# Update of the IT Data Protection Working Group mandate

## Mandate

In the context of the Office of the Data Protection (https://cern.ch/odpp), the Working Group (WG) will take a broad view and critically analyse the IT Department's approach to Data Privacy Protection, and in particular:

* Study the Data Protection Privacy notices of the Service Now IT Service Elements and:
  * Determine if accountability is suitably assigned.
  * Determine if the processing is really necessary, can be stopped or consolidated.
  * Determine whether the intended purpose is clear and reasonable.
  * Determine whether all transfers are justified.
* Propose a homogeneous set of policies, in particular concerning data retention times and records of processing.
* Advise on a recommended set of best practices concerning the type of data that a particular service element is deemed to store (or should avoid storing) with potential risks to data subjects.
* **Coordinate and follow up on the actions to be taken by each service owner so that all IT department services respect the provisions of OC11.**

Proposed constraints (feasibility to be examined by the WG):

* Logs should not be kept for longer than 1 month, except for computer security reasons, in which case they will be transferred to the Computer Security
* Providing secure LDAP services would require a major effort, which cannot be implemented in the short-term future; therefore users should not use LDAP distribution lists when there are privacy concerns.