December 14 1999 Regulation on Technical Security Measures for Personal Data Gomez-Acebo & Pombo Abogados | Tech, Data, Telecoms & Media - Spain Tech, Data, Telecoms & Media Introduction Security Levels Basic Level Security Requirements Middle Level Security Requirements High Level Security Requirements Timetable Conclusions Introduction There has always been a duty to keep personal data secure in Spain. The recently published Regulation on Technical Security Measures for Automated Files Containing Personal Data now requires many public and private bodies operating in Spain to implement new technical and organizational security measures as a matter of urgency that will protect personal data.The regulation classifies personal data into three levels of sensitivity and provides minimum security requirements for each. It will be normal for many organizations to have data which fall into each of the categories. It is then up to the data holder to decide whether he wishes to introduce protection of a higher level for any category of data.The security of personal data is unlikely to be a distinct issue from the general security of a computer system. The adoption of security measures should therefore also be considered in this wider context.Security Levels Three levels of security - basic, middle and high - are used to classify data. Classification depends on the degree to which the confidentiality and integrity of the information needs to be guaranteed.All databases containing personal data must adopt at least basic level security measures. Databases containing data relating to administrative or criminal matters, taxation or financial services must also meet the requirements of middle level security. Databases containing data relating to ideology, religion, belief, racial origin, health or sex life, or which have been obtained for police matters without the consent of the person concerned, must also meet the requirements of high level security.Where databases contain a combination of personal data that enables an evaluation of the personality of the individual to be made, the requirements of at least middle level security must be met. Temporary databases must comply with the requirements of the level of security relevant to the type of data and must be deleted when no longer required.Basic Level Security RequirementsThe person responsible for the database must prepare a security document and provide this to the people with access to the data. As a minimum, the document must contain: the scope of application of the document; the means to be implemented to ensure the level of security is attained; the obligations of personnel; a description of the data and systems; an incident procedure; and a procedure for making back-up copies and their retrieval.A procedure for ensuring users are identified and authorized must be in place. Users must only have access to necessary data. Backup copies must be made at least once a week (unless the data is not updated during this period) and must allow the reconstruction of the database if it is lost or destroyed.Middle Level Security RequirementsIn addition to the requirements for basic level security, where a database contains middle level data, the security document must identify the person responsible for implementing the security measures. The data processing systems must be audited at least once every two years to verify compliance with the regulation and the audit report must be available to the Data Protection Agency.The mechanism for identifying and authorizing access of the user to the database must be personal. The ability to make repeated unauthorized attempts to access the data should be eliminated. Physical access to the places where systems containing personal data are located should also be restricted to those who are authorized to access the data.Tests before implementation of computer systems containing personal data may not be carried out using real data except where the correct level of security has been assured.High Level Security RequirementsEach time such data is accessed, as a minimum, records must be kept of the identity of the user, the date and time of access, the database accessed and by what means and whether access was authorized or denied. If access is authorized, a record must be kept of the data accessed. These records must be kept for a minimum of two years.A backup copy of the data and procedure for its retrieval must be kept in a different location to the systems containing the data. Where data is transmitted along communications networks the data must be protected by means of encryption or otherwise so as to prevent use by third parties.TimetableSix months are given (December 26 1999) for the implementation of basic level security measures to systems already in existence at the time of the regulation coming into force. For medium and high level security measures, the time-limits are one and two years respecively. New systems or data files that are subsequently created and registered at the Data Protection Registry must incorporate the necessary security from the beginning. Some commentators have criticised the implementation date for basic level data, which coincides with the end of the year and potential Year 2000 problems. Others have commented that the time periods for middle and high level data are much too long.ConclusionsThe requirements of the regulation must become part of the routine of all kinds of organizations. In particular, this may be a very important time for those specialized in IT security, control and audit. This regulation may also be important to Data Protection Agency who may use it to undertake systematic control of security measures applied by every business.For further information on this topic please contact Beatriz Satrustegui at Gomez-Acebo & Pombo by telephone (+34 91 582 91 00) or by fax (+34 91 582 91 21) or by e-mail ([email protected])The materials contained on this web site are for general information purposes only and are subject to the disclaimer.