation's value or efficiency in case of loss.
In the context of personal data protection, personal data and all necessary resources to process them correctly are considered as assets:
- material possessions housing the data (buildings, machines, IT supplies, etc.);
- the software necessary for data processing (applications and programmes, operating systems, etc.);
- the information used in data processing operations, which can be stored in various forms: in the database, on a paper carrier, etc.;
- infrastructure (the basic services necessary for the organisation to achieve its objective; electrical energy, lighting, communication, transport, lifts, etc.);
- staff (the organisation's employees, temporary staff, etc.);
- intangibles (reputation, brand image, ethical values, etc.);
- the financial resources necessary for the organisation to function properly.
- Authenticity (Information Security)
Authenticity is the property that ensures that the identity of a subject or resource is the identity claimed.
Authenticity applies to individuals (users), but also to any other entity (applications, processes, systems, etc.). It is an identification, i.e. the recognition of a name indicating an entity without the slightest doubt.
- Availability (Information Security)
Thanks to this property, information, systems and processes are accessible and usable at the request of an authorised entity.
- Binding Corporate Rules (BCRs)
BCRs are rules elaborated by multinationals for the international transfer of personal data within their corporate group. All entities and employees of the enterprise have to observe these rules. Binding Corporate Rules are considered as adequate safeguards for personal data protection after approval by the national data protection authorities. At European level the Article 29 Working Party has established a joint procedure for the different national authorities. At Belgian level the Federal Public Service of Justice has agreed on a protocol (only available in French and Dutch) with the Privacy Commission regarding the implementation of the national authorisation procedure.
- Camera Act
The Act of 21 March 2007 on the installation and use of surveillance cameras (published in the Belgian Official Journal of 31 May 2007). The Camera Act applies to the installation and use of cameras with a view to surveillance and supervision.
- Commission for the Protection of Privacy
The Commission for the Protection of Privacy (better known as Privacy Commission) was established by the Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data (better known as the Privacy Act / Data Protection Act). On the basis of the Privacy Act, the Privacy Commission, as an independent body, ensures that personal data are used and protected with due care, and that citizens' privacy remains safeguarded.
- Confidentiality (Information Security)
Confidentiality is a property of information according to which it is not made available or disclosed to unauthorised persons, entities or processes.
It must remain possible to make only selected portions of the information accessible for as long as the information exists, i.e. during its collection, processing and disclosure.
In practice only individuals exercising a function or professional activity justifying access to personal data will be authorised.
- Conformity with the European Commission's standard contractual clauses
"In conformity with the European Commission's standard contractual clauses" is understood to refer to the following contractual clauses:
- clauses identical to the standard contractual clauses approved by the European Commission which have been completed where specifically requested (annexes, names of parties and other specific elements such as clause 5.b of standard clause 2001/497/CE, etc.);
- clauses with a minimum of modifications (e.g. punctuation, translation) and the modification of which does not change the meaning nor the scope of the standard contractual clauses and does not prejudice the fundamental rights and freedoms of data subjects;
- standard contractual clauses inserted in a larger contract and standard contractual clauses to which other clauses have been added, including commercial clauses, provided that the latter do not directly or indirectly contradict the standard contractual clauses and that they do not prejudice the fundamental rights and freedoms of data subjects.
- Controller
It is very important to know who has been designated as "controller" under the Privacy Act, as this is the person who has to comply with nearly all the duties imposed by this Act. In case of problems, this person is responsible.
Controllers are also the most important contact for data subjects, but also for the authorities that have to supervise them.
Moreover, they determine the purposes and the resources of the data processing. The controller can be a natural (physical) person or a legal person, an un-associated organisation or a public authority.
If an act, decree or ordinance prescribes the purpose and the resources for a particular data processing operation, this act, decree or ordinance will also specifically designate a controller.
- Daily Security Management (Information Security)
Daily security management consists of activities such as the administration of security rules, authorisation management and the analysis of discovered incidents.
- Data (anonymous)
Anonymous data cannot be related to an identified or identifiable person and are consequently not personal data.
- Data subject
We are all data subjects. For example, you disclose personal data as soon as you:
- fill in a form;
- place an order;
- book concert tickets;
- buy a train ticket;
- use a credit card;
- register for a course or in a sports club;
- are admitted to hospital;
- borrow a book from a public library or a DVD from a video rental shop.
The Belgian Privacy Act does not make a distinction between Belgians and non-Belgians.
- Direct marketing
Direct marketing is quite a difficult concept with many aspects to it. At any rate, it has a wider range of meaning than just "publicity". According to an official European definition it includes "all activities which make it possible to offer goods or services or to transmit any other messages to a segment of the population by post, telephone or other direct means aimed at informing or soliciting a response from the data subject as well as any service ancillary thereto".
