Belgian IT Security Laws & Regulations, Infosecurity 2006
Johan Vandendriessche, Attorney-at-law

Uploaded by johan-vandendriessche, posted on 08-May-2015


TRANSCRIPT

Page 1: Belgian IT Security Laws & Regulations Infosecurity 2006

Belgian IT Security Laws & Regulations

Johan Vandendriessche

Attorney-at-law

Page 2

Table of contents

Introduction
General overview of legislation
Data protection security obligations
  – General security obligation
  – Specific security obligations
  – Data processor security obligations
Employee monitoring
  – Principles
  – Overview of legislation
  – Balance of interests
  – Communication data?
  – Purposes
  – Proportionality
  – Transparency
  – Identification / sanctions

Page 3

Introduction

Information security legislation
  – No general information security law
  – Information security obligations in specific legislation:
    – Data protection legislation
    – Communications law
  – Information security obligations in case law?

Data protection – information security
  – What must you do? (Data protection information security obligations)
  – What can you not do? (Employee monitoring)

Page 4

General overview of legislation

Privacy (data protection)
  – The Law of 8 December 1992 on privacy protection in relation to the processing of personal data, as modified by the Law of 11 December 1998
  – Implementation of EU Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  – Security obligations: article 16 of the above-mentioned law

Monitoring of employees (data protection)
  – Communications Law of 13 June 2005
  – Collective Workers Agreement (CWA, CAO/CCT) nr. 81 of 26 April 2002

Page 5

Data protection security obligations

Security obligations in relation to data processing
  – Management of processing
  – Audit issues

Quality of legislation on this topic is poor

Obligations
  – General obligation
  – Specific obligations
  – Obligations related to the use of a data processor

Page 6

General security obligation

General security obligation
  – appropriate measures:
    – technical
    – organisational
  – for the protection of personal data against accidental or unauthorised destruction, accidental loss, as well as against alteration of, access to and any other unauthorised processing of personal data

Purpose: to prevent unlawful processing

Page 7

General security obligation

Appropriate? A balance must be struck between:
  – the state of the art and the cost of implementing the measures, on the one hand
  – the nature of the data to be protected and the potential risks, on the other hand

Evolving assessment: what counts as "appropriate" shifts as the state of the art and the risks change, so the measures must be reviewed over time

A Royal Decree may provide sectoral security regulations

Page 8

Specific security obligations

Specific security obligations
  – Ensure data quality
  – Limitation of access:
    – to the persons that need access
    – only to the personal data needed for their tasks
  – Inform the persons working under the controller's authority of the legal provisions
  – Ascertain that the software conforms to the notification of the processing made under article 17

Page 9

Data processor security obligations

Data processing obligations
  – the choice of a processor providing sufficient guarantees in respect of the technical and organisational security measures
  – supervision of compliance therewith (in particular by laying them down in contractual stipulations)
  – liability regime
  – detailed instructions and competences of the data processor
  – the conclusion in writing or on an electronic carrier of these elements (data processing agreement)

Page 10

Employee monitoring: principles

General right to privacy (even at work!)

Article 22 of the Belgian Constitution
  – "Everyone has the right to the respect of his private and family life, except in the cases and conditions determined by law. The laws, decrees and rulings alluded to in Article 134 guarantee the protection of this right"

Article 8 of the European Convention on Human Rights
  – "Everyone has the right to respect for his private and family life, his home and his correspondence."

Page 11

Overview of legislation

Law of 3 July 1978 concerning labour contracts
  – Articles 2 and 3: an employee undertakes to perform the contract against payment of wages under the authority of the employer
  – Article 16: employer and employee owe each other respect; during the performance of the contract they must behave decently
  – Article 17: the employee must (inter alia):
    – perform his work honestly and with care, at the time and place that have been agreed
    – act according to the orders and instructions given by the employer (concerning the performance of the contract)

Page 12

Overview of legislation

Law of 13 June 2005 on electronic communications
  – New framework for electronic communications
  – (Partially) replaces the "Belgacom law" (Law of 21 March 1991)
  – Article 124: "Without the consent of all directly or indirectly involved persons, it is prohibited to:
    1° intentionally obtain information about the existence of any information that has been sent by electronic means and that is not personally addressed to him;
    2° intentionally identify the persons involved in the transmission of the information and the content thereof;
    3° notwithstanding articles 122 and 123, intentionally obtain information concerning electronic communication and concerning another person;
    4° modify, delete, publish, conserve or otherwise use the information, identification or data that has been obtained, intentionally or not"

