Denmark: Data security requirements in relation to personnel administration set out by Danish data protection agency
Published 14 January 2015
Personnel administration in Denmark requires full adherence to the Danish personal data protection act, which entails fulfillment by the data controller of any requirements for data privacy set forth by the Danish Data Protection Agency.
From January 2015, the data permissions granted by the Danish Data Protection Agency will be subject to 12 new minimum requirements:
- Describing how personnel information is protected in personnel administration and detailing how requirements 2-12 have been complied with;
- Access must be limited to those who have reasonable need for access to the information;
- Those handling personnel information must receive data protection training;
- Hard copy information must be kept and disposed of securely;
- Soft copy information must be password protected;
- Failed attempts to access information must be recorded and further attempts blocked;
- Removable storage devices containing personnel data must be encrypted and kept securely;
- Adequate firewall and virus protection software must be installed on machines with internet access;
- When sensitive data is entered onto forms it must be encrypted;
- Information sent by email must be encrypted;
- When equipment is disposed of it should be ensured no data is accessible on that equipment;
- Written data processing agreements must be in place with third party data processors.
The requirements in full are available on the Danish Data Protection Agency website (Danish).
What action could be taken to manage risks that may arise from this development?
If your company operates in Denmark, it should ensure that, when it carries out personnel administration, data is handled in accordance with these requirements.