Page 49

info

review

49

tim merama bezbednosti se ne iskljucuju

i ostali podaci. Zakon u clanovima 46. i

47. govori o obavezi da se podaci moraju

zastiti od zloupotreba, unistenja, gubitka,

neovlasenih promena i pristupa i da je to

obaveza i rukovaoca i obraivaca koji treba

da preduzmu, kadrovske, organizacione i

tehnicke mere zastite u skladu sa utvrenim

standardima i postupcima.

Dosadasnja iskustva u radu poverenika

su pokazala da imamo na raspolaganju neke

tehnicke mere (na primer, u softveru postoje

tehnicka resenja za autorizaciju pristupa, ni-

voe pristupa, belezenje pristupa i slicno), ali

je evidentno odsustvo kadrovskih i organiza-

cionih mera. Cesto se predviene tehnicke

mere ni ne koriste (iskljuce se) ili su nedo-

voljno jake (proste lozinke u vidu imena). U

kadrovsko-organizacionom smislu zakon je

dao instrukciju o utvrenim standardima

(kod nas je to standard ISO 27001), ali to ne

znaci da se oni moraju uvesti. Meutim, sa

aspekta zastite podataka o licnosti duzni ste

da primenite mere iz tog standarda. Ugovor

izmeu rukovaoca i obraivaca podataka

treba da regulise najznacajnija pitanja odno-

sa i odgovornosti i obe strane treba da ih se

pridrzavaju.

U poslednje vreme imamo nekih

tehnickih pomaka i posebno bih istakao pro-

pise Narodne banke koji se ticu mera bezbe-

dnosti u oblasti finansijskih institucija. S dru-

ge strane, kroz primer Atosa i njegove opre-

of the Government to define measures to

protect data which is particularly sensitive.

Unfortunately, the Government still has not

done that. Of course, those safety measures

do not exclude other data. In Articles 46

and 47, the Law defines the obligation to

protect all data from misuse, destruction,

loss, unauthorized changes and access,

assigning that obligation both to the handler

and the processor who should undertake HR,

organization and technical safety measures

according to defined standards and policies.

Previous experience in the work of

the Commissioner have showed that we

have some technical measures available (for

example, the software contains technical

solutions for access authorization, levels of

access, assess logging and similar), but the

absence of HR and organizational measures is

obvious. Often, provided technical measures

are not even used (they are excluded) or are

not strong enough (simple passwords such as

names). From the aspect of human resources

and organization, the Law has provided and

instruction on the defined standards (ISO

27001), but that does not mean they must be

implemented. However, from the aspect of

personal data protection, you are obliged to

apply the measures defined by the standard.

The agreement between data handler and

processor should regulate the most significant

issues of relations and responsibility and both

parties should adhere to them.

Dragan Stokic,

Bosiljka Sekulic i

Vesna Cukovic