AGENCY FOR ACCESS TO PUBLIC INFORMATION
Resolution 47/2018
RESOL-2018-47-APN-AAIP
City of Buenos Aires, 07/23/2018
SEEN EX-2018-33523527-APN-DNPDP # AAIP, Law No. 25,326, Law No. 27,275, Decree No. 1558 of November 29, 2001, modified by Decree No. 1160 of August 11, 2010, Decree No. 746 of September 25, 2017, Decree No. 899 of November 6, 2017, the Provisions of the NATIONAL DIRECTORATE OF PERSONAL DATA PROTECTION No. 11 of September 22, 2006 and No. 9 of September 3, 2008; and
CONSIDERING:
That by article 19 of Law No. 27,275 the AGENCY OF ACCESS TO PUBLIC INFORMATION was created as an autarkic entity with functional autonomy, within the orbit of the HEAD OF THE CABINET OF MINISTERS.
That by Decree No. 746 of September 25, 2017, Article 19 of the Law on Access to Public Information No. 27,275 was replaced, attributing to the aforementioned Agency the power to act as the Enforcement Authority of the Personal Data Protection Law No. 25,326; likewise, by its article 13, subsection t) was incorporated into article 24 of chapter IV of Law 27,275 on the Right of Access to Public Information, establishing the competence of “Overseeing the comprehensive protection of personal data recorded in archives, registries, data banks, or other technical means of data processing, whether public or private, destined to give reports, to guarantee the right to honor and privacy of people, and access to the information that is registered about them”.
That by article 29 of ANNEX I to Decree No. 1558 dated November 29, 2001, the NATIONAL DIRECTORATE FOR THE PROTECTION OF PERSONAL DATA was created within the scope of the then SECRETARIAT OF JUSTICE AND LEGISLATIVE AFFAIRS of the MINISTRY OF JUSTICE AND HUMAN RIGHTS, to fulfill the functions of control body and enforcement authority of the Personal Data Protection Law No. 25,326 and its regulations.
That Decree No. 899 dated November 6, 2017, reordered the current regulatory plexus in relation to the powers assigned to the aforementioned bodies and, in accordance with the terms of article 19 of Law No. 27,275, replaced by article 11 of Decree No. 746/17, attributed to the AGENCY OF ACCESS TO PUBLIC INFORMATION the exercise of the function of control body of Law No. 25,326, which until then had been held by the then NATIONAL DIRECTORATE OF PERSONAL DATA PROTECTION, dependent on the MINISTRY OF JUSTICE AND HUMAN RIGHTS.
That, by virtue of the foregoing, Decree No. 899/17 established in article 2 that “Any normative reference to the NATIONAL DIRECTORATE OF PERSONAL DATA PROTECTION, its competence or its authorities, shall be considered referred to the AGENCY OF ACCESS TO PUBLIC INFORMATION”.
That among the attributions assigned to the AGENCY OF ACCESS TO PUBLIC INFORMATION is that of dictating the rules and regulations that must be observed in the development of the activities included in Law No. 25,326 (article 29, paragraph 1, section b), as well as that of controlling the observance of the rules on data integrity and security by the files, records or databases (article 29, paragraph 1, section d), of Law No. 25,326).
That the then NATIONAL DIRECTORATE OF PERSONAL DATA PROTECTION of the MINISTRY OF JUSTICE AND HUMAN RIGHTS issued norms regarding the security conditions that must be observed for files, records, databases or banks of personal data, and approved the security measures for the treatment and conservation of personal data, which must be applied by those responsible for and users of public non-state and private files, registries, banks and databases.
That by Provision No. 11 dated September 22, 2006 the then NATIONAL DIRECTORATE FOR THE PROTECTION OF PERSONAL DATA approved the document "Security Measures for the Treatment and Conservation of Personal Data Contained in Public Non-state and Private Archives, Registries, Banks and Databases", as an instrument for the specification of security regulations, to which those responsible for and users of public non-state and private files, registries, banks and databases had to adapt.
That, likewise, by DNPDP Provision No. 9 dated September 3, 2008 a model "Personal Data Security Document" was approved, containing the minimum essential guidelines that allowed those obliged to design an instrument that adapts to the needs of their organization and complies with the norms dictated in the matter.
That technology and the Internet have evolved over the years at a dizzying pace, as have social networks, instant messaging services and commerce through the network. This puts at risk the security, integrity and confidentiality of information containing personal data.
That, aware of the importance of safeguarding the integrity and security of information in terms of personal data, it is appropriate to update the security measures that must be observed by those who process personal data in public and private files, registries, banks and databases, in order to eliminate and/or mitigate the risks to said information.
That, in accordance with the provisions of article 9 of Law No. 25,326, the person responsible for or user of the data file must adopt the technical and organizational measures necessary to guarantee the security and confidentiality of personal data, in order to avoid its adulteration, loss, or unauthorized consultation or treatment, and that allow detecting deviations of information, intentional or not, whether the risks come from human action or the technical means used.
That Decree No. 891 dated November 1, 2017, approves the "Good Practices in the Matter of Simplification", promoting, among other measures, regulatory simplification and continuous improvement of processes.
That this AGENCY FOR ACCESS TO PUBLIC INFORMATION, in compliance with the functions assigned by Law No. 25,326 and in its capacity as Control Body, deems it pertinent to approve new recommended security measures, which are consistent with international standards as of the date of their issuance, for the protection of the confidentiality and integrity of the information that contains personal data throughout the treatment process, from its collection to its destruction.
That to this end, it is necessary to establish new recommended security measures for the administration, planning, control and continuous improvement of information security, regarding the processing of personal data.
That the GENERAL DIRECTORATE OF LEGAL AFFAIRS of the UNDER SECRETARIAT FOR ADMINISTRATIVE COORDINATION of the HEAD OF THE CABINET OF MINISTERS has taken the appropriate intervention.
That this measure is issued in use of the powers conferred by article 29, paragraph 1, sections b) and d) of Law No. 25,326 and its amending and complementary regulations.
Thus,
THE DIRECTOR OF THE PUBLIC INFORMATION ACCESS AGENCY
RESOLVES:
ARTICLE 1.- Repeal the Provisions of the then NATIONAL DIRECTORATE FOR THE PROTECTION OF PERSONAL DATA of the MINISTRY OF JUSTICE AND HUMAN RIGHTS No. 11 of September 22, 2006 and No. 09 of September 3, 2008.
ARTICLE 2.- Approve the document called "RECOMMENDED SECURITY MEASURES FOR THE TREATMENT AND CONSERVATION OF PERSONAL DATA IN COMPUTER MEDIA", the text of which forms an integral part of the present as Annex I (IF-2018-34800234-APN-AAIP).
ARTICLE 3.- Approve the document called "RECOMMENDED SECURITY MEASURES FOR THE TREATMENT AND CONSERVATION OF PERSONAL DATA IN NON-COMPUTER MEDIA", the text of which forms an integral part of the present as Annex II (IF-2018-34800290-APN-AAIP).
ARTICLE 4.- Communicate, publish, give to the NATIONAL DIRECTORATE OF THE OFFICIAL REGISTRY and, in due course, file. Eduardo Andrés Bertoni
NOTE: The Annex(es) that make up this Resolution are published in the BORA web edition -www.boletinoficial.gob.ar-

