Identity and access management system - OLAF

30 Jun 2008

Opinion of 30 June 2008 on a notification for prior checking on CBIS identity and access management system (Case 2008-223)
The current prior check Opinion relates to processing of personal information carried out by OLAF, in particular by the Information Services Division, to ensure that only authorised persons have access to OLAF's core IT systems and to allow investigation of security incidents.

Authentication in CBIS is based on digital certificates and fingerprints. Certificates are stored on the personal OLAF badges (smartcards) of users and protected by a biometric Match-on-card authentication scheme. Each user will have three fingerprint templates stored on his/her OLAF badge, which is a contact interface used by the CBIS IT authentication system.

In his opinion, the EDPS specifically analyses compliance with the data quality principle. To do so, he made a thorough analysis of the implementation of fallback procedures in the case of failure to enrol. He also examined the way the False Rejection Rate is defined and provided recommendations on it.

The EDPS considers that the processing operation is not in breach of Regulation 45/2001 if OLAF takes into account specific recommendations before implementing the intended processing operations and after the processing operations have started.

Available languages: English, French