The National Registry of Persons released its Personal Data Protection Policy
By Mariano Peruzzotti and Mateo Darget.
Introduction
The National Registry of Persons (“ReNaPer” as it stands for its acronym in Spanish) approved on January 4, 2022, through Rule 1/2022 its Personal Data Protection Policy (“Policy”). The purpose of the Policy is to safeguard and protect the right to privacy of individuals whose personal data is processed by this public body.
Background
Renaper’s purpose is to collect, store, process and manage the data of individuals living in Argentine and Argentine citizen living abroad. It is mandated to meet the provisions of Personal Data Protection Laws in any data processing activity conducted.
In October 2021 it was reported that ReNaPer had suffered a security incident that could have compromised personal data of Argentine citizens. The affected data could have been traded in clandestine markets, involving personal information such as photos, names, addresses, ID numbers, among others. In view of the situation, ReNaPer filed a criminal complaint before the Federal Criminal Court.
The Policy
This Policy follows the guidelines of Resolution 40/2018 of the Argentine Agency for Access to Public Information (“Agency”), which approved a model policy on personal data protection for the public sector. The main purpose of Resolution 40/2019 was to set forth basic guidelines to be used when drafting and implementing personal data protection policies.
The most important aspects of ReNaPer’s Policy are the following:
1. Appointment of a personal data protection officer
ReNaPer will appoint a personal data protection officer, who will ensure compliance with this Policy and will advise to those who are involved in the processing of personal data.
2. Data Protection Impact Assessment
In cases where third parties in charge of the processing request access to the Agency’s databases, ReNaPer shall carry out a Data Protection Impact Assessment.
3. Security incidents
In case a security breach is detected, the person in charge of information security shall report the existence of the incident to the National Cybersecurity Agency and to the Agency within less than 48 hours of being aware of the breach and it must follow the guidelines imposed by Administrative Decision 641/2021. The proper remediation and mitigating measures implemented and/or to be implemented have to be reported as well.
4. Transfer of personal data
The personal data may be transferred to different State agencies directly to the extent that such transfer is required within the framework of their relevant tasks, roles and competences and provided that the processing is compatible with the purpose pursued by the transferee and the transferor. ReNaPer shall ensure that the State agencies comply with this Policy at the time of the transfer of personal data.
5. Privacy by design
ReNaPer shall use all available technical and organizational measures to ensure, from the early stages of the design and development of any project involving the processing of personal data, that personal data protection rules and principles of this Policy are properly addressed.
The full text of the Provision is available at the following link:
https://www.boletinoficial.gob.ar/detalleAviso/primera/255703/20220104?anexos=1.
For further information contact: mperuzzotti@ojambf.com.