Historical - non-valid version
Security Provisions for the processing of personal data at the University of Aarhus
Appendix 1: Notifications to the Danish Data Protection Agency
Appendix 2: Other registers for which the University of Aarhus is responsible
Appendix 3: Rules and guidelines
Appendix 4: The IT organisation of the University of Aarhus
SECURITY PROVISIONS
for
the processing of personal data at the University of Aarhus
In accordance with Section 5 of the Ministry of Justice’s Executive Order no. 528 of 15 June 2000 regarding security measures for the protection of personal data processed by public administrations, the following is stipulated:
Part 1
Scope of the provisions
Article 1. The security provisions apply to all processing of personal data for which the University of Aarhus is responsible and which is processed wholly or in part by means of electronic data processing.
Article 2. The objective of the security provisions is to describe and elaborate on the rules set out in Sections 41–42 of the Danish Act on Processing of Personal Data and the Ministry of Justice’s Executive Order no. 528 of 15 June 2000 as amended by Executive Order no. 201 of 22 March 2001 regarding security measures for the protection of personal data processed by public administrations. The rules are described in Appendix 3.
Article 3. The University of Aarhus only processes personal data necessary for performing university tasks.
(2) As regards personal data subject to notification of the Danish Data Protection Agency, cf. Appendix 1, the university processes the data indicated in the notification.
Part 2
Security organisation
Article 4. The rector of the University of Aarhus has the overall responsibility for complying with the security provisions, including follow-up and updating of the provisions.
(2) The university director appoints one or more leading staff members to be responsible for the administrative systems, which includes responsibility for the whole or part of the security relating to the processing of personal data in the administration.
(3) A person with responsibility for the security system can appoint one or more staff members to be responsible for implementing and monitoring compliance with the security provisions at specific localities, functions, etc.
(4) The rector appoints an Information Security Committee with the university’s IT manager as chairman. The Information Security Committee is responsible for ensuring that the university’s information security policy complies with standard DS 484 and that a risk analysis and subsequent review of the policy takes place at least once a year. The committee ensures that the policy complies with the requirements in the Danish Act on Processing of Personal Data for logical and physical security of information assets and that it clearly defines the information security organisation.
(5) The IT manager appoints an information security coordinator who has the practical and day-to-day responsibility for the university’s personal data security policy. The security coordinator is also responsible for ensuring that relevant individuals are informed of the principles and specific guidelines of the policy.
(6) The IT organisation and IT security organisation of the University of Aarhus are described in Appendix 4.
Part 3
Security measures
Article 5. Personal data in the registers administered by the University of Aarhus can only be processed by authorised employees.
Article 6. The system manager, cf. Article 4 (2) and Appendix 4, ensures that no incorrect or misleading personal information is registered. If information of that nature nevertheless occurs in the register, it must immediately be either deleted or corrected.
(2) Personal data in registers must be updated on an ongoing basis.
Article 7. The personnel manager of the university is responsible for ensuring that all staff members likely to have access to the university’s information assets are informed upon employment about the confidentiality imposed on them by law. This applies whether the staff member is a permanent employee, a casual employee or involved in any other work-related relationship with the University of Aarhus.
Article 8. The information security coordinator, cf. Article 4 (4) above, is responsible for preparing and implementing security guidelines for the individual functions within the organisation, including cases where these functions are handled by individuals who are not actually employed by the University of Aarhus. The information security coordinator can delegate the responsibility for preparing and implementing the specific guidelines to other sections of the IT security organisation.
Article 9. The security guidelines for the different organisational functions must describe the responsibility of the organisational unit as regards the receipt, storage, use and deletion of personal data.
Article 10. The information security coordinator is responsible for preparing guidelines for change management procedures, system documentation and user-friendly tools that altogether ensure that any development, changes or tests do not compromise the security of the IT systems and procedures that involve the processing of personal data.
Part 4
Physical security
Article 11. In order to safeguard the integrity, confidentiality and accessibility of personal data, whether it be in electronic or other form, the following must be ensured:
• Premises used for the storage or processing of personal data must be secured by means of access control systems that prevent unauthorised access.
• Premises in which personal data is stored must be equipped with relevant protection and alarm systems that protect the assets against damage or destruction.
• The functions of the different environments – e.g. development, testing, operation and back-up – from which personal data can be accessed must be separated.
