Personal data protection in the Russian Federation
An indication that the protection of information about an individual must be given due attention can be found in the Constitution of the Russian Federation. The rule according to which the collection, storage and dissemination of information about the private life of a person without his consent is not allowed is contained in Article 24 of the fundamental document. Personal data protection measures are detailed in a variety of legal acts that elaborate on this provision.
The Russian Federation has already laid the foundation for the security of personal information, but the development and implementation of an integrated approach to ensuring it continues. Ideally, a legal system should be created in the country that combines the requirements of the legislation of the Russian Federation for the storage, processing and transfer of personal data of citizens.
What data are defined by the legislation of the Russian Federation as personal?
Russian legislation includes several categories of personal data. Among them:
1. Publicly available PD - data that do not fall under the conditions of confidentiality and, with the consent of the subject, may become publicly available (directories, address books, etc.). In this case, a court or the personal data subject may require the exclusion of this information from open sources.
2. Special PD - data that relate to nationality and race, health status, philosophical and religious beliefs, political views. The processing of such information is possible only with the written consent of the subject. Consent, however, is not required if it is impossible to obtain it due to the state of human health, or in the case of data processing for the purpose of operational search activities.
3. Biometric personal data - information about the physiological characteristics of a person which makes it possible to identify that person, for example photo and video images of people. To process them, it is necessary to obtain the written consent of the PD subject (with the exception of operational-search activity).
It is also possible to single out PD that are processed using personal data information systems (ISPD, i.e. databases). Depending on what data are contained in the database, an ISPD is assigned one of four categories:
- category 4 - an IS containing anonymized and (or) publicly available personal data;
- category 3 - an IS containing personal data that make it possible to identify the subject;
- category 2 - an IS in which the collected PD make it possible to identify the subject and obtain additional information about him (except for PD related to category 1);
- category 1 - a database with personal data that reveal a person's race, nationality, political views, religious and philosophical beliefs, health status or intimate life.
Personal data in regulatory legal acts
The issue of protecting personal data of various categories and the procedure for working with them is defined in the following regulatory legal acts:
- Federal Law "On Information, Informatization and Information Protection";
- Federal Law "On Personal Data";
- Chapter 14 of the Labor Code of the Russian Federation.
PD in the Law "On Information"
In the text of this federal law, more attention is paid to the procedure for working with biometric data of citizens, as well as working with data in information systems.
Highlights of the law:
- When processing biometric personal data, government agencies, banks and other organizations should be guided by the norms of the Law "On Personal Data".
- Control and supervision over the safety of processing biometric PD is carried out by the federal authorized body.
- If the rights of personal data subjects are violated by posting information about them in open form, the disclosure should be terminated by a court decision.
Personal Data Law
This document, adopted on July 25, 2006, most fully reflects the procedure for working with personal data, and also determines the measures of responsibility for violation of the law.
Basic concepts of the law:
- Personal data - any information that is directly or indirectly related to a specific or identifiable individual (the personal data subject).
- PD operator is a state body, municipal body, legal entity or individual organizing and (or) processing personal data.
- PD processing - any action or set of actions performed with personal data, including collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion, destruction.
The main condition for operators working with PD, according to the law, is to clearly define the purposes of data processing and to use the data only within that framework. Moreover, the operator is obliged to store the data only for the period of their processing, i.e. once the purpose has been achieved, the PD must be deleted, unless a storage period is established by other legislative acts or contracts.
PD in the Labor Code of the Russian Federation
The procedure for processing the personal data of employees is regulated by Chapter 14 of the Labor Code of the Russian Federation. Civil legislation classifies as an employee's personal data the general information about an individual that the employer needs in connection with the emergence of labor relations. This includes:
- the employee's photo, full name, information about place and date of birth, citizenship, marital status, place of registration, education and specialty;
- orders or instructions on employment, incentives and dismissal, the personal card, and documents on remuneration.
