Regulation Of The Minister Of Internal Affairs And Administration Of 29 April 2004 On The Documentation Of The Processing Of Personal Data And The Technical And Organizational Conditions, Which Should Correspond To The Devices And Information Systems F...

Original Language Title: ROZPORZĄDZENIE MINISTRA SPRAW WEWNĘTRZNYCH I ADMINISTRACJI z dnia 29 kwietnia 2004 r. w sprawie dokumentacji przetwarzania danych osobowych oraz warunków technicznych i organizacyjnych, jakim powinny odpowiadać urządzenia i systemy informatyczne służące d

REGULATION OF THE MINISTER OF INTERNAL AFFAIRS AND ADMINISTRATION 1)

of 29 April 2004

on the documentation of the processing of personal data and the technical and organisational conditions to which the devices and information systems used for the processing of personal data should correspond

Pursuant to Article 39a of the Act of 29 August 1997 on the protection of personal data (Dz. U. of 2002 No. 101, item 926 and No. 153, item 1271, and of 2004 No. 25, item 219 and No. 33, item 285), the following is ordered:

§ 1. The Regulation specifies:

1) the manner of keeping, and the scope of, the documentation describing how personal data are processed and the technical and organisational measures ensuring protection of the processed personal data appropriate to the threats and to the categories of data covered by protection;

2) the basic technical and organisational conditions to which the devices and IT systems used for processing personal data should correspond;

3) the requirements for recording the disclosure of personal data and for the security of the processing of personal data.

§ 2. Whenever the Regulation refers to:

1) the Act, this is understood to mean the Act of 29 August 1997 on the protection of personal data, hereinafter referred to as "the Act";

2) a user identifier, this is understood to mean a string of letters, digits or other characters that uniquely identifies the person authorised to process personal data in the IT system;

3) a password, this is understood to mean a string of letters, digits or other characters known only to the person authorised to work in the IT system;

4) a telecommunications network, this is understood to mean a telecommunications network within the meaning of Article 2 point 23 of the Act of 21 July 2000 - Telecommunications Law (Dz. U. No. 73, item 852, as amended 2));

5) a public network, this is understood to mean a public network within the meaning of Article 2 point 22 of the Act of 21 July 2000 - Telecommunications Law;

6) teletransmission, this is understood to mean the transmission of information over a telecommunications network;

7) accountability, this is understood to mean a property ensuring that the actions of an entity can be attributed unambiguously to that entity alone;

8) data integrity, this is understood to mean a property ensuring that personal data have not been altered or destroyed in an unauthorised manner;

9) a report, this is understood to mean a statement, prepared by the IT system, of the scope and content of the data processed;

10) data confidentiality, this is understood to mean a property ensuring that data are not made available to unauthorised entities;

11) authentication, this is understood to mean an action whose purpose is to verify the declared identity of an entity.

§ 3. 1. The documentation referred to in § 1 point 1 consists of a security policy and an instruction for managing the IT system used for processing personal data, hereinafter referred to as "the instruction".

2. The documentation referred to in § 1 point 1 shall be kept in writing.

3. The documentation referred to in § 1 point 1 shall be implemented by the data controller.

§ 4. The security policy referred to in § 3 paragraph 1 shall include in particular:

1) a list of the buildings, premises or parts of premises forming the area in which personal data are processed;

2) a list of the personal data sets, together with an indication of the programs used to process those data;

3) a description of the structure of the data sets, indicating the content of the individual information fields and the relationships between them;

4) the manner in which data flow between the individual systems;

5) a specification of the technical and organisational measures necessary to ensure the confidentiality, integrity and accountability of the processed data.

§ 5. The instruction referred to in § 3 paragraph 1 shall include in particular:

1) procedures for granting authorisations to process data and for registering those authorisations in the IT system, together with an indication of the person responsible for those activities;

2) the methods and means of authentication used, and the procedures related to their management and use;

3) procedures for starting, suspending and finishing work, intended for users of the system;

4) procedures for making backup copies of the data sets and of the programs and programming tools used to process them;

5) the manner, place and period of storage of:

a) electronic information media containing personal data,

b) the backup copies referred to in point 4;

6) the manner of securing the IT system against the activity of the software referred to in point III subpoint 1 of the Annex to the Regulation;

7) the manner of implementing the requirements referred to in § 7 paragraph 1 point 4;

8) procedures for carrying out reviews and maintenance of the systems and of the information media used to process the data.

