Notification of a New IT Process

The procedure described below summarises the policies governing the notification of new IT processes, as agreed with the staff councils and the official data protection commissioner.

The notification of IT processes serves the following objectives:

  • Comprehensive recording of the IT deployment at the Free University;

  • Initiation of co-determination procedures to obtain consent to the operation of the IT process (if necessary by conclusion of a service agreement);

  • Notification regarding the processing of personal data, if applicable.

Notification is made as illustrated in the following diagram:

Illustration: Diagram of the Notification Procedure for New IT Processes

Documentation of IT Processes

When preparing the documentation of a new IT process, existing process documentation and the advice services offered by eAS are available for information and assistance. In particular, the process documentation available on the BSCW system in the folder "/IT-Verantwortliche/IT-Verfahren/Neue IT-Verfahren" ("/IT executives/IT processes/new IT processes") should be mentioned here as an example:

  • IT process "Content Management System" (CeDiS).

This example may be used as a reference or template. However, because IT processes vary widely, it must be examined in each individual case to what extent the example can be applied.

Minimum Requirements

Pursuant to the Berlin Personnel Representation Act (Berliner Personalvertretungsgesetz), the competent staff council must receive all required data and documents at the latest when consent is applied for. The content of the IT process documentation to be submitted depends on the type of work processes covered by the IT process and on the IT systems used. The volume of the documentation and its division into individual documents depend on the size and complexity of the IT process. The following list contains the features that are typical of many IT processes. An IT process description must, as a minimum, contain information on the facts stated. If one of the facts stated does not apply in an individual case, that item may of course be omitted from the IT process description.

IT Process Description

The IT process description includes:

  1. Purpose of the IT process, objective, grounds;

  2. Information about the statutory basis;

  3. Description of the working processes;

  4. Protection requirement analysis including an evaluation on the basis of the evaluation scale contained in the framework directive on IT security (as a separate document, if necessary);

  5. Risk analysis depending on the results of the protection requirement analysis according to the criteria set out in the framework directive on IT security (as a separate document, if necessary);

  6. Description of roles in accordance with the role model described in the framework directive on IT security, as a separate document in the form of an access concept;

  7. Description of interfaces with other IT processes, IT systems and other services;

  8. Information about the number and types of technical installations and devices (quantity structure);

  9. Information about the departments concerned, installation locations, work environment of equipment and devices at the workplaces;

  10. Information regarding the technical equipment of the workplaces;

  11. Description of the future workplaces/job descriptions;

  12. Description of the expected changes of, and effects on, workplaces, work contents, and work processes of the employees concerned;

  13. Human resources planning, if existing, and requirements with regard to the qualification of the employees, including a statement assessing to what extent the employees already have such qualifications and/or how such qualifications are to be acquired (training concept, as a separate document if necessary);

  14. Time schedule on the process roll-out;

  15. If personal data of employees are intended to be processed automatically, information on the treatment of personal data. In particular, information is to be provided on

  • who is authorised,

  • for which purposes,

  • in which manner,

  • to access which personal data,

  • how the access policy will be technically implemented,

  • in which way, and pursuant to which principles, access authorisations will be granted, and

  • in which way, and pursuant to which principles, the granting of authorisations and modifications thereto will be supervised.

The granting of access authorisations largely depends on who is responsible for the tasks in the course of which the respective data are required. The circle of individuals permitted to be informed about personal data of employees should be kept as small as possible.

  16. Advice concept (as a separate document, if necessary).

The documents describing the work processes, the facts relevant to co-determination, and the data security aspects must be written in a way that is intelligible to everybody. This applies in particular to the IT process documentation, the protection requirement analysis, the training concept and the risk analysis.

The documentation of an IT process also includes an operational concept including all operation-relevant information on the technical systems affected by the IT process.

If personal data are intended to be processed automatically, a description under data protection law is to be drawn up pursuant to Section 19 II of the BlnDSG and Section 2 (3) IVG. Here, too, the advice services provided by eAS may be used.