At the same time, Article 86 states that every employee has the right to the protection of their data. This right provides for:
- free access of the employee to his personal data;
- obtaining complete information about how the PD are processed;
- the ability to correct PD if they contain erroneous information or are processed in violation of the law;
- the opportunity to appeal in court against unlawful actions or inaction of the employer in order to protect the rights of the PD subject.
Personal data security measures
Personal data protection measures must be in accordance with the requirements of the law. In a general sense, the most important steps in resolving this issue should be the following:
- Identify threats to the security of PD during their processing and develop a threat model;
- Develop a protection system based on the threat model; the methods applied to protect the personal data systems must correspond to the class of the IS;
- Check the protection tools that will be used in the system and draw conclusions about whether they can be operated;
- Install and commission the protection tools, and train employees to work with them.
The measures to protect personal information that are required to be taken in the organization are detailed in the law "On Personal Data". First of all, it should be established whether the company is a PD operator. The answer is yes in the following cases:
- the company uses information systems (IS) for personnel records of employees and for recruitment;
- the company uses an IS when transferring personal data of employees or clients to other organizations;
- the company's clients are individuals, personal information about whom is collected in the IS.
One of the first steps for an operator in ensuring the security of PD is to notify the authorized body for the protection of the rights of PD subjects, Roskomnadzor, of its intention to process the data. Submitting an official notification to Roskomnadzor is mandatory for operators.
At the next stage, organizational measures can begin: determine the procedure for working with personal data, prepare a number of documents and develop measures to protect critical information. The procedure for the processing and protection of personal data should be set out in a regulation of the same name. The documents to be prepared include:
- PD processing notification (for Roskomnadzor).
- Order on the organization of PD processing with the appointment of a responsible person from the operator.
- Subject's consent to the processing of his personal data.
- Documents defining the operator's policy regarding the processing of personal data (the processing policy must be placed in the public domain, for example, posted on the official website of the organization).
- Documents containing provisions on the adoption by the PD operator of legal, organizational and technical measures to protect them.
- Documents on the organization of the reception and processing of requests and appeals from subjects.
- Documents that define the categories of processed data, features and rules for their processing with and without the use of automation tools.
On average, the package includes about 30 different orders, regulations and rules. The number and content of the documents largely depend on the organization's field of activity. For example, a manufacturing facility with a pass system will need a document regulating the logging of one-time passes to the site, whereas an online store does not need such a document.
Protection system implementation
This stage should be started once the main paperwork is settled, i.e. the company has a data protection plan that specific employees are responsible for implementing. The following steps then need to be taken:
- Draw up and approve a list of persons admitted to PD processing, and notify the responsible employees about it.
- Familiarize employees with the organization's policy for the processing and protection of personal data, and obtain from them a commitment to keep the information confidential.
- Develop instructions: for IS users on compliance with the information protection regime, for the IS security administrator, and for backing up and restoring data in the IS.
- Delineate access rights to PD in the IS.
Technical means of protection
Preparing documents is not enough for the full protection of confidential information. The operator must also take technical measures. These include:
- means of protection against unauthorized access;
- antivirus software;
- cryptographic tools.
It is important to note that the tools chosen by the company must comply with the requirements of the law, namely hold a certificate of conformity. The register of certified information security tools is available on the FSTEC of Russia website. Equally important is the correct configuration of the purchased software.
It should also be borne in mind that the set of information security threats changes all the time. Therefore, the reliability of the technical protection of personal data must be checked in a timely manner. At the same time, the purchase of new equipment, the installation of new software, the expansion of the enterprise's premises or changes in its structure will have to be reflected in the adopted documents. That is, both the documentary and the technical parts must be updated periodically.
Responsibility for violation of legislation in the field of personal data
The operator is obliged to protect personal information about citizens from the following threats:
- unauthorized or accidental access;
Any illegal actions with data may entail liability for the operator, who is responsible for their safety under the law.
The personal data of citizens of the Russian Federation are protected by current legislation, which provides for several types of liability for violation of the requirements of laws in the field of personal information protection:
- civil law;
Moreover, some sanctions apply to individuals, legal entities and officials alike.
