We very often hear about an important figure in the field of privacy: the system administrator. It is a profession whose main task is to manage and maintain a company’s information system.
In order to fully understand the peculiarities and importance of this figure, it is necessary to consider the definition provided by the Guarantor: “professional figure aimed at the management and maintenance of a processing plant or its components”.
The AdS is therefore the person who, in carrying out purely technical tasks such as saving data, organizing network flows, managing storage media, installing and updating antivirus and firewalls, managing credentials and authentication and authorization systems, and maintaining hardware, gains access, in a privileged way or by chance, to a significant amount of business information. That access can be considered to all intents and purposes a processing of personal data.
The Figure of The AdS In A Company
The system administrator can be internal or external to the company. The first case occurs in the most complex companies, with a more complex IT infrastructure, where it is generally the IT Manager who carries out the typical activities of the AdS.
Small and medium enterprises, by contrast, tend to turn to external technicians for the management of the computer systems in use. In this case we are dealing with subjects who operate on a computer system only occasionally, for maintenance or to resolve a fault.
Considering the tasks this subject performs, the relevance attributed to the figure within the corporate privacy management system is easy to understand, especially in order to avoid unwarranted reliance on the role.
How does the system administrator’s profession change?
The lack of awareness of the ability to act on company data that is typical of the system administrator led the Privacy Guarantor to issue the provision of November 27, 2008 containing the “Measures and precautions prescribed to the holders of the processing carried out with electronic instruments relating to the attributions of the functions of system administrator”, thus making up for the unjustified lack of legislation in the current Privacy Code, which did not include a specific discipline of the role and tasks of the figure.
Even EU Regulation 679/2016, following the line of the Privacy Code, does not include the figure of the system administrator in the process of processing and keeping the data, limiting itself to implicitly recalling it in some rules because of its specific technical skills.
Therefore, what the Guarantor set out in the previously cited provision is still considered valid, not having been repealed either by the GDPR or by the decree of harmonization to the European legislation, Legislative Decree 101/2018.
Obligations of The Data Controller Towards The AdS
As a first step, the Data Controller will have to verify whether it must provide for an AdS within its organization: the appointment obligation only applies to those who handle sensitive third-party data in addition to that of employees. Subjects who carry out processing for administrative and accounting purposes are considered excluded from the scope of application of the provision.
In the first situation the Data Controller is required to comply with a series of obligations. On this point, the Guarantor has identified a series of measures and precautions aimed at the Data Controllers of processing carried out with electronic instruments, requesting in particular:
- Evaluation of the subjective characteristics, which is not limited to technical knowledge but also covers the experience, capacity and reliability of the designated subject;
- Analytical indication of the permitted operating areas;
- Preservation of the identification details of the natural persons acting as AdS, with the list of the functions attributed to them;
- Verification of the tasks performed, at least annually;
- Adoption of systems suitable for the registration of logical accesses to computer systems and electronic archives;
- Need to inform workers of the identity of the AdS if the latter, in the performance of their duties, process the workers' personal data.
The Figure Of The AdS In The GDPR
As previously anticipated, the GDPR does not provide for ad hoc regulations on the matter; consequently, the provisions of the Guarantor set out above are still valid.
The Data Controller is obliged to fulfil these obligations by the principle of accountability, pursuant to art. 24 of the Regulation, which requires the adoption of security measures to ensure compliance with the European Regulation.
The implicit reference to the figure of the AdS can be derived precisely from a reading of art. 32, which, among the technical security measures to be implemented in order to ensure the security of electronic instruments, includes data encryption, pseudonymisation, data recovery in the event of physical or technical incidents, and periodic checks of the technical and organizational measures adopted. It is clear that the application of such measures necessarily requires the participation of specialized and competent personnel, namely the System Administrator, from the data design and protection phases onward.
If the AdS is an internal entity within the company, it must receive a specific letter of appointment that describes the tasks in detail. If, on the other hand, the tasks are outsourced to an external party, that party will be appointed Manager.
It is appropriate to specify that, with the GDPR, a significant part of the discipline focuses on the duties of the Data Controller and the Manager, the so-called accountability. In this sense, we see a perfect coherence between what the Guarantor Authority prescribed in the 2008 provision and the provisions of the GDPR: in prescribing measures and precautions to Data Controllers regarding the figure of the AdS, the Guarantor has fully responded to the principles of responsibility and effectiveness of the organizational and security measures required by the GDPR.
In September 2018, the decree of harmonization with the European Regulation came into force: Legislative Decree 101/2018, which adapts the national legislation, i.e. the Privacy Code, to the GDPR.
With regard to the figure of the system administrator, once again there are no explicit references; therefore we refer again to the aforementioned provision.