info@avrupagozgaziemir.com
+90 (232) 251 24 25 (PBX)

INFORMATION SECURITY AND PERSONAL DATA PROTECTION PROCEDURE

DOCUMENT CODE: BY.PR.004 PUBLICATION DATE: March 4, 2024 REVISION NO.: 00 REVISION DATE: PAGE NO. / TOTAL PAGES: 1 / 11

1. PURPOSE

Since the Personal Data Protection Law (KVKK) came into effect, we have placed great importance on protecting the personal data of all individuals with whom we come into contact in any way while conducting our business operations, and on fully complying with the requirements set forth in the KVKK.

The primary purpose of this procedure is to provide information regarding the company’s lawful processing of personal data and the systems adopted to protect personal data; and to ensure transparency by informing individuals whose personal data is processed by our company—including our customers, potential customers, employees, job applicants, company officials, visitors, employees and officials of organizations we collaborate with, and third parties whose personal data is processed—within this scope.

2. SCOPE

This procedure applies to all personal data of our employees, job applicants, company officials, customers, potential customers, visitors, employees of organizations with which we collaborate, and third parties whose personal data is processed, whether that data is processed automatically or by non-automated means as part of any data recording system.

3. ABBREVIATIONS

KVKK: Law on the Protection of Personal Data

4. DEFINITIONS

Matters Concerning the Processing of Personal Data: Pursuant to the Personal Data Protection Law No. 6698 (“KVKK”), everyone has the right to request the protection of personal data concerning them. Regarding the protection of personal data, which is a constitutional right, Özel AG European Ophthalmology Center (“the Company”) exercises due diligence in protecting the personal data of its customers, potential customers, employees, job applicants, company officials, visitors, employees and officials of partner institutions, and third parties, as governed by this Procedure, and has established this as a Company procedure.

In accordance with the Law and within the scope of this procedure, the following definitions apply:

  • Explicit Consent: Consent that is based on information and freely given regarding a specific matter,
  • Anonymization: The process of rendering personal data incapable of being associated with any identified or identifiable natural person, even when combined with other data,
  • Relevant User: Persons within the data controller’s organization who process personal data, or persons who process personal data on behalf of the data controller in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data,
  • Destruction: The erasure, destruction, or anonymization of personal data,
  • Law: The Law on the Protection of Personal Data No. 6698,
  • Data Subject: Customers, or non-customers whose personal data is processed; potential customers, employees, job applicants, shareholders, visitors, entities and organizations with which a business relationship exists under a contract entered into with them (such as support services, independent audits, ratings, consulting, services, procurement, collaboration, partnership, etc.), and their employees, shareholders, and authorized representatives, as well as any third-party individuals,
  • Personal Data: Any information relating to an identified or identifiable natural person,
  • Processing of Personal Data: Any operation performed on personal data, such as the collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or restriction of use of such data, whether fully or partially automated or carried out by non-automated means as part of a data filing system,
  • Authority: The Personal Data Protection Authority,
  • Customer: The individual who receives services from the Company pursuant to a contract signed with the Company and whose data is processed,
  • Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller,
  • Data Recording System: A system in which personal data is processed according to specific criteria,
  • Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data processing system.

5. RESPONSIBLE PARTIES

This procedure takes effect upon approval by the General Manager, and all employees are responsible for its implementation.

6. WORKFLOW

6.1. ACCESS AND AUTHORIZATION CONTROL

Basic Principles for the Processing of Personal Data:

6.1.1. Processing in Compliance with the Law and the Principle of Fairness:

Our company acts in accordance with the principles established by legal regulations regarding the processing of personal data, as well as the general principles of good faith and integrity.

6.1.2. Accuracy and Timeliness:

The company takes the necessary measures to ensure that the personal data it processes is accurate and up-to-date, and provides data subjects with the necessary means to ensure that the processed data reflects the actual situation by issuing notifications.

6.1.3. Processing for Specific, Explicit, and Legitimate Purposes:

Our company clearly and precisely defines the legitimate and lawful purposes for processing personal data. Our company processes personal data only to the extent necessary for the services it provides. The purposes for which personal data will be processed by our company are specified before any personal data processing activities begin.

6.1.4. Relevance, Limitation, and Proportionality to the Purpose for Which They Are Processed:

The Company processes data in accordance with the Personal Data Protection Law (KVKK) and other relevant legislation, ensuring that such processing is suitable for achieving the purposes specified for each data category, relevant to the achievement of those purposes, and proportionate; the Company refrains from processing personal data that is not necessary.

