Emailing personal data
Technology allows you to instantly exchange huge amounts of information by email, including personal data. How to ensure reliable protection of personal data transmitted through the web interfaces of online mail services?
Security when transmitting PD in electronic form
In accordance with the provisions of 152-FZ, personal data is information that allows a person to be identified. But the law does not contain a specific list of data, therefore, it is necessary to determine as fully and accurately as possible what data may be personal.
For example, in the case of transmission using electronic means, the login will not belong to the PD, since it is impossible to establish who exactly it belongs to. But the full name and mobile phone number in combination with e-mail already allow you to identify an individual. This means that the collection of information in such a combination will most likely be regarded as a process of collecting and storing PD.
Obviously, the operator of personal data is an organization that receives data in any way, including name, home address and e-mail address, telephone number, marital status, income and other information. Operator status means that you need to comply with the provisions of the law "On Personal Data".
Owners of sites with personal accounts, feedback mechanisms, registration forms, questionnaires and other fields in which users can leave their personal data, also fall under the definition of "operator of personal data".
If the site has a button that a visitor can use, for example, for consultation by sending his name and phone number, this resource can also be qualified as a platform for processing PD.
Data stored in our own electronic archives for personal purposes or family needs is not subject to the law on personal data. But in the event that the owner of the archive transfers information to persons or companies that are considered PD operators in accordance with the law, or publishes data in the public domain, this will be regarded as a violation.
How not to break the law?
In order not to violate the requirements of the law when processing personal data, a number of conditions must be observed:
- Submit information on the principles of working with PD of the company's clients and / or site visitors on their resources for general information.
- Ask to provide only such personal data that is necessary for a specific purpose. For example, do not require passport details or residential address for mailing via e-mail.
- Before receiving PD, which is planned to be published in publicly available sources of nature, you need to take written consent for processing, distribution and storage from each user, client, subscriber. If the information will not be published, but is only needed to work directly within the enterprise, you need to create an explicit restriction on the possibility of transferring PD without obtaining consent to processing.
- Use personal information solely for the purposes of which the data subjects are notified. It is allowed to use only the information that was indicated in the publicly presented documents related to the processing of PD.
- Provide the subject of personal data with information, if he has submitted a request, about what data the company has about him in electronic and / or printed form, how and for what purposes the information is processed, to whom it is transmitted.
- Immediately fulfill the request of the PD subject to delete information from the database.
- Store electronic bases in a safe place protected from unauthorized access, create an effective system of protection against burglary or leakage.
- Determine by order (order) the person responsible for creating safe conditions for storage, processing and other actions with PD, in accordance with the requirements of FZ-152.
- Train company employees in the rules for working with PD.
- Register with Roskomnadzor as a personal data operator.
Cryptographic information protection tools
It is necessary to transmit or prepare for the transfer of personal data of employees using e-mail through communication channels with going beyond the boundaries of controlled areas via the following TCP ports:
- SMTP-25, 587, 465;
- POP3-110, 995.
During the transmission of PD by e-mail, security measures must be observed that will ensure effective anti-virus protection; prevent attempts to disclose PD, modifications, and deliberately false data entry; will allow you to timely detect and properly respond to the entry of unsolicited letters, spam and other messages that do not belong to personal information into the information systems of PD.
The transfer or preparation for the performance of actions with PD using e-mail without the use of cryptographic information protection (CIP) is considered the disclosure of personal data. This violates the legal protection requirements. One of the types of liability can be applied to PD operators who do not use cryptographic information protection tools: disciplinary, civil, administrative and even criminal.