Information Security and Data Protection Legal and Policy Frameworks Applicable to European Union Institutions and Agencies

by Neil Robinson, Jan Gaspers

Full Document: PDF file, 0.9 MB


Summary Only: PDF file, 0.1 MB


This study reviews the legal and policy frameworks that govern the use of information and communications technology by European Union institutions and agencies in terms of the extent to which they account for information security and data privacy.

The first set of findings is presented in Chapter 2, which suggests that legacy equipment, path dependency when it comes to law and policymaking, and the natural conservativeness of a large and complex administrative machine may act as inhibitors to building greater information security in EU institutions and agencies.

Examining legal and policy frameworks that govern and regulate the use of ICT across EU institutions and agencies, Chapter 3 finds that the overall tone of EU policy and legal frameworks governing and regulating information security resonates with a model of security based on an internally secure organisation and insecure external environment, which appears to be inconsistent with the latest evolving canon of best practice concerning inter-organisational security. Moreover, key EU information security and data protection frameworks would appear poorly aligned with many modern models of technology service delivery and use, and the potential for security and privacy requirements to be built in from the start through Security Engineering or Privacy by Design principles appears to have little visibility in many EU legal and policy frameworks.

Mapping legal and policy frameworks that cover policy domains unique to EU institutions and agencies, Chapter 4 reveals a complex landscape of very specific information security and data protection requirements for different EU policy domains. The unique nature of some of these policy domains and their attendant security or privacy considerations seems difficult to reconcile with the appetite for more innovative types of technology provision. The chapter concludes by highlighting that information security governance and data protection remain a challenge within many EU frameworks, which are often managed in a federated fashion through obligatory standards and rules set at a strategic EU level and implemented at the national level.

Table of Contents

  • Chapter One: Introduction

  • Chapter Two: European Union ICT requirements and infrastructure

  • Chapter Three: Cross-cutting legal and policy frameworks applicable to EU institutions and agencies

  • Chapter Four: Legal and policy frameworks covering policy domains unique to EU institutions and agencies

  • Chapter Five: Conclusions

Research conducted by

The research described in this report was sponsored by Microsoft Europe and conducted by RAND Europe.

This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.