6.1.5. Retention for the Period Specified in Applicable Laws or as Necessary for the Purpose for Which the Data Is Processed:

Personal data processed by the Company is retained only for as long as required by applicable laws or for the purpose for which it was processed. In this regard, the Company complies with any retention period specified in applicable laws; if no such period exists, the Company retains the data only for as long as necessary for the purpose for which it was processed. The Company does not retain data based on the possibility of future use.

6.2. Physical and Environmental Security Management

  • All staff members must comply with the established rules regarding physical security measures (such as entry and exit doors, office spaces, product delivery areas, warehouse security, and the use of staff ID cards).
  • Protection against viruses and cyberattacks is the responsibility of the IT Manager. The IT Manager reports the hardware and software needed for protection against viruses and cyberattacks to senior management and takes the necessary measures. These measures consist of the minimum requirements specified by the Ministry of Health, including hardware and software tools such as antivirus software and firewalls. Updating this software is the responsibility of the Information Management System Officer. When updates are due, the Officer notifies senior management and performs the updates.

6.2.1. Ensuring that Personal Data Processing Activities Are Conducted in Compliance with the Personal Data Protection Law:

The conditions for the processing of personal data are regulated by the Personal Data Protection Law (KVKK), and the Company processes personal data in accordance with the conditions specified below.

Except in the cases listed in the Law, the Company processes personal data only after obtaining the explicit consent of the data subjects. However, in the following cases listed in the Law, personal data may be processed without the data subject’s explicit consent:

  • where it is expressly provided for by law,
  • where the data subject is unable to express consent due to actual impossibility, or where their consent is not legally valid, and processing is necessary to protect their own life or physical integrity or that of another person,
  • where processing personal data belonging to the parties to a contract is necessary, provided that such processing is directly related to the conclusion or performance of the contract,
  • where processing is necessary for the data controller to fulfill its legal obligations,
  • where the data has been made public by the data subject,
  • where processing is necessary for the establishment, exercise, or defense of a legal claim,
  • where processing is necessary for the legitimate interests of the data controller, provided that it does not infringe upon the data subject’s fundamental rights and freedoms.

The Company exercises particular care when processing special category personal data, which is considered to be of critical importance to data subjects from various perspectives. In this context, such data is not processed without the explicit consent of the data subjects, provided that adequate safeguards determined by the Quality Department are in place. However, special category personal data other than data related to health and sexual life may be processed without the data subject’s explicit consent in cases provided for by law.

6.2.2. Data relating to health and sexual life may be processed without obtaining explicit consent, provided that adequate safeguards are in place and where one of the following grounds applies:
  • The protection of public health,
  • Preventive medicine,
  • Medical diagnosis,
  • The provision of treatment and care services,
  • Planning and management of health services and their financing.

6.3. Communication Security

This section sets out how the company lawfully processes personal data and the systems it has adopted to protect personal data, and ensures transparency by informing the individuals whose personal data is processed by our company, including our customers, potential customers, employees, job applicants, company officials, visitors, employees and officials of institutions we collaborate with, and third parties whose personal data is processed.

  • In accordance with the medical center’s “Information Security Management System Policy,” a domain structure has been established, and all computers operate within this domain structure while logged in. Computers not connected to the domain are removed from the local network, and no data is exchanged between devices on the local network.
  • No files may be exchanged via computers, except for official documents, software, and educational materials.
  • Internet access and email usage are monitored by the firewall device located at the medical center.
  • All authorized staff members who start working at the medical center are assigned a corporate email address.
  • Email addresses and passwords are provided to the relevant staff during training.
  • The user acknowledges that all statements made in their emails are their own. The user is responsible for any messages they send that may constitute a crime; that are threatening, illegal, abusive, profane, or defamatory; or that are contrary to public decency.
  • Users may not post material or documents on their accounts that constitute a criminal offense, nor may they engage in practices that harm individual account holders.
  • Users may not use another system's server or another user's account to send messages without that person's permission.
  • Users may not use their accounts for commercial or profit-making purposes. Users may not send bulk emails (spam) to a large number of users for advertising, promotional, or announcement purposes.
  • The user is solely responsible for any legal liability arising from the publication rights of any information contained in their account.