• Procedures must be put in place for timely deletion of the different types of personal data.
• Procedures must be established and documented for the allocation, maintenance and termination of access to registers with personal data, and for logging on and carrying out transactions within these registers.
• Security back-ups and procedures for re-establishment of data must be prepared, cf. the information security policy of the University of Aarhus.
• The destruction of media containing data (regardless of their form, including paper) must comply with security policy provisions.
• Portable data media (including printouts, laptop computers and PDAs) are subject to these security provisions.
Part 5
Right of access to own personal information
Article 12. Registered individuals are entitled to access their own personal information to the extent set out in Part 9 of the Danish Act on Processing of Personal Data and the Danish Data Protection Agency’s guidelines, cf. the summary of rules in Appendix 3.
(2) Before a person can be granted access to personal information, the individual must produce proof of identity or in some other way provide a guarantee that the person requesting access is identical with the person the information concerns. If the request is made by someone other than the person registered, the data manager must make sure that the individual in question is entitled to act on behalf of the person registered.
Part 6
Passing on information
Article 13. Personal information must not be passed on to private individuals and companies, except to the extent provided by Sections 12, 15 and 16 of the Danish Act on Processing of Personal Data or in cases where another act stipulates that the information must be passed on.
Article 14. Information can be passed on to other public authorities in connection with specific legal matters if the authority has a legal interest in obtaining the information in question that clearly outweighs the regard for the confidentiality of the information. Any special confidentiality provisions stipulated by law must be complied with.
Article 15. Information can be passed on to both private individuals and public authorities if the person the information concerns has given consent or if the information is already available to the public.
(2) The consent must be in writing and must include the following information:
1) The type of information that can be passed on.
2) The person or authority to whom the information can be passed on.
3) How the indicated receiver may use the information.
(3) The consent lapses after one year at the latest.
Article 16. Information can also be passed on for use in concrete research projects subject to specific conditions or permission from the Danish Data Protection Agency.
Article 17. A system manager can stipulate additional rules for passing on information. The rector must be informed about any rules stipulated by the system manager. The rules are published in the university’s body of rules.
Part 7
Effective date
Article 18. The security provisions took effect on 15 August 2007.
(2) The Information Security Committee reviews the security provisions at least once a year to ensure that the provisions remain adequate and reflect actual conditions at the University of Aarhus. The committee is responsible for ensuring that all notifications to the Danish Data Protection Agency, cf. Appendices 1 and 2, as well as all additional rules and appendices prepared in accordance with the provisions are reviewed at least once a year with a view to making any necessary amendments. The committee makes a recommendation to the rector if an amendment to the rules is required.
University of Aarhus, 7 August 2007
Lauritz B. Holm-Nielsen, Rector
Stig Møller, University Director of Administration
Appendix 1: Notifications to the Danish Data Protection Agency
Processing of personal data – administrative registers notified by the University of Aarhus
• The journal system of the University of Aarhus
• Administration of study-related matters in accordance with legislation and internal university rules
• The staff system of the University of Aarhus
• Table of court cases in Greenland (deleted)
Appendix 2: Other registers for which the University of Aarhus is responsible
Processing of personal data – registers notified by institutes and centres at the University of Aarhus as of 10 January 2006
| Unit responsible | Processing system |
|---|---|
| Institute of Forensic Medicine | The administrative system of the Institute of Forensic Medicine at the University of Aarhus |
| Department of Political Science | Survey of participation in the 2001 municipal elections |
| Centre for Alcohol and Drug Research | Follow-up investigation of work done to assist drug abusers |
| Centre for Alcohol and Drug Research | Investigation of outpatient treatment of drug abusers |
| Institute of Forensic Medicine | Deaths from carbon monoxide poisoning in Denmark over a five-year period |
| Institute of Forensic Medicine | Pathoanatomical lesions of the cervical vertebrae in road deaths |
| School of Dentistry | Pain research |
| Centre for Alcohol and Drug Research, University of Aarhus | Evaluation of 24-hour treatment of alcohol abusers |
| Centre for Alcohol and Drug Research, University of Aarhus | Evaluation of the treatment of 15–17-year-old abusers |
In addition, a number of instances of personal data processing have been notified as private research (no special form is available for notification of public research), and the University of Aarhus also participates in data processing notified by other responsible parties, e.g. the Aarhus University Hospital; see the list of notifications at http://www.datatilsynet.dk/eng/index.html
A search in the Danish Data Protection Agency’s list using the words “Aarhus Universitet” and “Århus Universitet” on 14 June 2007 produced 39 hits. A considerable number of cases of private research have also been notified.
