Biuro Generalnego Inspektora Ochrony Danych Osobowych

The main tasks of the controllers as regards technical and organisational requirements
which should be fulfilled by devices and computer systems used for personal data
processing.
(pursuant to the Act on the Protection of Personal Data of 29 August 1997, consolidated text:
Journal of Laws of 2002, No. 101, item 926)
The Act on the Protection of Personal Data, hereinafter referred to as the Act, defines the term
“controller” as a body, an organisational unit, an establishment or a person who decides on the
purposes and means of the processing of personal data (Art. 7 of the Act). The Act applies
to state authorities and local government authorities, as well as to other state and municipal
organisational units and to non-governmental bodies carrying out public tasks. The Act also
applies to natural and legal persons, and to organisational units without the status of a legal
person, involved in the processing of data as part of their business or professional activity or
the implementation of their statutory objectives. The Act applies to such entities whether or
not they have their seat or residence on the territory of the Republic of Poland, provided that
they process data by means of technical devices located on the territory of the Republic of
Poland. The Act does not apply to natural persons who process data in the exercise of
activities which are exclusively personal or domestic (Art. 3 of the Act).
The Act imposes on the controller a number of obligations and restrictions, including inter
alia the obligation to protect personal data filing systems adequately (Chapter 5 of the
Act). The following terms are defined in the Act (Art. 7 of the Act):
- data filing system - shall mean any structured set of personal data which are accessible
pursuant to specific criteria, whether centralised, decentralised or dispersed on a
functional basis,
- computer system - shall mean a set of devices, utilities, procedures of data processing and
software tools which assist personal data processing,
- processing of data - shall mean any operation which is performed on personal data, such
as collection, recording, storage, organisation, alteration, disclosure and erasure, and in
particular those performed in computer files,
- security of data within computer systems - shall mean the implementation and use of
appropriate technical and administrative measures applied to protect data against
unauthorised processing,
- data erasure - shall mean the destruction of personal data or such modification of them as
would prevent determining the identity of the data subject.
Detailed instructions on the obligations of the controller as regards the technical and
organisational conditions which should be fulfilled by devices and computer systems used for
personal data processing were specified, by virtue of Art. 45 of the Act, in the Regulation of
the Minister of Internal Affairs and Administration of 3 June 1998 (hereinafter the Regulation).
The main tasks of the controllers as regards the technical and organisational requirements which
should be fulfilled by devices and computer systems used for personal data processing are as
follows:
1. Analysing the technical and organisational conditions influencing the management of
computer systems in which personal data are processed. The controller of personal data
shall pay special attention to those management elements which have a significant
influence on data security, understood as the protection of data against their unauthorised
collection, modification or destruction. This applies not only to personal data kept in
traditional files and in the databases of various computer systems, but also to data
transferred over computer networks. In the latter case the main aim is the security of the
data while they are in transit, which occurs when data are transferred:
- from one database to another,
- from terminals, where they are entered by operators, to the central or local databases of
the computer system,
- from a database of the computer system to a terminal as a result of executing a
command to search the database, to display its contents or to modify it.
The aims of the analysis referred to above shall include:
- defining the aims, strategy and policy of data security for the computer systems in
which personal data are processed,
- identifying and analysing the threats and risks to which personal data processing may be
exposed,
- defining the needs as regards the security of personal data files and computer systems,
including the cryptographic protection of personal data, in particular during their
transmission by means of devices used for data transmission,
- defining security measures appropriate to each risk,
- verifying that the security measures implemented to protect personal data, and the
processing that relies on them, function as intended,
- developing and implementing a training programme concerning the computer system,
- detecting, and reacting appropriately to, any violation of the security of personal data or
of computer systems.
2. Applying technical and administrative measures to protect data against their
unauthorised disclosure, dissemination or destruction. The technical and organisational
means to be applied shall follow from the analysis referred to in point 1 and from the
basic technical and organisational conditions to be fulfilled by devices and computer
systems used for the processing of personal data, as specified in the Regulation.
3. Ensuring that it can be established what personal data have been entered into the
filing system, when and by whom, and to whom they have been transferred, in particular
when they are transmitted by means of devices used for data transmission (see Art. 38 of
the Act).
4. Keeping the register of persons authorised to process personal data (Art. 39
paragraph 1 of the Act). Pursuant to § 14 paragraph 4 of the Regulation this register
should include the name and surname and, in the case of persons using the computer system
for the processing of personal data, additionally the user identifier assigned to that
person in the computer system.
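Points 3 and 4 are easiest to satisfy together: the register of authorised persons decides who may act in the system at all, and every entry or transfer is written to an append-only trail that answers the Art. 38 questions (what, when, by whom, to whom). The Python sketch below is an added illustration and is not part of this guidance, the Act or the Regulation; the class and function names (FilingSystem, AuthorisedPerson, AuditEntry, demo), the sample persons, the record and the recipient are hypothetical, and all sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthorisedPerson:
    """One entry in the register of persons authorised to process personal data.
    user_id is the identifier assigned in the computer system; it stays None for
    persons who process personal data without using the computer system."""
    name: str
    surname: str
    user_id: Optional[str] = None


@dataclass(frozen=True)
class AuditEntry:
    """One immutable line of the accountability trail: who did what, when, to
    which record, and (for transfers) to whom the data went."""
    when: datetime
    user_id: str
    operation: str                   # "entered" or "transferred"
    record_id: str
    fields: Tuple[str, ...]          # personal-data fields affected
    recipient: Optional[str] = None  # set only for "transferred"


class FilingSystem:
    """Hypothetical personal data filing system (assumed names, not from the
    Regulation) that keeps the register and the audit trail side by side and
    refuses any operation by a user identifier absent from the register."""

    def __init__(self) -> None:
        self._register: List[AuthorisedPerson] = []
        self._records: Dict[str, Dict[str, str]] = {}
        self._audit: List[AuditEntry] = []   # append-only; never rewritten

    def register_person(self, person: AuthorisedPerson) -> None:
        self._register.append(person)

    def registered(self) -> List[AuthorisedPerson]:
        return list(self._register)

    def _check_authorised(self, user_id: str) -> None:
        if not any(p.user_id == user_id for p in self._register):
            raise PermissionError(f"user {user_id!r} is not in the register")

    def enter(self, user_id: str, record_id: str, data: Dict[str, str],
              when: Optional[datetime] = None) -> AuditEntry:
        """Enter or update personal data; the entry is logged with user and time."""
        self._check_authorised(user_id)
        self._records.setdefault(record_id, {}).update(data)
        entry = AuditEntry(when or datetime.now(timezone.utc), user_id,
                           "entered", record_id, tuple(sorted(data)))
        self._audit.append(entry)
        return entry

    def transfer(self, user_id: str, record_id: str, recipient: str,
                 when: Optional[datetime] = None) -> AuditEntry:
        """Disclose a record to a recipient and log who received it."""
        self._check_authorised(user_id)
        if record_id not in self._records:
            raise KeyError(record_id)
        fields = tuple(sorted(self._records[record_id]))
        entry = AuditEntry(when or datetime.now(timezone.utc), user_id,
                           "transferred", record_id, fields, recipient)
        self._audit.append(entry)
        return entry

    def history(self, record_id: str) -> List[AuditEntry]:
        """Art. 38 view of one record: what, when, by whom, to whom."""
        return [e for e in self._audit if e.record_id == record_id]

    def recipients(self, record_id: str) -> List[str]:
        return [e.recipient for e in self.history(record_id)
                if e.operation == "transferred" and e.recipient is not None]


def demo() -> FilingSystem:
    """Constructed sample scenario with made-up persons and data."""
    fs = FilingSystem()
    fs.register_person(AuthorisedPerson("Anna", "Kowalska", user_id="akowalska"))
    fs.register_person(AuthorisedPerson("Jan", "Nowak"))  # no system access
    t0 = datetime(2002, 7, 1, 9, 0, tzinfo=timezone.utc)
    fs.enter("akowalska", "rec-001",
             {"surname": "Wisniewski", "address": "ul. Prosta 1"}, when=t0)
    fs.transfer("akowalska", "rec-001", "Urzad Skarbowy (tax office)",
                when=t0.replace(hour=10))
    return fs


if __name__ == "__main__":
    for e in demo().history("rec-001"):
        print(e.when.isoformat(), e.user_id, e.operation, e.record_id,
              e.fields, e.recipient)
```

The trail records the field names touched rather than the values, so the log itself does not become a second copy of the personal data; a person listed in the register without a user identifier (Jan Nowak above) is kept in the register, as § 14 paragraph 4 requires, but cannot act in the system.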
5. Appointing a person referred to as the "administrator of information security", who is
responsible for the security of personal data within the computer system. The duties of
this person shall include preventing access to the processing system by unauthorised
persons, monitoring the security of the computer systems, and taking appropriate
action where a breach of system security has been revealed.
6. Determining individual job specifications and responsibilities for the persons authorised to
process personal data. The job specification should state which operations a given user
may carry out in the personal data processing system.
7. Drawing up instructions on how to proceed when the protection of personal data has been
violated; the instructions are intended for employees engaged in personal data processing
(§ 6 of the Regulation). They shall stipulate the course of action in cases where:
a) a violation of the security of the computer system has been revealed,
b) the state of the equipment, the contents of the personal data file, the observed methods of
work, the behaviour of the programs or the quality of communication within the
telecommunications network indicates a breach of data security.
8. Determining the buildings, premises or parts of them where personal data are processed by
means of stationary computer equipment.
9. Drawing up instructions defining the way in which the computer systems used
for personal data processing are to be managed. These instructions should, in particular,
cover the requirements concerning information security (§ 11 of the Regulation) and
comprise in particular:
a) the method of allocating passwords to users and the frequency of changing them, together
with an indication of the person responsible for these activities,
b) the method by which users are logged in to and out of the system, together with an
indication of the person responsible for these activities,
c) procedures for beginning and ending work in the system,
d) methods and frequency of making backup copies,
e) methods and frequency of detecting and removing computer viruses,
f) methods and periods of storing information media, including data copies and printouts,
g) methods of carrying out routine servicing of the system and of the personal data file,
h) procedures of communication within the computer network.
10. Monitoring data security and checking whether the administrative duties related to
information system management are being performed properly.