6.3.1. Informing and Notifying the Data Subject

In accordance with Article 10 of the Personal Data Protection Law, our company provides information to data subjects at the time their personal data is collected. In this context, the Company provides information regarding the purposes for which personal data will be processed, to whom and for what purposes the processed personal data may be transferred, the method and legal basis for collecting personal data, and the rights of the data subject.

Article 20 of the Constitution establishes that everyone has the right to be informed about personal data concerning them. In line with this, Article 11 of the Personal Data Protection Law lists “requesting information” among the rights of the data subject. In this context, our company provides the necessary information in accordance with Article 20 of the Constitution and Article 11 of the Personal Data Protection Law when the data subject requests information.

6.3.2. Purposes of Processing Personal Data

Your health data, as well as your special category personal data and other personal data, may be processed by the Company in a manner that is relevant, limited, and proportionate to its purposes. Such data includes, but is not limited to, the following:

  • Your first name, last name, Turkish ID number, temporary Turkish ID number, passport number, place and date of birth, marital status, gender, insurance or patient ID number, and other identifying information,
  • Your address, phone number, and email address,
  • Your health and sexual health data, including but not limited to your test results, laboratory and imaging results, examination data, and prescription information, obtained during the provision of medical diagnosis, treatment, and care services,
  • Your IBAN number and your credit card information,
  • The video and audio recordings captured by our closed-circuit television system during your visit to our medical center,
  • If you contact Patient Registration/Information, your recorded phone calls,
  • Your data regarding private health insurance, for the purposes of financing and planning health services.

Our company processes personal data solely for the purposes and under the conditions specified in Article 5, Paragraph 2, and Article 6, Paragraph 3, of the Personal Data Protection Law No. 6698.

These purposes and conditions are as follows:

  • The processing of your personal data by our Company is expressly provided for by law,
  • The processing of your personal data by our Company is directly related to and necessary for the conclusion or performance of a contract,
  • The processing of your personal data is necessary for our Company to fulfill its legal obligations,
  • Provided that you have made your personal data public, its processing by our Company is limited to the purpose of such disclosure,
  • The processing of your personal data by our Company is necessary for the establishment, exercise, or defense of the rights of our Company, you, or third parties,
  • The processing of your personal data is necessary for the legitimate interests of our Company and does not infringe upon your fundamental rights and freedoms,
  • The processing of personal data by our Company is necessary to protect the life or physical integrity of the data subject or another person, and the data subject is unable to give consent due to actual impossibility or legal invalidity,
  • The processing of special category personal data, other than that relating to the data subject’s health and sex life, is provided for by law,
  • The processing of special category personal data relating to the data subject’s health and sex life is carried out by persons or authorized institutions and organizations subject to a duty of confidentiality, for the purposes of protecting public health, preventive medicine, the provision of medical diagnosis, treatment, and care services, and the planning and management of health services and their financing.

Under the conditions specified above, and within the conditions and purposes of personal data processing set forth in Article 9, our Company may share personal data with the following recipients, including but not limited to:

  • The Ministry of Health and its subordinate units,
  • The representatives you have authorized,
  • Private insurance companies,
  • Social Security Institution,
  • The General Directorate of Security and other law enforcement agencies,
  • General Directorate of Population,
  • The Turkish Pharmacists' Association,
  • Courts and all judicial authorities, central authorities, and other third parties,
  • Lawyers,
  • The laboratories, medical centers, ambulance services, medical device suppliers, and healthcare providers with whom we collaborate for medical diagnosis and treatment,
  • Our suppliers, with whom this information may be shared on a limited basis for the purpose of providing services.

6.4.3. Transfer of Personal Data Abroad

Our company may transfer the personal data and special category personal data of data subjects to third parties abroad, provided that it takes the necessary security measures in accordance with lawful purposes for processing personal data. Personal data processed by our company may be transferred to foreign countries declared by the Personal Data Protection Authority to have adequate protection (“Foreign Countries with Adequate Protection”) or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and in the relevant foreign country have provided a written commitment to ensure adequate protection and where the Personal Data Protection Authority has granted its approval (“Foreign Country Where a Data Controller Committing to Adequate Protection Is Located”). In this regard, our company acts in accordance with the provisions set forth in Article 9 of the Personal Data Protection Law.

