
The life cycle of personal data: a case study on information security in the public administration of the canton of Geneva


Academic year: 2022



Master

Reference

The life cycle of personal data: a case study on information security in the public administration of the canton of Geneva

DE PALMA, Marina

Abstract

The life cycle of personal data: a case study on information security in the public administration of the canton of Geneva.

DE PALMA, Marina. The life cycle of personal data: a case study on information security in the public administration of the canton of Geneva. Master : Univ. Genève, 2021

Available at:

http://archive-ouverte.unige.ch/unige:153303

Disclaimer: layout of this document may differ from the published version.


THE LIFE CYCLE OF PERSONAL DATA: A CASE STUDY ON INFORMATION SECURITY IN THE PUBLIC ADMINISTRATION OF THE CANTON OF GENEVA

Marina De Palma

Internship-based Thesis

Submitted in fulfillment of the requirements of the degree of Master of Standardization, Social Regulation and Sustainable Development

Under the supervision of Professor Reinhard Weissinger

July, 2021

ACKNOWLEDGMENTS

First and foremost, I would like to express my deepest appreciation to my academic supervisor, Professor Reinhard Weissinger, for his continuous support and patience. With his invaluable expertise in standardisation, he provided insightful comments and suggestions, thereby sharpening my thinking for framing and improving my master thesis along the process.

I would like to extend my sincere gratitude to my internship supervisor, Mr. Fabrice Moore.

With his plentiful experience and immense knowledge, he provided remarkable guidance and precious advice during my internship at the Personnel State Office of the State of Geneva. I am also grateful for his patience and continuous support from the end of the internship.

I would also extend my sincere thanks to Mrs Lauren Jaquier, who provided relevant and precise information for my thesis about the State of Geneva. As a long-time friend, she encouraged me during my studies, and I thank her for the cherished time spent together.

I would offer my special thanks to Mr Lucas Catalani Gabriel, who strongly encouraged me in pursuing my studies and brought full support in every aspect of my life over the last year and a half, a period full of challenges between COVID 19, internships and student jobs.

Finally, I am deeply grateful to my friends and family for their tireless support and encouragement all through my studies.

TABLE OF CONTENTS

LIST OF FIGURES 4

LIST OF TABLES 5

ACRONYMS 6

ABSTRACT 7

1. INTRODUCTION 8

1.1. THE CANTON OF GENEVA 9

1.2. ORGANIZATIONAL OVERVIEW AND ANALYSIS 10

1.3. INTERNAL AUDITING SERVICE OF THE STATE OF GENEVA 12

1.4. DESCRIPTION OF THE SPECIFIC SITUATION, CHALLENGE, AND RESEARCH QUESTIONS 12

2. THEORETICAL FRAMEWORK 14

2.1. OPEN GOVERNMENT DATA 15

2.2. DATA PROTECTION LAW 16

2.2.1. THE EMERGENCE OF THE GDPR 16

2.2.2. DEFINITION OF PERSONAL DATA IN THE EU DATA PROTECTION LAW 16

2.2.3. PERSONAL DATA – DEFINITION ISSUES AND THE GENERAL DATA PROTECTION REGULATION (GDPR) 17

2.2.4. BIG DATA AND GDPR 18

2.2.5. THE LIPAD 18

2.3. THE ISO/IEC 27000 INFORMATION SECURITY MANAGEMENT SYSTEMS (ISMS) STANDARDS 19

2.3.1. ISO/IEC27001 VS ISO/IEC27002 21

2.3.2. USE OF ISO/IEC27001 22

2.3.3. ISO/IEC27001/2 AND GDPR 23

3. METHODOLOGY 25

4. CONCRETE TASKS 26

4.1. THE RECOMMENDATIONS OF THE INTERNAL AUDITING SERVICE 26

4.2. NEW GUIDELINE: “HR LIFE CYCLE INFORMATION - INTERNAL CONTROL SYSTEM” 26

4.3. WHAT IS INCLUDED FROM ISO/IEC27002 NORM 28

4.3.1. WHY NOT ISO/IEC27701? 29

4.4. LIFE CYCLE OF HR DATA IN THE STATE OF GENEVA 29

4.4.1. PERSONAL DATA 32

4.4.2. SENSITIVE PERSONAL DATA 32

4.4.3. H 33

LIST OF FIGURES

Figure 1: Structure of the State administration of Geneva 10

Figure 2: Department of Finances and Human Resources 11

Figure 3: Role of the Governance tools service in the OPE 12

Figure 4: Data sharing by three actors 15

Figure 5: Illustration from ISMS PDCA process (Bamakan & Dehghanimohammadabadi, 2015) 20

Figure 6: Constituting the HR life cycle information document 27

Figure 7: Life cycle of HR data in the State of Geneva 30

Figure 8: LIPAD Principles 31

LIST OF TABLES

Table 1: Chapters included and excluded from ISO/IEC 27002 28

Table 2: Overview on the document 34

ACRONYMS

CobIT: a framework for governance and information and communication systems management

COSO: Internal control system framework

DCT: Data collection and treatment

EGE: Cross-cutting directive (“Directive transversale”)

E-learning eSusi: E-learning to bring the attention of the employees to information security and data protection.

GDPR: General data protection regulation in the EU

GTS: Governance tools service

HR: Human Resources

IAS: internal auditing service

ISMS: Information Security Management System

ISP: Information security policy

LACI: Federal law on the compulsory unemployment insurance (“loi fédérale sur l'assurance-chômage obligatoire et l'indemnité en cas d'insolvabilité”)

LArch: Public Archives law (“loi sur les archives publiques”)

LAVS: Federal law on seniors and survivors insurance (“loi fédérale sur l'assurance-vieillesse et survivants”)

LDA: Copyright federal law (“loi fédérale sur le droit d’auteur et les droits des voisins”)

LIPAD: Law of data protection in the Canton of Geneva (« Loi sur l’information du public, l’accès aux documents et la protection des données »)

MIOPE: Instructions memento of the Personnel Office of the State of Geneva (“Mémento des instructions de l’OPE)

OCSIN: Cantonal Office of Information and Digital Systems (“Office cantonal des systèmes d’information et du numérique”)

OGD: Open Government Data

OPE: Personnel Office of the State of Geneva (“Office du Personnel de l’Etat”)

PII: Personally Identifiable Information

PFPDT: Swiss federal data protection commissioner (“Préposé fédéral à la protection des données et à la transparence”)

PPDT: Cantonal data protection commissioner (“Préposé cantonal à la protection des données et à la transparence”)

PSI: Security information policy of the State of Geneva (“Politique de sécurité de l’information de l’administration cantonale de Genève”)

RCEL: Electronic communication regulation (“règlement sur la communication électronique”)

RGR: Risk management regulation (“règlement sur la gestion des risques”)

ROGSIC: Organisation and governance regulation for information and communication systems (“Règlement sur l’organisation et la gouvernance des systèmes d’information et de communication”)

RPAC: Regulation related to the personnel of the State of Geneva (“Règlement d’application de la loi générale relative au personnel de l’administration cantonale, du pouvoir judiciaire et des établissements publics médicaux”)

RTt: teleworking regulation (“règlement sur le télétravail”)

SETA programs: security education, training and awareness programs

SIRH: HR information system (“Système d’information des ressources humaines”)

SPE: Personnel health service of the State (“Service de santé du personnel de l’Etat”)

ABSTRACT

As technologies evolve and interconnections between people increase over the years, privacy, data protection, and information security topics are part of the prevailing trends. Data protection violations occur regularly due to a lack of knowledge regarding the rules and procedures to adopt within an organisation. The HR services of various public departments have also encountered the issue. A lack of compliance by HR employees with the data protection law was observed. In order to fill the gap, a guideline describing the HR life cycle information has been conceived, notably by merging the Information security management system (ISMS), namely the ISO/IEC 27002 standard, and the cantonal data protection law (LIPAD). This procedure followed a systematic approach elaborated by the authors. Other laws, regulations, and guidelines have been added to complete the control document with all the resources available and known. Therefore, data quality can be achieved by applying the seven principles of the LIPAD. In addition, the framework chapters were constituted by the definition of the objectives, the designation of responsibilities, the description of procedures, the documentation of additional sources, the inclusion of good practices and the illustration of the concept with figures. The HR life cycle information guideline could constitute a starting point for mapping the different sources and adding content related to data protection law and information systems updates.

1. INTRODUCTION

Data records have been significantly increasing over the last few years. Access to websites and platforms is free in monetary terms, but it is paid indirectly by the users through their privacy. Thus, data constitute a source of revenue not only for the sellers but also for the purchasers, since the latter will be able to increase their sales thanks to more targeted ads. Data have therefore become a precious asset for organisations nowadays. Cyberattacks have, in the meantime, significantly risen, which generates huge losses for organisations and a threat to privacy. In this context, information security and data protection have become essential.

To address these issues, standards have been developed, such as the ISO/IEC 27000 series, while laws, namely the GDPR at the European level, have entered into force.

In the canton of Geneva, the LIPAD applies to public institutions for protecting data. This work derives from an internship undertaken at the State Personnel Office of the canton of Geneva. The cantonal public administration employs over 17000 people in order to provide public services. More specifically, the Department of Finance and Human Resources ensures the proper functioning of the public administration and the funding of benefits to the population. It includes the Personnel Office of the State of Geneva (OPE), in charge of the management of all Human Resources Offices present in each of the seven departments of the administration (Secrétariat Général du département des Finances, n.d.).

The Personnel Office, through its activities, has an impact on the whole administration.

Heading the Human Resources Offices of the seven departments of the “small State”, the Office constitutes a centre of competencies, control, and execution, supporting the State Council with strategic and operational actions. Its role consists of building and coordinating the budget for the staff of the State. The Office manages remuneration and insurance. Most pertinent in this context, the Office controls compliance with laws, rules, and directives in Human Resources and assists, through its expertise, the whole administration. It designs training based on the needs of the work positions and ensures the implementation of measures linked to occupational health (Département des finances et des ressources humaines (DF) de l’Etat de Genève, 2020).

The internship took place in the governance tools service, whose missions concern compliance with laws, rules, and directives related to HR. In this area, the OPE had received recommendations from the Internal Audit Service, which identified several gaps in the compliance with and application of the law regarding data protection, a matter inevitably linked to information security.

For this purpose, the core of the internship consisted of writing the control document entitled “HR life cycle information” related to data protection, based on the ISO/IEC 27002 norm as a framework and on the data protection law, as well as on the current good practices that have already been implemented in some of the Human Resources departments. It also includes the life cycle management of Human Resources data, in order to have a complete framework that allows the application of the rules from the data protection law.

Moreover, this work starts with the organizational overview of the cantonal administration and an analysis of the OPE function. Attention is also brought to the internal auditing service that identified the gaps between the current practices of HR employees and the LIPAD. The specific situation and challenges are described in the following subchapter.

The theoretical framework is presented in chapter 2, which includes an insight into open government data, the development and description of European and Swiss data protection laws, and the ISO/IEC 27000 series concerning information security. Although information security constitutes an essential part of the ISO/IEC norm considered, we will focus on the privacy aspect, which is the specific point addressed in the HR life cycle information document. Then, the methodology of the work will be followed by the chapter entitled “concrete tasks”, which includes a detailed view on the recommendations from the internal auditing service, the conception of the HR guideline for data protection and a focus on the crucial topics of the document, such as personal and sensitive data, as well as health data. An additional chapter has been added concerning the document's last update, which happened after the internship, and some specifications concerning the implementation of the rules. We will also discuss to which extent the objectives have been reached with the conception of the guideline, and the main challenges concerning its implementation. Finally, the conclusion presents the observations and findings concerning the use of ISO/IEC 27002 in a public administration, as well as recommendations.

1.1. THE CANTON OF GENEVA

The Republic and Canton of Geneva, whose official language is French, belongs to the 26 cantons that compose the Swiss Confederation. It includes notable institutions, such as the University of Geneva, the United Nations, and CERN. Since the canton was established in 1847, the state organisation is based on three powers (Chancellerie d’Etat - Genève, 2017b):

- The Great Council is the legislative body of the canton, composed of 100 deputies elected every five years;

- The judiciary power, constituted by the public prosecutor and tribunals, fulfils its mission independently of the Great Council and the State Council;

- The State Council, which is composed of seven members elected every five years, administers the State of Geneva. Each one of them heads a department, as illustrated in Figure 1. Its role consists of applying the laws voted by the Great Council and presenting bills to the latter.

The State Chancellery is intimately related to the State Council, as it is in charge of organising and planning its weekly meetings and brings organisational, logistical and juridical support through its different services. It also works closely with all departments by coordinating the cross-cutting processes (Chancellerie d’Etat - Genève, 2017a). The Chancellery also includes the State Archives. As an independent authority administratively attached to the State Chancellery, the data protection and transparency body monitors the application of the law on public information, access to documents and personal data protection (LIPAD) in the public institutions and subsidized private institutions of the canton of Geneva (Etat de


parliament (Great Council). Intending to improve the State management and after a risk analysis, the Court performs different types of audits whose missions are chosen freely, such as audits of legality, financial audits, and management audits. Finally, reports containing observations and recommendations are published, thereby supporting the transparency of the public funds, which promotes democratic governance. It also contributes to improving the State's action (Cour des Comptes, n.d.) and enhances the accountability of the public administration (Chidinma, Nwadialor, & Ifureze, 2016). Thus, even though external and internal audits have different roles and responsibilities, their common purpose is to promote good governance by contributing to transparency and accountability.

Figure 1: Structure of the State administration of Geneva

Seven departments are responsible for the operationalization of the administration, notably the Department of Human Resources and Finance, which plays an essential role in ensuring the proper functioning of the entire administration while ensuring the financing of services to the population. Therefore, several sections belong, interact and respond to the Department of Human Resources and Finance, according to the last information available, namely:

the cantonal statistics office; the cantonal tax authority; the State personnel office; the cantonal bankruptcy and prosecutions office; as well as offices related to finance, equality and prevention of violence, and international affairs (Département des finances et des ressources humaines (DF) de l’Etat de Genève, 2020). In addition, the cantonal office of information and digital systems (OCSIN), part of the department of infrastructure, is defined as the nervous system of the cantonal administration of Geneva. Through technologies, the office supports citizens and public professionals in facilitating access to information, thereby providing digital services based on quality and security (Etat de Genève, n.d.-a).

1.2. ORGANIZATIONAL OVERVIEW AND ANALYSIS

The responsibilities of the Personnel Office of the State (OPE) encompass the entire Geneva administration. It acts on the strategic and operational levels, notably preparing and coordinating the budget for the State's employees, including wages and insurances. Besides, the Office monitors the application of laws, regulations, and directives related to HR, designs training actions, guarantees the implementation of occupational health measures, and provides advice to the State administration. The OPE responds formally to the Department of Finances and Human Resources, as illustrated in Figure 2, while officially responsible for the HR operations of the seven departments. In order to not overload the information, the scheme shows only the offices and services relevant to this work.

Figure 2: Department of Finances and Human Resources

The Personnel Office of the Geneva State is constituted by different units: Assessment and remuneration system, payments and insurances, human resources development which includes the health service, and the budget, finance and governance tools. The latter itself contains the services of budget, governance tools, accountability and time control. Our attention is brought to the governance tools service, whose functioning is represented in Figure 3. The Governance tools service (GTS) has two primary missions: Providing guidelines and assisting the HR services while supervising HR operations; and publishing yearly the Social report, which describes the HR of the administration of Geneva (for the “Small State” and “big State”; we will, though, consider only the first one for this work). Thus, GTS collects the HR data registered in the database (managed with the software “Qlikview”) by the HR services of the different departments. Statistics are then generated from the HR data treated in order to be published in the Social Report, which can be consulted by any interested citizen. Through the use of statistics, the service also contributes to seeking answers to the demands of politicians. Consequently, transparency related to the HR of the Geneva State is promoted through the treatment of HR data.


Figure 3: Role of the Governance tools service in the OPE

1.3. INTERNAL AUDITING SERVICE OF THE STATE OF GENEVA

As an independent and autonomous entity in the Department of Finance and Human Resources, as illustrated in Figure 2, the internal auditing service ensures a high level of surveillance of the cantonal administration of Geneva. In addition, the service evaluates the effectiveness and efficiency of the control systems, risk management processes, and governance on its own initiative or at the request of the Councils.

The audits consist of verifying the existence and adequacy of the internal control system of the audited entity, which should include risk management, clear and quantified objectives, and the measurement of the management tools, and of monitoring the achievement of the goals set by the entities. The audits examine the administrative activity from an efficiency perspective (Service d’audit interne de l’Etat de Genève, 2019a).

The recommendations issued by the internal auditing service allow potential savings. For instance, the guidance issued in 2018 could allow for potential savings of up to a few million francs. Moreover, besides the financial gains, the internal auditing service aims to bring added value in risk management and toward achieving operational purposes, the enforcement of the law and regulations, and ensuring the quality of financial and management reporting. The recommendations emitted in those areas contribute to improving the organization of the State, thereby seeking better efficiency (Service d’audit interne de l’Etat de Genève, 2019b). The auditing reports are addressed directly to the service audited, while the Court of Auditors publishes the auditing reports on its website, which all citizens can access.

1.4. DESCRIPTION OF THE SPECIFIC SITUATION, CHALLENGE, AND RESEARCH QUESTIONS

To follow the recommendations provided by the internal auditing service, the OPE had the challenge to document the life cycle information related to human resource operations while ensuring that the data is reliable (with quality), transparent, secure, and following the law. Some standards cover these aspects, such as the ISO/IEC 27002. Therefore, we use the insights provided in the literature to compile, apply, analyse, and suggest improvements to our case study while answering the following research question: How to fulfil the recommendations of the Internal auditing service related to data protection among the human resources departments? For this purpose, we set the objectives below:

Primary objective:

- Document the life cycle information related to human resource operations as a case of understanding the best practices for information security in the State of Geneva;

Secondary objectives:

- Highlight the importance of data quality management in the public administration;

- Suggest the internal norms for controlling the documents’ creation, use, and disposal, including considerations about data protection and regulation;

- Suggest the best operational practices from the ISO/IEC 27002 for a public sector;

- Discuss the definitions of personal data according to the GDPR and how it can perform in the public sector while identifying the gaps between current practices and the law;

- Address the recommendations of the Internal auditing service (SAI) by investigating the information security life cycle;

- Provide insight for improvement, indicate trends, and suggestions for future works.

2. THEORETICAL FRAMEWORK

According to the latest Global Risks Report, Information infrastructure breakdown constitutes, until 2030, “the sixth most impactful risk in the years” (World Economic Forum, 2020, p.7), since more than half of the population worldwide can access globally interconnected computer networks. In the Global Risks Perception Survey, cyberattacks and data protection issues are categorized in the respondents' top-ten list of long-term risks (World Economic Forum, 2020). In another global survey released in 2015 by ISACA, only 38% of the respondents from 129 countries felt ready to face a cyber-attack (Lazarte, 2015).

According to a study realised in 2017 analysing 254 companies (Accenture, 2017), cyber security costs on average US$11.7 per company each year. Whereas the cyber security costs increase annually by 22.7 per cent, security breaches are proliferating at an annual rate of 27.4 per cent. In addition, the rise of the Internet of Things, which leads to a higher number of firms connecting to the internet, will result in a continuous rise of cybercrime costs over the following years (Fenz & Neubauer, 2018).

Several relevant cyberattacks have been reported lately, highlighting the vulnerability of the networks on which organisations and public bodies rely. For example, in May 2021, one of the largest pipelines of the United States, the Colonial Pipeline, was forced to shut down after an attack on its corporate computer networks by ransomware, a software that blocks access to a computer system until the victim pays a ransom. More specifically, the company had to close its 5500 miles of pipeline, which represents 45 per cent of the US East Coast’s fuel supplies, in an attempt to contain the breach. In addition, several cyberattacks previously hit other US energy infrastructures, such as SolarWinds and a natural gas compression facility of a pipeline operator, among others, underlining once again the vulnerability of infrastructure against threats to information security (E. Sanger, Krauss, & Periroth, n.d.). More locally, in October 2020, hackers diverted salary transfers of employees from three Swiss universities by obtaining access data through phishing. The loss is estimated at a few million francs, which were sent to foreign accounts (Swissinfo (SWI), 2020).

Technology is changing and bringing benefits to our society, notably by enhancing people's health with improved medical devices and reducing environmental impact by optimising water use and energy consumption (World Economic Forum, 2020). Similarly, digitalization creates new opportunities to upgrade living standards while preserving and improving environmental and social health. Linkov et al. (2018, p.1) define digitalization as “the increased connectivity and networking of digital technologies to enhance communication, services, and trade between people, organizations, and things”.

Recently, especially in the current pandemic context, the digital transformation has been accelerating in several areas, such as education, healthcare, and the economy, together with the public sector (Gabryelczyk, 2020). On the other hand, the non-optimal use of digitalisation may prevent progress in information systems and compromise the performance of the public sector when resources are employed inefficiently. The same applies when available platforms become redundant, and government systems suffer from a lack of interoperability.

Similarly, a rising amount of data related to individuals and activities is being collected, recorded, and analysed in order to solve current issues and bring solutions for future generations (Linkov et al., 2018). This phenomenon, defined as “Big data”, derives from the significant progress over the last years of analysis techniques and capacities, allowing a considerable amount of information to be obtained from raw data. However, that might conflict with data protection in some instances (Delforge, 2018). At the same time, through statistics, data allow shaping public policies and adopting adequate measures, such as financial and social help granted to the most vulnerable groups (Davidian & Louis, 2012).

In public administration institutions, digitalization promotes transparency and accountability towards citizens by allowing information disclosure and provides access to public sector information, which further improves public engagement (OECD, 2016). Thus, the more informed citizens and businesses are, the higher their expectations will be, which raises the demand for more transparent and inclusive decision-making. Besides, through better use of information and communications technologies by the public sector, businesses and citizens are able to interact better, since public services have improved and are easily deliverable (OECD, 2016).

2.1. OPEN GOVERNMENT DATA

For the promotion of transparency, open government data is gaining popularity among public sectors. Therefore, a rising number of public bodies are implementing Open Government Data, which consists of the publication of the data concerning the government's performance and the surveys ordered with public funds. Furthermore, these data are released in an open format, thereby allowing their free distribution, use and reuse under the condition that works are shared and made available and data are attributed (Ubaldi, 2013).

Related to issues of public interest, Open Government Data have significantly grown over the last years as they promote public sector integrity and performance, together with transparency and accountability towards the citizens. Moreover, they build social and economic value. One of the potentials of OGD is the improvement of public policy outcomes.

“Public sector data offers opportunities for new products and services, and steps could be taken to increase its availability in open and interoperable formats” (OECD, 2016).

Figure 4: Data sharing by three actors


Nowadays, a considerable quantity of data related to supply chain management, its customers' social behaviour, and government regulations is produced every day by the private sector. For example, data created by Twitter’s network were shared in a format compatible with open government data to allow users to conduct data analytics. Therefore, data sharing enhances synergies between Civil Society Organizations, the private sector and governments. A significant collaboration and greater data exploitation then allow the development of services as well as value creation. Moreover, performing data analytics on the data generated constitutes an opportunity for the public sector to discern social trends and adapt public services and policies according to citizen and environmental needs. On their side, open data allow Civil Society Organisations to bring attention to current issues and public interest matters (OECD, 2016).

Therefore, the annual publications of the Social Report by the OPE constitute an application of the open government data concept.

2.2. DATA PROTECTION LAW

2.2.1. THE EMERGENCE OF THE GDPR

Voigt & von dem Bussche (2013) briefly summarise the history of the data protection laws, the Data Protection Directive, and the GDPR in the European Union (EU). Directive 95/46/EC of 1995 aimed to align the data standards within the European Community to facilitate internal and cross-border data transfers, since the national protection laws could not offer legal certainty for individuals, data controllers, and processors. Directive 95/46/EC also ensured the free flow of personal data in the EU by harmonizing the protection of individuals’ fundamental rights. However, in practice, the Directive failed due to difficulties in aligning the level of data protection in the EU, owing to legal differences arising from the implementing acts of the individual EU Member States.

According to Voigt & von dem Bussche (2013), the General Data Protection Regulation (GDPR) was only adopted in 2016 and replaced the 1995 Data Protection Directive. The main motivation for the change was the legal uncertainty resulting from fragmented data protection across the EU, which led to a distortion of competition between the Member States and an obstacle to economic activities. Furthermore, the main difference between the Data Protection Directive and the GDPR is that the latter applies directly to its addressees, requiring no further implementation measures by the Member States, equalizing data protection, increasing legal certainty, enabling obstacle-free personal data flow, and boosting the economy. However, the responsibility lies with the companies, which need to adapt to the new data regulation and obligations since the GDPR has a broad scope of application. Therefore, companies need to reframe their internal data protection procedures to comply with the GDPR.

2.2.2. Definition of personal data in EU data protection law

Purtova (2018) raises a discussion about the GDPR (General Data Protection Regulation (EU) 2016/679, version OJ L 119, 04.05.2016) and highlights important definitions, such as “personal data” and “anonymous data”, and the implications of those definitions. Anonymous data is information whose relationship with an identified or identifiable person cannot be determined; it also includes data “rendered anonymous” and therefore does not trigger the application of data protection law. “Pseudonymous data”, by contrast, is personal data processed in such a way that it can no longer be attributed to a specific person without additional information that is kept separately; because re-identification remains possible for whoever holds that additional information, it still concerns an identifiable individual and therefore remains subject to the law. “Personal data”, according to the GDPR, includes any information relating to a data subject (an identifiable natural person), i.e. one who “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Purtova, 2018).

Purtova (2018) highlights relevant points regarding context, identifiability and the nature of the information in personal data. The definitions are broad, flexible and adaptable to specific contexts, which leaves room for different interpretations of what constitutes a real possibility of linking an individual to information. The author also points out that, due to technological advances, non-identifiable data becomes identifiable and thus subject to the GDPR.

Purtova (2018) analysed the concept of personal data through the lens of EU data protection law and the GDPR and revealed problems in how the definitions are framed. If no action is taken, all data might eventually be considered personal as technology progresses, broadening the law's coverage to the point where it becomes unworkable in practice. Further, smart environments foster data collection that relates to people in real time; one can therefore argue that any information collected there is probably associated with a person. The author suggests that the definition of personal data should be interpreted broadly rather than through articulated understandings of information.

2.2.3. Personal data definition issues and the General Data Protection Regulation (GDPR)

With the progress in data analytics, information becomes more easily identifiable over the years (Purtova, 2018).

According to several authors (Purtova, 2018; Voigt & von dem Bussche, 2013), personal data is a broad concept whose protection is governed by the GDPR (General Data Protection Regulation) in Europe, also called European data protection law. They also argue that the distinction between personal and non-personal data may have to be abandoned in the future, since hyperconnectivity and massive data generation will make it difficult to distinguish what is personal and what is not. Purtova (2018) states that this issue stems from the concept of personal data itself, which is broad per se and is currently expanding due to its application to a rising range of situations. This is a result of the evolving


2.2.4. Big data and the GDPR

In the context of human resources, Hamilton and Sodeman (2019) state that the use of big data allows significant strategic human capital questions to be addressed, such as gender equality in wages, among others. HR analytics thus improves personnel evaluation and deployment and the relationship between HR and other departments, thereby enabling HR to participate at a strategic level. Consequently, the use of big data by HR could enhance the organisation's overall performance (Hamilton & Sodeman, 2019).

As mentioned earlier, extensive data processing can violate the GDPR, since the data may contain personal data, and non-compliance can lead to substantial administrative fines. Analysis and data-matching capabilities have evolved to the point where the unexpected presence of personal data in databases is plausible, since data that were previously anonymous can become personal (again). For instance, personal data were found hidden behind a priori innocuous data, such as numbers (Delforge, 2018). Purtova (2018) goes further and suggests that anonymity is no longer achievable given the progress of technology. Concerning the definition of personal data, the author highlights one solution found in the literature: instead of a fixed definition describing what personal data is, decide whether something is personal data by the risk of identification, on a scale from a probability of 0 to “identified” (the person is known), and treat the information according to its degree of identifiability. However, it is also pointed out that identifiability alone is an oversimplified way of defining “personal data”, since it fails to capture the degree to which the information relates to a person.
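The identifiability scale discussed above can be made concrete on data of the kind HR handles. The following Python script is an added example written for this page, not code from the thesis or from the State of Geneva; its absence extract, column names and key are constructed for illustration. It shows that an HR extract with names removed can still have every row unique on its remaining quasi-identifiers (identifiability 1.0), that a keyed hash of the employee number is pseudonymisation rather than anonymisation because the key holder can re-link it, and how generalising the remaining columns lowers the risk to 1/k.

```python
"""Degrees of identifiability on an HR absence extract.

Added example, not taken from the thesis or from the State of Geneva:
it shows, on a constructed dataset, why removing names does not make
an HR extract anonymous, how a pseudonymised extract can be re-linked by
whoever holds the key, and how the re-identification risk drops when
the remaining columns are generalised.
"""
import hashlib
import hmac
from collections import Counter

# Constructed HR absence extract (all values invented for the example).
# Names are already removed; what is left is an internal id, three
# quasi-identifiers (dept, birth_year, sex) and one sensitive value.
ABSENCES = [
    {"emp_id": "E001", "dept": "Finance", "birth_year": 1974, "sex": "F", "reason": "burnout"},
    {"emp_id": "E002", "dept": "Finance", "birth_year": 1978, "sex": "M", "reason": "flu"},
    {"emp_id": "E003", "dept": "IT",      "birth_year": 1990, "sex": "M", "reason": "flu"},
    {"emp_id": "E004", "dept": "IT",      "birth_year": 1993, "sex": "F", "reason": "surgery"},
    {"emp_id": "E005", "dept": "Legal",   "birth_year": 1981, "sex": "M", "reason": "cancer"},
    {"emp_id": "E006", "dept": "Legal",   "birth_year": 1985, "sex": "F", "reason": "flu"},
]
QUASI_IDENTIFIERS = ("dept", "birth_year", "sex")


def equivalence_classes(rows, quasi=QUASI_IDENTIFIERS):
    """Count rows sharing the same quasi-identifier values (the 'k' of each row)."""
    return Counter(tuple(r[c] for c in quasi) for r in rows)


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """k of the whole extract: the size of the smallest equivalence class."""
    return min(equivalence_classes(rows, quasi).values())


def identifiability(row, rows, quasi=QUASI_IDENTIFIERS):
    """Chance that someone who knows a person's quasi-identifiers singles out
    this row: 1/k, i.e. 1.0 when the row is unique ('identified')."""
    classes = equivalence_classes(rows, quasi)
    return 1 / classes[tuple(row[c] for c in quasi)]


def pseudonymise(rows, key):
    """Replace emp_id by a keyed hash (HMAC-SHA256). This is pseudonymisation:
    the link to the person survives for whoever holds the key."""
    out = []
    for r in rows:
        tag = hmac.new(key, r["emp_id"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({**r, "emp_id": tag})
    return out


def relink(pseudo_rows, candidate_ids, key):
    """The key holder (the id space is small enough to enumerate) maps each
    tag back to the original id; with the wrong key every tag maps to None."""
    lookup = {hmac.new(key, i.encode(), hashlib.sha256).hexdigest()[:16]: i
              for i in candidate_ids}
    return {r["emp_id"]: lookup.get(r["emp_id"]) for r in pseudo_rows}


def generalise(rows):
    """One anonymisation step: drop the id and the sex, coarsen birth_year to a
    decade. Identifiability is then assessed on ('dept', 'birth_decade')."""
    return [{"dept": r["dept"],
             "birth_decade": r["birth_year"] // 10 * 10,
             "reason": r["reason"]} for r in rows]


if __name__ == "__main__":
    print("raw extract: k =", k_anonymity(ABSENCES))
    print("identifiability of the 'cancer' row:",
          identifiability(ABSENCES[4], ABSENCES))
    gen = generalise(ABSENCES)
    print("generalised extract: k =", k_anonymity(gen, ("dept", "birth_decade")))
    key = b"key-held-by-the-OPE"  # constructed secret for the example
    pseudo = pseudonymise(ABSENCES, key)
    print("pseudonymised ids:", [r["emp_id"] for r in pseudo])
    print("re-linked:", relink(pseudo, [r["emp_id"] for r in ABSENCES], key))
```

On the raw extract every row is unique on (dept, birth_year, sex), so a colleague who knows a person's department, age and sex reads the absence reason directly; after generalisation each class holds two people and the risk falls to 0.5. Note that the degree of identifiability is not the whole story, as the text above warns: the generalised Finance class still narrows the sensitive value down to “burnout or flu”, which is why practitioners also check the diversity of sensitive values within each class before treating an extract as anonymous.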

The principles of the GDPR appear to run counter to the logic of big data. While big data aims to reuse data already collected for other purposes, including predicting trends, the GDPR provides that personal data may be processed only for the purposes for which they were collected (purpose limitation).

For big data, the more data are collected, the better the results. The GDPR, on the other hand, requires that only the minimum data necessary be collected (data minimisation). Another difference concerns accuracy: whereas big data does not guarantee accurate data, the GDPR forbids the collection, processing and storage of incorrect data. Despite these contrasting differences, the GDPR does not prevent organisations from using big data, since it sets out principles that protect each stakeholder's interests and build a climate of confidence among users and citizens (Delforge, 2018).

2.2.5. The LIPAD

As European law, the GDPR does not apply to organisations located in Switzerland unless they offer goods or services to, or monitor the behaviour of, data subjects in the EU (art. 3(2) GDPR). Instead, the Swiss Federal Act on Data Protection (FADP) applies to private persons and federal bodies that process personal data, thereby protecting privacy. Considered outdated, the Act was revised to align it with the GDPR, which became applicable in May 2018 (PWC, 2018). The objectives of the revision were to protect personality rights better, to enhance transparency and to strengthen the rights of the people whose data are processed. Passed by the Swiss parliament in September 2020, the revised FADP may enter into force in 2022 (Seipp, 2020). Its most relevant changes are presented below (PWC, 2018):


1) The Act will cover only the data of natural persons; the data of legal persons will no longer be regulated.

2) Clear sanctions are defined for individuals who intentionally breach the new FADP, namely fines of up to CHF 250 000.

3) Any data security breach will have to be reported without delay to the Federal Data Protection and Information Commissioner (FDPIC) and, where required, to the affected persons.

4) The list of sensitive data is expanded to include genetic and biometric data (such as fingerprints).

5) Data controllers and processors will have to ensure, from the planning phase, that the risks of privacy breaches are mitigated (privacy by design). They will also have to guarantee, through appropriate default settings, that data are processed only for the defined purpose (privacy by default).

6) Data protection impact assessments will have to be carried out by controllers or processors if the intended processing represents a high risk to the personality or fundamental rights of the data subjects.

In the specific context of this work, the focus is on the LIPAD, the Geneva law of 5 October 2001 on public information, access to documents and personal data protection, which first entered into force on 1 March 2002. Its objective is to enhance the transparency of the activities of public bodies in Geneva through an active information and communication policy, in order to encourage the free formation of public opinion and promote citizens' participation in public life (LIPAD). The law also recognises the individual right of access to documents. Citizens and public employees therefore have permanent access to their personal data, which they can verify and have corrected. More specifically, the LIPAD applies to the State and public bodies of Geneva and to all private bodies that are at least 50% publicly funded (Ville de Genève, 2012). Furthermore, the latest revision, adopted in November 2019 and in force since October 2020, underlines the autonomy and independence of the Geneva data protection and transparency commissioner (PPDT), who is only administratively attached to the State Chancellery (LIPAD).

2.3. The ISO/IEC 27000 Information Security Management Systems (ISMS) standards

The starting point of this work is the ISO/IEC (International Organization for Standardization/International Electrotechnical Commission) 27002 standard. This section therefore briefly explains why this standard was chosen and why it is relevant for this case. ISO as an organisation comprises a network of national standards bodies from over 160 countries and develops international standards, among other deliverables.

International standards are rules, guidelines and characteristics that generally describe the best-known practices for a given activity. After publication, each standard undergoes systematic reviews to ensure that it remains up to date and relevant.


and management of risks related to information (Lazarte, 2015). The series therefore provides recommendations on best practices for Information Security Management Systems (ISMS), whose broad scope includes privacy, confidentiality and cybersecurity issues. Using these standards allows organisations to manage the security of their information assets, notably employee information, financial information and intellectual property (ISO, n.d.).

In addition, regular updates of these standards provide added value and confidence to organisations, ensuring that they satisfy the latest requirements in various environments and industries as technology evolves rapidly and continually (IT Governance Uk, 2020).

Figure 5 Illustration from ISMS PDCA process (Bamakan & Dehghanimohammadabadi, 2015)

More specifically, an ISMS is a comprehensive and practical management system (ISMS.online, 2021) that helps organisations implement secure information procedures and processes, thereby establishing a safe information environment (Bamakan & Dehghanimohammadabadi, 2015). Information security is addressed through three pillars: people, processes and technology (IT Governance Uk, 2020). To achieve this objective, several actions need to be undertaken: identifying the information security needs, implementing strategies to address them, measuring the results, and enhancing the ISMS and the protection strategies over the years. ISO/IEC 27001 follows the scheme of a PDCA (Plan-Do-Check-Act) cycle, as illustrated in Figure 5: since risks and security conditions change constantly, this feature helps mitigate vulnerabilities, threats and incidents. Consequently, organisations are able to verify the effectiveness of their risk assessments by continuously monitoring and checking their system, and to take appropriate actions for further improvement (Bamakan & Dehghanimohammadabadi, 2015).

For this study, the focus will be brought on three standards:

- ISO/IEC 27000, which provides an overview of the ISO/IEC 27000 series;

- ISO/IEC 27001, the central standard of the family;

- ISO/IEC 27002, the standard chosen for the HR guideline in the State of Geneva.


Firstly, “ISO/IEC 27000 provides the overview of information security management systems (ISMS), and terms and definitions commonly used in the ISMS family of standards.” In other words, all the essential terminology used in the other standards of the family is gathered in this standard, which also explains how the different standards of the family fit together through their “scopes, roles, functions and relationship to each other”. The latest version, updated in 2018, is also applicable to government agencies and NGOs (ISO, 2018).

The central standard of the ISO/IEC 27000 series is ISO/IEC 27001, entitled “Information technology — Security techniques — Information security management systems — Requirements”. It is the only standard of the family against which an organisation can be audited and certified (IT Governance Uk, 2020). The standard specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS within the context of the organisation. It therefore states requirements for an ISMS, including the assessment and treatment of information security risks tailored to the needs of the organisation.

ISO/IEC 27001 applies to organisations of all sizes and types (ISO/IEC 27001:2013). As stated in the introduction of the standard itself, an ISMS “preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed”, which is closely related to the scope of the HR guideline.

2.3.1. ISO/IEC 27001 vs ISO/IEC 27002

ISO/IEC 27002, entitled “Information technology — Security techniques — Code of practice for information security controls” (ISO/IEC, 2013), is a guidance document supporting ISO/IEC 27001. It provides recommendations on best practices for information security controls for those responsible for managing information, in order to preserve the information's confidentiality (access by authorised parties only), integrity (accuracy and completeness) and availability. While ISO/IEC 27001, a management standard focusing on the organisation's ISMS, defines the requirements against which it is audited and dedicates only one sentence to each control, ISO/IEC 27002 develops each control over an entire page (“ISO 27001 vs. ISO 27002 - What's the difference?,” n.d.), explaining the mechanism of each control, its objective and its implementation (IT Governance Uk, 2020). ISO/IEC 27002 is thus designed for organisations that intend to select controls and develop their own information security management guidelines (ISO/IEC, 2013).

Given the features of the standard mentioned in the literature review, and as suggested in the introduction of the standard itself, ISO/IEC 27002 was used as the starting point for developing the HR guideline for data protection in the State of Geneva. No earlier version of such a document existed.


e.g. identity verification and professional references, signing a binding confidentiality agreement, the Human Resources department informing other departments of changes in employee status, and the return of IT equipment and credentials on the last working day, among others. Additional details on how this standard was applied are given in the chapters “Concrete Tasks” and “Results and Analysis”, and further insights in “Conclusions and Recommendations”.

2.3.2. Use of ISO/IEC 27001

There is little information about the use of ISO/IEC 27001. To determine its use among German companies, Mirtsch et al. (2021) therefore used web mining, identifying references to ISO/IEC 27001 on company websites on both the demand and the supply side. Although the methodology has some limitations regarding the reliability of the count of certifications, several interesting outcomes emerged from the study. The authors observed that the relatively small number of valid certificates reported by the ISO Survey does not imply low use of ISO/IEC 27001, since companies can implement an ISMS without certification or with the help of certified IT personnel. Moreover, cloud providers and data centres referred to as partners on company websites contribute to the indirect certification of the firms, as they supply them with information security; they therefore have a multiplier effect on the number of uses. In addition, small companies are less inclined to seek certification than larger ones. Finally, in the context of the GDPR, the authors state that the use of ISO/IEC 27001 may soon no longer be voluntary in practice, since it can serve as evidence of a firm's compliance with the organisational and technical measures required to protect information (Mirtsch, Kinne, & Blind, 2021).

When analysing the ISO/IEC 27000 series and its use, Topa and Karyda (2019) identified a lack of specific guidelines promoting the security compliance of employees. To address this, the authors presented recommendations for security managers to improve their practices by tackling the issues that significantly affect the effectiveness of security measures. Security management therefore needs to address the following factors, which are not incorporated in the ISO/IEC 27000 series (Topa & Karyda, 2019):

- Organisational and cultural context: security managers need to consider the socio-cultural environment when defining the ISMS scope. National culture shapes employees' security behaviour and calls for different methods. In a collectivistic context, a group approach should be used to raise awareness and train employees, for instance through regular meetings; individualistic societies call for methods that address individuals, such as sending e-mails or providing online courses. The creation of an organisational culture is also a determinant of employees' security behaviour: it consists of defining goals and rules to be followed, with a system of rewards and sanctions tied to security compliance. In addition, employees are more motivated when their views are taken into account, as in organisations with flat management.

- Establishment of a facilitating organisational environment: information security compliance is fostered by providing appropriate resources, including effective communication practices (e.g. newsletters), training, help from experts and easy online access to the information security policy (ISP). Another important factor determining the security behaviour of non-IT employees is job satisfaction, which can be enhanced through job enrichment programmes, such as assigning new tasks and providing regular feedback. A working environment that promotes job satisfaction thus improves work quality and cultivates appropriate security behaviour. Organisational support should, in addition, be balanced: adequate recognition of employees' contribution and help enhances their motivation to comply with the ISP, whereas excessive support might mislead employees into considering information security the sole responsibility of the security personnel.

- Management's involvement and compliance: upper management should not only be actively involved in the creation, implementation and enforcement of the ISP but also take responsibility for security decisions. Beyond approving the ISP, as suggested by ISO/IEC 27002, top management, as well as employees' immediate superiors, should visibly adopt security practices. In large organisations, they can, for example, take part in security seminars and meetings and send e-mails related to security.

- Security knowledge and individuals' confidence: through security education, training and awareness (SETA) programmes, employees are informed about security risks and threats with concrete examples relevant to their organisation and instructed in the use of security technologies and tools. Additionally, employees should feel confident in their ability to deal with security threats by acquiring adequate skills and appropriate knowledge.

- Social influence and promotion of security communication: a further relevant determinant of security behaviour is social influence, which is not addressed in the ISO/IEC 27000 series. Organisational values are more likely to be internalised by employees when socialising with their colleagues; the same applies to ISP compliance, which would then be regarded as a social matter whose benefits accrue to both the organisation and the employees. Concerning communication, security managers should involve employees in security-related meetings and develop relationships with employees whose perspective on security is in line with the organisation's. In turn, employees should report security incidents to key security personnel within an acceptable time.

2.3.3. ISO/IEC 27001/2 and the GDPR

Several authors identified common ground between ISO/IEC 27001/2 and the GDPR.


the ISMS (Diamantopoulou et al., 2020). Also focused on accountability, the GDPR promotes the implementation of appropriate organisational and technical measures to ensure an appropriate level of security (GDPR, art. 32).

With only a few adjustments, organisations that have developed an ISMS may already satisfy most GDPR requirements. The ISMS can also be used as a general framework for personal data management with regard to information risks, data security and compliance, incident management and business continuity. Organisations certified against ISO/IEC 27001 should nevertheless take additional actions to comply with the GDPR, concerning children's consent, criminal convictions and offences, prior consultation of the supervisory authority for processing that presents high risks, transfers of personal data to third countries, and data used for archiving in the public interest or for scientific or historical research (Diamantopoulou et al., 2020).


3. Methodology

Data quality, data security and data transparency are interconnected and fundamental practices for the public sector. No practical framework for HR data protection had previously been elaborated and tested in Geneva's public administration. Therefore, based on the findings of the literature review and the guidance of ISO/IEC 27002, we propose best practices for information security in the State of Geneva.

Using a qualitative approach, this case study starts by gathering the recommendations of the Internal Auditing Service of the State of Geneva, the theories about data protection and the guidance of ISO/IEC 27002, and systematically develops them as described below.

Finally, the Concrete Tasks are described and discussed, and the Conclusions and Recommendations are drawn. The final deliverable is the Internal Control System document (OPE), a summary of which is provided in the appendix. The following steps were followed to write the HR life cycle information document:

1. There was an issue: lack of compliance with the LIPAD in the HR processes.

2. After noticing the lack of compliance, the OPE received several recommendations from the IAS for adapting the HR processes to the data protection law.

3. We also checked the literature, the standards and the law.

4. ISO/IEC 27002 was selected as the starting point. The steps for writing a guidance document based on ISO/IEC 27002 were as follows:

a. Define the purpose and objective of the document;

b. Search for all sources needed: documents, legislation, regulations;

c. Determine the current practices that should be written down;

d. Determine which chapters of the standard fall within the remit of the department concerned;

e. Keep and/or adapt the structure of the standard according to the current context and include the critical points addressing/fulfilling the purpose and objective.


4. Concrete tasks

4.1. The recommendations of the Internal Auditing Service

After auditing the HR processes, the Internal Auditing Service (IAS) released an audit report in July 2018 underlining the lack of compliance with the rules on the processing of personal data, since some of the employees in charge of processing HR files were unaware of the LIPAD provisions. The IAS also underlined the lack of guidelines on the processing of personal data. In addition, several issues were specifically identified and reported by the IAS:

Absence management and health data: one of the tasks of the administrative and HR departments consists of monitoring absences. More specifically, these employees maintain digital files on State personnel that include the names of the illnesses behind employees' absences, such as “cancer” and “burnout”, among others. However, that type of information is confidential under art. 35 of the LIPAD and should therefore be accessible only to designated persons.

Recruitment process and candidate data: nowadays, every candidate interested in a position has to apply electronically in the recruitment module of the HR information system (SIRH). Each candidate therefore uploads the documents relevant to the position, such as diplomas, résumé and work certificates. The IAS observed that the documents of unsuccessful candidates were still stored in the system once the recruitment process was finished. In addition, the interview summary notes of successful candidates were regularly filed in their personal file. The IAS considers both situations to violate the LIPAD.

To solve those issues, the IAS recommended that the OPE:

- analyse the LIPAD requirements concerning the processing, storage, archiving and deletion of personal data used in the HR processes;

- complete the instructions to ensure adequate and consistent application of the LIPAD in the different departments;

- establish rules for the management and checking of personal data stored within the recruitment process.

4.2. New guideline: “HR life cycle information - Internal control system”

To complete the existing documentation on data protection and bring attention to the specific points raised by the IAS, a new guideline was written for the HR units of the different departments, incorporating the good practices already implemented. The document was co-written from scratch by the project manager and me. The information security policy of the State of Geneva also refers to ISO/IEC 27002 for the control of effectiveness. The framework adopted was consequently ISO/IEC 27002, since it is an internationally acknowledged reference for the selection of controls when implementing an Information Security Management System (ISMS). Easily adaptable to the specific risk environment of an organisation, its chapters notably cover HR-related aspects and activities. As mentioned in the introduction of the standard, information, together with the related processes and the personnel involved in processing and protecting it, among others, are valuable assets for an organisation, for which it is essential to adopt suitable measures against information security risks. The aim of ISO/IEC 27002 is therefore relevant to the HR guideline.

The other main reference that had to be introduced in the document was the LIPAD, which sets out the legal aspects of data protection and addresses the issues raised by the IAS. To make the control document as complete as possible under the information security policy (PSI), various sources were used to fill the gaps, thereby regrouping the information related to HR information security. The different documents showed not only which processes were already implemented across the departments but also that the information was excessively scattered; access to it was therefore, to some degree, inefficient, since not all employees were aware of the significant number of existing documents related to information security and data protection.

Figure 6: Constituting the HR life cycle information document

Therefore, once the “HR life cycle information” document is approved, the control document can be considered the reference, since all sources are grouped in one document and can henceforth be found and consulted more easily. As illustrated in Figure 6, the work included the following sources: the MIOPE documents, which are the instruction memento of the OPE; cross-cutting directives, laws, regulations and guidelines; e-learning modules on information security; and access management systems. The PPDT informative documents provide further details and explanations about the data protection law and


for rapidly enabling teleworking for employees, and absences due to COVID-19 (infections, quarantines and school closures) brought other priorities. Only a few meetings and phone calls were possible before the crisis; hence, the good practices were based on the knowledge of the OPE, which was sufficient and still made it possible to complete the document with diverse sources.

4.3. What is included from the ISO/IEC 27002 standard

A further step consisted of determining which chapters of ISO/IEC 27002 would be included in the HR internal control document. As shown in Table 1, only the parts whose competences are attributed to the Personnel Office were considered, thereby integrating the practical controls directly applicable by each HR department and by the OPE of the Geneva administration. Although the chapters whose competences belong to other departments were removed from the final draft, the previous versions contain most of the chapters, should there later be changes or agreements to include them in the control document. For instance, the chapters related to cryptography, the management of physical equipment and technical controls, which do not fall within the competences of HR employees, were removed. Moreover, together with part of the content of each chapter, the structure was maintained while being adapted to the specific HR context and, more specifically, to the data protection law. We followed the precise structure of the ISO/IEC 27002 chapters, which comprises the objective, the control, the implementation guidance and other information, and added paragraphs on responsibilities and other specific topics where needed to complete the procedures. The table in the appendix provides a more detailed view, including all the chapters of the “HR life cycle information” document, the related chapters of ISO/IEC 27002, which served as the skeleton of the work, and the description of each chapter, since the purposes and contents could in some cases have been adapted to the State context. Finally, additional figures were included to illustrate concepts where needed or to facilitate understanding.

Table 1 Chapters included in and excluded from ISO/IEC 27002

- 3. Terms and definitions: included.

- 5. Information security policies: included (5.1 Management direction for information security).

- 6. Organization of information security: included (6.1 Internal organization, 6.2 Mobile devices and teleworking).

- 7. Human resources security: included (7.1 Prior to employment, 7.2 During employment, 7.3 Termination and change of employment).

- 8. Asset management: 8.2 Information classification included; 8.1 Responsibility for assets excluded.

- 9. Access control: 9.1 Business requirements of access control, 9.2 User access management and 9.3 User responsibilities included; 9.4 System and application access control excluded.

- 10. Cryptography (cryptographic controls): excluded.

- 11. Physical and environmental security (11.1 Secure areas, 11.2 Equipment): excluded.

- 12. Operations security: 12.4 Logging and monitoring included; 12.1 Operational procedures and responsibilities, 12.2 Protection from malware, 12.3 Backup, 12.5 Control of operational software, 12.6 Technical vulnerability management and 12.7 Information systems audit considerations excluded.

- 13. Communications security: 13.2 Information transfer included; 13.1 Network security management excluded.

- 14. System acquisition, development and maintenance: excluded.

- 15. Supplier relationships: 15.1 Information security in supplier relationships included; 15.2 Supplier service delivery management excluded.

- 16. Information security incident management: included (16.1 Management of information security incidents and improvements).

4.3.1. Why not ISO/IEC 27701?

The norm ISO/IEC 27701, a privacy extension to ISO/IEC 27001 and ISO/IEC 27002, was published in August 2019 with the aim of improving the existing ISMS. The document therefore provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) (ISO, 2019). With clear guidance, the standard helps the organisation manage personally identifiable information (PII), as required by the GDPR. Annex D presents a mapping to the GDPR, linking the subclauses of ISO/IEC 27701 to the articles of the law. The first part of the standard includes the requirements of ISO/IEC 27001, with the mention of privacy and, when necessary, adaptations for the PIMS. Besides the chapters from ISO/IEC 27002, the second part contains two entire chapters offering additional ISO/IEC 27002 guidance for PII controllers and PII processors.

ISO/IEC 27701 was not chosen as the framework for several reasons. Firstly, at the time of the internship in early 2020, ISO/IEC 27701 had only just been released and was consequently not well known by the public, since no pertinent publications could yet attest to the relevance of the norm. Furthermore, although certain chapters from the ISO/IEC 27002 framework have been adapted to privacy, most subchapters refer directly to subchapters of ISO/IEC 27002 with only a mention of privacy, which makes the standard difficult to use as the sole basis for a new draft procedures document. In the same way, ISO/IEC 27701, which contains normative references to ISO/IEC 27001, should be used in conjunction with ISO/IEC 27001; for the reasons mentioned in chapter 2.3.1, we decided not to use ISO/IEC 27001 and, consequently, not ISO/IEC 27701 either. Finally, the inclusion of the additional guidance for PII controllers and processors would have increased the size of the file, which already ran to approximately 40 pages and was therefore already considerable. The aspects related to privacy, through the application of the LIPAD, have been incorporated along with the ISO/IEC 27002 chapters.
