You are here

Argentina

Country:
Survey Answer:

The Data Protection Law states that the data controller and the user of a database containing personal data must adopt the necessary technical and organizational measures to guarantee the protection and confidentiality of the content, in order to prevent any adulteration, loss or unauthorized access or processing.
In addition, under the Data Protection Law it is mandatory for all databases containing personal data to be registered before the Data Protection Authority. However, the registration of databases which do not comply with the abovementioned security requirements is forbidden.
Moreover, DPA Rule No. 11/2006 establishes three different security levels (basic, medium and critical) detailing the mandatory measures that each level must implement according to the nature of the data to be protected.
• Basic security level: The basic security level applies to almost all databases, except those which qualify as medium or critical.
In basic security level databases, Rule No. 11/2006 requires the implementation and update of a data security document which should contain, among others, the following information:
- Functions and obligations of employees.
- Description of the files containing personal data and the systems which store and treat them.
- Description of the control routines.
- Description on the notification, management and response to security incidents.
- Procedures to make back-up copies and to recover data.
- Updated information on authorized users.
- Procedures to identify and authenticate the authorized users.
- Control of access of the users.
- Measures to prevent malicious software.
- Procedures that guarantee the proper management of the database.
• Medium security level: The medium security level corresponds to those databases owned by companies which render public services, as well as those databases owned by public and private entities which must observe duties of confidentiality with regards personal data as imposed by legal provisions (i.e. financial entities must observe banking confidentiality as imposed by financial regulations issued by the Central Bank of Argentina).
In medium security level databases, Rule No. 11/2006 requires the implementation of the measures required for basic level databases, as well as requiring those responsible for the database to:
- Appoint an IT security responsible person or area.
- Perform periodical audits on data security.
- Restrict attempts of access to systems containing information.
- Control the physical access to places where systems are stored.
- Implement a registry of logs to systems containing information.
- Implement required measures to prevent the recovery of information previously erased or deleted.
- Implement a back- up or information recovery procedure.
- Performance tests on systems containing information before its launch cannot be conducted on real files or data unless proper security measures are implemented.
• Critical security level: Critical level includes databases which store sensitive data, which is defined as data revealing racial and ethnic origin, political opinions, religious, philo-sophical or moral beliefs, labor union membership, and information concerning health conditions, or sexual habits or behaviors. However, databases that have to process sen-sitive data for administrative purposes or under a legal mandate are not encompassed by this category.

In critical security level databases, Rule No. 11/2006 requires the implementation of the measures required for basic and medium level databases, as well as:

- Encrypt storing devices containing personal data that need to be transfer.
- Implement a registry of accesses with detailed information about each access and relevant authorizations. The information of the registry shall be kept for three years.
- Keep additional back-ups outside the premises of the company and under strict security measures (i.e. use fireproof boxes).
- Adopt encryption measures or similar requirements when transferring in-formation.

Provided By:
Diego Fernandez: Marval, O´Farrell & Mairal