
THE OFFICE OF THE DATA PROTECTION OMBUDSMAN

PREPARE A DATA BALANCE SHEET

__________________
24.4.2012

www.tietosuoja.fi

CONTENTS

1. WHAT IS A DATA BALANCE SHEET
2. WHY SHOULD AN ORGANIZATION PREPARE A DATA BALANCE SHEET
2.1. The data balance sheet as an element of trust
2.2. The data balance sheet as a management tool
2.3. The data balance sheet as a tool for internal and external control
3. HOW TO PREPARE A DATA BALANCE SHEET
3.1. Information to be included in the data balance sheet
3.2. Information resources controlled by the organization
3.3. The procedures and principles applied to data processing
3.4. Data security
3.5. Monitoring and control of data processing
3.6. Realization of the rights of the data subjects
4. ASSESSMENT AND THE DEVELOPMENT TARGETS

1. WHAT IS A DATA BALANCE SHEET

Financial statements have a long history as a form of reporting the financial status of an organization. Financial statement reporting has also been extended to the different sub-areas of an organization's activities and to its internal control and risk management. Other forms of reporting which supplement the financial statements are the sustainability reports and the statements of human resources prepared by companies and organizations. Extending the financial statement approach to information resources, information management, data processing and information security is naturally the next step in this development.

While the data balance sheet may supplement statutory reporting based on financial statements and annual reviews, the purpose is not to unduly add to the administrative burden of the organization. The data balance sheet is intended as a dynamic tool which supports the efficiency, impact and competitiveness of the organization.

The purpose of this guide is not to present an exhaustive formula or list of the information to be included in the data balance sheet. Its contents may vary, depending on the sector in which the organization operates and the nature of its operations. Therefore, it is advisable to introduce the data balance sheet to the extent to which it is expected to have a positive impact on the organization's operations.

The data balance sheet is an element of knowledge management, and the organization may use it as an internal knowledge management report. The data balance sheet may also be used to report on key data processing issues to the organization's stakeholders.

The data balance sheet is a report based on an internal review, which:

- provides an overview of the current status of data processing in the organization
- describes the information resources controlled by the organization
- describes the information flows related to the organization's operations
- describes the interoperability of the organization's information flows and data processing
- describes how data protection and information security are realized in the organization's operations
- describes the risk management procedures related to data processing
- supports planning and activities in the organization
- supports reporting and leadership in the organization
- serves as a follow-up tool for monitoring development measures
- serves as a tool for external stakeholder reporting
- ensures compliance with applicable legislation.

The principles of the Personal Data Act (including the duty of planning, the duty of care and the duty of protection) already address many of the issues to be included in the data balance sheet. The data balance sheet also complies with the principle of accountability, according to which an organization itself demonstrates its compliance with legislation and good practice in data processing and information management. In the future, data protection legislation may require the introduction of practices complying with the accountability principle. Before this happens, organizations may nevertheless proactively introduce the data balance sheet at any time. The documentation of issues during the data balance sheet process also guides towards a more systematic and critical review of those issues.

2. WHY SHOULD AN ORGANIZATION PREPARE A DATA BALANCE SHEET

High-quality data and efficient data processing procedures have a positive effect on all of the functions of an organization. Information is a valuable production factor, and the only one which increases strongly. New services are continuously being created around various kinds of information resources. These services are important for the success of the information society as a whole.

In the network and information society, data processing is of great significance to the realization of the rights and obligations of individuals and organizations. For instance, in its decision No. 20511/03, the European Court of Human Rights found that the Convention for the Protection of Human Rights and Fundamental Freedoms is also applicable to the assessment of the effects of data systems. In the public sector, data protection and information security have also become permanent elements of good governance.

Data processing is also crucial to an organization's competitiveness, impact and efficiency. New services and electronic service processes necessitate the development of information structures and data management methods. This creates new challenges for the secure and responsible processing of data. Examples of new challenges include the purchasing and utilization of computing capacity and services via various cloud services. There is a need today for an across-the-board approach to information resource management. Preparing a data balance sheet offers a solution for such needs.

The data balance sheet describes compliance with the good data processing practices referred to in the Personal Data Act. As regards public authorities, the data balance sheet describes compliance with good practice in information management as referred to in section 18 of the Act on the Openness of Government Activities (621/1999). Good practice in information management requires that the availability, protection and quality of the data are secured. The data balance sheet may be used to evaluate and promote the interoperability of information systems referred to in the Act on Information Management Governance in Public Administration (634/2011).

Experience shows that the data balance sheet is particularly useful in public administration organizations, the operations of which are based on the processing of extensive information resources and cooperation between controllers.

From the perspective of good data processing practice, the most important provisions of the Personal Data Act are the key principles of Chapter 2 of the Act:

- duty of care and lawfulness (section 5)
- predefined purpose of processing of personal data (section 6)
- exclusivity of purpose of processing and restrictions on the processing (sections 7 and 8)
- principles relating to data quality (section 9)

Chapter 7 of the Personal Data Act contains provisions on information security and the storage and protection of data. Compliance with other legislation or information security standards may also be described in the data balance sheet.

2.1. The data balance sheet as an element of trust

Minimizing risks, building a good reputation and retaining the trust of citizens and consumers are all issues of increasing importance to success in all sectors. In order to promote these objectives and to gain a competitive edge, responsible organizations use methods which support their activities and go beyond the minimum requirements of legislation.

In a network environment in particular, inadequate data protection is regarded as a problem for the trustworthiness and availability of the service. In the wrong hands, personal data poses a risk to the rights of the data subject (the person to whom the data pertains) and to the operations of the organization neglecting its responsibility for data protection.

The trust of customers and stakeholders in an organization's data protection and information security practices is an element which strongly supports the organization's operations. Observing data protection and information security in connection with online services, for instance, is a duty prescribed in law. It is also an essential element of good service. The existence of a data balance sheet tells stakeholders that the organization considers it important to focus resources on data processing procedures and on compliance with good practice in data processing and information management.

2.2. The data balance sheet as a management tool

Integrating information management into the overall management of the organization is a major operational challenge. The executive management must have an overall view of the information architecture and the information the organization's operations require, as well as the relations between them. The data balance sheet supports the management's decision-making ability and serves the information-related needs of the organization's customers and stakeholders. The data balance sheet is also an element of information management and the associated risk management and internal control.

Regular evaluation of information security and data protection is part of the organization's information management. The purpose is to ensure the operability and availability of the services offered, the quality of data and the security of the information technology solutions in place. A further goal is to secure the operation of the information security management and control systems related to service production.

2.3. The data balance sheet as a tool for internal and external control

An organization must ensure that its internal control has been properly organized. The management is responsible for the appropriate organization and sufficient extent of internal control. It is in the organization's interest to control its information processing systems efficiently and to review them by way of internal and external audits. On the other hand, there is also a strong aspect of general legality control. The data balance sheet satisfies both needs. It also serves the information needs of the authorities responsible for legality control.

A data balance sheet is prepared for one review period at a time. This means the issues described and reviewed in the document can be systematically followed up. The review period may be a calendar year or another period determined on the basis of the organization's needs. From the perspective of organizing internal control and risk management, the data balance sheet may also be integrated with the organization's overall financial statements or annual review process, performance-based management or results reporting.

3. HOW TO PREPARE A DATA BALANCE SHEET

The purpose of the data balance sheet is to describe the current status of data processing and to assess the realization of data protection and information security. The data balance sheet also reviews development needs related to data processing and the development measures required.

The data balance sheet may describe, for instance:

- the information resources the organization controls
- the organization's information architecture
- the quality and availability of the data possessed by the organization
- the data processing procedures and principles
- measures taken to protect the information
- measures taken to control the use of information
- the ways in which the rights of data subjects are realized in data processing

The data balance sheet includes an evaluation of any development needs relating to data processing and the necessary development measures.

At least those responsible for information technology, data protection, information security and the organization's core activities should participate in preparing the data balance sheet.

3.1. Information to be included in the data balance sheet

The information included in the data balance sheet may vary, depending on the sector in which the organization operates and the nature of its operations. Examples of issues which may be included are given below.

3.2. Information resources controlled by the organization

An organization collects and processes information in a number of information systems and solutions. The management team does not always have a clear understanding of what kind of information the organization possesses. The processing of separate pieces of information in separate information systems is highly resource-intensive and poses a threat to the realization of data protection and information security.

From the perspective of the processing of personal data, it is important to evaluate the various personal data files created for various purposes, their information content and the reasons for maintaining such files. From the perspective of good practice in information management, an organization must have a clear understanding of its information systems, and it must ensure the quality and availability of the information.

When reviewing the information resources, it is appropriate to review at the same time issues such as the level of protection applied to the resources, confidentiality and the sensitive nature of the information. Identifying information flows between information resources is important, since the management of ever increasing information flows leads to questions such as who the data owner is. A description of the information resources and information flows may be prepared for the data balance sheet, or such descriptions may be separately maintained by the organization, as architecture descriptions or other similar descriptions.

The data balance sheet may include a description of the organization's key information resources and information flows, as well as an assessment of the quality of the information. It may also describe the key indicators relevant to data processing, such as the number of information units processed, items of information received and disclosed, and disclosure transactions.

The assessment of data quality is closely related to the assessment of the value and availability of the information. The quality of information may be assessed from different perspectives, such as:

- the procedures and criteria related to quality assessment
- the results of quality assessment: the accuracy, necessity, completeness and currency of the information.

3.3. The procedures and principles applied to data processing

As regards procedures, the description may include aspects such as:

- the most important laws and regulations affecting the processing of information
- the operating principles
- the code of practice
- information security and contingency plans
- other guidelines and instructions on data processing
- procedures and agreements related to the outsourcing of data processing
- procedures and agreements related to the maintenance and procurement of information systems

When evaluating the data processing process, the entire life cycle of the information should be considered. As regards the operating principles of data processing, issues to be assessed may include the following:

- procedures related to access to and disclosure of information
- administration of user rights
- data protection and information security requirements, particularly as regards electronic data interchange.

The data balance sheet provides an assessment of whether the organization's personnel have the necessary information concerning the existence of the data, its public or confidential status and the procedures applied to data protection, as well as the information security arrangements and the division of responsibilities. The purpose is also to assess the provision of personnel guidance and training and the ways in which the organization ensures that instructions and training are kept up to date.

3.4. Data security

The data balance sheet may describe how the controller implements the necessary technical and organizational measures to protect personal data against unauthorized access, accidental or unlawful destruction, alteration, disclosure or transfer, or other unlawful processing. The data balance sheet may include a review of:

- the principles and procedures related to data protection
- the principal objectives and means of implementation related to information security
- the information security management standards applied
- internal and external evaluations
- risk management procedures
- the organization of information security
- responsibilities and the development process and procedures.

3.5. Monitoring and control of data processing

The organization must ensure compliance with the regulations and guidelines on the implementation of good practice in data processing and information management. Compliance must also be monitored. The measures required by good practice in information management are performed in a manner which takes account of the legal protection of all parties. The control of data processing may be part of the organization's other internal control and risk management activities. The results of control and the action taken should also be reviewed.

The data balance sheet may describe issues such as:

- assessment and management of risks related to data processing
- the measures implemented for controlling the quality of information resources and information flows
- the measures implemented to control the handling process
- the measures implemented to control data processing by the personnel and partners
- the action and development measures taken on the basis of monitoring and control.

In addition to internal control, the decisions of authorities performing external legality control, the decisions of courts of law, and the impact of such decisions on the organization's operations may also be described. The data balance sheet may also include an evaluation of whether the extent of control and monitoring of data processing is sufficient and whether there are any needs for development.

3.6. Realization of the rights of the data subjects

The realization of the rights of data subjects may be assessed on the basis of the number of requests for access and rectification referred to in the Personal Data Act, and the responses to such requests. As regards the provision of information to data subjects, the availability of the description of the file and of the privacy policy should also be assessed.
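As an added illustration that is not part of the Ombudsman's guide, the following Python sketch gathers the figures sections 3.2, 3.5 and 3.6 ask for (inventory of personal data files, information flows and their owners, key indicators, request statistics) over a constructed sample inventory and turns the failed checks into development targets. The field names, the four-step protection-level scale and all sample values are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class DataFile:            # one personal data file in the inventory (section 3.2)
    name: str
    purpose: str           # predefined purpose of processing (section 6 of the Act)
    owner: str             # data owner answering for the file
    sensitive: bool
    protection_level: int  # assumed scale for this example: 1 (lowest) .. 4 (highest)
    records: int           # information units held
    last_reviewed: date    # date of the last data quality review
    flows_to: tuple        # resources or partners this file discloses data to

def quality_findings(files, period_end, max_age_days=365):
    """Necessity, protection and currency checks; each hit is a development target."""
    out = []
    for f in files:
        if not f.purpose.strip():
            out.append((f.name, "no predefined purpose of processing"))
        if f.sensitive and f.protection_level < 3:
            out.append((f.name, "sensitive data below protection level 3"))
        if (period_end - f.last_reviewed).days > max_age_days:
            out.append((f.name, "quality not reviewed within the period"))
    return out

def flow_findings(files):
    """Every information flow should end at a resource with an identified data owner."""
    owned = {f.name for f in files if f.owner.strip()}
    return [(f.name, f"flow to '{t}' has no identified data owner")
            for f in files for t in f.flows_to if t not in owned]

def rights_answer_rate(requests):
    """requests maps request type -> (received, answered); section 3.6 indicator."""
    received = sum(r for r, _ in requests.values())
    answered = sum(a for _, a in requests.values())
    return answered / received if received else 1.0

def balance_sheet(files, requests, period_end):
    """Key indicators and development targets for one review period."""
    return {
        "files": len(files),
        "records": sum(f.records for f in files),
        "sensitive_files": sum(1 for f in files if f.sensitive),
        "disclosure_flows": sum(len(f.flows_to) for f in files),
        "rights_answer_rate": rights_answer_rate(requests),
        "development_targets": quality_findings(files, period_end) + flow_findings(files),
    }

# Constructed sample inventory; the review period ends 31.12.2012.
PERIOD_END = date(2012, 12, 31)
SAMPLE_FILES = [
    DataFile("customer register", "service delivery", "sales", False, 2, 12000,
             date(2012, 9, 1), ("billing",)),
    DataFile("billing", "invoicing", "finance", False, 2, 9000, date(2012, 6, 1), ()),
    DataFile("health records", "occupational health", "hr", True, 2, 300,
             date(2011, 3, 1), ("insurer",)),
]
SAMPLE_REQUESTS = {"access": (10, 9), "rectification": (2, 2)}  # (received, answered)

if __name__ == "__main__":
    for key, value in balance_sheet(SAMPLE_FILES, SAMPLE_REQUESTS, PERIOD_END).items():
        print(f"{key}: {value}")
```

On the sample inventory the only file that produces development targets is the sensitive one: it sits below the assumed protection level, its quality was last reviewed before the period, and it discloses to a party outside the inventory.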

4. ASSESSMENT AND THE DEVELOPMENT TARGETS

The data balance sheet serves as a tool for identifying development and measurement needs, as well as the related monitoring and reporting, through an analysis of the current status. Development measures may relate, for instance, to the quality of the data itself or to the data handling process. They may also focus on the successful introduction of new technology or, more generally, on the organization's capability to introduce new tools for knowledge-intensive work.

As regards central government organizations, information on compliance with the requirements concerning the level of information security laid down in the government decree (681/2010) may also be included in the data balance sheet.

Conclusions may be drawn from the data balance sheet:

- The operations and data processing have complied with good practice in data processing and information management.
- The monitoring and control of data processing has been successfully carried out in compliance with legislation, regulations and internal guidelines.
- The monitoring and control of data processing has revealed development needs or deviations; the measures taken have been listed separately.

The data balance sheet may include, for instance:

- the sub-areas of data processing for which development targets have been identified;
- the development targets and a review of potential solutions;
- a review of the success of the development measures carried out during the previous review period.

Data balance sheet reporting may be targeted at the organization's management, employees, customers and other stakeholders, or at parties responsible for legality control. The data balance sheet may be a dynamic document, the contents of which are edited according to the target group. For instance, a detailed report on data protection and control may be submitted to the management, while a data balance sheet intended for other stakeholders may contain a summary or an overall review of these issues.

The Personal Data Act and the other acts and decrees referred to in this brochure can be found in the State of Finland legislation database at www.finlex.fi. General information on data protection and the Personal Data Act is available on the website of the Office of the Data Protection Ombudsman at www.tietosuoja.fi.

Guidelines issued by the Government Information Security Management Board VAHTI, set up by the Ministry of Finance (www.vm.fi), may also be used when preparing a data balance sheet. Government organizations may also use the guidelines on the framework for the evaluation of internal control and risk management issued by the Government Controller General of Finland. The data balance sheet may be integrated with the review performed according to these guidelines as an internal control tool (Government Controller General of Finland's guidelines (in Finnish): Valtion viraston ja laitoksen sekä rahaston sisäinen valvonta ja riskienhallinta, VM 23.12.2005, www.vm.fi). The private sector may also use these guidelines as a Finnish source of good risk management practice and its assessment. The guidelines are based on the internationally recognized COSO-ERM framework and on the INTOSAI GOV guidelines prepared for the public sector on the basis of the COSO-ERM framework.