6.4.4. Building and Facility Entrances, Personal Data Processing Activities Conducted Within Them, and Website Visitors

  • The company’s personal data processing activities at the entrances to its facilities and within the facilities are conducted in compliance with the Constitution, the Personal Data Protection Law, and other relevant legislation.
  • To ensure security, our company conducts personal data processing activities involving security camera monitoring at our company buildings and facilities, as well as tracking the entry and exit of visitors.
  • Our company processes personal data by using security cameras and recording visitor entries and exits.
  • The Company’s use of security cameras for surveillance purposes is intended to protect the interests of the Company and others in ensuring their safety; in this regard, our Company acts in accordance with the Constitution, the Personal Data Protection Law, and other relevant legislation.
  • Our company records video footage of visitors using a camera surveillance system at the entrances to our buildings and facilities, as well as inside the facilities.
  • Our company uses security camera surveillance for the following purposes: to improve the quality of the services we provide, to ensure their reliability, to safeguard the security of the company, our customers, and other individuals, and to protect our customers’ interests regarding the services they receive.
  • Our company conducts video surveillance activities for security purposes in full compliance with the provisions of the Personal Data Protection Law. The video surveillance activities carried out by our company are conducted in accordance with the Law on Private Security Services and relevant legislation.
  • Only a limited number of Company employees have access to records stored and maintained in a digital environment. The limited number of individuals with access to these records have signed a confidentiality agreement pledging to protect the confidentiality of the data they access.
  • In accordance with Article 12 of the Personal Data Protection Law, our company takes the necessary technical and administrative measures to ensure the security of personal data obtained through video surveillance activities.

In addition to the recordings made by the camera mentioned above, our Company processes personal data to monitor the entry and exit of visitors at our Company’s buildings and facilities for the purposes of ensuring security and as specified in this Policy.

  • Individuals visiting our Company’s premises as guests are informed when their first and last names are collected, through notices posted at the Company or otherwise made available to guests. Data collected for the purpose of tracking guest entries and exits is processed solely for this purpose, and the relevant personal data is recorded in a physical data recording system.
  • For security purposes and for the purposes specified in this Procedure, our Company may provide internet access to visitors who request it while they are on our premises. In such cases, log records related to their internet access are kept in accordance with the provisions of Law No. 5651 and the relevant regulations issued pursuant to this Law; these records are processed only upon request by authorized public institutions and organizations or to fulfill our legal obligations during internal audit processes within the Company.
  • Only a limited number of Company employees have access to the log records obtained in this context. Company employees with access to these records may access them solely for the purpose of responding to requests from authorized public institutions and organizations or for use in audit processes, and may share them only with legally authorized individuals. The limited number of individuals with access to the records have signed a confidentiality agreement pledging to protect the confidentiality of the data they access.
  • Visitors to the website are informed via the Cookie Policy.

6.4.5. Categories of Personal Data
  • Personal information (first and last name, parents’ names, mother’s maiden name, date of birth, place of birth, marital status, ID card serial number, Turkish ID number, etc.)
  • Contact information (such as address, email address, mailing address, registered email address (KEP), phone number, etc.)
  • Location (geographic coordinates of the location)
  • Personnel Records (such as payroll information, disciplinary investigations, records of employment start and end dates, asset declaration information, resume information, and performance evaluation reports)
  • Legal Proceedings (such as information contained in correspondence with judicial authorities or in court files)
  • Customer Transactions (such as call center records, invoices, promissory notes, check information, information on teller receipts, order information, and request information)
  • Physical Premises Security (such as entry and exit records for employees and visitors, and surveillance footage)
  • Transaction Security (such as IP address information, website login and logout details, and password information)
  • Risk Management (such as information processed for the management of commercial, technical, and administrative risks)
  • Finance (such as balance sheet information, financial performance data, credit and risk information, and asset information)
  • Professional Experience (such as degree information, courses taken, on-the-job training, certifications, and transcripts)
  • Marketing (purchase history data, surveys, cookie records, information obtained through marketing campaigns)
  • Audio and Video Recordings (such as audio and video recordings)
  • Race and Ethnicity (such as information on race and ethnicity)
  • Political Affiliation Information (information indicating political views, such as political party membership)
  • Philosophical Beliefs, Religion, Denomination, and Other Beliefs (such as information regarding religious affiliation, philosophical beliefs, denominational affiliation, and other beliefs)
  • Dress and Attire (Information on dress and attire)
  • Association Membership (such as association membership information)
  • Foundation Membership (such as foundation membership information)
  • Union Membership (such as union membership information)
  • Health Information (such as information regarding disability status, blood type, personal health information, and details about medical devices and prosthetics used)
  • Sexual Life (such as information about sexual life)
  • Criminal Convictions and Security Measures (such as information regarding criminal convictions and information regarding security measures)
  • Biometric data (such as palm data, fingerprint data, retinal scan data, and facial recognition data)
  • Genetic Data (such as genetic data)
  • Other Information (such as data types to be specified by the user)

