What shall I do when another service wants access to my data?

If you are asked to provide data to another service, you need to consider the following questions:

  • Why does this service want my data? Is there a clear purpose?
  • Can I provide the data in pseudonymised, or preferably fully anonymised form to avoid transferring personal data. This will often be the case for services that are doing statistical or analytical work, however, you may need then to process the data before passing it to them.
  • Can I rely on the recipient to fully comply with the privacy obligations of CERN?

As the service doing the transferring you are responsible for ensuring that the privacy protection transfers along with the data. Again, if personal data is not really required, anonymise the data first.

Data requested by the CERN Internal Audit Service (IAS)

Where the request is submitted by the IAS for the purposes of an audit or fraud investigation, it is to be considered that the Director-General has already authorised access to personal data necessary for the fulfilment of the IAS’ mission: for audit purposes (see § 8 CERN Internal Audit Charter) and for fraud investigation purposes (§§ 10 and 31, OC 10). Hence, a clear purpose and legal grounds exist to access data that is necessary and proportionate.

Therefore, as long as the respective Records of Processing Operations of both IAS and your service clearly specify that access to personal data is required for the execution of the IAS’s mandate, you shall transfer the relevant personal data as requested.

In case you are the processing service of the requested data and you have not been specifically instructed by the data controller to transfer data to the IAS, you should forward the request to the data controller if it has been submitted in the context of an audit.
Else - if you are informed that the request is submitted in the context of a fraud investigation, which obliges you to fully cooperate and maintain confidentiality throughout the fraud investigation - you have to disclose the personal data requested by the IAS.
In this respect it is noted that the IAS has to notify you of the context in which it is submitting the request for data, however without mentioning any details with regard to the specific investigation.

Don't hesitate to contact the ODP in the event of questions or doubts.