W HY NOT ISO/IEC 27701?

16. Information security incident management (16.1 Management of information security incidents and improvements)

4.3.1. W

ISO/IEC 27701?

The norm ISO/IEC 27701, a privacy extension to ISO/IEC 27001 and ISO/IEC 27002 has been published in August 2019 with the aim of improving the existing ISMS. Therefore, the document provides guidance for establishing, implement, maintaining and continuously enhancing the Privacy Information Management System (PIMS)(ISO, 2019). With clear guidance, the standard helps the organisation manage personally identifiable information (PII), as required by the GDPR. Annexe D presents a mapping to the GDPR, thereby linking the subclauses of ISO/IEC 27701 and the articles of the law. The first part of the standard includes the requirements of ISO/IEC 27001, with the mention of privacy and, when necessary, adaptations to the PIMS. Besides the chapters from ISO/IEC 27002, the second part contains two entire chapters offering ISO/IEC 27002 guidance for PII controllers and processors.

The ISO/IEC 27701 was not chosen as the framework for several reasons. Firstly, at the internship in early 2020, the ISO/IEC 27701 was newly released and, consequently, not well known by the public since no pertinent publications could attest to the relevance of the norm. Furthermore, although certain chapters from the ISO/IEC 27002 framework have been adapted to privacy, most subchapters refer directly to subchapters in ISO/IEC 27002 with only a mention of privacy, making difficult to use as a unique base for new draft procedures document. In the same way, the ISO/IEC 27701, which contains ISO/IEC 27001 normative references, should be used in conjunction with ISO/IEC 27001. Thus, for the reasons mentioned in chapter 2.3.1, we decided to not use the ISO/IEC 27001, hence the ISO/IEC 27701. Finally, the inclusion of the additional guidance for PII controllers and processors would have to increase the file size, which had already approximately 40 pages, hence being already considerable. The aspects related to privacy, through the LIPAD application, have been incorporated along with the ISO/IEC 27002 chapters.

flow¹ of the Permanent personnel of the State of Geneva within 4 phases: the recruitment, the employment, administrative archives and State archives. The data flow shifts according to the phases related to the employment as well as the rules concerning the conservation of the documents. Along the process, the responsibilities of the different services were de-fined.

The recruitment phase includes all the data collected from the applications of candidates for permanent positions, such as personal data, motivation letters, work certificates, diplo-mas, among others. By applying the recommendations, it has been stated that all applica-tions data from candidates that have not been considered are deleted each civil year, which decrease the amount of unnecessary data significantly and remove all sensitive data that is not allowed to be maintained under the LIPAD rules.

Figure 7: Life cycle of HR data in the State of Geneva

The average duration of a permanent employee at the State lasts twenty years. During this phase, the data volume of the personnel grows since it integrates, over the years, the events, such as the wedding, house moving, and career evolution, among others.

The administrative Archives begins at the end of the contract: while, according to the LIPAD, the public institution has to delete all unnecessary data for the accomplishment of legal tasks, it has also to keep several documents according to the law of conservation, which includes the rules and the calendar (EGE-03-02), thereby becoming semi-active.

Their administrative and legal utility ends on average after ten years (EGE-03-02 relatif aux dossiers du personnel).

At the end of the administrative and legal utility, the HR of each department has to an-nounce any documents containing personal data that they want to conserve as historical archives. Moreover, they should propose that the document meant to be deleted from the State Archives.

●

1 Fiche informative sur l'archivage et la destruction de l'information: https://ge.ch/archives/me-dia/site_archives/files/imce/pdf/procedures/fiche_informative_archivage_des_documents_3.pdf

The State Archives defines which documents are conserved as historical archives (also called definitive archives), notably by choosing randomly all ancient personnel whose name begins by a letter from the alphabet determined randomly. The unselected data are de-stroyed or anonymized.

In the internal control document, it is also defined which data are deleted: According to the LIPAD (art. 40), personal data are destroyed and anonymized whenever their utility for legal tasks expires or should not be conserved under other specific laws. Since data deletion can sometimes bring some confusion, it has been specified that data are deleted when their physical support has been destroyed or/and the data cannot be rebuildable. In other words, any user will not be able to use them for other purposes (Informative document concerning information archives and destruction).

