Technical and Organizational Measures in the Digital Preservation Services
Translated 15th May 2024.
Translation of the original Finnish version (last updated 15th May 2024). Should this translation conflict with the Finnish version, the Finnish version takes precedence.
1. Purpose of This Document
The technical and organizational measures (TOMs) describe what the data controller and the data processor have agreed on the processing of personal data, as required by Article 28 of the General Data Protection Regulation (EU) 2016/679. The Data Protection Act (1050/2019) sets out the obligations for protecting special categories of personal data. CSC - IT Center for Science Ltd. ("CSC") processes personal data on behalf of the partner organization, which acts as the data controller, in order to produce the services agreed in the service contract. The measures CSC takes to protect this data when producing the Digital Preservation Services ("DPS") are listed below.
The data processor may change the protective measures unilaterally and without notification when the changes retain or improve the overall level of protection. Individual protective measures may be replaced as long as this does not lower the level of protection of personal data. CSC may update this document when the protective measures change. Material changes are reported to the data controller.
2. Protective Measures in the DPS
2.1. General
- All processing actions performed by CSC are agreed upon in writing.
- Access rights are role based, and access is granted on the principle of least privilege.
- The data controller maintains access rights for its personnel.
- CSC maintains access rights for its own personnel. Access to data is granted only to employees whose job description includes processing personal data, and only to the extent the job description requires.
- Users with access to personal data are unequivocally identified.
- Content ingested into the services is validated using automated procedures. This processing may generate logs that contain personal data.
- Logged data is stored for at least 5 years.
- The data protection expertise of the personnel processing personal data is continuously developed. Completed training courses are recorded in an internal register.
- CSC personnel are bound by the duty of confidentiality laid down in section 35 (§ 35) of the Data Protection Act, and they may not use non-disclosable information for their own benefit.
- CSC employs a data protection officer.
- Data that the DPS transfers over public networks is exchanged over a secured connection or is otherwise encrypted.
- Software and its deployment are reviewed and verified with automated integration tests before being approved for production.
- The integrity and availability of the DPS are monitored by an external monitoring system.
- The DPS employ up-to-date virus scanning and a multi-layered security architecture.
- The DPS are covered by the ISO/IEC 27001:2013 certificate granted to CSC for its information security management.
- The data is stored in the EU (Finland).
2.2. Measures when Ingesting Data
- Content is accepted only from data controllers that have a service contract for the DPS, and content is submitted to the DPS over a secured connection.
- Content is accepted only in a predefined format, and it must be digitally signed by the data controller.
- Content is only accepted into long-term preservation after it has been successfully validated in the ingest process.
2.3. Measures when Preserving Data
- Content integrity is verified against the checksums provided by the partner organization that ingests the data. Automated integrity checks are performed on the content at regular intervals.
- All content is stored as at least three separate copies, each of whose integrity is regularly checked.
- Only the data controller of the content can disseminate it through the DPS APIs.
- Deviations detected by the regular integrity checks are acted upon immediately.
2.4. Measures when Accessing and Processing Data
- The data controller is given a user account and authenticates to the services with RSA keys. An SSL certificate is used to digitally sign all content sent to the DPS. Partner organizations authenticate with a user name and password when using the dissemination APIs. All keys and user accounts are managed with a centralized configuration management system.
- User accounts are bound to service contracts. API requests are logged.
- Content in the DPS is findable through unique identifiers bound to the data controller, which allows representatives of the data controller to access their content in the DPS.
- All measures that guarantee the authenticity of the content are documented.
- When the ingest process detects problems with data quality, permission to access the submitted content for analysis is always requested from the data controller. All such permissions are logged.
2.5. Measures when Disseminating Data
- Every content item carries a service contract identifier, and content can only be disseminated by its data controller or by a recipient authorized by the data controller.
- The data controller authenticates with a user name and password.
- Disseminated content includes checksums for verification, and the data controller accesses the content over a secured connection using SSL protocols.
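The integrity checks in 2.3 (every copy verified against the checksums supplied at ingest, deviations acted upon immediately) and the checksum verification of disseminated content in 2.5 come down to the same routine: compare each stored or delivered file against a manifest. The following script is an added example, not CSC's or the DPS's own code. It assumes a `sha256sum`-style manifest (`<sha256 hex>  <relative path>` per line), a replica layout of `copy1/`, `copy2/`, `copy3/`, and the constructed sample objects in `demo()`; none of these come from the page. Beyond the text, it also treats the manifest paths as untrusted input from the submitting organization and reports how many copies of each object remain intact, which is what decides whether a damaged copy can be restored from another one.

```python
"""Replica integrity check against an ingest manifest (added example, stdlib only).

Assumed manifest format: one "<sha256 hex>  <relative path>" line per object,
as produced by `sha256sum`. The replica layout (copy1/, copy2/, copy3/) and the
sample objects in demo() are constructed for this example.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path, PurePosixPath


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte objects do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse the manifest; refuse paths that could escape the replica root.

    The manifest is written by the submitting organization, so its paths are
    untrusted input: absolute paths and '..' components are rejected.
    """
    manifest: dict[str, str] = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, rel = line.partition("  ")
        digest = digest.lower()
        if not sep or len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"manifest line {n}: expected '<sha256 hex>  <path>'")
        rel = rel.strip()
        if not rel or PurePosixPath(rel).is_absolute() or ".." in PurePosixPath(rel).parts:
            raise ValueError(f"manifest line {n}: unsafe path {rel!r}")
        manifest[rel] = digest
    return manifest


def check_replicas(manifest: dict[str, str], replica_roots: list[Path]):
    """Verify every manifest object in every replica.

    Returns (findings, intact): findings lists (object, replica name, reason)
    for each deviation; intact maps each object to the number of replicas whose
    checksum still matches the manifest.
    """
    findings: list[tuple[str, str, str]] = []
    intact: dict[str, int] = {}
    for rel, expected in manifest.items():
        good = 0
        for root in replica_roots:
            path = root / rel
            if not path.is_file():
                findings.append((rel, root.name, "missing"))
                continue
            actual = sha256_file(path)
            if actual != expected:
                findings.append((rel, root.name, f"checksum mismatch ({actual[:12]}...)"))
            else:
                good += 1
        intact[rel] = good
    return findings, intact


def objects_needing_action(intact: dict[str, int], copies: int) -> list[str]:
    """Objects with fewer intact copies than configured must be repaired now."""
    return [rel for rel, good in intact.items() if good < copies]


def demo():
    """Build three replicas of a constructed SIP, damage two of them, run the check."""
    objects = {
        "sip-001/data/report.pdf": b"%PDF-1.4 constructed sample content\n" * 64,
        "sip-001/metadata/mets.xml": b"<mets xmlns='http://www.loc.gov/METS/'/>\n",
    }
    # The submitting organization computes the manifest before ingest.
    manifest_text = "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {rel}" for rel, data in objects.items()
    )
    manifest = parse_manifest(manifest_text)
    with tempfile.TemporaryDirectory() as tmp:
        roots = [Path(tmp) / f"copy{i}" for i in (1, 2, 3)]
        for root in roots:
            for rel, data in objects.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Simulate silent corruption in copy2 and a lost file in copy3.
        (roots[1] / "sip-001/data/report.pdf").write_bytes(b"%PDF-1.4 bit rot\n")
        (roots[2] / "sip-001/metadata/mets.xml").unlink()
        findings, intact = check_replicas(manifest, roots)
    return findings, intact, objects_needing_action(intact, copies=len(roots))


if __name__ == "__main__":
    for finding in demo()[0]:
        print("DEVIATION", *finding)
```

On the receiving side (2.5) the same `parse_manifest` and `check_replicas` apply with a single root, the directory the disseminated package was unpacked into. The per-object intact count matters operationally: with three copies, one mismatch still leaves two agreeing copies to restore from, whereas an object with only one intact copy has no independent confirmation of which copy is correct and needs escalation rather than an automatic repair.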
2.6. Measures when Deleting Data
- The content is stored as at least three separate copies, which cannot be deleted simultaneously.
- Access to the content is blocked once a service contract has been terminated. All data related to the terminated service contract is deleted immediately after the protection period stated in the contract has ended, unless otherwise agreed.