List of personal data to be protected
The list of personal data in need of protection in personal data information systems (ISPDN, referred to below as PDIS) should be set out by the organization in its Information Security Concept. The PD operator must ensure the effective functioning of the personal data protection system at its facility, monitor compliance with the provisions of the law on the protection of personal data, and designate the persons responsible for the collection, storage and transfer of this information. To do this, it is necessary to determine which data are included in the list of protected data and to develop a protection system based on the types of PD in use.
What data should be protected
The objects of protection are the data processed in the PDIS together with the assets that surround them. Such objects include:
- information of a technological nature;
- software products and information processing tools;
- information security tools;
- sources and channels for data exchange;
- facilities and premises that house the PDIS.
The list of such objects at the enterprise should be compiled based on the results of internal information and technical audit and cover the analysis of the received, processed and stored data. This is necessary to create a sustainable PD protection system.
The list of personal data for each subject covers basic information about that person. Special categories of personal data include:
- racial characteristics;
- political views;
- attitude to alcohol, narcotic and psychotropic substances;
- marital status;
- health and intimate life.
List of PD of employees of the enterprise
At each enterprise, in any organization, large volumes of PD are processed. These include:
- full name;
- birth information;
- registration address according to the passport;
- residential address (actual);
- passport data;
- information about the education received (names of educational institutions, specialty, duration of study, data from documents confirming studies at these institutions);
- contact phone numbers, e-mail addresses, Skype, etc.;
- linguistic knowledge (foreign languages);
- data from previous places of work / service;
- information about work experience;
- information about the employment contract (serial number of the document, date and time of its execution and issuance, type of labor, duration of the labor contract, employee benefits, duration of vacations, work schedule and breaks, wage issuance system);
- information on military registration (rank, reserve category, fitness category);
- individual taxpayer number (TIN);
- information about past and chronic diseases;
- information about deserved awards, titles, orders, medals;
- business trip data.
The following types of technological information are subject to protection:
- configuration files, system settings;
- passwords, access keys, authentication information;
- information on the composition and structure of data protection tools;
- all resources, databases, tables that contain information about employees, plans and schemes for evacuation, etc.
Software and hardware
These systems process, store, transfer and use PD, so their protection is a pressing issue for every operator.
These tools include:
- software - general, special, database management systems, operating systems, data from remote servers, information from client-server systems;
- all software backups;
- add-ons for PDIS control systems;
- workstations and servers on which PD is stored and processed;
- routers, other network equipment.
Personal data protection means
Personal information protection means (PIPM) are hardware and software resources; they include:
- user access controls;
- means for processing input information, user registration data;
- means that ensure the safety of data;
- security software - antiviruses, antispyware, firewalls, etc.;
- cryptographic keys for PD protection.
Premises with hosted PDIS
Office premises are also assets that need to be protected: data is stored and processed there, and they house the equipment and physical media that carry PD.
Channels for transmission and exchange of information, telecommunications
When processed data or information of a technological nature is transmitted over information exchange channels or telecommunication lines, those channels must be protected without exception.
The operator is obliged to:
- collect and process only the employee information that is necessary to support the workflow;
- store in the database and use only the employee's data that the employee has provided or that has been added with the employee's consent;
- not make any unlawful decisions regarding the employee on the basis of the PD;
- be responsible for the safety of information about employees.
When receiving and processing information about employees, the employer must:
- not distribute this information;
- provide access to information only to persons authorized to do so;
- transfer confidential information only with the consent of the employee.
An employee of an enterprise has the right to:
- receive information about how their personal data is stored;
- have access to their own data in the database;
- make amendments to the database (only in personal information).
A citizen may defend the right to protection of personal information in court.