R2 Guidance & Knowledge Base

Core 7 Data Security Policy Clarifications


ADDED 4/5/2022
Q: What are the qualifications for the Data Protection Representative?

Under Core Requirement 7.(a)(2)(B), the R2 Facility is required to assign a “competent Data Protection Representative.” The qualifications for the Data Protection Representative (DPR) can vary depending on the levels of security required and the types of sanitization performed by the facility. At minimum, the DPR must be knowledgeable about the data security programs and controls in place, as well as any applicable legal requirements related to data security, and must also be knowledgeable about the proper methods of sanitization and the verification of those activities, as applicable to the specific types of devices managed.

In addition, when determining qualifications or requirements for the DPR, consider regulatory requirements, particularly those that require that an individual be assigned oversight of the organization’s data security and compliance programs. For more information, consult: https://iapp.org/resources/article/data-protection-officer-requirements-by-country/

ADDED 4/5/2022
Q: Under Core Requirement 7.(b)(2), could background checks be used as part of the “documented evaluations”?

Yes, where permissible under local law, background checks may be used as part of the documented evaluations.

ADDED 4/5/2022
Q: Under Core Requirement 7.(b)(5), what types of incidents would need to be disclosed?

The R2 Facility would need to define within its security program exactly which types of incidents must be disclosed, but at minimum it should consider items such as known or suspected data breaches, and any criminal charges or convictions that may affect security authorization.

REVISED 4/5/2022
Q: Core 7(a)(2)(E) requires a written data security policy that “Identifies penalties for non-compliance with the policy, including personal liability.” What is meant by “personally liable” and what would that look like?

Under some data privacy or protection legislation, individuals may be held personally responsible for data breaches. As a result, when defining the penalties for non-compliance with the data security policy, the R2 Facility must include any legislated or other penalties related to personal liability.

Workers must be regularly trained on the applicable data security requirements and associated controls maintained by the R2 Facility, and verified to be competent in the policies and procedures that apply to their role and level of security authorization. In addition, training should reinforce the importance of data security and of reporting any known or suspected data breaches. Workers with security authorizations and access to data-containing equipment must also be subject to formal confidentiality agreements. This is not so much a new requirement as it is additional direction about the various legal requirements facilities need to consider.
