Hunton Andrews Kurth LLP
  May 5, 2013 - United States of America

The Belgian Privacy Commission’s New Guidance on Information Security
  by Wim Nauwelaerts

In the past half year, an alarming increase in data breaches has been reported in the Belgian media. In December 2012, the National Belgian Railway Company inadvertently published a list with personal information relating to some 1.5 million of its customers online. Similarly, the Belgian Ministry of Defense released a list with 500 of its staff in January 2013, and, in that same month, recruitment website Jobat revealed salary information about 15,000 individuals who had participated in a salary survey.

The rise in data security incidents has caught the attention of the Belgian Privacy Commission (“Commission”), which is entitled to make recommendations on any matter relating to the application of the fundamental data protection principles in the Belgian Data Protection Act of December 8, 1992 (“Act”). Given the recent chain of events, the Commission decided to issue a recommendation (Aanbeveling nr. 1/2013, dated January 21, 2013; “Recommendation”) on information security and, in particular, working with computer files.

Previous Guidance from the Commission
The Recommendation supplements and builds on two previously issued guidance documents from the Commission: Reference Measures for the Security of Any Personal Data Processing Operation (Referentiemaatregelen voor de beveiliging van elke verwerking van persoonsgegevens), released in April 2012, and Guidelines Relating to Information Security of Personal Data (Richtsnoeren met betrekking tot de informatiebeveiliging van persoonsgegevens), issued in June 2012.

Taken together, these three guidance documents are intended to assist data controllers and data processors in their efforts to implement suitable security measures in compliance with the Act. Based on Article 17 of EU Directive 95/46/EC (“Data Protection Directive”), Article 16 of the Act imposes an obligation on data controllers and processors to guarantee the security of personal data by taking appropriate technical and organizational measures to protect the data against any unauthorized processing. The Act does not specify what constitutes an appropriate level of information security. It merely states that the level of information security must take into account the state of the art in this field and the cost of implementation, on the one hand, and the nature of the data and the potential risks, on the other.

Read full article at: http://www.hunton.com/files/Publication/35fa12a5-ac53-40e2-bd8d-6246cfec2e0b/Presentation/PublicationAttachment/f4d22cc9-2c1d-4ace-b54e-64b2b34afdb8/Belgian_Privacy_Commission_New_Guidance.pdf