Can an entity other than a natural person be an administrator of information security?
Who can be an administrator of information security?
In the Inspector General’s opinion, the obligations of an administrator of information security (AIS) can be met solely by a natural person. Therefore, no other entity can be appointed as an administrator of information security. Reference books also state that “AIS should be a natural person despite the fact that the Data Protection Act does not regulate it clearly. Consequently, a controller is able to take on the obligations of AIS only when the controller is a natural person.” (A. Drozd, ‘Data Protection Act. Commentary. Specimens and provisions’, Wydawnictwo Prawnicze LexisNexis 2005, p. 252 et seq.).
According to Article 36 (3) of the Data Protection Act, the essence of an administrator of information security is to supervise the observance of the data protection principles established by a controller in order to ensure data security. Performing this supervision is connected with being authorized to have access to personal data. Under Article 37 of the Data Protection Act, only persons who are authorized by the controller shall be allowed to carry out the processing of data. Without any doubt, these provisions refer to particular natural persons listed in a record of persons who are authorized to process data and obliged to keep data and data security measures secret.
There should also be a reservation made that an administrator of information security must not be a person who is employed by a data controller (e.g. it can be an employee of another entity, as the Act does not determine under which legal relationship the obligations of AIS shall be performed). However, according to the commentary by A. Drozd, ‘the controller shall have influence on the choice of the particular person, as it is the controller, and not any other entity, that is obliged to appoint AIS according to Article 36 (3). Moreover, a controller shall make that choice with due diligence so that the chosen person would guarantee a proper performance of the obligations connected with supervision of the observance of personal data security principles. A controller shall appoint AIS in a way that guarantees that his/her obligations will be constantly performed. It would be improper to conclude a contract of service provision concerning the supervision of the observance of personal data security with an entrepreneur if he/she would, according to that contract, arbitrarily appoint AIS who would then perform obligations for the controller who is the other party to the contract.’


