Data Protection for All

What a stir… was caused by two articles in the last issue of the Bulletin, on “New Snail Mail Scanning Service” and “CERN meets Facebook”!


Indeed, respondents were completely correct that opening letters addressed to others and scanning such letters violates basic privacy rules. Also, giving your photo, address, computing accounts, personal files and documents to a third party - especially an external party - is a NO-NO, as CERN considers some of this data to be personal. For example, your CERN mailbox and your “private” folders on AFS and DFS are 100% yours. Neither your supervisor, the AFS/DFS/mail service administrators nor the Computer Security Team have any right to access this data. Strict procedures have been established for the rare cases where such access is necessary, and these require the approval of the CERN Chief Information Officer (CIO), the Legal Service and the DG.

But did you know that CERN is currently developing a data protection policy and the role of an appointed CIO (currently assumed by a combination of the head of the IT department and the Computer Security Officer)? Apart from Administrative Circular No. 10, data protection currently relies on the awareness and care of the individual. Not your problem? Indeed, CERN thrives on an open culture, so it is tempting to assume “we have nothing to hide”. Losing physics data might be a nuisance, but is that all? There are also your personal files, mailbox, financial and contractual data, confidential notes and minutes, passwords and credentials, and your medical records. These have to be protected in a consistent and clear way!

So we are set for change. In collaboration with the Legal Service and the GS, HR and IT departments, the computer security team is drafting a comprehensive data protection policy for storing, accessing and transferring data. Currently, the focus is on the proper definition of classification levels, i.e. “public”, “internal”, “restricted” and “sensitive”, and an exhaustive list of examples for each level (see here). This policy will be supplemented by policies on data storage, transfer and access. The list of examples will help to clarify classification and avoid incorrect classification within a data store. Finally, the data protection policy includes a policy on data destruction that has already been deployed (see here; see also our article in the Bulletin 10-11/2012).

However, the best way to protect data is still to be conscious and cautious! If you think some documents, files or data should be protected, make sure that they are. We are ready to help you with that.

For further information, check our web site or contact us at Computer.Security@cern.ch.

by Computer Security Team