October 12, 2006
On September 22, 2006 the Argentine Authority for Personal Data Protection (“DPDP”) enacted Executive Order No 11/2006 (the “Executive Order”), which establishes the security measures for the processing and storage of personal data in private and non-governmental databases.
The Executive Order regulates Section 9 of the Law No 25,326 on Personal Data Protection, which established an obligation upon owners of databases to adopt the technical and internal measures necessary to guarantee the security and confidentiality of personal data. Such measures must be taken to avoid data manipulation, loss or non-authorized access, and to allow the detection of misuse of information. In this regard, Law No 25,326 forbade the storage of personal data in unsafe databases.
The Executive Order establishes three security levels:
(i) basic, for databases which contain personal data; when the databases contain personal data from which it may be possible to ascertain someone’s personality or behavior, the basic measures must comply with certain measures relating to the medium security level;
(ii) medium, for databases owned by companies which render public services, as well as for databases owned by public and private entities which must observe duties of secrecy of the information imposed by legal order (i.e.: banking secrecy);
(iii) critical, for databases which store “sensitive” personal data, except for databases that have to process sensitive personal data for administrative purposes or by legal order; nevertheless, such databases have to implement those security measures that would be necessary and appropriate for the kind of data stored or processed.
Every security level must comply with its own stipulated security measures as well as the measures of the previous lower level.
As from the enactment date, the Executive Order sets different terms for the implementation of each security level:
(i) 12 months for the basic security measures;
(ii) 24 months for the medium security measures; and
(iii) 36 months for the critical security measures.
The terms may be extended only at the request of any interested party, which has to be properly founded.
The basic security level databases must have a Personal Data Security Document. This document must specify, among other things, the procedures and security measures that have to be complied with by the database.
The medium security level databases must carry out internal or external audits to verify due compliance with the personal data security measures and instructions in force.
Furthermore, they must provide an access and exit registry, as well as measures to avoid any recovery of information subsequent to the disposal or reutilization of an informatics medium or when that medium will be destroyed, or when the information is sent outside the premises where it is stored.
They also have to establish control over physical access to the premises where the information systems containing personal data are located.
The critical security level databases have to, among other duties, encode the personal data when the informatics medium containing such data is distributed, in order to guarantee that it cannot be read or manipulated during transportation, or when it is transmitted through communication networks.
It is also necessary to set up an access registry, which must identify the accessing user, the access date and time, the type of access and whether the access was authorized or denied.
Lastly, they must implement a system for external backup copies, located outside the database premises, in fireproof and gasproof boxes or in a bank safe, which have to be located at a safe distance from the database premises. They must also arrange a recovery procedure for the information and its processing to be available in an emergency situation that may render the normal processing equipment inoperative.
This article is a brief comment on legal news in Argentina; it does not purport to be an exhaustive analysis or to provide legal advice.