- Disclaimer
A disclaimer is a general statement, describing the rights and obligations of all parties concerned, for example included in a privacy statement on a web site or in a contract.
- Encoded data
These are personal data that can only be related to an identified or identifiable person by means of a code.
- European Economic Area
This is an association agreement between the Member States of the European Union and the three Member States of the European Free Trade Association (EFTA): Iceland, Norway and Liechtenstein.
- Exemption from notification
Not all data processing operations have to be notified. Besides manual processing operations (for example on paper or on microfiche), a series of automatic processing operations are exempt from the duty of notification, which are listed in the implementing decree of 13 February 2001 and relate to some of the most frequent processing operations (for example personnel management, accounting, customer management, payroll management, …). This exemption from notification does not mean, however, that the other obligations in the Privacy Act do not have to be observed.
- Further processing
A further processing operation, as defined in the implementing decree of 13 February 2001, involves personal data initially collected for an explicit purpose and re-used at a later time for historical, statistical or scientific purposes that are incompatible with the initial purpose. In other words, these processing operations constitute a specific form of secondary data collection.
- Impact (Information Security)
The consequences of an incident on one or more assets constitute the impact (for instance personal data that are no longer accurate).
In information security a distinction is usually made between the direct consequences (damage to the information system, such as file modifications, changes in the accessibility of confidential data or an inappropriate system shutdown) and the indirect impact (the damage the organisation or third parties have incurred, such as abuse of confidential information or wrong decisions taken as a result of incorrect data).
There is not always an immediate relation between an incident's direct consequences and its indirect impact on an organisation or on third parties: the loss of fundamental data can have enormous consequences for the person involved, whereas a system that was erased completely can be restored quickly from a good back-up.
- Incident (Information Security)
An incident is an unexpected or unwanted event that can have serious consequences.
An information security incident is any unexpected event that might compromise an organisation's activities or information security (system malfunction or overload, human error, software or hardware malfunction). An incident is not good or bad in itself.
- Integrity (Information Security)
Integrity covers two different aspects: information integrity as well as system or process integrity.
Information integrity means that information cannot be changed or destroyed intentionally or unintentionally.
System or process integrity means that the desired operation is fully achieved according to expectations. Without an authorised intervention it is impossible to make intentional or unintentional changes.
- Intermediary organisation
This means any natural person, legal person, un-associated organisation or public authority, other than the controller of the processing of non-encoded data, that encodes the aforementioned data.
- Legitimate interest
An interest is considered as legitimate when the controller's interest in processing the data outweighs the data subject's interest in not having the data processed. In case of doubt the Privacy Commission or a judge will decide whose interest is of greater importance.
- Management System (Information Security)
There are several models for management systems regarding information security (ISMS – Information Security Management System). The best-known system is based on a PDCA structure (Plan-Do-Check-Act) permanently improving security. Permanent improvement is linked to changing factors, for example modifications in the organisation and related risks, changes in the information system, technological novelties, both for operational systems and security rules.
- Manual filing system
A manual filing system is a structured set of personal data that are accessible according to certain criteria, the yellow pages on paper for example.
- Minimum security standards
There are several international models and guidelines that can be used to draft an information security policy. The Privacy Commission has also elaborated a model in order to help controllers secure the personal data they want to process, also known as "minimum security standards" or "reference measures for the security of personal data processing".
- Mobile Mapping
Technology using a vehicle equipped with a camera and/or scanner to keep a digital copy of all data for a specific trajectory, among other things by taking 360° pictures.
"Google Street View" is an example of such an application.
- Non-repudiation (Information Security)
Non-repudiation is the ability to prove that an operation or event has taken place, so that this cannot be repudiated later. For e-mails, for example, non-repudiation is used to guarantee that the recipient cannot deny receiving the message, and that the sender cannot deny sending it.
- Notification
A notification is an action carried out by controllers to inform the Privacy Commission that they will be processing data. A notification is not intended to request permission or authorisation, but only to notify a processing operation. A notification mainly consists of a description of the data processing operation.
- Opt in
In this system, you give somebody your prior consent to send you commercial messages. The opt-in system is valid for all forms of communication and allows you to give your free, specific and informed consent, as required by the Privacy Act.
The opt-in system is mainly used when somebody regularly wants to send a massive number of e-mails, for example a newsletter, electronic magazines, promotional offers. You can register by filling in your e-mail address on a specific online form. The idea behind the opt in is to know in advance exactly what you are registering for, so that there are no unpleasant surprises afterwards.
