On the basis of article. 39A of the Act of 29 August 1997 on the protection of personal data (Journal of laws of 2002, No 101, item 926. and no 153, item 1271 and 2004 No. 25, item 219 and # 33, item 285) are managed as follows: § 1. The regulation defines: 1) the conduct and scope of documentation describing how the processing of personal data and the technical and organisational measures to ensure the protection of the processed personal data relevant to the risks and categories of data subject-matter;
2) basic technical and organizational conditions, which should correspond to the device and it systems for the processing of personal data;
3) requirements for the recording of personal data sharing and security of processing of personal data.
§ 2. Whenever a regulation is talking about: 1) Act-shall mean the Act of 29 August 1997 on the protection of personal data, hereinafter referred to as "the Act";
2) user ID is to be understood by a string of letters, or other uniquely identifying the person authorized to the processing of personal data in the information system;
3) password-shall mean a string of letters, digital or other, known only to the person entitled to work in the information system;
4) telecommunications network-shall mean a telecommunications network within the meaning of article 3. 2 paragraph 23 of the Act of 21 July 2000-telecommunication law (Journal of laws No. 73, item 852, as amended. 2)) 5) public network-shall mean a public network within the meaning of article 3. 2 section 22 of the Act of 21 July 2000-telecommunication law;
6) tele-transmission-means the transmission of information through a telecommunications network;
7) accountability – it is understood by this property to ensure that the activities of an entity can be assigned clearly only the entity;
8) data integrity – it is understood by this property to ensure that the personal data has not been altered or destroyed in an unauthorized manner;
9) report-means prepared by the information system statement of the scope and content of the data being processed;
10) the confidentiality of the data – it is understood by this property to ensure that the data are not made available to unauthorized parties;
11) authentication – it is understood by this activity, whose purpose is to review declared the identity of the entity.
§ 3. 1. The documentation referred to in § 1, paragraph 1, is composed of security policy and user management information system for the processing of personal data, hereinafter referred to as the "instructions".
2. The documentation referred to in § 1, paragraph 1, shall be in writing.
3. The documentation referred to in § 1, paragraph 1, implements a data administrator.
§ 4. Security policy referred to in § 3. 1, shall in particular: 1) a list of the buildings, premises or part of premises, forming the area where personal data are processed;
2) list of collections of personal data, together with an indication of the programs applied to the processing of such data;
3) a description of the structure of the data indicating the contents of the individual information fields and the links between them;
4) the flow of data between different systems;
5) specify the technical and organisational measures necessary to ensure the confidentiality, integrity and accountability of the processed data.
§ 5. The statement referred to in § 3. 1, shall in particular: 1) the procedure for granting permissions to process the data and logging these permissions in the information system and identification of the person responsible for these acts;
2) methods and authentication measures and procedures related to their management and use;
3) start procedure, suspension and termination of service for users of the system;
4) procedures for backing up data and programs and software tools for their processing;
5) the manner, place and period of storage: a) electronic storage media containing personal data, b) backups, referred to in paragraph 4, 6) way to secure information system before the software activities referred to in point (III) of point 1 of the annex to the regulation;
7) the requirements referred to in § 7 para. 1 paragraph 4;
8) the procedures for the exercise of inspection and maintenance systems and media used for data processing.
§ 6. 1. Having regard to the categories of data processed and introduced the security level of the processing of personal data in the information system: 1) basic;
2. Level of at least a base is used when: 1) in the information system are not processed, the data as referred to in art. 27 of the Act, and 2) none of the devices it system, to the processing of personal data is not connected to the public network.
3. the level of the least promoted apply where: 1) in the information system of the processed personal data referred to in article 1. 27 of the Act, and 2) none of the devices it system, to the processing of personal data is not connected to the public network.
4. High level applies when at least one of the information system for the processing of personal data, is connected to a public network.
5. a description of the security measures used at the levels referred to in paragraph 1. 1, set out in the annex to the regulation.
§ 7. 1. To any person whose personal data are processed in the information system, with the exception of the systems to the processing of personal data limited to only edit the text to make it in writing-this system provides recording: 1) the date of first entry into the system;
2) user ID introducing personal data to the system, unless access to the computer system and processed data has only one person;
3) data source, in the case of data collection, not from the person concerned;
4) information on the recipients within the meaning of article 2. 7 paragraph 6 of the law, which the personal data have been provided, the date and the scope of this provision, except that the information system is used to process the data contained in the collections of the explicit;
5) the opposition referred to in article 2. 32 paragraph 1. 1 section 8 of the Act.
2. Record the information referred to in paragraph 1. 1 paragraphs 1 and 2, followed by the automatically after approval by the user input operations.
3. To any person whose personal data are processed in the information system, the system provides for drawing up and printing a report that contains in an intelligible form the information referred to in paragraph 1. 1.4. In the case of the processing of personal data, in at least two information systems, the requirements referred to in paragraph 1. 1 paragraph 4, can be implemented in one of them or in a separate computer system designed for this purpose.
§ 8. The information system used to process data that has been authorised by the competent service of the protection of the country for processing classified information, after obtaining the certificate issued on the basis of the provisions of the Act of 22 January 1999 on the protection of classified information (Journal of laws No. 11, item 95, as amended. 3)) meets the requirements of this regulation in terms of high level security.
§ 9. The administrator of the processed on the date of entry into force of this regulation, of personal data is required to adjust the it systems for the processing of such data to the requirements specified in § 7 and annex to regulation within 6 months from the date of entry into force of this regulation.
§ 10. Regulation shall enter into force on the day of the Republic of Poland Union membership Europejskiej4).
The Minister of Internal Affairs and administration: with t. Matusiak 1) the Minister of Internal Affairs and administration directs Government Administration Department – public administration, pursuant to § 1 paragraph 1. 2 paragraph 1 of the regulation President of the Council of Ministers of 14 March 2002 on the detailed scope of the Minister of Internal Affairs and Administration (Journal of laws No. 35, item 325 and No. 58, item. 533).
2) amendments referred to the Act were announced in the journal of laws of 2001, no. 122, item. 1321 and # 154, poz. 1800 and 1802, 2002 No. 25, item. 253, no. 74, item. 676 and No 166, item. 1360 and 2003 No 50, poz. 424, no. 113, item. 1070, Nr 130, poz. 1188 and # 170, item. 1652.3) a change in the said Act were announced in the journal of laws of 2000 No. 12, item. 136 and # 39, item. 462, 2001 No. 22, item. 247, no. 27, item. 298, no. 56, item. 580, no. 110, item. 1189, Nr 123, poz. 1353, # 154. 1800, 2002 No. 74, item. 676, no. 89, item. 804 and No 153, item. 1271, 2003 No. 17, item. 155 and from 2004, No 29, item. 257.
4), this regulation was preceded by a regulation of the Minister of Internal Affairs and administration of 3 June 1998 on the determination of the basic technical and organizational conditions, which should correspond to the device and it systems for the processing of personal data (Journal of laws No. 80, item 521 and 2001 No 121, item 1306), which loses power on the date of entry into force of the Act of 22 January 2004 amending the Act on the protection of personal data and the law on salaries of those involved in managerial the position of the State (Journal of laws No. 33, item. 285).
The annex to regulation the Minister of Internal Affairs and administration of the Council of 29 April 2004 (1024)