info review 49
by those security measures, other data are not excluded either. In Articles 46 and 47, the Law speaks of the obligation that data must be protected from misuse, destruction, loss, unauthorized changes and access, and that this is an obligation of both the data handler and the data processor, who should undertake personnel, organizational and technical protection measures in accordance with established standards and procedures.

Experience so far in the work of the Commissioner has shown that we have some technical measures available (for example, software contains technical solutions for access authorization, access levels, access logging and the like), but the absence of personnel and organizational measures is evident. Often the provided technical measures are not even used (they are switched off) or are insufficiently strong (simple passwords in the form of names). In the personnel and organizational sense, the Law gave an instruction on established standards (in our country that is the ISO 27001 standard), but that does not mean they must be introduced. However, from the aspect of personal data protection, you are obliged to apply the measures from that standard. The contract between the data handler and the data processor should regulate the most significant questions of their relationship and responsibilities, and both sides should adhere to them.

Recently we have had some technical progress, and I would particularly highlight the regulations of the National Bank concerning security measures in the area of financial institutions. On the other hand, through the example of Atos and its opre-
of the Government to define measures to protect data which is particularly sensitive. Unfortunately, the Government still has not done that. Of course, those safety measures do not exclude other data. In Articles 46 and 47, the Law defines the obligation to protect all data from misuse, destruction, loss, unauthorized changes and access, assigning that obligation both to the handler and the processor, who should undertake HR, organization and technical safety measures according to defined standards and policies.

Previous experience in the work of the Commissioner has shown that we have some technical measures available (for example, the software contains technical solutions for access authorization, levels of access, access logging and similar), but the absence of HR and organizational measures is obvious. Often, provided technical measures are not even used (they are excluded) or are not strong enough (simple passwords such as names). From the aspect of human resources and organization, the Law has provided an instruction on the defined standards (ISO 27001), but that does not mean they must be implemented. However, from the aspect of personal data protection, you are obliged to apply the measures defined by the standard. The agreement between data handler and processor should regulate the most significant issues of relations and responsibility, and both parties should adhere to them.
Dragan Stokic, Bosiljka Sekulic and Vesna Cukovic