Handling of Personal Data within NFB

2018-09-07
The handling of personal data was previously governed by the Personal Data Act (PuL). Since 25 May 2018 the General Data Protection Regulation (GDPR) applies; as an EU regulation it is directly applicable law in all EU member states. The regulation entails some changes for those who process personal data and strengthens individuals' rights regarding personal privacy.

NFB only handles the personal data that the board needs in order to issue and maintain permits and certificates for recreational boating.

Information Security

Information security refers to the protection of the confidentiality, accuracy (integrity), and availability of information within NFB's operations.

Confidentiality means:
The condition in which information is not made available or disclosed to unauthorized individuals.

Accuracy means:
The property of information that it is not altered without authorization, by mistake, or through malfunction. Traceability is an important concept in this context: the ability to trace each performed activity unambiguously and to identify the person or system function that carried it out.

Availability means:
The ability to use information to the expected extent and within the desired time frame.

Goals and Focus of Information Security within NFB

NFB’s goals with its information security are as follows:

  • Confidential information about NFB or its members should never be made available or disclosed to unauthorized parties, regardless of the reason.
  • Personal data should always be accurate and protected against manipulation. If a recorded item of information is incorrect, it should be corrected as soon as the error is detected.
  • Information about NFB's activities in its annual report should always comply with applicable laws and be representative of NFB's operations.
  • NFB should always have information security systems that meet legal and business requirements for timely access to necessary information.
  • Information security work should focus on procuring, from established external suppliers, systems with high functionality, security, and performance that support NFB's information security goals.

The board should, as needed, establish additional instructions and guidelines describing how information security work should be conducted in order to meet the goals and focus set by the board.

Responsibility and Coordination for Information Security

The board is responsible for leading and coordinating information security work. This includes allocating responsibility within NFB for the tasks to be performed. Tasks may be delegated to others within the organization, but the assigned responsibility itself may not.

Risk Analysis

The secretariat should analyze the risks to NFB's information security annually and whenever changes affecting information security occur. Identified risks should be managed, and decisions on measures are made by the board.

Internal Rules for Information Security

The secretariat should establish internal rules for information security work. These internal rules should cover, among other things, physical security, protection of data communication and operations, traceability in IT systems, and rules for access rights to IT systems. The internal rules may be divided into several documents and should be evaluated regularly and updated as needed.

Physical Security

The secretariat's premises should have perimeter protection that prevents unauthorized access to NFB documents and IT resources. The perimeter protection should include fire and burglar alarms connected to a monitoring center with 24/7 surveillance. There should always be redundancy for data communication and operations. Logs should make it possible to trace which changes each individual has made and when. When NFB uses external suppliers for support in various parts of the operation, the suppliers should be informed of NFB's information security requirements; where a supplier processes personal data on NFB's behalf, the GDPR also requires that the processing be governed by a written agreement with the supplier.

Access to Information

The basic principle of access to information is that employees and officials should only have access to the information they need to perform their duties. All IT systems should support assigning permissions by role or on an individual basis, and should be designed so that access and authorization can be specified per function or functional group. It should also be possible to grant certain users permission to view information without being able to modify it. NFB should regularly, and at least annually, verify that existing access rights are limited to what the assigned tasks require.

Reporting & Handling of Incidents Related to Information Security

All incidents involving business-critical disruptions or personal data should be reported to the board as soon as possible. Under the EU's General Data Protection Regulation, NFB is subject to rules on reporting personal data breaches to the supervisory authority, the Data Inspectorate: such a breach must be reported without undue delay and, where feasible, within 72 hours of NFB becoming aware of it, unless it is unlikely to result in a risk to individuals' rights and freedoms.

Deletion Procedures for Personal Data

Given the data subject's right to erasure ("right to be forgotten") under the GDPR and the rules on deletion, NFB needs to establish an internal procedure for how personal data is deleted. Deceased individuals should be purged from the records after two years. This applies regardless of any outstanding fees, because NFB does not collect unpaid fees from deceased individuals.

Evaluation of Internal Rules

NFB should regularly evaluate the internal rules and update them as needed.