Republic of Latvia
Cabinet of Ministers
30 January, 2001
MANDATORY TECHNICAL AND ORGANIZATIONAL REQUIREMENTS
FOR PROTECTION OF PERSONAL DATA PROCESSING SYSTEMS
Issued according to Article 26 of Personal Data Protection Law.
1. These regulations define obligatory technical and organizational requirements for protection of personal data processing systems.
2. General provisions for protection of personal data processing systems are regulated by Regulations No 106 of Cabinet of Ministers “Security regulations for information systems”.
3. Obligatory technical protection of personal data processing system is carried out with physical and logical protection means providing:
3.1. protection against threats to personal data processing system caused by physical impact;
3.2. protection which is realised with software, passwords, cryptography and other logical protection means.
4. When carrying out personal data processing, the system administrator shall provide:
4.1. access to technical resources which are used for personal data processing and protection (including personal data) only by authorised persons;
4.2. registration, transfer, arrangement, modification, transmission, copying and other processing of information carriers where personal data is saved is carried out only by exclusively authorised persons;
4.3. personal data collection, saving, arrangement of saved personal data, storing, copying, modification, correction, deleting, elimination, archiving, reserve copying and blocking are carried out only by exclusively authorised persons, and it is possible to track down personal data which were processed without respective authorisation, as well as the processing time and the person who processed the personal data;
4.4. Transfer of personal data processing system using technical resources is carried out only by exclusively authorised person;
4.5. When transferring personal data, information should be registered on:
4.5.1. personal data transfer time;
4.5.2. person who has transferred personal data;
4.5.3. person who has received personal data;
4.5.4. personal data which are transferred.
4.6. When inputting personal data, information should be registered on:
4.6.1. personal data input time;
4.6.2. person who has input personal data in personal data processing system;
4.6.3. person from whom personal data has been received;
4.6.4. personal data which are input in personal data processing system.
5. For each personal data processing system, the system administrator elaborates internal data processing system protection provisions, which establish:
5.1. responsible person for personal data protection, their rights and obligations;
5.2. personal data protection classification by its value and degree of confidentiality;
5.3. technical resources by which personal data processing will be provided;
5.4. managerial procedure of personal data processing, establishing personal data processing time, place and order;
5.5. activities which should be carried out for protection of technical resources in cases of emergency (fire, flood);
5.6. means with which protection of technical resources is provided against intentional damage and illegal acquisition;
5.7. order of storing and elimination of data carriers;
5.8. length of passwords and conditions on their structure (minimal length of password is 8 symbols);
5.9. regulations on password use, as well as the period of time after which a password should be changed;
5.10. action to be taken if a password or cryptography key becomes known to other persons.
6. System administrator each year carries out an internal audit of the personal data processing system and prepares an overview of activities which were performed in the sphere of information protection.
7. System administrator informs persons who process personal data of the compulsory technical and managerial requirements for protection of personal data processing systems.
President of Cabinet of Ministers A.Berzins
Instead of Minister of Justice – Minister of Foreign Affairs I.Berzins