THE GOVERNMENT OF THE REPUBLIC OF CROATIA

Transcription

1 THE GOVERNMENT OF THE REPUBLIC OF CROATIA 2433 Pursuant to Article 8, paragraph 4 of the Act on the Protection of Personal Data (Official Gazette, No. 103/2003) and subject to the prior opinion of the Agency for the Protection of Personal Data, at its session held on 30 June 2004 the Government of the Republic of Croatia passed the following REGULATION ON THE PROCEDURE FOR STORAGE AND SPECIAL MEASURES RELATING TO THE TECHNICAL PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA I. GENERAL PROVISIONS Article 1 This Regulation lays down measures, tools and conditions for the storage, safety and protection and for the transfer of special categories of personal data and the corresponding data filing systems; measures for the maintenance and control of correct functioning of the computer and telecommunication equipment and of the software of the system for the maintenance ("system") of filing systems containing special categories of personal data; provision of working premises for such equipment; persons authorised for the implementation of anticipated measures, and persons competent for the supervision of their implementation. The provisions of this Regulation shall also apply to filing systems containing special categories of personal data that are processed manually. Article 2 For the purposes of this Regulation, the following definitions shall apply: 1. System for the personal data filing system maintenance is any system consisting of the computer, telecommunication and control equipment and of the corresponding software, as well as consisting of all personal data that are entered, stored and transferred by this system. 2. Computer for the filing system maintenance is any computer with the installed control equipment and software of the system for the personal data filing system maintenance. 3. Central computer of the filing system is any computer with the installed control and software equipment for the processing and storage of personal data filing system. 4. Developing computer is any computer with the installed control equipment and software under development, the equipment that is being checked and the equipment that is completely identical to the equipment installed in the computer for the personal data filing system maintenance. 5. Administrator of the personal data filing system is any person authorised to take care of personal data filing systems and all aspects of data safety and storage. 6. Network administrator is any person authorised to take care of telecommunication equipment, access paths, network, modem and other connections between computer systems. 7. Control system administrator is any person authorised to take care of the installation and correct functioning of the control system and other control software.

2 8. The uninterruptible power supply device is the device that enables the undisturbed use of the computer and other equipment through a specified short period of time in the event of power failure so that the ongoing activities can be completed without any threat related to the completeness of information being processed and that the computer and other equipment can be turned off during that time. 9. The system data storage is the procedure for storage of the backup copy in the event of data loss, damage or destruction. 10. The restoring of stored data is the procedure for restoring the data from the backup copy to their previous status after loss, damage or destruction. The restored set of data has to comply with its latest status and no data can be lost. 11. The resetting of the computer system is the set of procedures for resetting the computer system and all initiated activities to their latest compliant status. 12. The restarting of the system is the set of procedures for restarting the computer system after any unusual stoppage. II. SAFETY MEASURES Connection of computers and other system components Article 3 The connection of computers, telecommunication equipment and other system components to the mains shall be carried out in accordance with the instructions of equipment manufacturer and in line with valid technical standards. Obligatory use of the uninterruptible power supply device Article 4 The computers for the personal data filing system maintenance and the central computers of filing systems shall be connected to the mains via the uninterruptible power supply devices. Modem connections for system access Article 5 Modem connections and their numbers, which are used for access to the system storing the filing systems with special categories of personal data, shall not be published in telephone directories and shall not be available via the services providing information about telephone numbers. Positioning, placing and installation of computers and computer network Article 6 In accordance with the project documentation, the computers for the personal data filing system maintenance, central computers of filing systems and computer network shall be positioned, placed and installed by the qualified person subject to the approval of the head of the personal data filing system and compliant with valid standards and technical instructions. One copy of project documentation from paragraph 1 of this Article shall be kept at a safe place in both the office of the head of the personal data filing system and of the processor, if any, and it shall be made available for review to the Agency for the Protection of Personal Data. Mechanisms for the protection of special categories of personal data Article 7 The computer for the maintenance of filing systems containing special categories of personal data and the central computer shall have: the mechanism for security logging with the possibility of storing the logging data in

