August 2, 2018
The Argentine Agency of Access to Public Information, the government agency tasked with enforcing the Argentine Data Protection Law, recently issued two regulations, the first with regard to its own budgetary policy and the second regulating the privacy practices of national public agencies.
Administrative Decision No. 1274/2018
On July 5, 2018, the Argentine Agency of Access to Public Information (AAPI) issued Administrative Decision No. 1274, which created the Technical Administrative Directorate. Its primary role is to administer policies and regulations that concern personnel, administration, training, and development of the AAPI, in order to oversee its budgetary and financial health.
Specific powers and responsibilities granted to the Directorate include the following: prepare draft budgets; manage the approved budget; supervise the maintenance and services of the buildings in which the AAPI is located and coordinate any contracts thereto; determine the AAPI’s required goods, services, and security and supervise the relevant contracts; manage the AAPI’s administrative documentation; maintain, update, and care for the AAPI’s personnel database and generate the pertinent information and statistics to assist the relevant authorities; coordinate and update the disclosure and evaluation system for job positions, as well as work processes, flows, and procedures, and propose modifications and simplifications; coordinate and give technical assistance for the process of staff search, selection, and integration; provide technical coordination and assistance in the process of AAPI staff plant training; and manage relations with union representatives and intervene in negotiations or agreements entered into by AAPI staff.
Resolution No. 40/2018
Among these provisions are guidelines for the entity to: ensure that its databases are registered with AAPI; identify ways in which the data was collected; delete the data when it is no longer needed for the purpose for which it was collected; adopt the necessary methods to guarantee the data’s security and confidentiality and a procedure to notify the AAPI in the case of a data breach which is likely to pose a significant risk to the data subjects; allow for the direct transfer of data to other public entities or third parties under certain circumstances; designate a data protection officer; and only process sensitive data in the case of a legal mandate as per a general interest.
Resolution 40 also recommends that national public agencies (i) adopt a personal data protection policy, which should be updated and communicated through each organization’s usual channels of communication, and (ii) designate an employee as its personal data protection officer, who will be tasked with the internal implementation of and compliance with the personal data protection policy.
This article is a brief comment on legal news in Argentina; it does not purport to be an exhaustive analysis or to provide legal advice.