Additional legal requirements relating to security measures for system administrators

15 April 2009

Debora Stella

On 27 November 2008, the Italian Data Protection Authority, the Garante, issued a general prescription which requires organisations to implement additional security measures. These measures should be applied in relation to personal data that are processed by, or accessible to, system administrators.

Inspections carried out in recent years by the Garante showed several cases where organisations showed a general lack of awareness of the importance of the role played by their system administrators. Recently, severe data protection breaches have occurred which reveal a dangerous underestimation of the risks that may arise where the activities of these experts are conducted without the necessary controls.

Due to this, the Garante has decided to outline new rules in order to draw attention to the importance of the role of system administrators.

For the purpose of this new legal requirement, “System Administrator” is defined to cover the following:

  • the usual meaning of “system administrators”, i.e. those professionals who manage and maintain an IT system and its components;

  • database administrators;

  • network administrators; and

  • any other professional comparable to system administrators (e.g. security administrators and administrators of any complex system software). The requirements apply to this group if they can access personal data in the performance of their functions (e.g. hardware maintenance, backup and recovery operations, organisation of network data flows, etc.).

According to the new requirements, all controllers (i.e. public and private entities, as well as governmental bodies and public institutions) processing personal data using electronic means (other than for administrative and accounting purposes), must comply with the following:

  1. system administrators must be chosen from experienced, capable and reliable individuals and must ensure full compliance with the data protection legislation. This requirement must be met not only where the system administrator is appointed as data protection officer (Responsabile del trattamento) but also where (s)he is the person in charge of the processing (Incaricato del trattamento);

  2. the appointment of the system administrator must include a detailed list of the operations that the system administrator can perform within his/her profile authorisation;

  3. the identity of the system administrator and his/her functions must be included in the DPS (Documento Programmatico sulla Sicurezza) or, if the controller is not required to draft a DPS, in an internal document (available in case of investigation by the Authority). Details of system administrators must be provided to employees if the functions of the system administrator concern, even indirectly, HR data. Where IT functions are outsourced, details of the individuals acting as system administrators must be directly available to the controller;

  4. records of the system administrators’ access to the processing systems and to electronic archives must be properly retained. Access logs should be complete, inalterable and subject to integrity checks. Records must include time references and descriptions of the generated events and should be retained for a reasonable period of no less than six months; and

  5. periodic audits (at least annually) should be undertaken on the system administrator’s compliance with the organisational, technical and security measures prescribed by the Italian data protection law.
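Requirement 4 asks for access logs that are complete, inalterable, integrity-checked, timestamped and retained for at least six months. The following is an added illustration of one way to meet those properties in software; it is not code from the Garante's prescription or from any product. It keeps a hash-chained, append-only log of administrator access events, verifies the chain to detect alteration, and prunes only entries older than the six-month window (the retention period, the record fields and the sample events are constructed for the example).

```python
"""Tamper-evident system administrator access log (added example, not from the source).

Each entry records a UTC timestamp, the administrator, the system accessed and a
description of the event, and carries the SHA-256 of (previous hash + canonical
record). Altering, removing or reordering any retained entry breaks the chain.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=183)   # "no less than six months" (assumed 183 days)
GENESIS = "0" * 64                # anchor for an empty chain


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AdminAccessLog:
    def __init__(self):
        self.anchor = GENESIS   # hash the first retained entry must link to
        self.entries = []       # each: {"record": dict, "prev": str, "hash": str}

    def append(self, admin: str, system: str, event: str, when: datetime = None) -> str:
        """Append one access event and return its chain hash."""
        when = when or datetime.now(timezone.utc)
        record = {
            "ts": when.astimezone(timezone.utc).isoformat(timespec="seconds"),  # time reference
            "admin": admin,
            "system": system,
            "event": event,                                                    # event description
        }
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = self.anchor
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != _digest(prev, e["record"]):
                return False, i
            prev = e["hash"]
        return True, None

    def prune_expired(self, now: datetime) -> int:
        """Drop entries older than RETENTION from the head of the chain only.

        The hash of the last dropped entry becomes the new anchor, so the
        remaining entries still verify. Returns the number of entries removed.
        """
        cutoff = now.astimezone(timezone.utc) - RETENTION
        removed = 0
        while self.entries:
            ts = datetime.fromisoformat(self.entries[0]["record"]["ts"])
            if ts >= cutoff:
                break
            self.anchor = self.entries[0]["hash"]
            self.entries.pop(0)
            removed += 1
        return removed


def build_sample_log() -> AdminAccessLog:
    """Constructed sample events for the example (not real data)."""
    log = AdminAccessLog()
    utc = timezone.utc
    log.append("alice", "hr-db", "backup started", datetime(2009, 1, 1, 8, 0, tzinfo=utc))
    log.append("bob", "mail-srv", "login via ssh", datetime(2009, 6, 1, 9, 30, tzinfo=utc))
    log.append("alice", "hr-db", "restore test", datetime(2009, 7, 1, 10, 0, tzinfo=utc))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1]["record"]["event"] = "login via ssh (edited)"   # simulate alteration
    print("after edit:", log.verify())
```

The chain only proves that nothing inside the retained window was changed after it was written; the most recent hash should therefore be copied periodically to a separate, write-once location (or signed), because an attacker with write access to the log file could otherwise rewrite the tail end-to-end. Pruning is deliberately restricted to the head of the chain and to entries older than the retention window, which is what keeps the six-month record complete.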

These measures must be put in place by 30 June 2009.