- Opt out
As opposed to opt in, the opt-out system allows you to object to any data processing operation with a view to direct marketing, as required by the Privacy Act.
This involves receiving an unwanted message containing the possibility to unsubscribe in order to stop receiving messages. This system is only authorised provided that the sender obtained your (e-mail) address directly from you while you were purchasing a product or service from him, that this (e-mail) address is only used to offer similar products or services the sender delivers himself, and that you are given the possibility to object easily and free of charge when you give the sender your e-mail address. In addition to this system, the Belgian direct marketing sector has organised the Robinson lists.
- Personal data
Personal data reveal information about an identified or identifiable natural person (called the "data subject" in the Privacy Act). In other words, personal data are all data allowing for the identification of an individual.
Personal data include an individual's name, a picture, a phone number, even a professional phone number, a code, a bank account number, an e-mail address, a fingerprint, …
They do not only include data having to do with individuals' privacy, but also data having to do with an individual's professional or public life.
Only data about a natural (physical) person are taken into account, excluding data about a legal person or an association (civil or commercial corporations or non-profit organisations).
- Privacy Act
The Privacy Act (officially the Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data) is intended to protect citizens against the abuse of their personal data. The rights and obligations of the individual whose data are processed as well as the rights and obligations of the processor have been laid down in this act.
- Privacy Commission
The Commission for the Protection of Privacy (better known as the Privacy Commission) was established by the Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data (better known as the Privacy Act/Data Protection Act). On the basis of the Privacy Act, the Privacy Commission, as an independent body, ensures that personal data are used and protected with due care, and that citizens' privacy remains safeguarded.
- Processing personal data
Processing personal data is defined as any operation or set of operations performed on personal data. These operations are extremely varied and relate, among others, to the collection, storage, use, modification, disclosure of the data.
A few examples:
- a hotel offering the possibility of online bookings processes data when registering customers' names, the dates of their stay and their credit card number;
- a municipality also processes data when it transmits the names of individuals requesting a building permit to a contractor who wants to send them publicity.
The Privacy Act applies as soon as data are processed, even only partially, using automatic means. Automatic means include all information technologies, computer technology, telematics, telecommunication networks (the Internet).
For example, the Privacy Act applies to:
- a company's computerised database containing customer or supplier data;
- the electronic list of transactions on a bank account;
- the computerised file of a company's members of staff or of the children enrolled in a school.
The Privacy Act also applies, however, as soon as a processing operation is carried out using automatic means. For example:
- a temporary employment agency keeping applicants' hand-written curricula vitae but sending the documents to employers by fax, has to observe the rules in the Privacy Act for all the operations it performs on the curricula vitae (such as storing, filing or sending them).
If data are not processed using automatic means (for example on paper or on microfiche) the Act still has to be observed if the data are included or will be included in a manual filing system that can be accessed according to specific criteria (for example people's names in alphabetical order).
- Processor
This is any natural person, legal person, un-associated organisation or public authority processing data on behalf of the controller, except for individuals who are under the direct authority of the controller and who have been authorised to process the data.
- Public register
The public register is a list of notifications of personal data processing operations notified to the Privacy Commission. Anyone can consult this list, for example using the button on this website's homepage.
- Purposes: historical, statistical or scientific
- Historical research involves the processing of personal data with a view to the analysis of an earlier event or in order to make that analysis possible. This is possibly but not necessarily also a processing operation with a scientific purpose (in other words, a genealogist can appeal to this provision);
- statistical purposes are achieved through any action with a view to collecting and processing personal data when this is necessary for statistical surveys or to produce a statistical result;
- scientific research involves establishing patterns, rules of conduct and causal relations exceeding all individuals they relate to.
- Reference Measures for the Security of Any Personal Data Processing Operation
There are several international models and guidelines that can be used to draft an information security policy. The Privacy Commission has also elaborated a model in order to help controllers secure the personal data they want to process, also known as "minimum security standards" or "reference measures for the security of personal data processing".
- Reliability (Information Security)
Reliability is the property of leading to consistent intended behaviour and results.
Reliability is also defined as the property of trustworthiness. Data are often considered reliable when they are exact and precise, and when they can be reproduced.
- Residual Risks (Information Security)
Residual risks are the remaining risks after risk treatment or, in other words, after protective measures were introduced.
- Right to object
You may always object to the use of your data, provided that you have serious reasons for this. You cannot object to a data processing operation that is required by a law or a regulatory provision, or that is necessary to perform a contract you have entered into. However, you always have the right to object to the illegitimate use of your data and can always object free of charge and without justification if your data are processed for direct marketing purposes.