3 order to monitor and limit the computer access; the mechanism for the prevention of unauthorised data export and import by applying the devices with removable storage, communication connections and connections for data printout; the mechanism for the protection from computer viruses and other harmful software; the mechanism for cryptologic protection of special categories of personal data on devices with removable storage and during the transfer of such data by IT and telecommunication systems. Access to the rooms with computers and telecommunication equipment Article 8 Computers and telecommunication equipment shall be placed and installed in specially protected rooms as defined by the project documentation. The access to the rooms with the central computers of the personal data filing system or the computers for the personal data filing system maintenance shall be allowed only to the authorised staff having a special access permit. The head of the personal data filing system or processor, subject to the heads approval, shall appoint the authorised persons who can enter the rooms from paragraph 2 of this Article. The rooms from paragraph 2 of this Article shall be equipped with a video surveillance system and a two-way system for the control of entry and exit in order to limit and supervise the access and stay in such rooms. Access to system data Article 9 The access to personal data stored in data filing systems shall be allowed only to the head of the personal data filing system or processor's authorised staff ("authorised staff) and to the authorised persons responsible for the maintenance and development of the system for the personal data filing system maintenance ("authorised experts"). The head of the personal data filing system shall appoint the persons from paragraph 1 of this Article. The processor shall not be entitled to appoint the persons from paragraph 1 of this Article. The request for access or processing and the request for the cancellation of authorised access to personal data filing systems or the request for the cancellation of authorised processing of personal data shall be filed with the head of the personal data filing system, who shall either grant or revoke the access permit. Access to the telecommunication, computer and software system Article 10 The access to the telecommunication, computer and software system for the maintenance of personal data filing systems or for data processing shall be allowed subject to the use of appropriate user names and the corresponding passwords. Obligatory use of unique user names and passwords for system access Article 11 The access to data stored in personal data filing systems shall be allowed by the allocation of the unique user name and password. The cancelled user name cannot be allocated to another person. The user name and the password must not be disclosed and given to another person for use. Article 12

4 The procedure for the allocation and the obligation to change the password shall be laid down by the head of the personal data filing system. Records, access monitoring and attempts of unauthorised system access Article 13 Any access to the telecommunication and computer system for the maintenance of personal data filing systems shall be automatically recorded, indicating the user name, date and the log in and log out times. Any attempt of unauthorised system access shall be automatically recorded, indicating the user name, date and time, and, if possible, the place from which such access was attempted. The processor, the network administrator, the computer administrator and the administrator of the personal data filing system shall notify the head of the personal data filing system of any attempt of unauthorised system access. Fire protection Article 14 The computer and telecommunication equipment shall be placed in the rooms with fire detectors and automatic fire alarms. The rooms housing the equipment from paragraph 1 of this Article shall have the automatic fire extinguishers (based on halons, etc.), and in the vicinity, i.e. in front of these rooms and in the rooms themselves, the written fire fighting procedures shall be placed at visible and easily noticeable points. Protection from electrical and magnetic fields Article 15 No sources of strong electrical or magnetic field shall be placed in the vicinity of the computer and telecommunication equipment. Protection from ionising radiation Article 16 No sources of ionising radiation shall be placed in the vicinity of the computer and telecommunication equipment. Protection from electrostatic electricity Article 17 No sources of electrostatic electricity shall be placed in the vicinity of the computer and telecommunication equipment. Protection from humidity, cold and heat Article 18 The relative humidity between 20% and 80% and the temperature between 5 and 30 C shall be maintained in the rooms with the computer and telecommunication equipment. Protection from corrosive and volatile liquids, explosives and similar substances Article 19 No corrosive and volatile liquids, explosives and similar dangerous or harmful substances shall be placed in the rooms and in the vicinity of rooms with the system equipment. Protection from dust Article 20

5 No equipment releasing dust particles shall be placed in the rooms with computers. The dust sensitive instruments shall be adequately protected. The particularly sensitive air-cooled equipment air shall have air filters. When not in use and if this is allowed by technical instructions, the instruments can be protected with dust bags. Safety measures in the event of earthquake or other natural disasters, war and imminent threat of war Article 21 In the event of earthquake and other natural disasters, war and imminent threat of war, the head of the personal data filing system shall arrange the transfer of the computercommunication equipment to a safe place. The obligation of data storage Article 22 The head of the personal data filing system shall store all special categories of personal data on devices with removable storage that guarantee the safety and confidentiality of stored personal data. The administrators of personal data filing systems shall be responsible for the implementation of measures relating to the storage of system data on devices with removable storage. Daily, weekly, monthly and annual data storage Article 23 The filing systems with special categories of personal data shall be stored on devices with removable storage on daily, weekly, monthly and annual bases, as well as upon the completion of all assignments relating to the maintenance of the personal data filing system, for the purpose of the filing system renewal in the event of fire, flood, earthquake or any other force majeure. The number of daily copies for the storage of system data shall comply with the number of working days in the week. The weekly storage of system data shall be carried out on the last working day of the week after the completed daily storage of data. The number of weekly copies for the storage of system data shall comply with the number of the last working days in the week of that month (4 or 5). The monthly storage of system data shall be carried out on the last working day in the month, for each month separately, in 12 copies per year. The annual storage of system data shall be carried out on the last working day in the year. Each copy of data stored annually shall be kept in the period defined by special regulations. The oldest copy of the device with removable storage for daily, weekly and monthly storage of data shall be used during the first next daily, weekly or monthly data storage. Each copy of data stored on a device with removable storage shall be identified with a number, type (daily, weekly, monthly, annually), date of storage and name of the person who stored the data. The head of the personal data filing system shall keep the records of all copies of devices with removable storage containing the filing systems with special categories of personal data. The reproduction of devices with removable storage containing the filing systems with special categories of personal data shall be subject to the head of the personal data filing system supervision and approval. Authorisation for data storage

