S 2.205 Transmission and Retrieval of Person-related Data

Initiation responsibility: IT Security Management, Data Privacy Officer

Implementation responsibility: Head of IT Section, Data Privacy Officer

If any person-related data is transmitted from the employer's or customer's premises to a "remote" workplace (e.g. of a telecommuter), the relevant data privacy protection provisions must be adhered to. Under §9 of the Federal Data Protection Act (BDSG), it is especially important in such cases to prevent unauthorised persons using the data transmission facilities to access IT systems (user supervision). Furthermore, steps must be taken to ensure that it is possible to check and determine in which offices or locations person-related data can be transmitted using data transmission facilities (transmission supervision).

The transport route or transmission method should be selected in such a way as to provide assurance of both the confidentiality and integrity and also the authenticity (proof of origin) of the person-related data.

If the transmission of person-related data occurs in the context of an automated retrieval procedure, the special requirements relating to reliability contained in the relevant legislation must be complied with.

General aspects

• The occasion and purpose as well as the persons or offices involved in the retrieval procedure must be established.

• Retrieval permissions must be defined and monitored.

• The type and scope of the data held must be specified.

• Retention periods and deletion dates must be defined for data.

• The cases in which the person/office holding the information must be informed of the person/office retrieving it must be specified.

• The transport route must be specified, e.g. access over an ISDN dial-up line, callback protection based on CLIP or COLP (see S 5.49 ).

• Suitable cryptographic procedures (e.g. symmetric and asymmetric encryption or digital signature) must be employed in order to prevent violation of the data privacy protection legislation during transmission of sensitive data. Section 3.7 Crypto Concept describes how to select procedures and products that are suitable.

• If person-related data is exchanged regularly or continuously over a transport route, then transmission should be protected using a virtual private network (VPN) (see S 5.76 Use of Suitable Tunnel Protocols for RAS Communication and S 5.83 Secure Connection of an External Network with Linux FreeS/WAN).

Safeguards against unauthorised retrieval

Retrieval of data by unauthorised persons must be prevented by means of suitable precautions:

• Every user must be uniquely identified and authenticated to the IT systems from which the person-related data is retrieved.

• Authorisation should be blocked after a specified number of unsuccessful attempts.

• Passwords must be changed at regular intervals. As far as possible, this must be enforced by the relevant programs.

• Program-controlled checking procedures should be used to review the log files.

• The type and scope of logging must be specified (see also S 2.110 Data Privacy Guidelines for Logging Procedures).

• Random sampling checks should be performed or else continuous logging should be carried out.

• The place at which logging is performed must be specified (the retrieving and/or originating party).

• Logging must be designed in such a way that it is possible to determine after the event which retrieval permissions were used when data was retrieved.

• The reasons for retrieving the data must be logged.

• Where data is retrieved, which connection and which terminal devices were used during transmission must be logged.

Measures for organisational supervision

• All staff, especially those in the office which retrieves the data must be under an obligation to maintain confidentiality of the data. Passing on of data to third parties must be contractually prohibited.

Additional controls:

• Have the technical and organisational measures implemented been documented?

• Is there a concept covering the review and assessment of the reliability of data transmissions involving automated retrieval?