Figure 8: LIPAD Principles

Inserted in the chapter on personal data confidentiality and protection, Figure 8 illustrates the seven principles of the LIPAD that should be followed for the personal data collection and processing by any employee and partner involved in the management of personal data.

Following the same structure, one additional chapter, which doesn’t belong to the ISO norm 27002, has been added in the internal control document, entitled “information secu-rity”. The principles intervene as a filter for collecting and treating data: physical aspect constituted by the storage limitation; only pertinent and valuable data are treated; and com-pliance with the law related to data protection and privacy. Unfortunately, due to the limited number of pages allowed, the seven principles were not developed in the control document since the information is provided in other papers, such as the documents conceived by the cantonal data protection commissioner. However, for a better understanding of the figure’s inclusion in the control document and the measures taken for data protection, the seven

Data collection

and treatment

Security Accuracy

Accountability

Proportionality

Purpose limitation

Lawfulness

Fairness

purpose, they are responsible for the data's storage, availability, confidentiality, and integrity.

• Accuracy: The data collected and treated should be exact, complete and correct.

• Accountability: This aspect is related to the transparency of DCT since the purpose should be communicated to the person concerned or should arise from the circum-stances according to the principle of predictability.

• Proportionality: DCT should be adequate, pertinent and not excessive. Only the data objectively necessary and responding to the aim indicated for the collection can be processed. This principle concerns also data minimisation: the minimum amount of required data for the purposes established could be collected, in other words, finding the less invasive way to reach the goal pursued, thereby balancing interests of the data processed and the privacy of the person concerned.

• Purpose limitation: The purpose of the DCT should be not only clearly defined and legitimate but also communicated beforehand if it does not derive from circum-stances or prescribed by law. Regarding sensitive personal data, the consensus of the person should be explicit.

• Fairness: It involved the DCT conducted under good faith, total transparency and reasonable interest. Consequently, the person concerned is aware and agrees with the DCT. In addition, the purpose of the DCT should be accurate.

• Lawfulness: DCT is lawful and has not been performed under fear or usurpation.

Thus, personal data should be necessary for public administration tasks, with the free consensus of the person concerned.

While the LIPAD responsible of each department are designed to advise the different ac-tors involved concerning their responsibilities and specific procedures, the conformity of the employees file with the general principles of data protection is ensured by the HR of each department.

4.4.1. PERSONAL DATA

Although personal data are defined broadly in the literature, the LIPAD, driven by the GDPR, provides more precisions of what is considered personal data to be easily applicable in practice and limit the possibility of interpretation. Thus, personal data refer to any infor-mation related to a person identified or identifiable. In this context, examples have been provided, such as the name and surname, birth date, the credit card number, and the AVS number, among others. Moreover, a declaration of usage signed by the employee at the career’s beginning already exists to use his picture.

4.4.2. SENSITIVE PERSONAL DATA

Sensitive personal data have specific rules, determined by the LIPAD and Federal law. Fur-thermore, the document states that all data, especially sensitive personal data, which have no relevance within the mission of the State personnel should not be registered and main-tained in the State database (SIRH). Thus, data related to religious, philosophical, political or cultural opinions or activities should be avoided, together with information concerning ethnicity and privacy. Other sensitive personal data (health, social welfare measures and disciplinary measures and legal proceedings) are allowed to be registered in the database only if they are required for work purposes. Under specific conditions, data can be

conserved between 5 and 10 years, notably for financial purposes. Furthermore, according to the Swiss federal data protection and transparency commissioner, data necessary for the constitution of the employee’s work certificate should be conserved ten years after the end of the contract due to the statutory limitation (art. 127 CO). Besides the data necessary for a work certificate, only the last two assessments can be kept in the database. Thus, the files of employees should be sorted regularly to determine which data are necessary and which ones can be deleted. Comments, interview contents and health details about the employees should not be registered in the State databases, namely SIRIH and Qlikview, among others.

4.4.3. HEALTH DATA

Few months after the beginning of the pandemic in Switzerland, some additional measures related to absences, compensation measures, and home office work regarding COVID-19 were being discussed in the State administration of Geneva. One of the main questions, also related to data protection, was: Can we include in the State databases a mention that an employee is a vulnerable person? In other words, these data would identify whether the employees are at higher risk of serious illness from Covid-19 to adapt State measures of sickness leave and home office for that specific group of persons.

