The Role of System Administrators

Friday December 16th, 2016

We are obviously not talking about technical roles endowed with administrative privileges, but rather about the role defined by the Decision of the Italian DPA:

Measures and precautions prescribed to data controllers of electronic processes concerning functions of the system administrator – November 27 2008

and subsequently amended by the decision of June 25th 2009.

This Decision, as is known, states that natural persons meeting certain objective criteria (type of activity) and subjective criteria (controller and processor must conform to evaluation criteria equivalent to those required to designate liabilities pursuant to section 29) shall be formally appointed as System Administrators. It also requires several activities to be carried out, such as tracking of logins to the processing systems and the electronic archives.

The Decision clearly states the perimeter of application:

2. pursuant to section 154, subsection 1, letter c) of Personal Data Protection Code, Controllers of processed personal data gathered through electronic means within application of the Code, even those concerning police and judicial settings (sec. 46 and 53 of Code), are required to adopt the following measures, with exception of processing carried within public and private administrative/accounting purposes, carrying lower risks for the persons concerned and having been simplified through recent laws (sec. 29, Decree – August 25-2008, n. 112, as converted with amendments by act n. 133 dated August 6-2008; section 34 of the Code; Italian DPA’s Decision November 6-2008):

When the Decision was issued, it was not clear what processing for administrative/accounting purposes meant. In 2011, however, Decree n. 70 dated May 13 2011, as converted with amendments into act n. 106 dated July 12 2011, added subsection 1-ter to section 34 of Legislative Decree 196/03, defining this kind of processing.

A simple reading of that subsection, reported below, shows how broad the definition is:

Section 34. Processing by electronic means

1-ter. For the purpose of applying the provisions concerning the protection of personal data, a processing operation performed for administrative and accounting purposes shall be any processing operation that is related to the performance of organizational, administrative, financial and accounting activities irrespective of the nature of the processed data. The said purposes apply, in particular, to in-house organizational activities, the activities aimed at fulfilling contractual and precontractual obligations, managing employer-employee relationships, keeping accounting records, and implementing the legislation on taxation, trade unions, social security and welfare, and occupational health and safety.


This definition implies that an organization would carry out very few processing operations (if any) outside the scope of the quoted definition.

It is up to each organization to evaluate, according to its own data processing and to what is set out here, whether the role of system administrator is still necessary.


About Giancarlo Butti

Deals with ICT, organization and legislation since the early 80s covering different roles: security manager, project manager, auditor at banking groups, consultant in security and privacy to companies of different sectors and sizes. Performs regular activity of dissemination through articles (over 700), books (21 between books and white papers also used as university texts, 11 collective works within the ABI LAB, Oracle Community for Security and CLUSIT), technical manuals, courses, seminars, conferences… participates in working groups to ABI LAB on Business Continuity, Risk and GDPR, ISACA-AIEA on GDPR and 263, Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro of ISACA-AIEA Member of CLUSIT and BCI. He is certified (LA BS7799), (LA ISO IEC 27001:2013), CRISC, ISM, DPO, CBCI, AMBCI.
