# Update of the IT Data Protection Working Group mandate
## Mandate
In the context of the Office of the Data Protection (https://cern.ch/odpp) the Working Group (WG) will take a broad view and critically analyse the IT Department approach to Data Privacy Protection and in particular:
* Study the Data Protection Privacy notices of the Service Now IT Service Elements and:
* Determine if accountability is suitably assigned.
* Determine if the processing is really necessary, can be stopped or consolidated.
* Determine whether the intended purpose is clear and reasonable.
* Determine whether all transfers are justified.
* Propose a homogeneous set of policies, in particular for what concerns data retention times and records of processing.
* Advise on a recommended set of best practices concerning the type of data that a particular service element is deemed to store (or should avoid to store)
with potential risks to data subjects.
* **Coordinate and follow-up on the actions to be taken by each service owner so that all IT department services will be respecting the provisions of OC11.**
Proposed constraints (feasibility to be examined by the WG):
* Logs should not be kept for longer than 1 month, except for computer security reasons in which case they will be transferred to the Computer Security
* Providing secure LDAP services would require a major effort, which cannot be implemented in the short-term future —therefore users should not use Idap distribution lists when there are privacy concerns.