In July 2020, the CNIL (DPA for France) published guidelines on data retention (Guide pratique – Les durées de conservation). https://www.cnil.fr/sites/default/files/atoms/files/guide_durees_de_conservation.pdf
These reflect early CNIL recommendations from 11-Oct-2005 on the archiving of personal data.
They aim to provide practical help to define the data retention rules and periods.
Similar to DIN-66398 (German industry standard on data retention/deletion) they don’t include guidance on specific data categories. https://din-66398.de/
However, CNIL does define data retention periods in separate dcouments (“Référentiel”). Up to now, two such Référentiels have been published for the health sector:
OCR launched a new feature on HHS.gov, titled Health Apps. This new webpage takes the place of OCR’s previous Health App Developer Portal, and is available at https://www.hhs.gov/hipaa/for-professionals/special-topics/health-apps/index.html.
The new webpage highlights OCR’s guidance on when and how the Health Insurance Portability and Accountability Act (HIPAA) regulations apply to mobile health applications, including:
Evaluating the level of risk for a personal data processing operation
includes further links to risk assessment methodologies
DSK: Muster Verarbeitungsverzeichnis Verantwortlicher
Kurzpapier Nr. 1 (Verzeichnis von Verarbeitungstätigkeiten – Art. 30 DS-GVO)
(Privacy register, Privacy registry)
The perils of letting third party trackers use your CNAME / subdomain.
The German Data Protection Authorities are developing a Standard Data Protection Model (SDM), as a guideline for data controllers.
They just published the three first modules – on “Documentation”, “Logging” and “Data deletion”.
So “Data deletion” is obviously a priority to them.
The Five Safes is a framework for helping make decisions about making effective use of data which is confidential or sensitive. – The Five Safes proposes that data management decisions be considered as solving problems in five ‘dimensions’:
- projects (Is this use of the data appropriate?),
- people (Can the users be trusted to use it in an appropriate manner?),
- settings (Does the access facility limit unauthorised use?),
- data (Is there a disclosure risk in the data itself?) and
- outputs (Are the statistical results non-disclosive?).
The combination of the controls leads to ‘safe use’.
See also https://en.wikipedia.org/wiki/Five_safes