August 2, 2018
The Agency of Access to Public Information issued a new regulation establishing recommendations for the security of personal data.
On July 25, 2018, Agency of Access to Public Information (the “Agency”) Resolution No. 47/2018, which deals with the security of personal data (“Resolution 47/2018”), was published in the Official Gazette.
Resolution 47/2018 repealed Resolutions Nos. 11/2006 and 9/2008, which established mandatory security measures to be implemented by data controllers and data processors, and established three security levels (basic, medium and critical) depending on the characteristics of the databases (for further information on these regulations see Processing and Storage of Personal Data and Personal Data Protection - Security Measures).
Resolution 47/2018 brings a new approach by way of approving two sets of recommended security measures for the processing and conservation of personal data. Annex I includes recommendations in connection with personal data stored by electronic means, while Annex II includes recommendations that apply when the personal data is not stored by electronic means. The recommendations aim to ensure the continuous improvement of the administration, planning and control of information security.
In particular, Annex I includes recommendations regarding a) the collection of data; b) control of access to data; c) control of modifications; d) backup and recovery; e) vulnerability management; f) information destruction; g) security incidents; and h) development environment.
On the other hand, Annex II includes recommendations regarding a) the collection of data; b) control of access to data; c) information conservation; d) information destruction; and e) security incidents.
Furthermore, some of the recommendations also include additional guidelines regarding the processing of sensitive personal data.
Resolution 47/2018 entails a change in the approach towards personal data security. While the prior regulations provided for mandatory security measures, Resolution 47/2018 establishes a set of recommendations that can be adopted or replaced by other more effective measures based on the practices and circumstances of the processing of personal data. This is consistent with the principle of accountability, which the Agency introduced in other recent regulations and which is in line with both the European General Data Protection Regulation (GDPR) and the Argentine draft bill aimed at replacing the current Argentine Data Protection Law No. 25,326.
This article is a brief comment on legal news in Argentina; it does not purport to be an exhaustive analysis or to provide legal advice.