e. 07/25/2018 N° 53148/18 v. 07/25/2018
(Infoleg note: The annexes referenced in this standard have been extracted from the web edition of the Official Gazette.)

Annex
Number: IF-2018-34800234-APN-AAIP
BUENOS AIRES CITY
Friday, July 20, 2018
Reference: ANNEX I Recommended security measures for the treatment and conservation of Personal Data in computerized media
ANNEX I "Recommended security measures for the treatment and conservation of Personal Data in computerized media".
As a reference and with the aim of facilitating compliance with Law No. 25,326 on Protection of Personal Data, the recommended security measures are established for the administration, planning, control and continuous improvement of the security of the information.
The processes outlined here bring together the set of tasks and specialties that entities may possess, with these or other names and in the organic composition that best meets their interests and operation.
Law No. 25,326 in its article 2 defines Personal Data (hereinafter DP) as "Information of any kind referring to specific or determinable natural persons or persons of ideal existence", and Sensitive Data (hereinafter DS) as "Personal data that reveal racial and ethnic origin, political opinions, religious, philosophical or moral convictions, union membership and information regarding health or sexual life."
A - Data collection
Related to the processes necessary to ensure the completeness and integrity of the data, minimize errors and implement technical measures in order to ensure confidentiality and limit access during collection.
DP

B - Access control
Related to the implementation of security measures, authentication mechanisms, segregation of roles and functions, and other characteristics of access to systems for the protection of identity and privacy.
DP

C - Change control
Related to the implementation of the processes to reliably identify any person who gains access to make changes in the production environments that contain personal data, guaranteeing their identification, authentication and corresponding authorization.

D - Backup and recovery
Intended for the implementation of backup processes that allow a correct recovery from an incident that prevents access to the information originally stored, defining security practices, dissemination, training and qualification, for the development of preventive and corrective tasks for security incidents.
DP

E - Vulnerability management
Intended for the implementation of continuous review processes that allow identifying, analyzing, evaluating and correcting all possible vulnerabilities of the computerized systems that process information, applying integrity control techniques, registration, traceability and verification.
DP

F - Destruction of information
Related to the implementation of data elimination processes, ensuring that confidential content is properly destroyed, using secure erasure methods and applying effective process control.
DP

G - Security incidents
Relating to the treatment of events and consequent security incidents that may affect personal data, its detection, evaluation, containment and response, as well as the escalation and correction activities of the technical and operational environment.
DP

H - Development Environments
Relating to the definition of the development environments of the information systems, whether they are their own or those of third parties.
DP

Annex
Number: IF-2018-34800290-APN-AAIP
BUENOS AIRES CITY
Friday, July 20, 2018
Reference: ANNEX II Recommended security measures for the treatment and conservation of Personal Data in non-computerized media
ANNEX II "Recommended security measures for the treatment and conservation of Personal Data in non-computerized media".
As a reference and with the aim of facilitating compliance with Law No. 25,326 on Protection of Personal Data, the recommended security measures are established for the administration, planning, control and continuous improvement of the security of the information.
The processes outlined here bring together the set of tasks and specialties that entities may possess, with these or other names and in the organic composition that best meets their interests and operation.
Law No. 25,326 in its article 2 defines Personal Data (hereinafter DP) as "Information of any kind referring to specific or determinable natural persons or persons of ideal existence", and Sensitive Data (hereinafter DS) as "Personal data that reveal racial and ethnic origin, political opinions, religious, philosophical or moral convictions, union membership and information regarding health or sexual life."
A - Data collection
Related to the processes necessary to ensure the completeness and integrity of the data, minimizing errors.
DP

B - Access control
Related to the implementation of security measures for the protection of identity and privacy.
DP

C - Conservation of information
Related to the implementation of control measures for ventilation, lighting and other conditions that guarantee the physical and functional integrity of the information.
DS

D - Destruction of information
Related to the implementation of data elimination processes, ensuring that confidential content is properly destroyed, using secure destruction methods and applying effective control.
DP

E - Security incidents
Relating to the treatment of events and consequent security incidents, which may affect personal data, its detection, evaluation, containment and treatment.
DP
