SECURITY POLICY DOCUMENT According to art. 34 d. lgs. 30 June 2003, n. 196

Chapter I Organizational structure and information system of the company/institution

The dental laboratory:
- (seat / head office): location (town, street, street number)
- (branch office): location (town, street, street number)

Information system:
- number of stand-alone computers: operating system, internet connection (dial-up…)
- number of portable computers: operating system, internet connection

Chapter II List of processing operations concerning personal data

(To whom do the data refer? Which kinds of data are stored?)

- Patient data
  - personal data (any data that can be used to identify a person)
  - identification data (personal data that permit the direct identification of the data subject)
  - sensitive data (any data that disclose information about health, disease, especially contagious disease, pregnancy)
- Employee data
  - personal data
  - identification data
  - sensitive data (health)
- Supplier data
  - personal data
  - identification data

Chapter III Distribution of tasks and responsibilities among the departments/divisions in charge of processing data

The person in charge of the data is the doctor, with regard to patient, employee and supplier data. You can identify a single employee in charge of the data.

Chapter IV Analysis of the risk applying to the data

Physical Risks
- Risk of entry by unauthorized person - Level: low
- Risk of fire - Level: medium
- Risk of flooding - Level: low

Chapter IV Analysis of the risk applying to the data (2)

Data Processing Risks
- Risk of damage, loss or modification of data caused by unauthorized access to the information system - Level: low
- Risk of damage, loss or modification of data caused by software bugs (e.g. virus, trojan horse, worm) - Level: low
- Risk of damage, loss or modification of data caused by malfunctioning of the information system - Level: low
- Risk of damage, loss or modification of data caused by wrong use of computer technology - Level: low
- Risk of damage, loss or modification of data caused by power failure - Level: low

Chapter V Measures to be taken in order to ensure data integrity as well as protection of areas and premises insofar as they are relevant for the purpose of keeping and accessing such data

Physical Risks
1. Risk of entry by unauthorized person:
   - Surveillance system
   - Alarm system
   - Night watchman
   - Security guard
2. Risk of fire:
   - Fire escape
   - Fire preservation system
   - Fireproof wall
3. Risk of flooding:
   - The office is on the 2nd floor

Chapter V Measures to be taken in order to ensure data integrity as well as protection of areas and premises insofar as they are relevant for the purpose of keeping and accessing such data (2)

Data Processing Risks
1. Risk of damage, loss or modification of data caused by unauthorized access to the information system:
   - Firewall
   - Password (that is changed every six months)
2. Risk of damage, loss or modification of data caused by software bugs (e.g. virus, trojan horse, worm):
   - Anti-virus software (e.g. Avast professional) automatically updated through internet connection
3. Risk of damage, loss or modification of data caused by malfunctioning of the information system:
   - Periodic software updating
   - Periodic technical assistance
4. Risk of damage, loss or modification of data caused by wrong use of computer technology:
   - Password
   - Periodic computer science and data processing training of employees
5. Risk of damage, loss or modification of data caused by power failure:
   - Power generator
   - Uninterruptible Power Supply

Chapter VI Description of criteria and mechanisms to restore data availability following destruction and/or damage

Back-up copy
- Frequency (e.g. monthly back-up)
- Back-up copy diskettes are replaced every year
- There are two back-up copy diskettes
- Back-up copy diskettes are locked

Chapter VII Schedule of training activities concerning the persons in charge of the processing

Periodic training of the employees with regard to:
- legal aspects of privacy protection
- tort, criminal and administrative liability for illegal processing of data
- lawful behaviour with regard to data processing
- technical aspects of electronic data storage

Chapter VIII Criteria to be implemented in order to ensure adoption of the minimum security measures whenever the processing operations concerning personal data are externalized

Personal data will be externalized to third persons:
- For book-keeping purposes, to business consultant Mr. X
- For dental furniture, to dental technician Mr. X
- For other medical products, to suppliers Mr. X, Y, Z

The personal data externalized are only those strictly necessary to the collaborator's activity.

The above-mentioned persons are supposed to respect the same rules implemented by the Dental Laboratory.

The Dental Laboratory will verify observance of the privacy rules.

Created: 12/23/2008 4:37:09 PM
Slides: 11