6 Article 24 The head of the personal data filing system or the processor shall nominate the person authorised for the storage of data on devices with removable storage. Distance for data storage Article 25 The system data stored on devices with removable storage on a daily basis shall be kept in the safe in the head of the personal data filing system office. The system data stored on devices with removable storage shall be kept in a safe place at least 20 km far from the building housing the personal data filing system. The system data stored on devices with removable storage on monthly and annual bases shall be kept in a safe place at least 50 km far from the building housing the personal data filing system. Place and equipment for storage of backup copies Article 26 The place for the storage of system data on devices with removable storage shall be protected from natural disasters. Devices with removable storage containing personal data filing systems shall be placed in a water- and fire-resistant safe. Transfer of devices with data filing systems Article 27 The water- and fire-resistant and password-protected safes shall be used for the transfer of devices containing the filing systems with special categories of personal data. Control of functioning of backup copies Article 28 The usability of the annual backup copy of personal data filing system shall be checked at least once a year along with the check of the procedure for restoring the filing systems stored on devices with removable storage so that the restored data are completely available and that no information is lost after the performed control. The usability of the monthly backup copy of filing systems containing special categories of personal data shall be checked at least semi-annually subject to the same conditions as those given in paragraph 1 of this Article. Time intervals for device quality control Article 29 The filing systems containing special categories of personal data stored annually on devices with removable storage shall be renewed after the expiry of a half of the guaranteed period of record duration on that particular type of medium. Persons responsible for the implementation of safety measures and for the storage and protection of filing systems containing special categories of personal data Article 30 The administrator of personal data filing systems shall be responsible for the adequate implementation of safety measures and for the storage and protection of personal data. Persons authorised for the production of backup copies and data restoring Article 31 The head of the personal data filing system or the processor shall appoint persons

7 authorised for the production of backup copies and for restoring the personal data filing systems. Persons authorised for import and export of devices with removable storage containing filing systems with special categories of personal data Article 32 The head of the personal data filing system shall appoint the persons authorised to export the system data stored on devices with removable storage from the rooms of the head of the personal data filing system or the processor for their storing in a distant safe place and their return to the rooms of the head of the personal data filing system or the processor. Persons authorised for the allocation of user names and passwords Article 33 The head of the personal data filing system shall appoint the persons authorised for the allocation and cancellation of user names and for the allocation of initial passwords to the persons authorised to work in the system and to access the personal data filing systems. Cryptologic protection of special categories of personal data in the transfer by IT and telecommunication systems Article 34 The head of the personal data filing system shall establish the system for the cryptologic protection of personal data during their transfer via IT and telecommunication systems to other authorised users. Verification of data transferred by IT and telecommunication systems Article 35 The excerpts from the filing systems containing special categories of personal data that are transferred via the telecommunication equipment to authorised persons shall have the cryptologic protection and they shall be verified by electronic signature, based on which the recipient can check the authenticity of the received excerpt. Control of authenticity of data transferred from the filing systems containing special categories of personal data Article 36 The recipients of excerpts from the filing systems containing special categories of personal data shall check the authenticity of the received excerpt by applying the sender's public key. The recipient shall forthwith notify the head of the personal data filing system about the received excerpts that are not accompanied with the certificate of authenticity. Weekly, monthly and annual check of system functionality Article 37 The head of the personal data filing system shall check the functionality of all system components on weekly, monthly and annual bases. Control of determined measures, procedures and persons authorised for system safety, storage and protection Article 38 Measures, procedures and staff authorised for system safety, storage and protection shall be defined, implemented and controlled in accordance with the plan adopted by the head of the personal data filing system in line with the respective international recommendations (ISO

8 17799). Maintenance and repair of system equipment Article 39 The computer and telecommunication equipment shall be maintained and repaired by the person stipulated in the contract on equipment purchasing or other relevant contract. The system software shall be maintained and replaced by the authorised expert. Article 40 The implementation of this Regulation shall be supervised by the Agency on the Protection of Personal Data. III. TRANSITIONAL AND FINAL PROVISIONS Harmonisation with the provisions of the Regulation Article 41 The head of the personal data filing systems and processors shall approximate the measures, tools and conditions for the safety, storage and protection of data with the provisions of this Regulation within six months of its coming into force. Coming into force Article 42 This Regulation shall come into force on the eighth day of its publication in the Official Gazette. Classification: /04-01/02 Number: Zagreb, 30 September 2004 Prime Minister Ivo Sanader, Ph.D., m.p.