
Instituto Nacional

de Tecnologías
de la Comunicación

Executive Summary of the Study


on the Security of Personal Data
at Local Bodies
Assessment of the degree of adaptation to the
Data Protection Act (LOPD) and the new
Implementing Regulation (RDLOPD)

INFORMATION SECURITY OBSERVATORY



Edition: January 2008

INTECO would especially like to thank the following for their assistance in
preparing this study:

The present publication is the property of the National Institute of Communication Technologies (INTECO) and is under an
Attribution-Noncommercial 2.5 Spain Creative Commons license. It is therefore permitted to copy, distribute and publicly
communicate this work under the following conditions:
• Attribution: The content of this report can be reproduced in whole or in part by third parties, citing its origin and making
express mention of INTECO and its website: www.inteco.es. This attribution may not under any circumstances suggest
that INTECO provides support to said third party or supports the use made of its work.
• Noncommercial Use: The original material and the resulting work may be distributed, copied and exhibited so long as their
use is not for commercial purposes.
On reusing or distributing the work, the terms of the license for this work must be made clear. Some of these conditions may
not be applicable if permission is obtained from INTECO as holder of the copyright. Nothing in this license diminishes or
restricts the moral rights of INTECO.
Full text of the license:
http://creativecommons.org/licenses/by-nc/2.5/es/

Executive Summary of the Study on the Security of Personal Data Within the Scope of Local Bodies
Information Security Observatory Page 2 of 55

INDEX

INDEX ... 3
1 INTRODUCTION AND OBJECTIVES ... 7
1.1 Introduction ... 7
1.2 Objectives of the study ... 7
1.3 Presentation: Participating bodies ... 7
1.3.1 Instituto Nacional de Tecnologías de la Comunicación (Spanish National Institute of Communication Technologies, INTECO) ... 7
1.3.2 Federación Española de Municipios y Provincias (Spanish Federation of Municipalities and Provinces, FEMP) ... 9
2 METHODOLOGICAL DESIGN ... 10
3 KNOWLEDGE, AWARENESS AND ALLOCATION OF RESOURCES ACCORDING TO CURRENT LEGISLATION ... 12
3.1 Level of knowledge about the RDLOPD at LPBs ... 12
3.2 Level of awareness regarding compliance with data protection regulations ... 12
3.3 Allocation of resources ... 12
3.4 Degree of adaptation to and implementation of the regulations ... 13
4 CLASSIFICATION OF FILES BY SECURITY LEVEL AND PROCESSING OF ESPECIALLY SENSITIVE FILES ... 14
4.1 File classification by security level ... 14
4.2 Processing of standard data by local bodies ... 15
4.2.1 Register of inhabitants ... 15
4.2.2 Vehicle register ... 15
4.2.3 Social services ... 16
4.2.4 Trading license for business premises ... 16
4.2.5 Video surveillance ... 16
5 REGISTRATION OF PERSONAL DATA FILES, SECURITY OFFICER, SECURITY DOCUMENT ... 18
5.1 Registration of files ... 18
5.2 Security officer ... 18
5.3 Security document ... 18
5.3.1 Scope of application ... 18
5.3.2 Measures, procedures, rules and standards ... 19
5.3.3 Duties and obligation of personnel ... 19
5.3.4 File structure and description of systems used for processing ... 19
5.3.5 Incident notification, management and response procedures ... 19
5.3.6 Procedures for making back-up copies and data recovery ... 19
5.3.7 Measures to be adopted for transport, reuse and destruction of media and documents ... 19
6 DATA AUTHENTICATION: INFORMATION, CONSENT, TRANSFER AND CONFIDENTIALITY ... 20
6.1 Duty to inform the interested party of the purpose of the processing ... 20
6.2 Duty to obtain the consent of the interested party for data processing ... 20
6.3 Managing transfer of data ... 21
6.4 Data confidentiality ... 21
7 ARCO RIGHTS ... 22
8 SECURITY MEASURES ... 23
8.1 Security measures with technical controls ... 23
8.1.1 Record of incidents ... 23
8.1.2 Identification and authentication ... 23
8.1.3 Control of access ... 24
8.1.4 Record of accesses ... 25
8.1.5 Telecommunications ... 25
8.2 Security measures with management controls ... 26
8.2.1 Media and document management ... 26
8.2.2 Back-up copies and recovery ... 27
8.2.3 Tests using real data ... 29
8.2.4 Audits ... 29
9 SUPERVISION, INSPECTIONS, COMPLAINTS AND PENALTIES RESULTING FROM FAILURE TO COMPLY WITH DATA PROTECTION REGULATIONS ... 31
9.1 Inspections ... 31
9.2 Complaints and penalties ... 31
10 THE OPINION OF EXPERTS REGARDING THE DEGREE OF ADAPTATION TO AND IMPLEMENTATION OF REGULATIONS ... 33
10.1 Maturity levels ... 34
10.1.1 Maturity level 1 ... 35
10.1.2 Maturity level 2 ... 35
10.1.3 Maturity level 3 ... 36
10.2 Best practices ... 37
10.2.1 From an organizational point of view ... 37
10.2.2 From a technical point of view ... 37
10.3 Examples of success cases for applying good practices ... 38
10.3.1 Data protection structure, management model and specific actions: Santa Cruz de Tenerife city council ... 38
10.3.2 Audits: Audit and Information Security Coordination Area of the Catalan Data Protection Agency ... 40
10.3.3 Consulting: File Register and Consulting Sub-department of the Community of Madrid Data Protection Agency ... 41
10.3.4 Data protection structure, management model and specific actions: the Municipal Institute of Computing of the Barcelona city council ... 42
11 CONCLUSIONS OF THE STUDY ... 45
12 PROPOSALS AND RECOMMENDATIONS FOR THE AUTHORITIES ... 50
12.1 Proposals and recommendations concerning raising awareness and training ... 50
12.2 Proposals and recommendations concerning assessment and information ... 51
12.3 Proposals and recommendations concerning funding ... 52
12.4 Proposals and recommendations concerning standardization and certification ... 52
12.5 Proposals and recommendations concerning promotion and motivation for maturity levels and good practices ... 53

Executive Summary of the Study on the Security of Personal Data Within the Scope of Local Bodies
Information Security Observatory Page 6 of 55
Instituto Nacional
de Tecnologías
de la Comunicación

1 INTRODUCTION AND OBJECTIVES

1.1 Introduction

The main aim of the present report, prepared by the Instituto Nacional de Tecnologías de
la Comunicación (National Institute of Communication Technologies, known hereinafter by
its Spanish acronym, INTECO), is to carry out an exhaustive analysis of the current
situation regarding the protection of personal data at local public bodies (hereinafter,
LPBs) in Spain, an analysis that has not previously been published to this extent or in such depth.

This study provides a complete and specialized assessment of the degree to which
current legislation has been adopted, as well as a set of recommendations which will
enable government bodies to implement plans for regularization and adaptation.

The regulatory framework considered in the study encompasses:

• Act 15/1999, of 13 December, on Personal Data Protection (LOPD in its Spanish acronym).

• Royal Decree 994/1999, of 11 June, passing the Regulation on Security Measures for automated databases which contain personal data (RMS in its Spanish acronym).

• Royal Decree 1720/2007, of 21 December, passing the Implementing Regulation for Act 15/1999, of 13 December, on Personal Data Protection (RDLOPD in its Spanish acronym).

1.2 Objectives of the study

The basic objective of the study is to analyze the current situation at local public bodies in
Spain with regard to personal data protection regulations, in two aspects:

• Assessment of both the current status of effective compliance with the legislation
and the extent to which LPBs in Spain are prepared to adapt to the RDLOPD.

• Raising awareness among LPBs in order to increase the level of compliance with
data protection regulations.

1.3 Presentation: Participating bodies

1.3.1 Instituto Nacional de Tecnologías de la Comunicación (Spanish National Institute of Communication Technologies, INTECO)

INTECO, the Spanish National Institute of Communication Technologies, sponsored by
the Ministry of Industry, Tourism and Trade, is a platform for the development of the
Information Society through innovative and technological projects: firstly, to contribute to
the convergence of Spain with the European Information Society, and secondly, to
promote regional development, establishing a project with a global approach in Leon.

The mission of INTECO is to promote and develop innovative projects related to the field
of Information and Communication Technologies (TIC) and the Information Society, in
order to improve the position of Spain in Europe and to provide the country with new
competitive advantages, by extending its capabilities in both the European and the Latin
American environment. The Institute thus intends to be a development center of strong
public interest, aimed at expanding the use of new technologies in Spain.

The social objective of INTECO is the management, counseling, advocacy and dissemination
of technological projects related to the Information Society. To do this, INTECO develops
actions that follow its strategic lines of a) technological security, b) accessibility
and c) software quality.

More Information: http://www.inteco.es

Observatorio de la Seguridad de la Información (Information Security Observatory)

The Information Security Observatory is part of INTECO’s strategic line of action in the
area of technological security.

The Observatory aims at describing in detail the level of security and trust regarding the
Information Society. It seeks to generate expertise in the area. Thus, it is at the service of
the citizens, the companies and the Spanish administration to describe, analyze, and
spread the culture of Information Security and e-Trust.

The Observatory has designed an Activities and Research Plan in order to produce
useful knowledge and expertise on Internet security and to develop
recommendations and proposals that identify trends, which will inform future decisions by
public authorities.

Within this action plan, research, analysis, studies, counseling and
outreach are carried out to address, inter alia, the following aspects:

• Development of internal studies and studies on the security of TIC, with special
emphasis on Internet security.

• Monitoring of key indicators and of public policies related to information security
at the national and international level.

• Creation of a database to enable the analysis and evaluation of security and
trust over time.

• Promotion of research on secure technologies.

• Dissemination of studies and reports published by other entities and national and
international organizations, as well as of information on current national and
European policy on security and trust in the Information Society.

• Advising the government on information security, as well as supporting the
development, monitoring and evaluation of public policies in this field.

More Information: http://observatorio.inteco.es

1.3.2 Federación Española de Municipios y Provincias (Spanish Federation of Municipalities and Provinces, FEMP)

The Spanish Federation of Municipalities and Provinces (FEMP in its Spanish acronym)
is an association of local government bodies which encompasses city councils, provincial
councils and island councils, more than 7,200 municipalities in total. Its goals and
founding and statutory aims are the following:

• To promote and defend the autonomy of local bodies.

• To represent and defend the general interests of city, provincial and island
councils in relations with other public administrations.

• To provide a full range of services for local bodies.

• To develop and consolidate a European spirit at the local level based on autonomy
and solidarity among all local bodies.

• To promote and encourage friendly and cooperative relations between city,
provincial and island councils and international organizations, especially
European, Latin American and Arab ones.

• To manage government programs targeting local areas.

More Information: http://www.femp.es


2 METHODOLOGICAL DESIGN

The main phases of the project were the following:

• Surveys administered to non-civil service staff, civil servants, political managers
and associates at local bodies, in the form of a specific questionnaire according to
the number of inhabitants in each participating municipality.

• Interviews with experts from LPBs, industry and other public administrations.
These experts contributed their assessment of good practices, proposals and a
definition of maturity levels in order to make it possible to assign priorities when
implementing security measures.

• Preparing the present report, which includes analysis and conclusions from the
previous phases, as well as suggestions and recommendations for action.

601 local public bodies participated in the study. Of the surveys, 91 were submitted
anonymously, 474 came from city councils, 36 from provincial and island councils, and 24
were from experts (professionals and representatives of institutions in various areas of
knowledge).

The sample selection method used was stratified, with the size of the sample being
determined using the formula corresponding to a finite population. The margin of error is
estimated to be ± 4.42%, providing a confidence level of 95%.

The sample of city councils was defined using segmentation according to the number of
inhabitants in the municipality, creating nine strata (Table 1).

Table 1: Participation of bodies by stratum based on the presample of municipalities and population coverage

| Stratum | No. inhabitants (thousands) | No. municipalities | Presample: No. municipalities | Sample: No. municipalities | Participation as % of presample | Population coverage |
|---|---|---|---|---|---|---|
| A | More than 500 | 6 | 6 | 3 | 50.0% | 50.0% |
| B | 100-500 | 55 | 53 | 25 | 47.2% | 45.5% |
| C | 50-100 | 76 | 75 | 39 | 52.0% | 51.3% |
| D | 10-50 | 648 | 584 | 137 | 23.5% | 21.1% |
| E | 5-10 | 527 | 58 | 33 | 56.9% | 6.3% |
| F | 2-5 | 1,016 | 86 | 67 | 77.9% | 6.6% |
| G | 1-2 | 923 | 80 | 59 | 73.8% | 6.4% |
| H | 0.5-1 | 1,054 | 57 | 38 | 66.7% | 3.6% |
| I | Less than 0.5 | 3,807 | 87 | 73 | 83.9% | 1.9% |
| TOTAL | | 8,112 | 1,086 | 474 | 43.6% | 5.8% |

Source: INTECO


The participation of provincial and island councils was significant. 36 out of 57 bodies
took part, representing a participation rate for the study of 63.2% for this type of local
government.

The participating professionals who responded to the questionnaire at local public
bodies represented a variety of profiles, as shown in Graph 1, which indicates the
professional category or profile of the person interviewed and the percentage of active
participants per profile.

According to the results, the professional profile of the largest group of participants who
answered the questionnaire is that of the head of IT, accounting for 36.8% of participants.
This is due to the fact that these are the professionals who are normally assigned
responsibility for implementing security measures. The second largest group of
respondents to the questionnaires was secretaries at the LPBs, with 28.7%, as those
technically responsible for legal matters. Technical appointees and delegated councilors
or representatives accounted for fewer participants, with 15.1% and 6.1%, respectively.

However, the percentage of responses obtained from participants holding the position of
head of security at LPBs was 8.3%, a factor which indicates a lack of specific
appointments to this important position at these bodies.

Graph 1: Profile of professionals participating in the survey as representatives of participating LPBs (%)

[Pie chart. Values recoverable from the text: Head of IT Service 36.8%, Secretary 28.7%, Technical Position 15.1%, Head of Security 8.3%, Political Appointee 6.1%. The remaining profiles (Head of Services, HR Manager, Head of Legal Department, Administrative Assistant, IT Technician, Other) each account for 1.5% or less.]

Source: INTECO


3 KNOWLEDGE, AWARENESS AND ALLOCATION OF RESOURCES ACCORDING TO CURRENT LEGISLATION

This section considers the level of knowledge – taking the aspects contained in both the
LOPD and RDLOPD as basic knowledge – at local bodies in accordance with current
regulations.

3.1 Level of knowledge about the RDLOPD at LPBs

Of the LPBs that participated in this study, 66.7% of the provincial and island councils and
only 28% of the city councils stated that they have knowledge of the RDLOPD.

An in-depth analysis for each of the municipalities reveals that those with more than
500,000 inhabitants have full knowledge of the publication of the RDLOPD. However, the
percentage of small municipalities, especially those with fewer than 500 inhabitants,
stating that they know about it is 21.9%.

The main new elements contained in the RDLOPD concern the processing, storage and
destruction of, and access to, paper files. Knowledge of this aspect on the part of city
councils varies, although it can be considered positive. At city councils, the level of
knowledge decreases as the municipality gets smaller: for example, in
the case of municipalities with fewer than 500 inhabitants, 78.1% are not aware
that the new regulations describe security measures for paper files containing
personal data.

3.2 Level of awareness regarding compliance with data protection regulations

All employees of LPBs – regardless of their position – who handle personal data must
know the security regulations which apply to performing their duties for the type of
personal data processing which they may carry out. In the present study, 74.8% of the
public bodies comply with this.

3.3 Allocation of resources

Local public bodies must have a compliance calendar in order to adapt to the RDLOPD
before the established deadlines. On this matter, they were asked about the allocation of
resources as an indicator of a suitable level of planning.

Only 21.4% of the LPBs participating in the study have allocated these resources. This
figure is therefore evidence of the effort which these organizations must still make in
order to come into compliance. An analysis by stratum and size shows uneven
compliance with this obligation: 56.5% of city councils in large municipalities have planned
this allocation, while only 31.1% of city councils in mid-sized municipalities and 16.8% of
smaller ones have done so. Clearly, these results are influenced by the level of knowledge
of the RDLOPD, as a high percentage of those municipalities which state that they know
about the RDLOPD have planned for adaptation.

3.4 Degree of adaptation to and implementation of the regulations

This section provides an overview of the percentage of LPBs which have already
implemented security policies and procedures.

Of all the LPBs participating in the study, it is the city councils of large municipalities which
have gone furthest in putting the security procedures specified in the regulations into
practice (between 46.3% and 58.2%). This is a logical result, as this type of city council has
greater technical and organizational resources, allowing them to develop these
procedures.


4 CLASSIFICATION OF FILES BY SECURITY LEVEL AND PROCESSING OF ESPECIALLY SENSITIVE FILES

Current data protection regulations are based on differentiating among data according to
their sensitivity and the protection level they consequently require.

4.1 File classification by security level

Files are classified according to the type of personal data they contain: basic-, mid- and
high-level files. This classification involves establishing security measures in a cumulative
fashion, based on a consideration of minimum legal requirements.

Table 2: Security Levels

BASIC LEVEL
• Name, last name(s), national identity card (DNI) number, telephone number, address, bank account number.
• Information regarding ideology, union membership, religion or beliefs, racial origin, health or sex life, when the information is used solely for the purpose of making monetary transfers to bodies of which the affected parties are members.
• Non-automated files which may incidentally contain specially protected data.
• Files for which the purpose of processing is to comply with public obligations, in the case of information such as the level of disability or a declaration status.

MID LEVEL
• Administrative or legal infractions committed.
• Data on those responsible for tax administration and related to the exercise of their tax-related powers.
• Files on administrative bodies, Social Security services, mutual industrial accident insurance companies and Social Security occupational illnesses.
• Tax authorities (information regarding taxes or other fiscal obligations which are handled by the government – not that regarding taxes declared by companies).
• Data which make it possible to deduce the behavior of citizens.

HIGH LEVEL
• Ideology or union membership.
• Religion or beliefs.
• Racial or ethnic origin.
• Health (social services, shared special health care needs).
• Sex life.
• Data gathered for political purposes without the consent of the interested party.
• Gender-based violence.

Source: INTECO
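As an added illustration (not part of the INTECO study), the following Python script encodes the cumulative classification rule of section 4.1 and the three basic-level exceptions of Table 2 as a small classifier that can be run over a file inventory. The category labels, the purpose flags, the constructed sample inventory and the decision to treat a disability level as health data whenever the public-obligation exception does not apply are all this example's own assumptions, not terms defined by the study.

```python
"""Cumulative file-level classification following Table 2 (added example, not from the study)."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    BASIC = 1
    MID = 2
    HIGH = 3


# "Specially protected" categories (art. 7 LOPD): high level unless an exception applies.
SPECIAL = {
    "ideology", "union_membership", "religion_or_beliefs",
    "racial_or_ethnic_origin", "health", "sex_life",
}

# Category -> level it attracts on its own. Labels are this example's own names
# for the wording in Table 2.
CATEGORY_LEVEL = {
    **{c: Level.HIGH for c in SPECIAL},
    "political_data_without_consent": Level.HIGH,
    "gender_based_violence": Level.HIGH,
    "disability_level": Level.HIGH,  # assumption: health data unless exception 3 applies
    "administrative_or_legal_infractions": Level.MID,
    "tax_administration_powers": Level.MID,
    "social_security_or_mutual_insurance": Level.MID,
    "tax_obligations": Level.MID,
    "citizen_behaviour_deducible": Level.MID,
    "name": Level.BASIC, "dni": Level.BASIC, "telephone": Level.BASIC,
    "address": Level.BASIC, "bank_account": Level.BASIC,
}


@dataclass
class PersonalDataFile:
    name: str
    categories: set
    automated: bool = True           # False = paper (non-automated) file
    purpose: str = "general"         # hypothetical flag used by the exceptions below
    special_data_incidental: bool = False


def category_level(cat: str) -> Level:
    if cat not in CATEGORY_LEVEL:
        raise ValueError(f"unknown data category: {cat}")
    return CATEGORY_LEVEL[cat]


def classify(f: PersonalDataFile) -> Level:
    """Highest level attracted by any category, after Table 2's basic-level exceptions."""
    level = Level.BASIC
    for cat in f.categories:
        cat_level = category_level(cat)
        # Exception 1: special data used solely for monetary transfers to bodies
        # of which the data subjects are members (e.g. union dues) -> basic.
        if cat in SPECIAL and f.purpose == "membership_transfers":
            cat_level = Level.BASIC
        # Exception 2: non-automated file that only incidentally holds special data.
        elif cat in SPECIAL and not f.automated and f.special_data_incidental:
            cat_level = Level.BASIC
        # Exception 3: disability level held only to comply with a public obligation.
        elif cat == "disability_level" and f.purpose == "public_obligation":
            cat_level = Level.BASIC
        level = max(level, cat_level)
    return level


def applicable_tiers(level: Level) -> list:
    """Measures are cumulative: a high-level file must meet basic, mid and high measures."""
    return [tier for tier in Level if tier <= level]


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = [
    PersonalDataFile("register of inhabitants", {"name", "dni", "address"}),
    PersonalDataFile("social services", {"name", "health"}),
    PersonalDataFile("traffic fines", {"name", "address", "administrative_or_legal_infractions"}),
    PersonalDataFile("union dues payroll deductions", {"name", "bank_account", "union_membership"},
                     purpose="membership_transfers"),
    PersonalDataFile("historical archive", {"name", "religion_or_beliefs"},
                     automated=False, special_data_incidental=True),
    PersonalDataFile("tax relief for disability", {"name", "dni", "disability_level"},
                     purpose="public_obligation"),
]


def classify_inventory(files=SAMPLE_INVENTORY) -> dict:
    """Map each file name to its resulting security level."""
    return {f.name: classify(f) for f in files}


if __name__ == "__main__":
    for name, level in classify_inventory().items():
        tiers = [t.name for t in applicable_tiers(level)]
        print(f"{name:32s} {level.name:5s} measures required: {tiers}")
```

The useful property to notice is that the exceptions lower the level of one category but never the file as a whole: a file that also contains, say, infraction data keeps its mid level even when its special-category data falls under exception 1, because `classify` takes the maximum over all categories.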

In order to evaluate the classification of files by level at LPBs, the following six types of
personal data files which are normally processed were selected:

• Cultural, educational and sports activities.

• Managing administrative records.

• Cemeteries.

• Aid and subsidies.


• Historical archives.

• Municipal libraries.

The results show that data are predominantly classified as having a basic security level
(more than 68%). However, there are clear differences in this classification for the same
type of file. For example, 68% of record files are classified as basic-level and 24.6% as
mid-level.

It is city councils in small municipalities which assign high-level classification, with
percentages ranging from 90.9% at bodies which assign this level to files for cultural,
educational and sports activities to 74.9% of city councils which assign this level to
record management files.

4.2 Processing of standard data by local bodies

The following files have been identified as especially sensitive, all of which are highly
likely to exist at LPBs:

4.2.1 Register of inhabitants

All persons living in Spain are obligated to register with the municipal register of
inhabitants in the location of their regular residence, according to Law 7/1985, of 2 April,
Regulating the Basis of Local Government.

LPBs are not obligated to obtain the consent of the interested party in order to process the
data in the register, given that, as indicated in article 6.2 of the LOPD, the register is part
of the administrative duties which fall under the jurisdiction of city councils. Any
government body which requests information included in the register from a city council,
except for law enforcement forces and agencies exempted by article 22.2, must
demonstrate that it is for one of its powers recognized under the law, as well as justifying
the relevance of the residence or address for this processing.

With regard to the security measures to be applied to this type of file, it should be taken
into consideration that this data is classified as basic.

4.2.2 Vehicle register

The purpose of processing the information in this file is to collect the municipal road tax, in
addition to keeping a register of vehicle owners (for example, to handle transfers).

The LOPD allows the party responsible for the file to authorize access to personal data for
the body which is going to provide a service, which will be the party responsible for
processing. However, it is required that the contract contain a number of requirements,
such as following the instructions of the party responsible for the file, not using the data for
other purposes, not transmitting the data to other persons, stipulating the security
measures of article 9 and, once the service has been provided, destroying the data or
returning them to the party responsible for the file.

4.2.3 Social services

Social services are available and accessible to all citizens without discrimination. Personal
data files managed by social services at local public bodies are classified as high security.

Article 7 of the LOPD determines that high level data are those related to ideology, union
membership, religion and beliefs, as well as personal data which make reference to racial
origin, health or sex life. However, with regard to the former, they can only be processed
with the express written consent of the interested party. With regard to the latter, they can
only be gathered when it is so stipulated by law or when the affected party gives express
consent.

Therefore, when LPBs collect data, they must provide suitable justification for the purpose
of the social service itself.

4.2.4 Trading license for business premises

A trading license must be applied for before starting any business activity that is to be
carried out on business premises.

The classification level for the data in these files is basic, and so the corresponding
security measures indicated in the RDLOPD must be taken.

It is normal for this application to be submitted to LPBs on paper. Consequently, this form
must include explanatory text which clearly indicates the following:

• The existence of a file which has been reported to the Spanish Data Protection
Agency (AEPD in its Spanish acronym) in which the information on the application
will be included, indicating the party responsible for the file.

• The purpose of processing the data.

• Transfers to third parties, should these occur.

• The method by which the interested party may exercise their rights: access,
correction, cancellation and objection, providing a method of contact with the
public body so that they can make contact.

4.2.5 Video surveillance


The capture or recording of images of individuals who are identified or identifiable by
means of video camera systems is considered personal data in article 3.a of the LOPD.

The following are considered processing of personal data: capture, recording, storage,
alteration, freezing and transfer of images.

The main requirements to be implemented are the following:

• A sufficiently visible informational sign must be placed in areas under video
surveillance. This sign must mention “Organic Law 15/1999, of 13 December, on
Personal Data Protection,” the purpose of the processing (“VIDEO
SURVEILLANCE AREA”), and before whom data protection rights may be exercised.

• It will only be considered acceptable to install cameras when the aim of the
surveillance cannot be achieved by other means.

• The file of video surveillance images must be registered with the Spanish Data
Protection Agency, which must be notified in advance.

5 REGISTRATION OF PERSONAL DATA FILES, SECURITY OFFICER, SECURITY DOCUMENT

This section demonstrates the level of knowledge with regard to registration of personal
data files, the obligation to designate a security officer and definition of the scope of the
security document.

5.1 Registration of files

Generally speaking, reporting files to the AEPD is not very common practice for LPBs.
This is demonstrated by the fact that 46.4% of city councils have done so, in contrast with
the 43% which have not reported them and 10.5% which say that they do not know. In the
case of provincial and island councils, 88.9% state that they have done so, compared with
just 8.3% which say that they have not.

An analysis by stratum shows that the level of compliance is high in the case of large
municipalities, with 92.5% doing so, and mid-sized municipalities (67.9%). On the
opposite side are municipalities of a smaller size, of which 37.2% do this. The exception
for this stratum is the governments of towns with 500 to 1,000 inhabitants (55.3%).

5.2 Security officer

Public bodies must name a security officer. This person must be known to all and ensure
compliance with regulations. However, the reality is that overall, this person has only been
designated by 28.7% of city councils and 52.8% of provincial and island councils.
Coverage by stratum indicates that three strata exceed 50% and the two strata with fewer
than 1,000 inhabitants do not reach 20%.

5.3 Security document

This document contains the technical and organizational measures which must be
followed by all staff with access to information systems. Consequently, it is necessary to
revise this document periodically so that it is always current with regard to the changes
which may take place in the public body. It must also contain the following aspects:

5.3.1 Scope of application


Among LPBs it is not common practice to define the scope, as overall, only 35.3% have
done so. However, compliance is greater among municipalities with a larger number of
inhabitants, where 79.5% of those with 50,000 inhabitants and 100% of those with
500,000 inhabitants have done so.

5.3.2 Measures, procedures, rules and standards


The overall percentage of LPBs which have implemented these is 35.7% for city councils
and 61.1% for provincial and island councils, compared with 49.2% and 33.3% which
have not done so.

5.3.3 Duties and obligation of personnel


Overall, 46.1% of city councils and 56.8% of provincial and island councils state that they
have defined and disseminated these.

5.3.4 File structure and description of systems used for processing


38.1% of city councils carry out this function, compared with 75% of provincial and island
councils. By stratum, it is noteworthy that 100% of city councils with more than 500,000
inhabitants do so. In contrast, among smaller city councils, only 24.7% of those with fewer
than 500 inhabitants do this.

5.3.5 Incident notification, management and response procedures


27.6% of city councils and 36.1% of provincial and island councils state that they have
these. By stratum, except in the case of city councils with more than 500,000 inhabitants,
with 100%, the situation ranges from 68% to 59% for those with more inhabitants. Mid-
sized municipalities vary between 33.3% and 46.7%. Lastly, 17.8% of those with fewer
than 500 inhabitants comply with regulations.

5.3.6 Procedures for making back-up copies and data recovery


Overall, 44% of city councils and 72% of provincial and island councils establish this type
of procedures.

5.3.7 Measures to be adopted for transport, reuse and destruction of media and
documents
Overall, 28.3% of city councils and 44.4% of provincial and island councils state that they
have these. Only city councils with between 50,000 and 500,000 inhabitants have
coverage above 64%. Municipalities with fewer than 2,000 inhabitants do not exceed
35.6%, with those with fewer than 500 inhabitants being noteworthy, as only 16.4% have
implemented this practice.

6 DATA AUTHENTICATION: INFORMATION, CONSENT, TRANSFER AND CONFIDENTIALITY

Personal data processing by local bodies must comply with current regulations regarding
gathering this information (art. 5 of the LOPD), maintenance and updating (art. 4 of the
LOPD), processing and transfer to third parties (art. 11 and 12 of the LOPD), and
providing citizens with their rights (Title III of the LOPD).

6.1 Duty to inform the interested party of the purpose of the processing

The parties responsible for the files or processing are obligated to inform citizens
regarding:

• The inclusion of their data in a file.

• The identity and address of the responsible party.

• The purpose of the file.

• The recipients of the information.

• The possibility of exercising their rights of access, correction, cancellation and
objection.

67.5% of city councils and 72.2% of provincial and island councils say that they comply
with the obligation to inform citizens. At the stratum level, compliance ranges from 90.7%
to 71.1% and 65.6% of city councils in large, mid-sized and small municipalities,
respectively.

6.2 Duty to obtain the consent of the interested party for data processing

This duty involves the obligation to request explicit consent from the individuals who are
the owners of the data prior to gathering the same for later processing.

Art. 10.3 of the RDLOPD indicates that data can be processed without the need to obtain
the consent of the interested party for the exercise of duties which are characteristic of
public administrations within the scope of the powers assigned to them by regulations with
the level of law or community law regulations.

Overall, 36.4% of city councils obtain consent, with municipalities with a larger number of
inhabitants, 50,000 to 100,000, being those which most comply with this requirement,
69.2%. On the opposite side are small city councils, which do not exceed 40%.

6.3 Managing transfer of data

Transfer of data is understood to mean any time data is revealed to an individual or legal
entity other than the interested party.

The personal data subject to processing can only be communicated to a third party for
purposes directly related to the duties of which the interested party has been informed and
with their prior consent, according to art. 11 of the LOPD and art. 10 of the RDLOPD.

This is a measure which overall, 46.9% of city councils and 55.6% of provincial and island
councils carry out. However, it is done by 71.7% city councils in large municipalities,
compared with 53.1% and 44% of city councils in mid-sized and small municipalities.

6.4 Data confidentiality

The party responsible for the files must guarantee the obligation to keep all the
information processed secret by establishing confidentiality clauses. These must be
signed by staff of the public body who have access to the files and affect personnel of the
public body itself, as well as third parties with whom there is some sort of agreement.

Overall, 28.9% of city councils do this. In the case of provincial and island councils, the
situation is better, as 44.4% do so. However, this situation is most ideal in governments of
population centers with between 50,000 and 500,000 inhabitants, where more than 74%
of public bodies follow this practice.

7 ARCO RIGHTS

One of the key points of the LOPD is the rights of access, correction, cancellation and
objection (known as A.R.C.O. rights in their Spanish acronym), to which owners of data
are entitled. These can briefly be described as follows:

• Access: obligation to inform citizens of all data held on them at no charge.

• Correction: all individuals have the right to correct any data about them which they
consider inaccurate or incomplete, inappropriate or excessive.

• Cancellation: when the data on the interested party are inaccurate or
inappropriate, they may request that the data be blocked, this being understood to
mean identifying and retaining data for the purpose of preventing them from being
processed.

• Objection: the data will be excluded from processing by the party responsible for
the file.

As a counterpart to these rights, the law envisages the obligation of the party responsible
for the file or processing to respond to and facilitate the exercise of these rights for owners
of the data.

However, as indicated in art. 23 of the LOPD, the parties responsible for files which
contain data used for police purposes may refuse access, correction or cancellation
depending on the possible dangers to the defense of the State or public safety which may
result, protection of the rights and freedoms of third parties or the needs of investigations
being carried out.

Public bodies are obligated to provide citizens with information on how they must exercise
their ARCO rights. Therefore, the interested party must be provided with a simple, free
method of indicating a refusal to consent to data processing, as indicated more
extensively in arts. 25 and 26 of the RDLOPD.

The exercise of these rights is relatively common among city councils and provincial and
island councils, where 49.4% and 52.8%, respectively, grant them to their interested
parties. By size stratum, this obligation is implemented heterogeneously. 100% of
population centers with more than 500,000 inhabitants do so, followed by towns of 50,000
to 100,000 inhabitants and those with 100,000 to 500,000 inhabitants, where more than
70% of their governments carry this out (79.5% and 75%, respectively). The lowest level
of coverage is found in city councils with 5,000 to 10,000 inhabitants, where it is done by
more than 50% of the governments.

8 SECURITY MEASURES

In order to correctly process personal data, it is necessary to take into consideration
specific security policies which ensure the privacy of these data. These policies must take
the form of a series of procedures and controls which form part of the requirements to
adapt to data protection regulations and which are included in the RDLOPD as security
measures. For this reason, they must appear in the security document for the public body.

Below is an analysis of the level of compliance with the security measures required by the
RDLOPD, encompassing controls for both management and technical matters.

8.1 Security measures with technical controls

8.1.1 Record of incidents


An incident is any anomaly which affects or may affect the completeness, confidentiality or
availability of personal data. According to art. 100 of the RDLOPD, the security officer
must keep a record of incidents in order to be able to monitor resolution of these.

Despite the stipulations contained in the regulations, in reality, this is done by 21.1% and
38.9% of city councils and provincial and island councils, respectively. By size stratum, it
is done by 61.5% of city councils in large municipalities, 33.4% in mid-sized municipalities
and 15.5% of small bodies.

8.1.2 Identification and authentication


In accordance with art. 93 of the RDLOPD, public bodies must establish criteria for
assigning workers the right to access information systems according to their duties. It is
important that the rights be reviewed periodically and updated in the case of resignations
or changes.

54.7% of city councils and 91.7% of provincial and island councils do this. By size stratum,
it is done by 98.4% of large municipalities, more than 81.6% of mid-sized municipalities
and 43.5% of smaller ones.

In any case, article 91 of the RDLOPD, referring to control of access, indicates that “the
party responsible for the file shall ensure that there is an up-to-date register of users and
user profiles, and the access authorized for each of these.” Overall, 36.2% of city councils
and 77.8% of provincial and island councils comply with the obligation to have a list or
register of users for their organization.

In addition, LPBs also have the obligation to establish a process for authenticating or
verifying the identity of the user. The use of passwords, smart cards or biometric controls
are resources available for this purpose, provided that they are managed properly. 1

Nonetheless, if LPBs have chosen an authentication method which uses passwords, they
must establish a policy which defines how these are assigned and communicated the first
time the user is granted access to the system, as well as periodic renewal of these. This
measure has been implemented by 68.1% of city councils overall and 83.3% of provincial
and island councils.

There is also another security measure, control of failed access attempts by users (art.
103 of the RDLOPD). This practice has been implemented by 46% of city councils and
72.2% of provincial and island councils. By size stratum, it is used to a varying degree by
public bodies, as around 80% of bodies with between 50,000 and 500,000 inhabitants do
so, compared with 66.7% of municipalities with more than 500,000 inhabitants.

In the event that passwords are saved, this must be done in such a way that they cannot
be read, in order to prevent unauthorized persons from gaining access to these by
fraudulent means. This action is taken by 72.5% of city councils and 83.3% of provincial
and island councils.
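As an added example (not code from the INTECO study), the following minimal password store implements the three password controls discussed in this subsection: passwords kept only in an unreadable (salted, slow-hashed) form, a cap on failed access attempts, and periodic renewal. The lockout threshold, password lifetime, user names and passwords are constructed for illustration, not values taken from the RDLOPD.

```python
"""Added example, not part of the INTECO study: a minimal password store that
implements the password controls discussed in 8.1.2, namely unreadable
storage of passwords, a cap on failed access attempts, and periodic renewal.
The threshold, lifetime, user names and passwords below are constructed for
illustration and are not values taken from the RDLOPD."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict

MAX_FAILED_ATTEMPTS = 5                 # assumed local policy value
PASSWORD_LIFETIME = timedelta(days=90)  # assumed renewal period
PBKDF2_ITERATIONS = 200_000

# Fixed reference instant so that the example (and its checks) are deterministic.
EPOCH = datetime(2008, 1, 15, 9, 0, tzinfo=timezone.utc)


def days_after(n: int) -> datetime:
    """Return the instant n days after EPOCH; stands in for 'now' in the example."""
    return EPOCH + timedelta(days=n)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    changed_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash: the only form in which a password is kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    def __init__(self) -> None:
        self._users: Dict[str, Credential] = {}

    def set_password(self, user: str, password: str, now: datetime) -> None:
        """Assign or renew a password; a fresh salt is drawn on every change."""
        salt = os.urandom(16)
        self._users[user] = Credential(salt, derive(password, salt), now)

    def authenticate(self, user: str, password: str, now: datetime) -> str:
        """Return 'ok', 'renewal_required', 'denied' or 'locked'."""
        cred = self._users.get(user)
        if cred is None:
            # Unknown user: still do the hash work so timing does not reveal
            # whether the account exists, then answer as for a wrong password.
            derive(password, b"\x00" * 16)
            return "denied"
        if cred.locked:
            return "locked"
        if not hmac.compare_digest(derive(password, cred.salt), cred.digest):
            cred.failed_attempts += 1
            if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
                cred.locked = True      # further attempts need an administrator
                return "locked"
            return "denied"
        cred.failed_attempts = 0
        if now - cred.changed_at > PASSWORD_LIFETIME:
            return "renewal_required"
        return "ok"

    def unlock(self, user: str) -> None:
        """Administrative reset of the failed-attempt counter."""
        cred = self._users[user]
        cred.failed_attempts = 0
        cred.locked = False

    def stored_material(self, user: str) -> bytes:
        """Everything kept for this user; lets one check that no cleartext is stored."""
        cred = self._users[user]
        return cred.salt + cred.digest


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("jperez", "Ayuntamiento-2008!", days_after(0))
    print(store.authenticate("jperez", "Ayuntamiento-2008!", days_after(1)))
    print(store.authenticate("jperez", "Ayuntamiento-2008!", days_after(120)))
```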

8.1.3 Control of access


The right to access, as indicated above, must be granted according to the resources
which system users require to carry out their duties. The security officer is obligated to
ensure this control (art. 91 of the RDLOPD).

An overall analysis shows that 70.4% of city councils and 91.7% of provincial and island
councils state that each user accesses the data necessary according to the position they
hold with the public body. With regard to the existence of controls, this is done by 64.4%
of city councils and 83.3% of provincial councils.

In addition, this right must be granted only by the person designated as the party
responsible for the file. It is normally the systems administrator or administrators who give
users permission to access the systems. Public bodies must establish an authorization
mechanism which gives the administrator sufficient assurance that access is to be
granted to the user who has requested it. This mechanism has been established by 78% of
city councils and 94.4% of provincial and island councils.

1 INTECO. Recommendations for creating and using secure passwords. Available at
http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Notas_y_Articulos/recomendaciones_creacion_uso_contrasenas

Lastly, when establishing access controls, it is important for physical access to the
location of information systems at the public bodies to be controlled, preventing
unauthorized persons from gaining access and being able to engage in any fraudulent
tampering.

Overall, this is done by 55.6% of city councils and 69.4% of provincial and island councils.

8.1.4 Record of accesses


Among the measures required for files classified as high level is a record of accesses,
which involves an exhaustive control of each one, in accordance with the stipulations of
art. 103 of the RDLOPD, capturing the following information for each access attempt:

• User identification.

• Date and time of the attempt.

• File accessed.

• Type of access: query, change, deletion, etc.

• If the access was authorized or denied.

• Specific record accessed: in the event the access was authorized.

Overall, 47.7% of city councils and 36.1% of provincial and island councils keep a record
of accesses.

Other elements which public bodies must take into consideration regarding access
records are:

• The length of time this information must be kept, never more than two years, and
control of the register in the form of a monthly report (art. 103.4 of the RDLOPD).
Overall, the level of compliance is 62.1% among city councils and 47.2% among
provincial and island councils.

• Preparing a monthly report of changes made and problems detected by the
security officer (art. 103.5 of the RDLOPD). Overall, this requirement is met by
26.6% of city councils and 13.9% of provincial and island councils.
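As an added example (not code from the INTECO study), the following access log captures the six fields listed above for each access attempt and produces the monthly summary the security officer reviews. The file names, user names, record identifiers and timestamps are constructed sample data.

```python
"""Added example, not part of the INTECO study: an access record holding the
six fields listed in 8.1.4 for art. 103 of the RDLOPD, and the monthly
summary a security officer would review. File names, user names, record
identifiers and timestamps are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

ACCESS_TYPES = ("query", "change", "deletion")


def ts(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Build a UTC timestamp; keeps the sample data readable."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AccessEntry:
    user: str                  # user identification
    timestamp: datetime        # date and time of the attempt
    file: str                  # file accessed
    access_type: str           # query, change, deletion
    authorized: bool           # whether access was authorized or denied
    record_id: Optional[str]   # specific record accessed, only when authorized


class AccessLog:
    def __init__(self) -> None:
        self._entries: List[AccessEntry] = []

    def record(self, user: str, timestamp: datetime, file: str, access_type: str,
               authorized: bool, record_id: Optional[str] = None) -> AccessEntry:
        """Append one entry, refusing incomplete or inconsistent records."""
        if access_type not in ACCESS_TYPES:
            raise ValueError(f"unknown access type: {access_type!r}")
        if authorized and record_id is None:
            raise ValueError("an authorized access must name the record accessed")
        if not authorized and record_id is not None:
            raise ValueError("a denied attempt reached no record")
        entry = AccessEntry(user, timestamp, file, access_type, authorized, record_id)
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AccessEntry]:
        return list(self._entries)

    def monthly_report(self, year: int, month: int) -> Dict[str, object]:
        """Summarise one calendar month for the security officer's review."""
        month_entries = [e for e in self._entries
                         if e.timestamp.year == year and e.timestamp.month == month]
        denied = [e for e in month_entries if not e.authorized]
        return {
            "period": f"{year:04d}-{month:02d}",
            "total": len(month_entries),
            "denied": len(denied),
            "by_type": dict(Counter(e.access_type for e in month_entries)),
            # Repeated denials by one user are the usual first sign of a problem.
            "denied_by_user": dict(Counter(e.user for e in denied)),
            # Deletions are listed individually because the log is the only trace left.
            "deletions": [(e.user, e.file, e.record_id)
                          for e in month_entries if e.authorized and e.access_type == "deletion"],
        }


def sample_log() -> AccessLog:
    """Constructed activity for January and February 2008 (not real data)."""
    log = AccessLog()
    log.record("jperez", ts(2008, 1, 10, 9, 15), "social_services", "query", True, "SS-0421")
    log.record("jperez", ts(2008, 1, 10, 9, 20), "social_services", "change", True, "SS-0421")
    log.record("mgarcia", ts(2008, 1, 11, 17, 2), "social_services", "query", False)
    log.record("mgarcia", ts(2008, 1, 11, 17, 3), "social_services", "query", False)
    log.record("admin", ts(2008, 1, 20, 8, 0), "vehicle_register", "deletion", True, "VR-1188")
    log.record("jperez", ts(2008, 2, 2, 10, 0), "social_services", "query", True, "SS-0500")
    return log


if __name__ == "__main__":
    for key, value in sample_log().monthly_report(2008, 1).items():
        print(f"{key}: {value}")
```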

8.1.5 Telecommunications
Art. 104 of the RDLOPD requires that controls be implemented for personal data classified
as high level which ensure the confidentiality and security of transmissions over public or
wireless electronic communications networks. To do so, the most common mechanism
used is data encryption, as this guarantees that the information will not be readable or
tampered with by third parties.

Overall, this encryption is done by 46.8% and 58.3% of city councils and provincial and
island councils, respectively.

8.2 Security measures with management controls

8.2.1 Media and document management


The security officer has the obligation to effectively manage the media at the public body,
as stipulated in art. 92 of the RDLOPD. To this end, a series of measures has been
established, which are designed to:

• Identify the type of information contained in media and documents which hold
personal data (art. 92.1 RDLOPD), as well as having them inventoried and
accessible to the personnel authorized to do so in the security document. The
exception to this measure is when the physical characteristics of the medium make
this impossible to do, and a record of the reason for this must be made in the
security document. The degree to which these requirements have been
implemented is uneven:

o 58.3% of city councils overall and 72.2% of provincial and island councils
have identified this information.

o The inventory is done by 22.6% of city councils and 44.4% of provincial
and island councils.

o Lastly, the accessibility of the media and documents, which is related to
restricted access to the location where these are stored, is controlled by
64.8% of city councils and 69.4% of provincial and island councils.

• Authorization by the party responsible for the file, or authorization by means of the
security document, for removal of media and documents which contain personal
data, including those contained in or attached to an e-mail, whenever they leave
premises under the control of the party responsible for the file or processing (art. 92.2
RDLOPD). Supplementing this provision, art. 92.3 of the RDLOPD stipulates that
when documentation is to be transferred, measures must be taken to prevent theft,
loss or wrongful access to the information during transport.

Overall, 18.4% of city councils and 30.6% of provincial and island councils control
the removal or addition of media. Authorization by the security officer is carried out
by 56% of city councils and 52.8% of provincial and island councils.

By size stratum, there is a disparity in the fulfillment of these obligations. While the
percentage for city councils in large municipalities is greater than 44% for control
and 70% for authorization, in the case of mid-sized and small organizations, the
percentage of those complying is approximately the same as the overall value.

• Analysis of the medium or document which contains personal data before
disposing of it, in order to prevent access to the information contained therein or
later recovery of this data (art. 92.4 of the RDLOPD). This measure addresses the
risks which public bodies may run when disposing of devices without having
ensured that all information has been deleted. 2

When public bodies were asked about this, overall the response was that 39.6% of
city councils and 36.1% of provincial and island councils take measures to prevent
unlawful recovery of the information.

• Identification, management and distribution of media and processing on portable
devices (art. 101 of the RDLOPD). Regarding the latter, regulations stipulate that
the use of devices which do not permit encryption must be avoided, and in the
event that it is strictly necessary, a record of this is to be made in the security
document, indicating the reasons, and measures are to be taken which account for
the risks of processing in unprotected environments.

Overall, public bodies have fulfilled these obligations to a similar extent, as 37.3%
of city councils and 36.1% of provincial and island councils state that they encrypt
the data contained on media which is taken outside the premises of the public
body.

8.2.2 Back-up copies and recovery


This is essential to ensure the continuity of the activities at LPBs. For this reason, the
availability of the data which is processed must be ensured. Security or back-up copies
achieve this aim, and are used to recover the original data in the event of loss or improper
changes being made. Regulations stipulate a series of measures which must be taken:

• Making back-up copies at least once a week, unless no data has been updated
during this period (art. 94.1 of the RDLOPD). Overall, this action is taken by 55.2%
of city councils and more than 90% of provincial and island councils, 94.4%, to be
precise.

2 INTECO. Secure reuse and replacement of storage devices. Available at
http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Notas_y_Articulos/Reutilizacion_y_sustitucion_segura_de_dispositi_11

• Establishing procedures for data recovery which ensure reconstruction of their
condition at the time of loss or destruction at all times (art. 94.2 of the RDLOPD).
Except when this affects partially automated files or processing and provided that
the existence of documentation makes recovery possible, the data must be
entered manually, making a record of this fact and the reasons for it in the security
document. Among LPBs, 52.8% of city councils and 88.9% of provincial and island
councils ensure reconstruction of the data.

• Verification every six months by the party responsible for the file that procedures
for making back-up copies and data recovery have been defined and are operating
and used correctly (art. 94.3 of the RDLOPD). This measure is carried out by the
majority of municipalities, regardless of size, except in the case of city councils
with 5,000 to 10,000 inhabitants, where the percentage of public bodies is
approximately the same as that for provincial and island councils (68%).

Nonetheless, this measure also requires that the party responsible for the file:

o Gives written authorization for data recovery. Among LPBs, this action has
not been sufficiently implemented, as the highest level of coverage is 44%,
for municipalities with 100,000 to 500,000 inhabitants. For the remaining
strata, the figure is under 33.3%, including provincial and island councils,
which have 25% coverage.

o Keeps a record of all recoveries made. This must contain the following
information: date and time, person carrying out the recovery and the data
recovered manually (because they are not included in the back-up copy).
The level of implementation is greater for the register: 100% of
municipalities with more than 500,000 inhabitants and 51% for those with
more than 50,000 inhabitants. For the remaining strata, the bodies which
comply with the stipulations contained in the regulations stand at around
25%, except in the case of municipalities of between 10,000 and 50,000
inhabitants (35.7%).

• Keeping a back-up copy of data and recovery procedures for these data in a
location which is different from that where the computer equipment which
processes them is located, for high level personal data (art. 102 of the RDLOPD).
This obligation is fulfilled by 64.5% of city councils and 66.7% of provincial and
island councils. Nonetheless, in terms of size of municipality, compliance is higher
than this for those with more than 10,000 inhabitants.

8.2.3 Tests using real data


Art. 94.4 of the RDLOPD stipulates that tests conducted prior to implementing or
modifying information systems which process files containing personal data not be carried
out using real data, except when:

• The security level corresponding to the processing carried out is ensured.

• A note of the tests is made in the security document.

• A security copy is made.

The response of the organizations participating in the study indicates that, overall, 60% of
city councils and 58.3% of provincial and island councils state that tests are not conducted
using real data, compared with 25% and 27.8%, respectively, which do use real data.

In any event, regulations recommend the use of fictitious data so as not to have to use
additional security controls, and that the same security measures which would be applied
if the data were real are utilized. This precaution is taken into account by 52.2% of city
councils and 52.8% of provincial and island councils.

8.2.4 Audits
The information systems and data processing and storage facilities which handle data
with a medium security level must be subject to an internal or external audit which verifies
compliance with security measures at least every two years, as stipulated by art. 96 of the
RDLOPD.

Overall, these audits are carried out by 10.9% of city councils and 19.4% of provincial and
island councils.

Nonetheless, a special audit must be done whenever substantial changes are made to the
information system which may have an effect on compliance with the measures
implemented with the aim of verifying the adaptation, suitability and efficiency of these.

After the audit process, a report must be prepared which meets the following aims:

• Determine how far the measures and controls adapt to the law and its
implementing regulations.

• Identify possible shortcomings of the information systems and facilities.

• Suggest necessary corrective or supplementary measures.

• Include the data, facts and remarks on which the stated opinions and proposed
recommendations are based.

This report is prepared by 13.9% of city councils and 33.3% of provincial and island
councils. By stratum size, this is carried out by 50.8% of city councils in large
municipalities, 27.9% of mid-sized municipalities and 7.7% of smaller ones.

Lastly, regulations stipulate that audit reports must be analyzed by the authorized security
officer, who will forward the conclusions to the party responsible for the file or processing
so that suitable corrective measures may be taken and they will be made available to the
Spanish Data Protection Agency or, if appropriate, the control authorities for the
autonomous communities.

Overall, 21.6% of city councils and 19.4% of provincial and island councils carry this out;
although at the stratum level, it is done by 39% of city councils in large municipalities and
20.5% of mid-sized municipalities.

9 SUPERVISION, INSPECTIONS, COMPLAINTS AND PENALTIES RESULTING FROM FAILURE TO
COMPLY WITH DATA PROTECTION REGULATIONS

Data protection agencies at both the national and autonomous community level have
been granted the legal authority to impose penalties.

In accordance with the stipulations of article 48.1 of the LOPD, penalty procedures are
regulated by Royal Decree 1332/1994, of 20 June, which details the course to be followed
to determine the offense and the penalties to be imposed.

In the case of public administrations, according to art. 43.2 of the LOPD, art. 46, which
establishes the offenses of these bodies, shall govern the procedure and penalties.

This section analyzes the number of LPBs which have been affected by an AEPD
inspection, the level of knowledge regarding the penalties to which public organizations
may be subject as a result of failure to comply with data protection regulations, and
whether they have been assessed any penalty.

9.1 Inspections

Overall, 89.2% of city councils and 80.6% of provincial and island councils state that they
have not received any inspection by the Data Protection Agency. However, all city
councils with more than 500,000 inhabitants participating in the study have received an
inspection. This can be explained by the significant volume of data and files they manage.
Of special note are city councils with between 5,000 and 10,000 inhabitants, which state
that they have received no inspection.

9.2 Complaints and penalties

The public bodies taking part in the present study were asked whether they know about
the penalties which may be imposed by the Spanish Data Protection Agency and whether
they have been assessed a penalty.

32.1% of city councils and 69.4% of provincial and island councils state that they have
knowledge of this. By stratum size, this knowledge is held by 80.8% of city councils in
large municipalities, 50.3% of mid-sized municipalities and 24.1% of smaller ones.

With regard to the second question, whether they have been assessed a penalty, overall,
2.9% of city councils state that they have been assessed one, in contrast with 95.7%
which have not. In the case of provincial and island councils, 91.7% of these have not
received a penalty and the rest state that they do not know.


The amount of the penalties ranges from €600 to €60,000 for minor offenses, from
€60,101.21 to €180,101.21 for serious ones, and from €300,506.05 to €602,214.12 for the
most serious. Regulations indicate the following cases for each of the penalties:

• Minor offenses: ignoring a request from an interested party to cancel their personal
data, not registering the personal data file with the National Data Protection
Register, or not fulfilling the duty to inform interested parties when gathering
personal data, as stipulated by art. 5 of the LOPD.

• Serious offenses: creating publically owned files or beginning to gather personal
data without general authorization published in the Official State Gazette or
corresponding official bulletin.

• Very serious offenses: communicating or transferring data under conditions other
than those permitted, or gathering and processing data without the consent of the
affected party, as stipulated in art. 45 of the RDLOPD.

Overall, around 38% of the public bodies state that they have been assessed one of the
penalties established by the regulations; specifically, 38.6% have received minor
penalties, 38.1% of LPBs have received serious or very serious penalties. In the case of
provincial and island councils, the percentage of public bodies for all the penalties is the
same (38.9%).

Lastly, with regard to the public bodies’ knowledge of penalties, it should be noted that this
is progressive depending on the size of the body. Thus, it is possible to see that the
penalties most commonly found among city councils in large municipalities are serious
ones (52.4%), followed by minor (50.7%), and lastly, very serious ones (49.3%). Among
city councils in mid-sized municipalities, the penalties most often imposed are very serious
(45.8%), followed by minor penalties (45.2%), and lastly, serious ones, as stated by 45%
of the municipalities.


10 THE OPINION OF EXPERTS REGARDING THE DEGREE OF ADAPTATION TO AND
IMPLEMENTATION OF REGULATIONS

This chapter contains the opinion of experts on the subject, with the aim of establishing a
framework for analysis which offers new perspectives and points to new trends for action
with regard to the degree of adaptation to and implementation of data protection
regulations by LPBs.

The experts were selected to provide a range of representation and professional profiles
which would make it possible to ensure a comprehensive approach and cover different
points of view:

• Management and/or technical experience in the area of public bodies.

• Specialized in data protection.

• Responsibility for planning and managing information and communications
systems.

• Representative of the different levels of local public bodies, whether city, provincial
or island councils.

As a result, the group of experts was made up of persons responsible for the areas
described at 24 local public bodies which represent city councils of different sizes and
geographical locations, as well as provincial and island councils. The collaboration of the
Spanish Data Protection Agency and the three autonomous community agencies which
currently exist: Community of Madrid, Catalonia and the Basque Country, was also
requested, as well as the collaboration of independent professionals.

The present section was prepared using the information gathered on these qualified
opinions. It contains a detailed analysis of:

• The definition of maturity levels for implementation of security measures as a tool
for selecting priorities at the initial phase of adapting to the law. Therefore, three
maturity levels have been defined for the security measures described in the
regulations, with the aim of helping public bodies beginning their adaptation or
adjustment to the regulations, enabling them to select the priority actions.

• The set of good practices which help public bodies initiate or improve their
adaptation to the law, identifying both organizational and technical good practices
in order to achieve a suitable and effective implementation of the required security
measures.

• Examples of success cases in applying good practices. Four experiences
have been selected which stand out in some area related to the LOPD, whether it
be the successful implementation of a security measure or the assistance they
may currently be giving other public bodies.

10.1 Maturity levels

The definition of maturity levels for implementation provided by the experts is intended to
resolve the problem of setting priorities at the initial phase of adapting to the law. As a
result, each level undertakes certain security measures in the regulations which must be
completed in phases.

The progressive implementation of these levels will result in full compliance with the
requirements defined in the regulations, as well as optimizing the controls implemented.
The maturity levels, which are cumulative, may be classified as follows:

• Incomplete level of compliance (level 1): encompasses basic security measures,
although it does not include all those necessary in accordance with the legislation.

• Legal level of compliance (level 2): encompasses all security measures to achieve
implementation of the requirements contained in the RDLOPD.

• Advanced level of compliance (level 3): encompasses management and ongoing
improvement of all the measures defined in the RDLOPD and good management
practices.

The measures identified are predominantly assigned to maturity level 2, as was to be
expected given what compliance involves. Of special note among these measures are the
security document, mentioned by 62.5% of the experts, telecommunications (60.9%) and
the record of accesses (58.3%). Nonetheless, despite this prioritization, the urgent
measures to be developed at level 1 must not be lost sight of, for example:
communicating duties and obligations to personnel (37.5%), carrying out audits (34.8%) or
management of media and the incident register (both 33.3%).

At level 3, identification and authentication (29.2%), back-up copies (27.3%) and access
control (25%) are indicated as priorities.

In order to take a more in-depth look at the assessments made, below is the classification
made by the experts consulted regarding the specific measures contained in the RDLOPD
according to the three maturity levels defined.


10.1.1 Maturity level 1

At this first maturity level, especially noteworthy – mentioned by 70.8% – is preparing the
monthly report of incidents corresponding to the access register security measure. This is
considered a priority measure by the experts when beginning the process of implementing
data protection regulations, despite the fact that this is a high level security measure.

In second place – mentioned by 52.4% – is delegation of coordination and management
duties by the party responsible for the file to one or several security officers, without under
any circumstances delegating the former’s ultimate responsibility for compliance with the
law.

Additionally, in third place, 52.2% mentioned encryption on distributed media. This activity
is related to encryption of information on media which contain personal data when they
are distributed outside the locations which are under the control of the party responsible
for the file or processing. Complementing the previous measure, mentioned by 50%, is the
activity in which the party responsible for the file, or the person to whom this has been
delegated, must authorize the removal of all media from the public body’s facilities.

The other measures selected – mentioned by fewer than 46% – refer to the duties of the
security officer as coordinator of the security measures implemented, as the person
responsible for disseminating information about the regulations to be complied with by the
employees of the public body, authorization for requested data recovery, and analyzing
the recommendations which must be contained in the audit report.

Lastly, the experts identified specific measures relating to the security document, such as
defining the duties and obligations of personnel, identifying the security officer and
keeping records of access for two years.

10.1.2 Maturity level 2

The main measure assigned the second maturity level is defining the scope of application
for the security document, mentioned by 62.5%. This is the security document security
measure. It is important to give general details in the document of the information systems
which support or are involved in processing personal data.

Also included, mentioned by 58.3%, is the record of accesses, referring to user accesses.
This register must include the user’s identifier, time, file accessed, type of access (query,
deletion, change, addition), specific record accessed, and encryption of personal data
when these are sent over communications networks. This activity is the
telecommunications security measure.
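As an added illustration (not code from the study or from any of the bodies it surveys), the following Python sketch models an access register holding the fields listed above (user identifier, time, file accessed, type of access, record accessed) together with the two duties the experts attach to it at level 1: keeping entries for two years and reviewing the register monthly. The field names, the `granted` flag, the 365-day retention arithmetic and the sample entries are assumptions made for the example.

```python
# Added example, not part of the INTECO study or the RDLOPD text: a minimal
# access register with the fields the text lists, plus the two-year
# retention and the monthly review the study mentions. Field names, the
# "granted" flag and the sample entries are this example's assumptions.
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Access types named in the text: query, deletion, change, addition.
ACCESS_TYPES = {"query", "deletion", "change", "addition"}
RETENTION_YEARS = 2  # "keeping records of access for two years"
REFERENCE_DATE = datetime(2008, 6, 15)  # constructed "today" for the demo


@dataclass(frozen=True)
class AccessEntry:
    user_id: str         # identifier of the user who accessed the file
    timestamp: datetime  # time of the access
    file_name: str       # file containing personal data that was accessed
    access_type: str     # one of ACCESS_TYPES
    record_id: str       # specific record accessed
    granted: bool        # assumed field: whether the access was allowed


def validate_entry(entry: AccessEntry) -> list[str]:
    """Return the fields that are missing or invalid (empty list if complete)."""
    problems = []
    if not entry.user_id:
        problems.append("missing user identifier")
    if entry.access_type not in ACCESS_TYPES:
        problems.append(f"unknown access type {entry.access_type!r}")
    if not entry.file_name:
        problems.append("missing file name")
    if not entry.record_id:
        problems.append("missing record identifier")
    return problems


def purge_expired(register: list[AccessEntry], now: datetime) -> list[AccessEntry]:
    """Drop entries older than the retention period (assumed 365-day years)."""
    cutoff = now - timedelta(days=365 * RETENTION_YEARS)
    return [e for e in register if e.timestamp >= cutoff]


def monthly_report(register: list[AccessEntry], year: int, month: int) -> dict:
    """Summarise one month of the register for the security officer's review:
    totals per access type and the denied attempts that need follow-up."""
    month_entries = [e for e in register
                     if e.timestamp.year == year and e.timestamp.month == month]
    denied = [e for e in month_entries if not e.granted]
    return {
        "total": len(month_entries),
        "by_type": dict(Counter(e.access_type for e in month_entries)),
        "denied": len(denied),
        "denied_users": sorted({e.user_id for e in denied}),
    }


# Constructed sample register (fictitious users, files and records).
SAMPLE_REGISTER = [
    AccessEntry("u.garcia", datetime(2008, 5, 3, 9, 12), "padron.dat", "query", "R-1001", True),
    AccessEntry("u.garcia", datetime(2008, 5, 3, 9, 15), "padron.dat", "change", "R-1001", True),
    AccessEntry("u.lopez", datetime(2008, 5, 10, 17, 40), "nominas.dat", "query", "R-2040", False),
    AccessEntry("u.lopez", datetime(2008, 5, 10, 17, 41), "nominas.dat", "query", "R-2041", False),
    AccessEntry("u.ruiz", datetime(2008, 4, 20, 12, 0), "padron.dat", "addition", "R-1002", True),
    AccessEntry("u.perez", datetime(2006, 4, 1, 8, 0), "padron.dat", "deletion", "R-0007", True),
]

if __name__ == "__main__":
    kept = purge_expired(SAMPLE_REGISTER, REFERENCE_DATE)
    print(f"{len(SAMPLE_REGISTER) - len(kept)} entry(ies) past the retention period")
    print(monthly_report(kept, 2008, 5))
```

The report deliberately separates denied attempts from granted ones: a run of denied queries by one user against a payroll file is exactly the kind of finding the monthly review exists to surface, and the register is useless for that purpose if denied accesses are not written to it.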


In fourth place – mentioned by 56.5% – is the requirement that the audit report contain not
only the deviations found, but also recommendations for improvement. This is the audit
security measure.

The following measures, mentioned by 54.2%, relate to: a) the record of accesses, b) the
obligation of the party responsible for the file to establish a procedure detailing how user
identification and authentication will be carried out, and c) control of physical access,
under which only authorized personnel may have access to rooms in which information
systems are located; this activity corresponds to the control of physical access security
measure.

At the next level are tests using real data corresponding to the back-up copy and recovery
security measure and identification of the security officer, both mentioned by 52.2%.

10.1.3 Maturity level 3

This third maturity level encompasses the measures which can easily be automated or
which are for ongoing improvements following legal compliance. These are necessary if
the aim is to achieve efficient compliance in the long term.

The security measure with the highest percentage of mentions, 47.8%, refers to back-up
copies and recovery. The activities included in this group are: a) the obligation to store
these in a location other than the processing location in order to ensure continuity of
service in the event that a serious incident should occur at the original location, b) the
making of a weekly security copy so that, in the event of a loss of data, this will only result
in the temporary loss of a week’s work.

As part of the previous measure, mentioned by 43.5%, respondents identified the need to
ensure that recovery of the information provides data in the same condition as they had
been prior to the incident. It is necessary to carry out data recovery tests in order to
ensure that this requirement is met.

In fourth place – mentioned by 41.7% – is the requirement that users’ access passwords
must be stored in such a way that they cannot be read by someone who may gain access
to them. This corresponds to the identification and authentication security measure.
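An added example, not from the study: the weak way of storing passwords beside the hardened form that satisfies the requirement above. `weak_store` keeps an unsalted digest, so anyone who obtains the store can match it against precomputed tables and see which users share a password; `hash_password` uses a random salt and a slow key derivation (PBKDF2-HMAC-SHA256), so the stored value reveals neither the password nor such matches. The iteration count and the storage format are assumptions of the example.

```python
# Added example, not from the INTECO study: storing a user's password so
# that someone who obtains the store cannot read it. The weak form is kept
# only to show what the hardened form prevents. Iteration count and record
# format are this example's assumptions.
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def weak_store(password: str) -> str:
    """Unsalted SHA-256: equal passwords give equal digests, so a leaked
    store can be matched against precomputed tables user by user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Derive a salted, iterated hash and pack algorithm, parameters, salt
    and digest into one record: algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGORITHM:
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def same_password_detectable(store_fn, password: str) -> bool:
    """True if two users with the same password end up with identical
    stored values, i.e. the store itself reveals who shares a password."""
    return store_fn(password) == store_fn(password)


if __name__ == "__main__":
    record = hash_password("ejemplo-2008")  # constructed sample password
    print("stored record:", record)
    print("correct password verifies:", verify_password(record, "ejemplo-2008"))
    print("weak store leaks shared passwords:", same_password_detectable(weak_store, "x"))
    print("salted store leaks shared passwords:", same_password_detectable(hash_password, "x"))
```

Keeping the iteration count inside the record is what lets an administration raise the work factor later: old records still verify with their own parameters and can be re-hashed the next time each user logs in.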

With mention by 37.5%, there is also automation of the media inventory, which will allow
us to update and manage it in a simple and agile fashion.

The remaining activities selected – mentioned by fewer than 34% – refer to: a)
establishing and documenting a password management procedure, b) establishing a
procedure for assigning and managing passwords, including the frequency with which
these are changed, c) access permission granted to users by authorized personnel only,
and d) restricting access to the location where physical media are stored, as, due to their
size, these are easy to hide and may contain large amounts of information. These
correspond to the access control security measure.

10.2 Best practices

The present study, in addition to offering an analysis of the situation at local public bodies
in terms of adapting to the requirements of personal data protection regulations, provides
added value by proposing a set of good practices which aim to assist the public bodies in
initiating and improving their adaptation to the law.

The experts consider it of great interest and important that adaptation to and
implementation of the LOPD and RDLOPD operate in relation with the following activities,
identified by order of priority:

10.2.1 From an organizational point of view

• Presenting training and awareness sessions for civil servants, non-civil service
staff and associates on the security measures which affect them.

• Informing citizens and companies about the processing of their data when they
access a public service online.

• Promoting awareness among citizens and companies of their fundamental right to
personal data protection.

• Individual distribution of the security document to civil servants, non-civil service
staff and associates, with acknowledgement of receipt and that the document has
been read and understood.

10.2.2 From a technical point of view

• Facilitating the exercise of the rights of interested parties regarding their data
through various telecommunications and information processing channels
(telephone, fax, website, e-mail) and in person, preventing digital exclusion, and
training civil servants, non-civil service staff and associates to identify and handle
requests efficiently.

• Hiring an outside service to carry out an internal audit, thus ensuring
independence and objectivity.

• Automating the incident management process, regardless of origin, in order to
facilitate resolution.

• Automating the process for implementing the measures of the RDLOPD with a
management tool which makes it possible to monitor the process and generate the
required documentation.


• Combining more than one identification and authentication method for controlling
access to personal data files.

• Hiring an outside service for the safekeeping and secure destruction of media
(automated or paper) which contain personal data.

Analysis of the best practices has shown that implementation of those related to
organizational activities, and therefore training, is valued most highly by the experts. Thus,
implementing these practices will provide a foundation for carrying out an effective
implementation of the remaining measures and as a result comply with the requirements
stipulated by the law.

10.3 Examples of success cases for applying good practices

Having analyzed the set of good practices which serve as a work tool for local bodies to
begin or improve their adaptation to the law, below is a description of three examples of
successful experiences with applying these practices.

These experiences are related to the specific activities or measures governed by personal
data protection regulations and carried out by bodies which serve as an example of
adaptation and compliance due to their level of awareness and practical approach.

The information included below concentrates on the specific activity for which the public
body has been chosen as a noteworthy case study. Additionally, it has been produced
based on the information provided by the persons responsible for personal data protection
in the case of city councils and area managers in the case of agencies.

10.3.1 Data protection structure, management model and specific actions: Santa
Cruz de Tenerife city council

In 2005, the Santa Cruz de Tenerife city council began the process of adapting to the
LOPD.[3] There were two priorities in implementing measures to adapt the municipal
administrative structure:

• Writing and approval of the security document.

• Completing a catalogue of municipal files containing personal data to later be
reported to the Spanish Data Protection Agency public register.

Management model

[3] Further information available at http://www.sctfe.es/

The city council opted for a centralized management model. As a result, any activity
connected with the subject of data protection is channeled through the Security and Data
Protection Office, the management body. Likewise, all top-level decisions are made by
this office.

Monitoring, maintenance and updating of the security measures implemented at the city
council are managed by this office, which acts independently. As a result, the level of
supervision is technical in nature, with political matters being excluded from this area.

Specific actions regarding personal data protection

One of the core elements of the effectiveness of the security measures implemented lies
in the dissemination of information and training provided by the aforementioned office.
Therefore, as indicated by the Security and Data Protection Manager for the city council:
“Training is key, because it is the civil servants who are the real users engaged in
processing the data.”

Every year, the Municipal Training Plan includes a data protection course. The information
dissemination activities carried out include publication of a leaflet: “Protect Your Data,” as
well as information available on the city council’s website and the organization’s intranet.

Additionally, between January 2007 and 2008, several citizen information conferences
were held, with talks by various speakers specializing in the subject of personal data
protection.

With regard to the new Implementing Regulation for the LOPD, a new version of the
security document was approved on 18 April. This text adapts to the new instructions
contained in the regulations. In an ordinary session on 16 May 2008, the Municipal
Plenary Session passed the Regulations for Approval of Personal Data Files with the
appropriate changes to adapt to the new regulations.

The Security and Data Protection Office has published several procedural changes and
various sets of instructions in order to bring the organization into line with the RDLOPD.
Examples include the confidentiality clause for users and contractors, new standardized
request forms, etc. In addition, as a result of its management model, the office works with
other city council offices and departments on issuing legal opinions and consulting on
protection and security matters.


10.3.2 Audits: Audit and Information Security Coordination Area of the Catalan
Data Protection Agency

In terms of its field of action, the Catalan Data Protection Agency[4] has authority over
registers, control, inspection, penalties and resolution, as well as adopting proposals and
instructions.

As a success case, audits are carried out by the Audit and Information Security
Coordination Area, which provides technological support to management and the
agency’s different areas, projects and initiatives, focusing especially on activities
connected to inspection duties, as they require direct specialized support for auditing ICT
information and security systems.

The Catalan Data Protection Agency’s Audit and Ex-officio Control Plans are developed in
the exercise of the supervisory duty and powers over applying data protection legislation
which are assigned to the agency by Law 5/2002, of 19 April, on the Catalan Data
Protection Agency, by which it was created.

Its actions are predominantly preventative in nature. Its aim is to review the status of
compliance and recommend the actions necessary to adapt to the LOPD, according to the
personal data processing carried out by the body audited.

The auditing work began as a response to the need to provide greater support to public
bodies under the agency’s control, and especially with the intent of anticipating possible
incidents resulting from failure to comply with regulations.

New initiatives

At the present time, the agency has committed to focusing on effective and efficient
prevention. To this end, it is designing two future actions:

• Implementation of Privacy Impact Assessments: This is a method which consists
of assessing the type of impact which a body’s new projects will have on the
privacy of citizens, in order to minimize this as much as possible.

• Seeking the best organizational models at the bodies which are capable of
responding to the problem of managing personal data. The aim of this action is to
promote the position of manager or head of data protection at each organization, a
position known in the English-speaking world as “data protection officer.”

[4] Further information available at www.apdcat.net

10.3.3 Consulting: File Register and Consulting Sub-department of the
Community of Madrid Data Protection Agency

The purpose of the Community of Madrid Data Protection Agency (APDCM in its Spanish
acronym)[5] is to guarantee and protect the basic rights of individuals with regard to their
family and personal honor and privacy, in connection with the processing of their personal
data.

Its powers cover publically held files created or managed by the Autonomous Community
of Madrid, the bodies that make up the local administration in its geographical area, public
universities and corporations of public law representing the economic and professional
interests of the autonomous community.

As a success case, the agency performs consulting duties, which are carried out by the
File Register and Consulting Sub-department. This department is responsible for the
register of personal data files held by the Community of Madrid, as well as carrying out
consulting duties and consulting for the parties responsible for the files.

The root of this consulting work lies in the statutes of the APDCM itself, but is based on
the belief that this work is essential for achieving its aims. For this reason, the APDCM
has contacted the 179 municipalities, communities and autonomous bodies in the
Community of Madrid to offer its assistance.

The initial aim of the consulting work was to ensure that 100% of the municipalities had
registered their files. It is not only the number of files registered which is important, but
also the quality of the register, that is, that all are registered properly.

The consulting work provides assistance on all areas of the LOPD and RDLOPD, both
organizational and legal measures, and even the procedure for security measures of a
more technical nature.

The entire regulation is not reviewed at each public body, but emphasis is placed on the
part of each one which is determined to be the weakest or most in need. A complete
review can be carried out through the Inspection Department, which can always act ex-
officio and request that any body carry out a complete review of its situation.

An important concern of APDCM consultants is the security document. This is not only
because it is a regulatory benchmark for all the body’s employees, but also because it is
the document which describes the current status of the body with regard to the LOPD. In
this way, continuity of policies and procedures is guaranteed in the event of, for example,
a change of government in the city council. The incoming management team can continue
with the work based on an accurate and up-to-date security document.

[5] Further information available at www.madrid.org/apdcm

With regard to more technical security measures, in order to guarantee the APDCM’s total
independence, consultants cannot recommend any specific type of commercial
technology, tool or application. For the same reason, no recommendation is made
regarding an outside company which can provide consulting services for adaptation to the
LOPD.

The APDCM makes two tools to facilitate adaptation to the LOPD available to local public
bodies:

• DEPD: Application for exercising data protection rights using telecommunications
and information technology. It has been implemented in the regional administration
of the Community of Madrid.

• CUMPLE: Support System for Persons Responsible for Publically Held Files for
compliance with their data protection obligations.

10.3.4 Data protection structure, management model and specific actions: the
Municipal Institute of Computing of the Barcelona city council

The Municipal Institute of Computing (hereinafter IMI, its Catalan acronym) of the
Barcelona city council[6] is a local autonomous organization whose aim is to effectively
manage all aspects of the internal computing of the Barcelona city council and other
public bodies serving citizens, such as the local police and fire department. It serves more
than 6,500 users, civil servants and employees of public services in more than 300
buildings.

In terms of adapting to the LOPD, the top priority was creating the Technical Committee
for Personal Data Protection Security of the Barcelona city council,[7] known as the CSPD,
with the following duties:

• Establish general guidelines for personal data protection throughout the municipal
organization.

• Establish criteria for applying personal data protection regulations.

• Authorize the publication of good practices, internal procedures and other
documents of interest regarding personal data protection on the municipal intranet.

[6] Further information available at http://www.bcn.es/
[7] Commission created by the Mayoral Decree 21/7/2006.

• Authorize municipal training plans on personal data protection.

The daily management of all matters related to the LOPD is carried out by the IMI.
However, incident management is reviewed on a weekly basis by the Sub-department of
Basic Information and by the IMI’s technology security officer.

There are three types of general control and review:

• Biennial audits required by regulations.

• Internal year-on-year audits carried out by the Sub-department of Basic
Information.

• Ongoing internal control to supervise and monitor compliance with the LOPD.

The IMI has partial management tools developed in house. The next step will be to
interconnect with the corresponding applications and workflows.[8]

In the medium term, the IMI plans to evaluate implementation of:

• Management tool and medium for the security document.

• Improved management tools for ARCO rights.

• Tool for support and monitoring audits which includes supervision of
implementation of the corresponding corrective actions.

Training at the city council is carried out by sector, according to worker profile and
position. With regard to the LOPD, it is possible to distinguish the following types:

• Legal staff: given more advanced training regarding sentences, records, agency
activities, etc.

• Personnel at headquarters for citizen services offices: training provides an
introduction to the LOPD, with special emphasis on ARCO rights and municipal
routes.

• Personnel responsible for files and operational managers: given intensive legal
training on the LOPD, data protection regulations, recommendations of the
Catalan and Spanish Data Protection Agencies, etc.

[8] Also known as workflows, expressing how the tasks carried out at a public organization or private company are structured,
their correlative order, how they are synchronized, the flow of information which supports the tasks and how fulfillment of
tasks is monitored.

• Personnel in general: an online introduction to the LOPD is being prepared.

In relation with the coming into force of the RDLOPD, a CSPD work group has been set
up. The adaptation of the city council is at the study phase.


11 CONCLUSIONS OF THE STUDY

Having analyzed the current situation at Spanish local bodies with regard to the extent to
which personal data protection regulations have been adopted, it is possible to observe
that overall, 28% of city councils say that they know about the RDLOPD and 46.4%
state that they have reported their files to the Spanish Data Protection Agency
register. If we compare this with the situation of Spanish SMEs, as indicated by the
“Study on the degree of adaptation of Spanish small and mid-sized companies to the
Organic Law on Data Protection (LOPD) and the new Implementing Regulation
(RDLOPD)”,[9] where, based on the data, the level of knowledge and adoption of data
protection regulations was not especially positive – 14% of the SMEs stated that they
knew about the RDLOPD, and only 16% of the SMEs participating in the study had
reported their files to the AEPD – it is possible to conclude that the position of LPBs
regarding personal data protection is at a higher maturity level than Spanish
businesses as a whole.

However, knowledge of the RDLOPD varies significantly by stratum: 76% of city councils in large municipalities state that they know about it, in contrast with 48% of those in mid-sized municipalities and 20% of those in small ones. In the case of provincial and island councils, 66.7% state that they know about the new implementing regulation.

Additionally, despite the differences between strata, public bodies play an essential role in
both disseminating information about the regulations among non-civil service staff, civil
servants, political managers and associates at local bodies, and complying with these
regulations, ensuring that citizens have access to their rights.

Having asked LPBs about the level of awareness regarding compliance with data
protection regulations, the response level (74.8% overall for city councils and 58.3% for
provincial and island councils) is proof of the effort these organizations are making to
adapt to the regulations. An analysis by stratum and size shows that this obligation is
generally being met, with all strata being close to the overall average.

Nonetheless, LPBs must continue working and improving in their adaptation to the regulations by, for example, increasing planning and allocation of resources. Only one in five (21.4%) participating city councils and 47.5% of provincial and island councils state that they have done this. The factors which weigh on this effort are:

• The financial costs, direct and indirect, of adaptation.

9 Study prepared by INTECO’s Information Security Observatory (www.inteco.es). July 2008.


• The technical and legal complexity which, in some cases such as city councils of a
smaller size, involves concepts and processes with which they are not familiar.

• The need to document the security measures, procedures, rules and standards
necessary to ensure the level of security stipulated in the regulations.

• The organizational cost, as internally, this requires establishing or modifying roles, responsibilities and procedures.

LPBs are already dealing with all of these. 46.1% of city councils and 56.8% of
provincial and island councils have defined the obligations and functions of the
personnel responsible for processing personal data. However, an analysis of these by
stratum and size shows irregular levels of compliance with this obligation. Thus, 56.5% of
city councils in large municipalities have planned this assignment, while only 31.1% of city
councils in mid-sized municipalities and 16.8% of smaller ones have done so.

Additionally, the effort which public bodies are making is in some cases
demonstrated by the degree of implementation of some essential security
measures. Noteworthy among these are:

• Public bodies which have a security document: 26.2% of city councils and 50% of
provincial and island councils.

• Public bodies which have an incident register: 20.1% of city councils, in contrast
with 44.4% of provincial and island councils.

• Public bodies which have implemented user access control: 40.1% of city councils
and 58.3% of provincial and island councils.

• Public bodies which manage computer media: 36.8% of city councils and 50% of
provincial and island councils.

• Public bodies which make back-up copies: 35.1% of city councils and 55.6% of
provincial and island councils.

Regarding registration of the files and data authentication, LPBs demonstrate heterogeneous behavior both overall and by stratum, where city councils in small municipalities have a lower level of participation.

With regard to registration, of all the city councils, 46.4% state that they have registered
their files with the Spanish Data Protection Agency (AEPD), in contrast with 43% which
confirm that they have not registered them, and 10.5% which do not know their situation.
The situation by stratum and size shows that while the number of organizations in large
and mid-sized municipalities is high (92.5% and 67.9%, respectively), only 37.2% of


smaller ones have registered their files. In the case of provincial and island councils, 88.9% state that they have done so, in contrast with 8.3% which have not.

With regard to data authentication, this is made up of four aspects: the duty to inform, the
duty to obtain consent, management of transfers and data confidentiality. The behavior of
city councils shows some differences, and so some measures have implementation rates
which could be improved, such as:

• Duty to inform the interested party of the purpose of the processing: Overall,
67.5% of city councils and 72.2% of provincial and island councils state that they
comply with this obligation. At the stratum level, the majority are in compliance,
ranging from 90.7% of city councils in large municipalities to 71.1% and 65.6% in
mid-sized and small municipalities, respectively.

• Duty to obtain the consent of the interested party: This measure is less widespread. Overall, 36.4% of city councils and 41.7% of provincial and island councils obtain the consent of their citizens. At the stratum level, compliance ranges from 67% of city councils in large municipalities to 43.4% and 33% of those in mid-sized and small municipalities, respectively.

• Managing transfer of data: Overall, 46.9% of city councils and 55.6% of provincial
and island councils do this. At the stratum level, the majority are in compliance,
ranging from 71.1% of city councils in large municipalities to 53.1% and 44% of
mid-sized and small municipalities, respectively.

• Data confidentiality: Overall, only 28.9% of city councils and 44.4% of provincial and island councils guarantee this to their interested parties. By stratum, the situation is not unlike that of the other measures: 22.4% of city councils in small municipalities carry this out, in contrast with 76.1% of those in large municipalities and 43.1% of organizations in mid-sized municipalities.

Together with authentication, one of the key points of the LOPD is the procedure for exercising the rights of access, correction, cancellation and objection (known as A.R.C.O. rights), granted to the owners of the data. Overall, such a procedure is in place at 49.4% of city councils and 52.8% of provincial and island councils. By size stratum, the level of compliance is higher on average for city councils in large and mid-sized municipalities (79% and 58.1%, respectively) than for those in small municipalities (45.4%).

Another key element of managing personal data protection regulations at LPBs is the
security document, which is mandatory. However, as mentioned above, this does not
exist at all the public bodies participating in the study. In addition, with regard to the


document itself, it is not common practice among LPBs to define the scope of the security
document, as overall this has only been done by 35.3% of city councils and 58.3% of
provincial and island councils.

In addition to the scope, the security document must contain a number of aspects which are not taken into account by all the public bodies. Noteworthy among these are:

• Definition of the duties and obligations of employees: This has been done by
46.1% of city councils and 56.8% of provincial and island councils overall.

• Definition of the security measures, procedures, rules and standards necessary to ensure the level of security required: Overall, this is carried out by 27.6% of city councils and 36.1% of provincial and island councils.

• Description of the files registered and information system which process them: In
contrast with 75% of provincial and island councils, overall, 38.1% of city councils
have done this.

Beyond the security document itself, the regulations stipulate a series of measures which must be included in the internal policy of the organizations. These measures require technical and management controls, whose degree of implementation is as follows:

• Record of incidents: 21.1% of city councils and 38.9% of provincial and island
councils manage incidents.

• Identification and authentication: 54.7% of city councils and 91.7% of provincial and island councils overall do this.

• Control of access: An overall analysis shows that 70.4% of city councils and 91.7%
of provincial and island councils state that each user accesses the data necessary,
depending on the position they hold at these public bodies.

• Record of accesses: Overall, 47.7% of city councils and 36.1% of provincial and
island councils keep a record of access, preserving the information on each
access.

• Telecommunications: In terms of encryption of personal data in transmissions over communications networks, overall, 46.8% of city councils and 58.3% of provincial and island councils do this.

• Media management: Overall, this is carried out by 58.3% of city councils and
72.2% of provincial and island councils.


• Back-up copies: Overall, of the participating bodies, 55.2% of city councils and
94.4% of provincial and island councils make a complete copy of all data at least
once a week.

• Tests using real data: The response of the public bodies participating in the study
shows that, overall, 60% of city councils and 58.3% of provincial and island
councils state that tests are not carried out using real data, in contrast with 25%
and 27.8%, respectively, which do use real data.

• Audits: Overall, 10.9% of city councils and 19.4% of provincial and island councils
state that audits are carried out at their organizations with the frequency stipulated
by the regulations.

The last aspect which the LPBs were asked about was their knowledge of the penalties for failure to comply with the regulations and whether they had received an inspection or penalty. Overall, 32.1% of city councils know what penalties the regulations contain, and only 5.7% have received an inspection by the AEPD; among city councils in large municipalities, however, 42.1% have received one.

In conclusion, among LPBs there is significant awareness for compliance with the
regulations, as well as a reasonable level of file reporting in comparison with SMEs, an
average of 46% for the former, in contrast with 16% of the latter. This fact is characteristic
of the public vocation of public bodies and the knowledge and awareness of the
importance of maintaining the confidentiality and security of the personal data they
handle, as well as the perception of the impact on public image and possible penalties
from personal data protection agencies, whether at the national or autonomous
community level.

In contrast, public bodies, above all in the case of city councils in small municipalities, are
faced with budgetary limitations for implementing the proper controls, a lack of specialized
personnel and the need for ongoing training plans, primarily in small and mid-sized local
bodies, where only 20% of small city councils have a security officer.

This opportunity for improvement, which is also a legal obligation for these organizations, and the recommendation by experts to approach process maturity progressively, must be placed in a wider context. First, it belongs within the support for electronic administration demanded by the enormous challenge of implementing Law 11/2007, of 22 June, on Electronic Access by Citizens to Public Services. Second, it requires coordinated and determined action on the part of all government bodies and agencies, which will have to act as agents and facilitators for smaller public bodies.


12 PROPOSALS AND RECOMMENDATIONS FOR THE AUTHORITIES

This chapter contains the proposals and recommendations indicated by the experts
consulted based on their experience, as well as those taken from the conclusions of this
study, and identified as generating value for the adoption and implementation of data
protection regulations by LPBs.

These recommendations must be considered actions to guide the design of programs for
improving adaptation to and implementation of the security measures stipulated by the
LOPD and RDLOPD. This is to be carried out by the local public bodies themselves, as
well as the other actors involved in the processes for evaluation, definition and
implementation of these measures in the area of personal data protection.

In particular, it describes those initiatives which can contribute to extending the best practices proposed by the experts and resulting from the conclusions of this report, whose current degree of implementation by local government bodies has been shown by the results of the survey carried out.

The recommendations have been prepared based on the premise of progressive maturity
levels with the aim of assisting public administrations in setting their priorities, assigning
resources and focusing results in order to obtain the best results in terms of cost/benefit,
as required by all management of publically financed programs.

12.1 Proposals and recommendations concerning raising awareness and training

Programs for raising awareness of, disseminating information about and communicating the new RDLOPD

Effective implementation of a culture of data protection must include activities to raise awareness, disseminate information and communicate.

In this area, the AEPD has published various guides, available at www.agpd.es, and
organized open seminars and sessions. Likewise, INTECO has prepared a “Guide for
Local Bodies: how to adapt to data protection regulations.” 10 This is intended to provide
local bodies with the content of personal data protection regulations in order to establish
the main aims, recipients and processes for adapting to the LOPD and the new RDLOPD.

10 INTECO. Available at http://www.inteco.es/Seguridad/Observatorio/Estudios_e_Informes/Estudios_e_Informes_1/Guia_LOPD_EELL


In addition, the existence of these actions must make it possible to raise the level of
awareness among civil servants, non-civil service staff and associates of data security
and the measures required for personal data. As a result, this initiative must also be
carried out at both the national and autonomous community levels.

Training and teletraining courses adapted to the needs and particular features of
LPB employees

The wide geographical distribution of LPBs and large number of potential users make it
advisable to use teletraining and trainer training.

These courses must take into account different maturity levels (incomplete, compliance and continuous improvement) and different levels of authority (basic, intermediate and advanced), in accordance with the responsibilities assumed by civil servants, non-civil service staff and associates at the local government body, that is: party responsible for the file, security officer, IT technician and user.

When organizing this type of training, priority must be given to practical orientation and the
possibility of carrying out ongoing actions which permit those users who already have
knowledge of the regulations to bring their ideas and knowledge up to date.

In addition, it is advisable for training activities to be recognized by the appropriate official organizations (data protection agencies, National Public Administration Institute – INAP in its Spanish acronym, 11 etc.). This will help increase the perception of their importance and necessity on the part of all users.

Therefore, courses must have a curriculum which is officially approved by the data
protection agencies and proper official organizations (INAP, autonomous communities)
and be presented in the different official state languages.

Lastly, priority must be given to creating an extensive network of tutors and instructors to
support virtual and in-person training activities, as their presence will be crucial to the
success of this action.

12.2 Proposals and recommendations concerning assessment and information

Periodic assessment of the status of the security of personal data at local government bodies

Assessing the status of the security of personal data at local government bodies must make it possible for these to take the appropriate measures in order to achieve the highest degree of adaptation to and implementation of regulatory stipulations concerning data protection.

11 Further information is available at www.inap.map.es

These actions should also extend to the websites of these public bodies, with the aim of
preventing, for example, lists of personal data from becoming a public source of data.

Creating a system for measuring and monitoring indicators of the status of data
security

This would make it possible to obtain statistics and provide LPBs with quantitative
information to enable them to gauge the actual security situation. In this way, it would be
possible to make global decisions regarding the level of implementation of and adaptation
to current regulations.

12.3 Proposals and recommendations concerning funding

Direct budgetary support

Local bodies are key players in achieving electronic access to public services for citizens.
This results in a need for tightly controlled processing with regard to the privacy and
security of the data by the bodies gathering and/or processing it in order to ensure the
success of this legislative initiative.

In situations where public bodies do not have sufficient funding, which may have an effect
on the allocation of specific resources for the scope of action and authority concerning
data protection, they must be supported with dedicated and direct aid and subsidies for
ongoing adaptation in the area of data protection.

Indirect budgetary support

The lack of personnel at public bodies who can carry out the adaptation to the regulations
must not justify delay. For this reason, the organizations themselves must have access to
training courses and information dissemination campaigns which supplement the
resources of the LPBs.

Another possibility is to create working groups among public bodies to identify common
problems or establish partnership agreements with data protection agencies.

12.4 Proposals and recommendations concerning standardization and certification

Identification and authentication using digital signatures

Implementation and widespread use of digital signatures and their attribute certificates as
a secure identification and authentication system is an ideal measure to enable the party
responsible for the file to control and verify user access to personal data at public bodies.


Information security and digital confidence certification

Effective implementation and certification of the best information security practices identified, demonstrated both internally and to third parties under international certification schemes such as ISO/IEC 27001 and 27002, 12 will help implement controls for compliance with regulations in general, and data protection in particular, as well as subsequent audits and reviews.

12.5 Proposals and recommendations concerning promotion and motivation for maturity levels and good practices

Creation of some sort of assistance and support body to encourage implementation of the regulations

This proposal is considered especially suitable for smaller LPBs due to the added
difficulties revealed throughout the study.

The new body could be created through the FEMP, for example, and would facilitate
adaptation to the regulations at city councils and provincial and island councils. This would
be achieved by identifying maturity levels and good practices by stratum size or, for
example, by setting up work groups for the bodies as a whole.

In addition, this new body could serve as a link between data protection officers at local
bodies, in order to:

• Create a common forum in which to bring forward problems, queries or requests which arise when implementing the security measures required by the regulations.

• Enter into agreements with bodies which can guarantee secure access to the data,
as well as offering an automated incident management service.

Support for adapting to and implementing the provisions of the new regulations

Due to the significant volume of files held by LPBs, this support is especially necessary in
the case of storage and processing of high level files, and therefore controls for recording
access must be implemented.

For this reason, it would be advisable if, prior to starting up new services or areas, public bodies were capable of designing and implementing controls whose final purpose is to evaluate what impact these initiatives will have on privacy. These should cover aspects of not only regulatory compliance, but also the effect on privacy in the broad sense, taking into account the factor of public opinion.

12 ISO/IEC 27001 is the standard for information security. It specifies the requirements necessary to establish, implement, maintain and improve information security management systems at organizations. ISO 27002 provides recommendations for the best information security management practices, divided into eleven sections. For each of these, the aims of the various controls are specified. In total, there are 133 controls which each organization must consider, according to its own needs.


http://www.inteco.es

http://observatorio.inteco.es
