now that you are responsible for security will face the challenge of the correct application of art. 81 of RLOPD , or put another way, must determine the security level of your company files.
Today
study one of the most difficult aspect of this task: exceptions to the application of high security level, set out in paragraphs 5 and 6 of that art. 81.
But first, let me explain some basics.
First of all, I do not whether you are tacky and call things by their name. The security levels are " basic, intermediate and high " no " 1, 2 and 3 " or " low, intermediate and high ." A security official FETEN, who aspires to respect the external auditors and attorneys of the house, you should use the terminology lopedera corrected.
Well, the rules for determining when to implement the measures for each level, as you may have guessed, are in the art. RLOPD 81. These measures are allocated based on the data processed, the importance which the legislature granted. Thus, bearing in mind that all files and processing, as a rule, should be implemented basic security measures are selected that can contain some data categories require further protection.
one hand, the average level is applied to files and treatments that are indicated below:
- The commission relating to administrative or criminal violations.
- those whose operation is governed by Article 29 of Law 15/1999 of 13 December (that is, files with information on creditworthiness and credit).
- Those who are responsible for the tax authorities and is related to the exercise of their taxing powers.
- Those who are responsible for the financial institutions for purposes connected with the provision financial services.
- Those who are responsible for the administrative entities and common services of Social Security and is related to the exercise of its powers. Similarly, those who are responsible for the accident insurance and occupational disease of Social Security.
- Those containing a set of personal data that offer a definition of the characteristics or personality of citizens and to evaluate certain personal aspects or their behavior.
For its part, the high security level applies to the files and following treatments:
- The data relating to ideology, union affiliation, religion, creed, ethnicity, health or sexual life .
- Those that contain or refer to data collected for law enforcement purposes without the consent of those affected.
- Those containing data derived from acts of violence against women.
not make the mistake of identifying sensitive data (Article 7 of the Data Protection Act) with high-level data. The legislature does not provide that correspondence (among other things, because otherwise there would be two levels of security, not three). It is also possible to apply the basic level of security, still trying to sensitive data, when the circumstances referred to in art. RLOPD 81.5 and 6.
Such circumstances are very important in practice, since they operate in almost all HR files a typical company. The Agency has issued several legal opinions clarifying paragraphs 5 and 6 of Art. RLOPD 81. The clearest of them all el Informe 511/2009 , dice:
"La consulta plantea el nivel de seguridad exigible a los ficheros mantenidos por los colegiados pertenecientes a la Corporación consultante y relativos a la gestión de recursos humanos de empresas clientes de los mismos o a la realización de actividades de asesoría fiscal de clientes que sean personas físicas.
En relación con estas cuestiones, debe tenerse en cuenta el parecer mantenido por esta Agencia en diversos informes y que puede ser resumido de la siguiente manera:
a) En relación with the work of human resource management, and data regarding the health of employees, the agency noted in various reports from 1 July 2008 that will be implementing the provision contained in Article 81.6 of the Rules Development of the Organic Law and, therefore, are solely due security measures baseline in those files that contain one or more of the following:
- The mere indication of the degree or percentage of disability of the affected or members of your household for the purposes provided for the calculation of retention legislation regulating the Income Tax of Individuals.
- The display of the data "fit" or "not" a worker for the purposes specified in the Law on Prevention of Occupational Risks.
- Data related to the obligations imposed on the employer by law social security which is limited to only point out the existence of common disease, occupational disease or work accident or not labor, and the incapacity of an employee.
On the contrary, if the file contains any data related to the results of the surveillance of health than merely referring to the ability of the worker or incorporate the specific data related to illness or accident suffered by the worker not be possible to understand the ambit of Article 81.6 of the Regulation, while the measures implemented high-level security.
b) With respect to treatment in these data files of unionization of workers, the Agency has referred to treatment on the payroll of the status of member of a union worker in order to proceed to the withdrawal of union dues, meaning that it can be subsumed under the circumstances described in Article 81.5 a) of the implementing regulation of Law 15/1999, which excludes the implementation of measures High level security treatments aimed at making a cash transfer to the organization that is a member of the worker. "
Anyway, thought also devote a few lines to the fourth level of security (yes, , there is a fourth security level, a Cinderella of the lopedé that have not, has no name), but my health condition I permits. I think it's time to go to bed.
Goodnight.
0 comments:
Post a Comment