Data security under Polish data protection law

The ‘security of data within a computer system’ (‘zabezpieczenie danych w systemie informatycznym’) is defined in art. 7(2b) of the Personal Data Protection Act (PDPA) as ‘the implementation and use of appropriate technical and organizational measures to protect data against unauthorized processing’.

The obligation to implement such technical and organizational measures lies with the controller. The controller must also keep documentation describing how the data are processed and which measures have been taken. These measures must be appropriate to the risks and to the category of data being protected, and must in particular ensure protection against:

  • unauthorized disclosure
  • takeover by an unauthorized person
  • processing in violation of the PDPA
  • any change, loss, damage or destruction.

The Regulation 2004 provides the details on:

  • the manner of keeping the personal data documentation
  • the scope of the personal data documentation
  • the technical and organizational conditions to be met by the devices and information systems used for personal data processing
    • these technical and organizational conditions must ensure that the protection is appropriate to the:
      • risks and category of the protected data
      • requirements on keeping a record of data disclosures and on the security of the processed data

The document defining the data security policy should be very specific and should include at least the following elements:

  • Mechanism for sharing information
  • Statement of management’s intent confirming the goals and principles of IT security in relation to business strategy and requirements
  • Structure for setting objectives, including risk assessment and risk management
  • Short explanation of the security policy, essential rules, norms and compliance requirements:
    • Compliance with the law, internal regulations and requirements resulting from contracts
    • Requirements for education, training and security awareness
    • Business continuity management
    • Consequences of breaching the security policy
  • Definitions of general and specific responsibilities for IT security management, including the reporting of IT security incidents
  • Links to documentation complementing the policy, such as more detailed security policies and procedures for individual IT systems

All the rules, norms and principles should be backed by an explanation of why they have been adopted.

Moreover, §4 of the Regulation 2004 specifies further information to be included in the security policy:

  • List of the buildings, rooms or parts of rooms forming the area in which data are processed
  • List of personal data files, with an indication of the programs used to process these data
  • Description of the structure of the data sets, indicating the content of the individual information fields and the links between them
  • Description of how data flow between the individual systems
  • Specification of the technical and organizational measures necessary to ensure confidentiality, integrity and accountability in data processing

The technical and organizational measures are divided in §6 of the Regulation 2004 into three security levels:

  • basic: no sensitive data are processed and none of the IT devices used for processing is connected to a public network
  • elevated: sensitive data are processed, but none of the IT devices used for processing is connected to a public network
  • high: at least one IT device used for processing is connected to a public network

Note that public-network connectivity alone puts a system in the high level, regardless of whether sensitive data are processed. The list of minimum security measures that must be applied at each security level is included in the annex to the Regulation 2004.

In accordance with §3 of the Regulation 2004, the controller is obliged to prepare instructions specifying how the IT system used for data processing is to be managed. The instructions should contain general information about the IT system and the data files, the technical solutions applied, operating procedures and rules of use. The procedures and guidelines included in such instructions should be forwarded to the persons within the organization who are responsible for implementing them, according to their assigned powers and responsibilities.

For more details on data security in IT systems (documentation, basic requirements for IT system functionality, security levels of the IT system and the IT system management instructions), see the commentary available at the Inspector General’s educational portal (in Polish) at: https://edugiodo.giodo.gov.pl/mod/resource/view.php?id=39.