INFORMATION SECURITY ADMINISTRATOR
S I
As of 1st January 2015 a significant change has been introduced to the regulations of the act on personal data protection of 29th August 1997
(“The Act”). The aforementioned amendment is the result of the coming-
into-effect of the act of 7th November 2014 on the facilitation of business activity.
Dominik Sęczkowski Legal Trainee at in The Law Firm "Chudzik i Wspólnicy Radcowie Prawni” sp.p. www.chudzik.pl
T
he adopted changes pertain first and foremost to whichever entity is responsible for the internal supervision and control over the adherence to regulations on personal data protection within a given business unit – i.e. the Information Security Administrator (referred to as “ISA”). The amendment discussed in this text makes the status of the ISA more specific as well as further specifying its obligations. The goal of this article is a synthetic overview of the systemic position of the ISA as well as its obligations as they pertain to the amended regulations.
ISA status and position
In the previous legal status, the regulations discussing the ISA and its range of influence were extremely vague. The now-dismissed article 36 section 3 of the Act stated that “the data administrator appoints an ISA who supervises the adherence to personal data protection regulations unless he himself performs these activities.” Currently, the regulations specifying the manner of appointing an ISA by the data administrator have been vastly expanded, as well as those on what is required from an ISA candidate and his or her position within the organization where personal data is processed.
46
Currently, the appointment of an ISA is a privilege of the administrator. This conclusion is indisputably made based on the contents of article 36a section 1 of the Act, in accordance with which “the data administrator may appoint an information security administrator”. The elective manner of appointing the ISA has been highlighted by the legislator by means of specifying the consequences of his non-appointment – pursuant to article 36b of the Act, whenever an ISA has not been
appointed it is the data administrator who serves this function.
The appointment of an ISA or lack thereof depends solely on the data administrator’s will. However, the matter of whether an ISA should be appointed within a given business unit which processes personal data or not, depends in reality on the scale of processing such personal information as well as on the number of processes connected with it. It is generally assumed that the appointment of an ISA is beneficial to the data administrator and lies within his best interest. As a result, the data administrator may not only delegate a number of obligations onto the ISA but also the liability connected with those obligations (the civil liability as well as potential penal consequences).
A symptomatic legislative novelty is exact specification made by the legislator of the requirements which must be met by any ISA candidate. In accordance with article 36a section 5 of the Act, an ISA candidate must meet the following requirements: 1. have full capability of perming legal actions and hold all public rights, 2. possess the necessary knowledge in terms of personal data protection,
3. must not have been convicted of a deliberate crime.
Undoubtedly the requirements specified in points 1) and 3) are conclusive and raise no doubts as to their interpretation; however, the requirement of having to possess knowledge on personal data protection
OUTSOURCING&MORE | wrzesień-październik 2015