The Peruvian Ministry of Justice published – on 12 October 2013 – Resolution No. 019-2013-JUS/DGPDP on Information Security for Personal Databases. The Resolution categorises databases in order of severity and provides guidance on the conditions, requirements and technical measures to be taken into account for each category, in accordance with the Law on the Protection of Personal Data.
Dr. Cynthia Tellez, Head of the Division of Personal Data Protection and Access to Information at Iriarte & Asociados, told DataGuidance: "The [Resolution] provides five different categories for personal databases which are: basic, simple, intermediate, complex and critical. Each category is based on special features of the personal database, for example if the holder of personal data bank is a natural person or a legal person, whether it contains sensitive data, time of processing of personal data is greater than or less than one year, among others. The highest category is reserved for personal databases of public services."
The Resolution also details specific security requirements in situations such as the transfer of personal data, including mandatory encryption and integrity verification mechanisms prior to transfers. Other areas covered under the Resolution include physical security requirements, reproduction of data, and internal auditing procedures.
Tellez said: "This rule complements security mandates in the treatment of personal data under the Data Protection Act Personal which requires the appointment of a Data Protection Officer with capabilities and the necessary authority to carry out their functions."