In addition to the notifications made by the University of Aarhus, other notifications exist from the educational institutions with which the University of Aarhus has merged.
A search for “Handelshøjskolen i Århus” (the Aarhus School of Business) on 14 June 2007 produced 10 results. A search for “Danmarks Miljøundersøgelser” (the Danish National Environmental Research Institute) on 14 June 2007 produced one result. On 14 June 2007, a number of notifications by the Danish School of Education were registered with the Danish Data Protection Agency. On 14 June 2007, the Faculty of Agricultural Sciences, University of Aarhus, had no registered notifications.
Appendix 3: Rules and guidelines
The Danish Act on Processing of Personal Data, Act no. 429 of 31 May 2000, regarding the processing of personal data.
The Danish Ministry of Justice’s Executive Order no. 528 of 15 June 2000 regarding security measures for the protection of personal data processed by public administrations, as amended by Executive Order no. 201 of 22 March 2001.
The Danish Ministry of Justice’s Executive Order no. 529 of 15 June 2000 regarding exemptions from the duty of public administrations to notify.
The Danish Data Protection Agency’s guidelines no. 126 of 10 July 2000 regarding the rights of registered individuals in accordance with Parts 8–10 in the Danish Act on Processing of Personal Data (Guidelines on rights).
The Danish Data Protection Agency’s guidelines no. 37 of 2 April 2001 regarding security measures for the protection of personal data processed by public administrations (Security guidelines).
The Danish Data Protection Agency’s guidelines no. 125 of 10 July 2000 regarding notification in accordance with Part 12 of the Danish Act on Processing of Personal Data (Guidelines for notification).
The Danish Data Protection Agency’s guidelines no. 17 of 19 January 2007 regarding the reporting by public authorities of debtors to credit rating agencies.
The Danish Act on Public Administration, Act no. 571 of 19 December 1985.
The Danish Act on Public Access to Documents in Administrative Files, Act no. 572 of 19 December 1985.
The provisions of the Danish Penal Code regarding confidentiality, Part 16, Sections 152–152f.
The University of Aarhus guidelines dated 15 September 2002 regarding the processing by staff and administrative units of personal data relating to students to which the staff/bodies have gained access in the course of their work at/for the University of Aarhus.
Appendix 4: The IT organisation of the University of Aarhus
The IT organisation of the University of Aarhus is described in the diagram below. The overall responsibility for the IT organisation and IT security organisation at the University of Aarhus lies with the rector and the university director, who are advised by a specially appointed IT adviser.
The rector has appointed an advisory IT Committee with management representatives from the faculties and the common area. The rector’s IT adviser is the chairman of the committee. The IT Committee has a number of sub-committees that are responsible for the day-to-day coordination of IT matters throughout the university.
The committee must ensure that local IT issues are coordinated with shared systems on the basis of the shared IT strategy. The members of the committee are expected to represent the management level of the appointed units so that any recommendations and dissenting opinions made by the committee constitute a proper basis for decisions made by the rector and the university director. In its capacity as adviser to the management in questions relating to security, the IT Security Committee acts as an autonomous committee that is not subject to instructions by the IT Committee or its chairman.
The IT security organisation comprises a management level as well as a technician level.
The IT Security Committee represents the management level. The Infrastructure Committee represents the technician level.
The IT manager is also the chairman of the System Owner Committee, which ensures that the university’s administrative IT systems:
- comply with regulatory requirements.
- are able to generate relevant management information and statistics, etc. as a quantitative basis for the university’s development contract negotiations and reporting.
- meet the requirements of centralised and decentralised users subject to operational capacity, risks of errors, maintenance needs, complexity and finance, including making sure that important administrative processes at all organisational levels are supported by the system to the extent possible.
- grant and limit user authorisation to applications and data in accordance with applicable internal and external data security rules.
- are adjusted on an ongoing basis in accordance with external and internal requirements and wishes.
- are subject to major reviews according to need or replaced by new systems on the recommendation of the committee to the IT Coordination Committee.