Computer Security: Coming soon, a pragmatic Data Protection Policy for an open Organisation

Like any other organisation/employer, CERN holds confidential data, e.g. medical records, personnel files, files on harassment cases, NDAs & contracts, credit card information, and even unpublished scientific results. Unfortunately, our current methods of handling such documents are inadequate owing to a lack of clarity with regard to responsibilities and obligations.

 

So, from time to time, some documents have become public that should not have (such as the premature publication of videos about the 2012 “Higgs” announcement); some of us have accidentally leaked confidential information (such as passwords used to access accelerator and experiment control systems in 2011); other colleagues have lost their laptops or had them stolen (e.g. from a delegation on duty travel in 2013) along with the e-mails and private files saved on them. Fortunately, these times of inadvertent data loss and lack of clarity concerning our obligations should soon be over.

A proposal for the establishment of a CERN-wide Data Protection Policy (DPP), adapted to the open environment of the Organization, was presented at the most recent meeting of the Enlarged Directorate. This policy is intended to establish rules on how to classify data systematically, how to subsequently store and handle it, how to control access to it, and how and when to purge data within the Organization.

The policy will be as holistic as possible and as pragmatic as necessary, and will help CERN to comply with international standards on data protection without diminishing its openness or academic character. There will be a particular focus on rules concerning confidentiality and the handling of personal data (currently only partly specified in Administrative Circular No. 10). Handling procedures for other data (e.g. those kept by the HSE Department) will be developed in close collaboration with the relevant departments and experiments.

A draft policy has already been prepared by a small working group with members from the GS, HR and IT Departments, the CERN Legal Service and the Computer Security Team. In parallel, this working group is in contact with GS and IT service providers in order to start applying similar data handling guidelines to their computing services, to reach consistency in data classification, storage and protection, and to provide adequate storage facilities for each data classification level. This working group will also provide data protection awareness training for key people; suggest quick and easy steps to improve data protection in the DG Unit as well as in the FP and HR Departments, e.g. through the deployment of uncomplicated disk encryption tools for laptops (more about this here); assist departments and experiments in reviewing and adapting their internal data handling guidelines in line with the new data protection policy; and help them to establish good practices.


Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.

If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.


Access the entire collection of Computer Security articles here.

by Computer Security Team