6.4.6. Groups of Data Subjects
  • Job Applicant
  • Employee
  • Subject
  • The person in question
  • Shareholder/Partner
  • Potential Product or Service Buyer
  • Exam candidate
  • Intern
  • Supplier Employee
  • Supplier Representative
  • Person Receiving the Product or Service
  • Parent / Guardian / Representative
  • Visitor
  • Other
6.4.7. Processing of Personal Data – Technical and Administrative Measures Taken to Ensure Its Protection

The company takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data. The measures stipulated in Article 12 of the Personal Data Protection Law are as follows:

  • To prevent the unlawful processing of personal data,
  • To prevent unauthorized access to personal data,
  • To ensure the protection of personal data

As the Data Controller, the Company has initiated the necessary procedures to implement the following technical and administrative measures to improve the KVKK compliance process.

  • Authority Matrix
  • Authority Check
  • Access Logs
  • User Account Management
  • Network Security Implementation
  • Security, Encryption, Hacking
  • Log Data Masking
  • Data Loss Prevention Software
  • Backup Firewalls
  • Current Antivirus Systems
  • Key Management for Deletion, Destruction, or Anonymization
  • Preparation of a Personal Data Processing Inventory
  • Corporate Policies (Access, Information Security, Use, Retention, and Disposal, etc.)
  • Agreements (Between Data Controller and Data Controller, Between Data Controller and Data Processor)
  • Confidentiality Agreements
  • Internal Periodic and/or Random Audits
  • Risk Analyses
  • Employment Contract and Disciplinary Regulations (Inclusion of Provisions in Compliance with the Law)
  • Corporate Communications (Crisis Management, Processes for Notifying Committees and Relevant Parties, Reputation Management, etc.)
  • Training and Awareness Activities (Information Security and Legislation)
  • Notification to the Data Controller Registry Information System (VERBİS)

6.4.8. The Data Subject’s Rights Under Article 11 of the Personal Data Protection Law

As data subjects, if you submit requests regarding your rights to our Company using the methods set forth below in this information notice under the Personal Data Protection Law, our Company will process the request free of charge within 30 (thirty) days at the latest, depending on the nature of the request. However, if the Personal Data Protection Board has established a fee, the fee set by our Company will be charged.

In this context, data subjects have the following rights:

  • The right to know whether their personal data is being processed,
  • The right to request information regarding the processing of their personal data,
  • The right to know the purpose of the processing of their personal data and whether it is being used in accordance with that purpose,
  • The right to know the third parties to whom their personal data is transferred, whether within the country or abroad,
  • The right to request the correction of personal data that has been processed inaccurately or incompletely, and to request that the third parties to whom the personal data has been disclosed be notified of such correction,
  • The right to request the erasure or destruction of personal data if the grounds for its processing no longer exist, even though it has been processed in accordance with the provisions of the Personal Data Protection Law and other relevant laws, and the right to request that third parties to whom the personal data has been transferred be notified of such action,
  • The right to object to a decision made solely through the automated processing of personal data that adversely affects them,
  • The right to seek compensation for any damages suffered as a result of the unlawful processing of their personal data.

As a data subject, you must submit your requests regarding your rights to our Company in writing. In this context, to ensure that your requests submitted to our Company under Article 11 of the Personal Data Protection Law are managed efficiently and promptly, please use the “Data Subject Information Request Form” document available on the Çevre Sağlık Tesisleri Ltd. Şti. website under the “Personal Data Protection” heading, and submit your request in person or via registered mail, along with any documents or information that may be required based on your request and the necessary identification documents. Additionally, as an online user (using the email address previously provided to our company and registered in our system), you may submit your request to us via ………………………..com.tr using the Data Subject Information Request Form.

