When creating a new Service the following should be done:
-
Firstly, the Service must be registered in the CERN Service Catalogue.
-
The processing operations and potential privacy issues should be identified by the Service designers.
-
Services shall be set by default in a manner ensuring the minimum level of collecting, processing and sharing of personal data. This includes transferring in and out of the Service. Such data transfers should be documented in the privacy notice.
-
Users must remain in full control of their data which requires that no implied consent is allowed (CERN’s policy when relying on consent is to require explicit consent, see the consent procedure) and that they can easily decide and change the amount of personal data they want to disclose. The ability to exercise their right of access, and of being forgotten must be implemented.
-
This should be reviewed with all the appropriate stakeholders, including the Office of Data Privacy (ODP) if needed.
-
A RoPO and if necessary, a privacy impact assessment in ServiceNow should be completed.
-
If it appears that the processing would result in high risk in absence of measures taken to mitigate it, a prior consultation with the ODP is required.
-
Adequate security measures shall be put in order to ensure security during the whole lifecycle of the Service. This is in order to guarantee that when a Service is stopped all the personal data stored related to that Service is deleted with no possibility for anyone to access it.