Data security administrator


The information security administrator (ABI, from the Polish "Administrator Bezpieczeństwa Informacji") is appointed by the data controller. Who can become an ABI and what tasks fall to them is explained below.

Who can become an information security administrator?

According to the position of the Inspector General for Personal Data Protection (GIODO), only a natural person may be the security administrator. Under Art. 36 sec. 3 of the Act on the Protection of Personal Data, the main task of the ABI is to supervise compliance with the protection rules established by the data controller in order to ensure data security. In turn, Art. 37 of the Act provides that only persons authorized by the data controller may be allowed to process data. In the opinion of GIODO, these provisions undoubtedly refer to specific natural persons who are listed in the records of persons authorized to process data and who are obliged to keep the data and the methods of securing it secret.

Importantly, a person appointed to the position of information security administrator does not have to be employed by the data controller. The appointment should, however, be made in writing.

Nothing prevents the ABI from performing other functions in an entity, but performing them must not create a conflict of interest.

Information security administrator - what are their tasks?

The Act on the Protection of Personal Data does not define the detailed tasks of the ABI, but the most important ones include:

  1. supervising the correctness and updating of documentation related to the protection of personal data;
  2. control of the status of issued authorizations and records of authorized persons;
  3. handling inspections by the Inspector General for Personal Data Protection and other authorities, and providing initial and periodic training for individual departments;
  4. supervising the sharing of personal data with data recipients and other entities;
  5. supervising the implementation of appropriate measures to ensure the security of personal data;
  6. supervising the functioning of the security system implemented to protect personal data;
  7. control of unauthorized access to the system in which personal data are processed;
  8. supervising and taking appropriate actions in the event of detection of breaches in the security system or suspected breach;
  9. monitoring user access to systems processing personal data.

Responsibility of the information security administrator

The liability of the ABI is set out in Art. 51 of the Personal Data Protection Act. Where the ABI discloses personal data to unauthorized persons, or allows them access to it, the ABI is subject to a fine, the penalty of restriction of liberty, or the penalty of deprivation of liberty for up to 2 years.