Belgian IT Security Laws & Regulations – Infosecurity 2006
TRANSCRIPT
Belgian IT Security Laws & Regulations
Johan Vandendriessche
Attorney-at-law

Table of contents
– Introduction
– General overview of legislation
– Data protection security obligations
  • General security obligation
  • Specific security obligations
  • Data processor security obligations
– Employee monitoring
  • Principles
  • Overview of legislation
  • Balance of interests
  • Communication data?
  • Purposes
  • Proportionality
  • Transparency
  • Identification / sanctions
Introduction
Information security legislation
– No general information security law
– Information security obligations in specific legislation
  • Data protection legislation
  • Communications Law
– Information security obligations in case law?
Data Protection – information security
– What must you do? (Data protection information security obligations)
– What can you not do? (Employee monitoring)
General overview of legislation
Privacy (data protection)
– The Law of 8 December 1992 on privacy protection in relation to the processing of personal data, as modified by the Law of 11 December 1998
– Implementation of EU Directive 95/46 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
– Security obligations: article 16 of the above-mentioned law
Monitoring of employees (data protection)
– Communications Law of 13 June 2005
– CWA (CAO/CCT) nr. 81 of 26 April 2002
Data protection security obligations
Security obligations in relation to data processing
– Management of processing
– Audit issues
Quality of legislation on this topic is poor
Obligations
– General obligation
– Specific obligations
– Obligations related to the use of a data processor
General security obligation
General security obligation
– appropriate measures
  • technical
  • organisational
– the protection of personal data against accidental or unauthorised destruction, accidental loss, as well as against alteration of, access to and any other unauthorised processing of personal data
Purpose: to prevent unlawful processing
General security obligation
Appropriate? A balance must be struck between:
– the state of the art and the cost of implementing the measures on the one hand
– the nature of the data to be protected and the potential risks on the other hand
Evolutive appreciation
Royal Decree may provide sectorial security regulations
Specific security obligations
Specific security obligations
– Ensure data quality
– Limitation of access
  • to the persons that need access
  • only to personal data needed
– Notification of legal provision
– Ascertain the accordance of the software with the notification under article 17
Data processor security obligations
Data processing obligations
– the choice of a processor providing sufficient guarantees in respect of the technical and organisational security measures
– supervision of the compliance therewith (in particular by laying them down in contractual stipulations)
– liability regime
– detailed instructions and competences of the data processor
– the conclusion in writing or on electronic carrier of these elements (data processing agreement)
Employee monitoring: principles
General right to privacy (even at work!)
Article 22 of the Belgian Constitution
– "Everyone has the right to the respect of his private and family life, except in the cases and conditions determined by law. The laws, decrees and rulings alluded to in Article 134 guarantee the protection of this right"
Article 8 of the European Convention on Human Rights
– "Everyone has the right to respect for his private and family life, his home and his correspondence."
Overview of legislation
Law of 3 July 1978 concerning labour contracts
– Articles 2 and 3: an employee undertakes to perform the contract against payment of wages under the authority of the employer
– Article 16: employer and employee owe each other respect; during the performance of the contract they must behave decently
– Article 17: the employee must (inter alia):
  • Perform his work honestly and with care, at the time and place that has been agreed
  • Act according to the orders and instructions given by the employer (concerning the performance of the contract)
Overview of legislation
Law of 13 June 2005 on electronic communications
– New framework for electronic communications
– (Partially) replaces the "Belgacom law" (Law of 21 March 1991)
– Article 124: "Without consent of all directly or indirectly involved persons, it is prohibited to
  1° intentionally obtain information about the existence of any information that has been sent by electronic means and that is not personally addressed to him;
  2° intentionally identify persons involved in the transmission of the information and the content thereof;
  3° notwithstanding the articles 122 and 123, intentionally obtain information concerning electronic communication and concerning another person;
  4° modify, delete, publish, conserve or use otherwise the information, identification or data that has been obtained intentionally or not"
Overview of legislation
Article 125: exceptions to article 124
– If the law permits or imposes the acts under article 124
– If these acts are committed solely for the purpose of ensuring the correct functioning of the network and to guarantee the proper delivery of the electronic communications service
– If the acts are committed solely for the purpose of offering the end-user a service consisting of preventing the reception of unsolicited electronic mail, provided that the required consent has been obtained
Overview of legislation
Article 314bis of the Criminal Code:
– "Is punishable with imprisonment of 6 months and/or a fine of 200 EUR up until 10000 EUR (x5,5):
  1° intentionally, with the aid of any equipment, private communication or telecommunication to which he is not party, during the transmission thereof, intercepts himself or through a third party, obtains information thereof himself or through a third party, records himself or through a third party, without the consent of all participants thereof;
  2° or installs himself or through a third party any equipment with the intent of committing one of the acts mentioned above"
Balance of interests
Employer
– Financial interest
  • Efficient and productive employees
  • Preferably spending their time at work on work
Employee
– Respect of "privacy"
Given the nature of the employer-employee relationship, some form of control will be exerted by the employer
Often leads to discussions related to evidence, in case of dismissal of the employee
Communication data?
Surveillance purposes: distinction between professional/private communication and content/communication data
– Collective Workers Agreement nr. 81 only mentions private communication and relates to communication data
– Other legislation does not distinguish different forms of communication and content/communication data
Communication data?
Collective Workers Agreement nr. 81 on the monitoring of online communication of employees
Report: the employer should be able to have access to professional communication without any formalities whatsoever
Conclusion: CWA nr. 81 only applies to private communication?
Communication data?
Online communications data?
– Electronic online communications data in a broad sense, sent or received by an employee during the performance of his task
– All online technologies, internal and external
– E.g.: internet, intranet, e-mail, SMS, MMS, IM, …
Content?
Purposes
Purposes
– The prevention of unlawful acts, libel and acts contrary to decency
– The protection of economic, commercial and financial confidential interests of the company
– The maintenance of the technical performance of the computer system
– The control of the respect of the terms of use of the computer system
Proportionality
Proportionality
– The infringement of the privacy of the employee must be restricted to a minimum (if unavoidable)
– Interdiction of systematic individualisation (identification of employees, possibly in view of sanctions)
Transparency
Transparency
– Collective
To whom? (cascade)
– Works council
– Committee for prevention and protection
– Delegation of the Labour Union
– The employee
How?
Which information?
– The supervision policy
– The purposes of the monitoring
– Conservation? Place and duration?
– The permanent nature of the supervision
Transparency
Transparency
– Individual (i.e. the employee)
Which information?
– All the information provided collectively
– The conditions of use of the equipment that is at the disposal of the employee and the functional limitation thereof
– The rights, obligations and tasks of the employee, and possible limitations to the use of communications on the network of the company
– Sanctions, if any, provided in the "employee policy" (Règlement du travail / Werkreglement)
How?
– General instructions
– Employee policy
– Contractually
– User policy, each time the tool is used
Identification / sanctions
Individualisation?
– Direct
  • Purposes 1 to 3
– Indirect
  • Purpose 4
Identification / sanctions
Indirect individualisation
Procedure
– General information obligation to all employees (first irregularity)
– Identification (second irregularity)
– The concerned employee must be heard before sanctions are taken
Employee policy!
Thank you for your attention!
Johan Vandendriessche
Attorney-at-law
Lontings & Partners
Tour & Taxis
Havenlaan 86 c b113
1000 Brussels
johan.vandendriessche@lontings.be
Tel: 02/787.90.12
Fax: 02/787.90.99