The Agency of Access to Public Information, the governmental entity tasked with enforcing the Argentine Data Protection Law, recently issued two regulations dealing with the privacy practices of public national agencies and budgetary conduct of the AAPI.

Administrative Decision 1274/2018

July 5, the AAPI issued Administrative Decision 1274, which created the Technical Administrative Directorate. Its primary role is to administer policies and regulations that concern personnel, administration, training and development of the AAPI in order to oversee its budgetary and financial health.

Specific powers and responsibilities granted to the directorate include the following: prepare draft budgets; manage the approved budget; supervise the maintenance and services of the buildings in which the AAPI is located and coordinate any contracts thereto; determine the AAPI’s needed goods, services, and security and supervise the corresponding contracts; manage the AAPI’s administrative documentation; maintain, update, and care for the AAPI’s personnel database and generate the pertinent information and statistics to assist the corresponding authorities; coordinate and update the disclosure and evaluation system for job positions, as well as work processes, flows, and procedures, and propose modifications and simplifications; coordinate and give technical assistance for the process of staff search, selection, and integration; provide technical coordination and assistance in the process of AAPI staff plant training; and manage relations with union representatives and intervene in negotiations or agreements entered into by AAPI staff.

Resolution 40/2018

The following day, July 6, the AAPI issued Resolution 40 which approved a “Template Privacy Policy for National Public Agencies.” This document is the basic standard privacy policy suggested for public agencies that manage personal data. The template document contains a number of policy provisions that public entities may adopt for their databases.

Among these provisions are guidelines for the entity to: ensure that its databases are registered with AAPI; identify ways in which the data was collected; delete the data when it is no longer needed for the purpose for which it was collected; adopt the necessary methods to guarantee the data’s security and confidentiality and a procedure to notify the AAPI in the case of a data breach which is likely to pose a significant risk to the data subjects; allow for the direct transfer of data to other public entities or third parties under certain circumstances; designate a data protection officer; and only process sensitive data in the case of a legal mandate as per a general interest.

Resolution 40 also recommends that national public agencies (i) adopt a personal data protection policy, which should be updated and communicated through each organization’s usual channels of communication, and (ii) designate an employee as its personal data protection officer, who will be tasked with the internal implementation of and compliance with the personal data protection policy.

photo credit: < Lucas > Día de la Bandera Argentina via photopin (license)