6.5. Information Security Incident Management

Detection

Institutional staff are required to report incidents in cases of suspicious activity, such as files that are unexpectedly lost or found, problems with antivirus software, programs or windows that open unexpectedly, unauthorized personnel present in critical information processing facilities, confidential files being exposed to external interference, or failure to follow established procedures, among other similar situations.

Evaluation and Reporting

When information security incidents are reported to the quality department using the “Unwanted Incident Report Form,” the quality department evaluates the incident and, if it determines that an incident has occurred, informs senior management via a report.

The report must include at least the following sections:

  • The evidence gathered,
  • The type of evidence,
  • The evidence storage location,
  • The date and time of the evidence,
  • If corrective action has been initiated regarding the incident, the corrective action form,
  • The date and time the violation was detected.

The following are key considerations for information security incident reporting:

  • Physical security measures and access information for facilities.
  • Ineffective security check.
  • A breach of the confidentiality, integrity, or availability of information.
  • Human error.
  • Uncontrolled changes to software or hardware systems.
  • Faults.
  • Access control.
  • Non-compliance with policies and procedures.
  • Vulnerabilities detected by system security software.

Records created for the topics mentioned above are reviewed during quality management review meetings. Non-conformities are assessed as part of the risk assessment process.

The evaluation process is as follows:

  • When assessing incidents of non-compliance, the number of incidents and their impact are taken into account.
  • Data from security incidents is used as a metric in risk assessments.
  • The impact value is discussed at information security meetings and reflected in the risk probability values based on the number of records and the impact of those records.
  • If there is a 7% to 10% increase in the number of records by the end of the year, additional awareness training will be provided to users.
  • If there is an increase of between 11% and 30% in the number of records at the end of the year, an additional meeting will be held to review the procedures.
  • If the number of records increases by 31% or more by the end of the year, awareness training sessions will be conducted, procedures will be updated, and decisions regarding investments and structural changes will be made.

Intervention

  • No shutdown is carried out if there is any possibility that doing so would destroy or compromise the evidence.
  • For all incidents identified through audits or reported incidents and for which evidence has been collected, the vulnerability that caused the incident is addressed before any other actions are taken.
  • The Information Security Continuity Procedure is implemented when deemed necessary.

Taking Precautions and Gaining Experience

Necessary measures are taken to prevent the recurrence of identified information security incidents for which evidence has been collected. All information security incidents that occur are reviewed to gain insights, and the lessons learned are documented. The goal of this process is to prevent the recurrence of any incident or, if it does occur again, to resolve the issue more quickly.

To address a security breach, any of the following steps may be taken:

  • The records created are reviewed, and the information needed to resolve the issues is documented.
  • Written procedures must be established for incidents resulting from improper practices.
  • Procedures are reviewed and revised in response to incidents caused by those procedures.
  • It is checked whether a risk record exists for the information security incident; if one exists, the risk is reassessed; if not, a risk record is created and assessed.
  • Access permissions are reviewed again for access-related issues, and other similar access permissions are also checked.
  • In incidents caused by software and applications, updates are reviewed, and the incident is resolved through methods such as vulnerability patching, updates, and patch development.
  • The measures taken to address issues caused by physical equipment are also applied to other similar equipment.
  • For incidents caused by malicious code, the source of the problem is identified and the adequacy of security software is assessed. The identified measures are implemented across all systems.

Recording and Evidence Collection

  • During the record-keeping and evidence-gathering phase, the first step is to verify that the integrity of the records—which can be used to identify the incident and the responsible party—has not been compromised.
  • Only records whose integrity has been preserved are used as evidence.
  • Evidence collected in connection with information security breaches is retained for three years.
  • In cases involving the detection of information security breaches, the following records must be retained, if available: camera footage, access logs, audit logs, logs maintained by system security software, records of costs incurred to resolve issues, and any other records that may be needed to assess information security breaches and determine the frequency, damage, and cost limits of future incidents.

Improvement

  • Employees should receive awareness training on information security and the protection of personal data.
  • Passwords used in the information management system must comply with the Ministry’s password policies.
  • Those responsible for the information management system and its users must sign a confidentiality agreement.
  • A risk assessment should be conducted regarding physical threats to the information management system, software and hardware issues, information security, data privacy, the protection of personal data, and user errors.
  • Following an assessment of the situation and corrective actions taken in response to information security breaches, improvements are implemented, and senior management and employees are informed of these improvements.