Security and access control

30 Jun 2008

Identity and access management system - OLAF

Opinion of 30 June 2008 on a notification for prior checking on CBIS identity and access management system (Case 2008-223)
The current prior check Opinion relates to processing of personal information carried out by OLAF, in particular by the Information Services Division, to ensure that only authorised persons have access to OLAF's core IT systems and to allow investigation of security incidents.

Authentication in CBIS is based on digital certificates and fingerprints. Certificates are stored on the personal OLAF badges (smartcards) of users and protected by a biometric Match-on-card authentication scheme. Each user will have three fingerprint templates stored on his/her OLAF badge, which is a contact interface used by the CBIS IT authentication system.

In his opinion, the EDPS specifically analyses the respect of the data quality principle. To do so, he made a thorough analysis of the implementation of fall back procedures in the case of failure to enrol. Moreover, he also examined the way the False Rejection Rate is defined and provided recommendations on that.

The EDPS considers that the processing operation is not in breach of Regulation 45/2001 if OLAF takes into account specific recommendations before implementing the intended processing operations and after the processing operations have started.

Available languages: English, French
19 May 2008

CCTV System - OLAF

Opinion of 19 May 2008 on the notification for prior checking regarding OLAF's CCTV system (Case 2007-634)
This prior checking opinion concerns the closed-circuit television system (CCTV system) operated by the European Anti-Fraud Office (OLAF) within its premises in Brussels for security purposes. The case is the first among the EDPS opinions involving video-surveillance and constitutes a true prior checking case where the EDPS issued his opinion before OLAF started to operate the system.

On the whole, the EDPS was satisfied with the proportionality of the CCTV system and the data protection safeguards implemented by OLAF.

The positive outcome of the EDPS proportionality analysis was based primarily on the grounds that (i) the purposes of the system are clearly delineated, relatively limited, and legitimate and (ii) the location, field of coverage and resolution, and other aspects of the set-up of the CCTV system appear to be adequate, relevant and not excessive in relation to achieving the specified purposes, taking into consideration also the sensitivity of the information held by OLAF.

In particular, the main purpose of OLAF’s CCTV system is protection against unauthorized physical access, in particular, to sensitive operational information and IT equipment. Cameras are only located near exit and entry points to the OLAF secure area and at certain other strategic locations such as certain unattended IT rooms and the OLAF Document Management Centre.

None of the cameras monitor areas where staff would be continuously present and there are no instances where a staff member working in a certain area would be constantly in the field of vision of a camera. There are also no cameras in individual offices, in the cafeteria/kitchen areas, near or in restrooms, or in other areas where staff members and visitors would expect a high degree of privacy. Neither is the cameras' field of vision directed towards parts of the Commission building occupied by others than OLAF. Finally, the cameras' field of vision is also not directed to any areas outside the building on Belgian territory, with a view of neighbouring streets, buildings or other private or public areas.

Nevertheless, the EDPS made important recommendations. First and foremost, he recommended that OLAF reconsider the planned conservation period to ensure that data are kept no longer than necessary for the purposes initially contemplated.

In addition, although OLAF made significant efforts to set appropriate data protection safeguards, improvements could still be made, primarily in the way these safeguards are documented and communicated to data subjects. Importantly, the EDPS recommended that OLAF adopt an internal document describing its CCTV system and providing for appropriate data protection safeguards.

Finally, whereas the EDPS also welcomed OLAF's efforts to provide a layered notice in a user-friendly manner, he further encouraged OLAF to provide more specific and accurate information to data subjects regarding some items listed under Article 12 of the Regulation.

Available languages: English, French