To object you have to send a dated and signed request, including a document proving your identity (for example a copy of your identity card) to the controller by letter or by fax (a request by e-mail is only accepted with an electronic signature). The request can also be submitted on the spot. The controller then has one month to reply. If he fails to do so or if his reply is not convincing, you can address the Privacy Commission, which will try to mediate. You can also take your case to court.
- Right to rectification
Individuals can have incorrect data relating to them rectified free of charge, and have other data erased if they are irrelevant, incomplete or prohibited, or have the use of those data prohibited. If the controller does not react, the data subject can address the Privacy Commission, which will attempt to mediate. The data subject may also submit a complaint to the judicial authorities.
- Risk (Information Security)
A risk is the potential that a given threat will exploit the vulnerabilities of an asset or group of assets, thus causing harm to the organisation (for example a virus deleting a file). It is measured in terms of a combination of the probability of an event and its consequences.
A risk is characterised by two factors: the probability that an incident will occur and the gravity of the potential direct consequences and the indirect impact.
A risk can also depend on time: the situation can become worse after an incident if remedial measures are not taken in time (for instance a software glitch corrupting a database, or spyware retrieving passwords, encrypted codes or PIN numbers). As a result, a seemingly innocent incident can have disastrous consequences.
- Risk Management (Information Security)
Risk management identifies the most important risks and distinguishes between risks that have to be dealt with and acceptable risks. It uses security resources tackling the risks for personal data according to a scale of priorities. The risk management process constitutes a cycle that is repeated depending on the particular characteristics of the systems and the risks identified. Risk management results in final processes and an updated security policy, and often also in adaptations to the organisation and its procedures in order to handle possible new risks better, and to assess the measures that have been taken.
- Safe Harbor Principles
In consultation with the European Commission, the American Department of Commerce has elaborated the Safe Harbor Principles, intended to facilitate the transfer of personal data from the European Union to the United States. If companies declare to respect these principles in a statement to the American Department of Commerce (meaning, among other things, that the American Federal Trade Commission can check whether they respect these principles), they are considered as companies ensuring adequate safeguards for data protection.
- Security measures (Information Security)
Security measures, also called "protective measures" or "security controls", are procedures or decisions that limit risks. Security measures can be effective in several ways: by decreasing possible dangers, correcting vulnerabilities or limiting the possible direct consequences or indirect impact. It is also possible to take the factor of time into account: if incidents are traced better and sooner, action can be taken before the situation gets any worse.
- Sensitive data
Certain personal data are more sensitive than others. An individual's name and address are rather innocent data, but this does not hold true for his political opinions, sexual preferences or judicial past. The Privacy Act regulates registration and use of those sensitive data more strictly in comparison with other personal data.
Sensitive data relate to race, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, suspicions, prosecutions and criminal or administrative convictions. In principle, processing such data is prohibited.
- Standard Contractual Clauses
For those wishing to transfer data outside the European Union, the European Commission has elaborated standard contractual clauses, which allow to transfer personal data outside the EU while respecting the European legal conditions for data protection. In other words, the parties signing these contracts are considered as parties ensuring adequate safeguards for the protection of personal data.
As long as the European Commission does not adopt new standard contractual clauses, the current model clauses which were adopted under the Directive 95/46/EC and their templates remain valid. You can update the terminology of the model clauses to the GDPR and incorporate the new obligations flowing from article 28 of the GDPR by means of a side agreement (addendum) without affecting the validity of the standard contractual clauses.
- Threat (Information Security)
A threat is any unexpected event that can damage company assets and therefore prejudice personal data protection.
There are environmental threats (fire), technical threats (system failures) or human threats.
Human threats can be accidental (mistakes, forgetfulness, unadapted procedures) or intentional (harmful intent, intrusion, theft), internal (dissemination of information) or external (espionage).
- Unambiguous, free and informed consent
Consent is understood:
- to have been freely given. In other words, the data subject was not pressured into saying "yes";
- to be specific, meaning that the consent relates to a well-defined processing operation;
- to be informed. The data subject has received all useful information about the planned processing.
It is not necessary for consent to be given in writing, but oral consent can create problems with the burden of proof.
- Vulnerability (Information Security)
A vulnerability is a weak point of an asset or a group of assets that can be exploited by one or more imminent dangers (developer's mistake, wrong installation). In most cases a vulnerability is due to the fact that an asset is not sufficiently protected, rather than to the asset itself.
A vulnerability in itself is not harmful to the organisation. A damaging incident can only occur when an imminent danger happens to exploit the vulnerability, possibly in combination with special circumstances.