Civil liability for violations in the use of personal data takes the form of a claim for monetary compensation for moral damage.
In the event of illegal dissemination of other people's personal data in the workplace, the culprit may be disciplined in the form of dismissal. If the violation was not too serious, the employee may get off with a reprimand or a remark.
Liability may affect employees who have been caught disclosing information related to the personal data of others.
Administrative liability for violation of the procedure for collecting, storing and distributing personal data implies a warning or a fine in the amount of 1,000 to 3,000 rubles - for individuals; from 5,000 to 10,000 rubles - for officials, from 20,000 to 50,000 rubles - for legal entities.
For the dissemination of legally protected information in the workplace, the fine is from 500 to 1,000 rubles for individuals and from 4,000 to 5,000 rubles for officials.
Violation of privacy involving personal data may entail criminal liability. The liability measures under the Criminal Code of the Russian Federation are as follows:
- a fine of 200,000 rubles or in the amount of the offender's salary / other income for 18 months;
- compulsory work for a period of 120 to 180 hours;
- correctional labor for up to 12 months;
- arrest for up to 4 months.
If the person violating the inviolability of privacy has used his official position, the punishment will be stricter:
- a fine from 100,000 to 300,000 rubles or in the amount of the offender's salary / other income for 1-2 years;
- deprivation of the right to hold certain positions for a period of 2 to 5 years;
- arrest for a term of 4 to 6 months.
Powers of Roskomnadzor in data protection
It should be borne in mind that the regulator, Roskomnadzor, may hold operators liable for violations of personal data legislation. Claims against an organization's work in this area may arise after a scheduled inspection of the organization or after a complaint is received from subjects.
As for inspections, they are scheduled and unscheduled. The former are held no more than once every three years (for one organization), and the list of organizations that inspectors will visit in the coming year can be found on the official website of Roskomnadzor. Unscheduled inspections are carried out on an ad hoc basis, for example to understand the situation after receiving a complaint from a subject.
The reason for an inspection may also be the regulator's desire to dispel its own suspicions: the third form of verification is systematic observation of the activities of operators.
The regulator notifies the organization of all inspections in advance: three days before a scheduled one and 24 hours before an unscheduled one. In addition, an inspection may be documentary or on-site. In the first case, it is enough to provide the regulator with the complete package of documents it requests, proving that the operator works with PD strictly according to the law. In the second, inspectors may visit the company's premises to study the technical side of information security.
Powers of Roskomnadzor:
- may require the destruction of inaccurate or unlawfully obtained PD;
- may restrict access to information processed in violation of the law;
- may file a statement of claim to protect the rights of PD subjects and represent them in court;
- is empowered to bring persons guilty of violating the law "On Personal Data" to administrative liability;
- examines complaints and appeals on data processing issues and makes decisions on them.
Judicial practice and the practice of Roskomnadzor inspections, however, show that most violators get away with fines. In rare cases, the regulator may demand, through the court, that a resource caught distributing legally protected information be blocked.
Thus, since September 1, 2015, when the register of PD operators appeared in Russia, the courts have issued 238 decisions in favor of Roskomnadzor's appeals. This figure does not look intimidating against the background of the total number of operators in the register: 401,624 as of 12/31/2017.
The fines, which are issued to companies more often, do not in fact look so large either. For example, the total amount of fines issued by the regulator for 2017 was 4,068,500 rubles.
FSTEC and FSB checks
The Law "On Personal Data" establishes security measures for the processing of personal information. Compliance of an enterprise's information system with these requirements is monitored by the FSTEC and the FSB. In practice, they often only check organizations that use government information systems.
FSTEC and FSB inspections can be scheduled or unscheduled. Inspectors of both bodies pay attention to the same things but consider them from different angles: for example, they check which organizational data protection measures have been taken in the organization against the requirements of the FSTEC and the FSB, respectively.