§ 6. 1. Taking into account the categories of data processed and the threats, the following security levels for the processing of personal data in an IT system are introduced:

1) basic;

2) increased;

3) high.

2. At least the basic level shall be applied where:

1) the data referred to in Article 27 of the Act are not processed in the IT system, and

2) none of the devices of the IT system used for processing personal data is connected to a public network.

3. At least the increased level shall be applied where:

1) the personal data referred to in Article 27 of the Act are processed in the IT system, and

2) none of the devices of the IT system used for processing personal data is connected to a public network.

4. The high level shall be applied where at least one device of the IT system used for processing personal data is connected to a public network.

5. The security measures applied at the levels referred to in paragraph 1 are described in the Annex to the Regulation.

§ 7. 1. For every person whose personal data are processed in an IT system, with the exception of systems used for processing personal data limited solely to editing text for the purpose of making it available in writing, the system shall ensure the recording of:

1) the date of the first entry of the data into the system;

2) the identifier of the user entering the personal data into the system, unless only one person has access to the IT system and to the data processed in it;

3) the source of the data, where the data are not collected from the person they concern;

4) information on the recipients, within the meaning of Article 7 point 6 of the Act, to whom the personal data have been made available, together with the date and scope of that disclosure, unless the IT system is used for processing data contained in publicly available data sets;

5) the objection referred to in Article 32 paragraph 1 point 8 of the Act.

2. The recording of the information referred to in paragraph 1 points 1 and 2 shall take place automatically upon the user's approval of the data entry operation.

3. For every person whose personal data are processed in the IT system, the system shall ensure that a report containing, in a commonly understandable form, the information referred to in paragraph 1 can be prepared and printed.

4. Where personal data are processed in at least two IT systems, the requirements referred to in paragraph 1 point 4 may be implemented in one of them or in a separate IT system intended for that purpose.

§ 8. An IT system used for processing personal data which has been approved by the competent state security service for processing classified information, having obtained a certificate issued under the provisions of the Act of 22 January 1999 on the protection of classified information (Dz. U. No. 11, item 95, as amended 3)), meets the requirements of this Regulation in respect of security at the high level.

§ 9. A data controller processing personal data on the date of entry into force of this Regulation is obliged to adapt the IT systems used to process those data to the requirements set out in § 7 and in the Annex to the Regulation within 6 months from the date of entry into force of this Regulation.

§ 10. The Regulation shall enter into force on the date on which the Republic of Poland obtains membership of the European Union 4).

Minister of Internal Affairs and Administration: (for the Minister) T. Matusiak

1) The Minister of Internal Affairs and Administration directs the government administration department "public administration", pursuant to § 1 paragraph 2 point 1 of the Regulation of the Prime Minister of 14 March 2002 on the detailed scope of activities of the Minister of Internal Affairs and Administration (Dz. U. No. 35, item 325 and No. 58, item 533).

2) Amendments to the said Act were promulgated in Dz. U. of 2001 No. 122, item 1321 and No. 154, items 1800 and 1802; of 2002 No. 25, item 253, No. 74, item 676 and No. 166, item 1360; and of 2003 No. 50, item 424, No. 113, item 1070, No. 130, item 1188 and No. 170, item 1652.

3) Amendments to the said Act were promulgated in Dz. U. of 2000 No. 12, item 136 and No. 39, item 462; of 2001 No. 22, item 247, No. 27, item 298, No. 56, item 580, No. 110, item 1189, No. 123, item 1353 and No. 154, item 1800; of 2002 No. 74, item 676, No. 89, item 804 and No. 153, item 1271; of 2003 No. 17, item 155; and of 2004 No. 29, item 257.

4) This Regulation was preceded by the Regulation of the Minister of Internal Affairs and Administration of 3 June 1998 on the determination of the basic technical and organisational conditions to which the devices and IT systems used for processing personal data should correspond (Dz. U. No. 80, item 521 and of 2001 No. 121, item 1306), which ceases to apply on the date of entry into force of the Act of 22 January 2004 amending the Act on the protection of personal data and the Act on the remuneration of persons holding managerial state positions (Dz. U. No. 33, item 285).

Annex 1.

Annex to the Regulation of the Minister of Internal Affairs and Administration
of 29 April 2004 (item 1024)