Page 13

Overview of legislation

Article 125: exceptions to article 124
  – If the law permits or imposes the acts under article 124
  – If these acts are committed solely for the purpose of ensuring the correct functioning of the network and guaranteeing the proper delivery of the electronic communications service
  – If the acts are committed solely for the purpose of offering the end-user a service consisting of preventing the reception of unsolicited electronic mail, provided that the required consent has been obtained

Page 14

Overview of legislation

Article 314bis of the Criminal Code:
  – "Shall be punished with imprisonment of six months to one year and/or a fine of 200 EUR to 10,000 EUR (amounts to be multiplied by the statutory surcharge factor, 5.5 at the time):
    1° whoever intentionally, with the aid of any equipment, himself or through a third party, intercepts, takes cognisance of or records private communications or telecommunications to which he is not a party, during their transmission, without the consent of all participants thereto;
    2° or whoever, himself or through a third party, installs any equipment with the intent of committing one of the acts mentioned above"

Page 15

Balance of interests

Employer
  – Financial interest:
    – efficient and productive employees
    – preferably spending their time at work on work

Employee
  – Respect of "privacy"

Given the nature of the employer-employee relationship, some form of control will be exerted by the employer

Often leads to disputes over evidence in case of dismissal of an employee

Page 16

Communication data?

Surveillance purposes: distinction between professional/private communication and content/communication data
  – Collective Workers Agreement nr. 81 only mentions private communication and relates to communication data
  – Other legislation does not distinguish between different forms of communication, nor between content and communication data

Page 17

Communication data?

Collective Workers Agreement nr. 81 on the monitoring of online communication of employees

Report: the employer should be able to have access to professional communication without any formalities whatsoever

Conclusion: CWA nr. 81 only applies to private communication?

Page 18

Communication data?

Online communications data?
  – Electronic online communications data in a broad sense, sent or received by an employee during the performance of his task
  – All online technologies, internal and external
  – E.g.: internet, intranet, e-mail, SMS, MMS, IM, …

Content?

Page 19

Purposes

Purposes
  – The prevention of unlawful acts, libel and acts contrary to decency
  – The protection of the confidential economic, commercial and financial interests of the company
  – The maintenance of the technical performance of the computer system
  – The control of the respect of the terms of use of the computer system

Page 20

Proportionality

Proportionality
  – The infringement of the privacy of the employee must be restricted to a minimum (if unavoidable)
  – Prohibition of systematic individualisation (identification of employees, possibly with a view to sanctions)

Page 21

Transparency

Transparency
  – Collective

To whom? (cascade)
  – Works council
  – Committee for prevention and protection at work
  – Union delegation
  – The employees

How?

Which information?
  – The supervision policy
  – The purposes of the monitoring
  – Conservation? Place and duration?
  – Whether the supervision is permanent or not

Page 22

Transparency

Transparency
  – Individual (i.e. the employee)

Which information?
  – All the information provided collectively
  – The conditions of use of the equipment at the disposal of the employee and the functional limitations thereof
  – The rights, obligations and tasks of the employee, and possible limitations on the use of communications on the company network
  – Sanctions, if any, provided in the "employee policy" (Règlement du travail / Werkreglement)

How?
  – General instructions
  – Employee policy
  – Contractually
  – User policy, each time the tool is used

Page 23

Identification / sanctions

Individualisation?
  – Direct: purposes 1 to 3
  – Indirect: purpose 4

Page 24

Identification / sanctions

Indirect individualisation

Procedure
  – General information obligation towards all employees (first irregularity)
  – Identification (second irregularity)
  – The employee concerned must be heard before sanctions are taken

Employee policy!

Page 25

Thank you for your attention!

Johan Vandendriessche
Attorney-at-law
Lontings & Partners
Tour & Taxis
Havenlaan 86 c b113
1000 Brussels
johan.vandendriessche@lontings.be
Tel: 02/787.90.12
Fax: 02/787.90.99