According to the transversal directive concerning the share of information covered by the function secret (EGE-09-02) and the LIPAD, only the data allowing to determine the work capacity of the employees are collected by the employer. Furthermore, only the State (SPE) personnel health service, which is under medical secret, is allowed to access and treat sen-sitive personal data related to the employee's health, such as medical certificates, diagnoses, personal comments of the doctor, and impressions. Under the directive EGE-03-06 regard-ing the work security and health in the State, the SPE should also communicate some pre-cisions or make appropriate suggestions to the employer to facilitate the employee's return to work. Thus, while the SPE ensures the good health of the employees within the public administration of the Geneva State and provides advice to the department and managers concerned, it also ensures, under an HR perspective, the smooth workflow within the State by communicating regularly with the OPE and HR department involved, in the aim of taking adequate measures after an accurate analysis of the situation as well as the working relationship of the employee.

As a result, the mention of an employee's vulnerability does not constitute sensitive per-sonal data on its own since it allows to determine the work capacity of an employee. Besides, only a restricted number of users, whose data use is justified and covered legally, would be able to access and treat this information, such as the service manager. Furthermore, the inclusion of the reasons for absences in the databases, such as the diseases, could allow statistics to measure the work climate within a department or service. However, similarly to what has been mentioned above, the reasons for absences can be evidenced, according to the LIPAD, only under two conditions: the access of those data are restricted to the HR

Table 2 Overview on the document

Chapters included in the

docu-ment Outcome - content

7. Human resources security (7.1 prior to employment, 7.2 during employment, 7.3 termina-tion and change of employment)

Responsibilities are defined along with the employment steps, from the recruitment process until the end of the employees' contract. The HR life cycle has been illustrated (Figure 7). The data deletion of non-se-lected candidates every year has been determined, together with the HR data life cycle of data.

8. Asset Management (8.2

in-formation classification) The data protection level is assessed according to their sensitivity and criticality. The responsibilities are shared between the OCSIN, OPE and the different HR departments of the State.

9. Access control (9.1 business requirements of access control, 9.2 user access management, 9.3 user responsibilities)

Users access are activated at the beginning of the contract, attributed according to their organizational role, and deactivated at the employ-ment’s end. The responsibilities of access management are shared be-tween the OCSIN, organizational management and HR departments.

As the authentication system protection is technically protected by the OCSIN, users are responsible for protecting their authentication infor-mation (for instance, not communicating the password to anyone else, among other measures adopted by users.

12. Operations security (12.4

log-ging and monitoring) The logs registration, such as access, modifications and data deletion, constitute sensitive data conserved for a limited period and regularly deleted. Appropriate measures should be taken. The system adminis-trators are not allowed to delete the logs related to their activity.

13. Communications security

(13.2 Information transfer) In information transfers, the employees should verify if the demand complies with the LIPAD and function secret. For this purpose, an agreement should be signed by the parties involved. When the data storage exceeds 12 months, it is subject to a declaration to the data pro-tection commissioner. In addition, the files treated by the HR and con-taining personal data should be declared to the data protection com-missioner by the LIPAD managers of each department, with the assis-tance of information system managers by establishing a list of those files.

15. Supplier relationships (15.1 Information security in supplier relationships)

Confidential information of HR communicated to suppliers should fol-low the principle of proportionality and be the object of a confidential-ity agreement before the data transfer if it does not constitute a legal obligation. Appropriate precautions in terms of information security should be taken by the service or employee requiring external services, as it is considered responsible for the data treatment.

18. Compliance (18.1 Compliance with legal and contractual re-quirements, 18.2 Information se-curity reviews)

The chapter includes a list of the laws, regulations and frameworks on which the document is based. HR of each department must follow the LIPAD principles, shown in figure 5. Personal data and sensitive per-sonal data, defined according to the LIPAD and the documentation provided by the data protection commissioner, are non-pertinent for the mission of the State Personnel Office, thereby must not be intro-duced in SIRH (information system of HR). Employees files should be reviewed regularly to delete unnecessary data. The treatment of health data and reasons for absences are also specified in that chapter. Con-formity of data treatment should be checked by the officers responsible for the files, while the technical conformity is attributed to the OCSIN.