Personal data protection at an enterprise
The personal data of every participant in labor relations (as with all citizens) is a special category of information. Its protection is regulated by the federal law of the same name, No. 152-FZ, which sets out all the requirements for protecting personal data as well as the special legal regimes for processing it.
Only the employer (the operator) is the party responsible for all operations with confidential data at enterprises of any form of ownership. Accordingly, sanctions for violations in the organization of work with PD are imposed on the employer. The employer develops all the necessary regulations, orders, measures and other documents to protect the confidentiality of the private data of employees, partners and customers. The operator is in charge of ensuring the cybersecurity and safety of information stored on physical and electronic media, and is directly responsible for leaks of information that is collected, processed and stored at the enterprise.
Legal sources ensuring the protection of rights in relation to personal data
Ensuring the protection of personal information is based on the main legal documents in force in this area:
- Federal Law No. 152 - fundamental requirements for the protection of personal data;
- Labor Code of the Russian Federation - contains the guarantees, rules and regulations governing the exchange of employee data and the conditions under which it may be openly published.
Each employee is given the right to the protection of his personal information, which is guaranteed by the norms of the Constitution of the Russian Federation.
Features of personal data protection in the organization
The process of protecting personal data begins from the moment the employee is hired, when he fills out a questionnaire with personal data, and continues throughout the entire period of the employment relationship. When signing an employment contract, a citizen must provide information that allows him to be identified. This data includes:
- Full name of the employee;
- his passport data;
- documents confirming qualifications, education, the presence of a certain profession;
- documents on the availability of benefits;
- marriage certificate;
- documents on the birth of children;
- insurance policy;
- medical information confirming the ability of the employee to fulfill his job duties, etc.
In accordance with the law, the employer is obliged to process all information received from the employee, store it, and protect it from unauthorized distribution unless the employee has given written consent to such distribution.
PD processing means receiving information, systematizing it, and making additions or changes when necessary. PD must be stored with access restricted, which prevents unauthorized copying, modification, destruction, blocking and distribution.
At an enterprise, personal data protection begins with the issuance of an order appointing a responsible person who organizes and implements all legal requirements for the protection of personal data at the enterprise. This document must indicate the full name of the person to whom this responsibility is assigned.
The employer is considered a personal data operator if the personal information provided by the employee is not limited to labor and personnel relations and is needed for processing and providing any services.
The employer must create a policy for working with personal data and the related regulations, and require the responsible persons to implement all measures provided for by these internal documents and by legislation. All documents created at the enterprise concerning the protection of personal data must be approved and put into effect by orders of the head of the enterprise.
If the company is recognized as a personal data operator, it must notify the authority that supervises work with personal data. Each federal district has its own supervisory authority, empowered to monitor the work of operators.
The supervisory authorities post a notification form on their official websites; the operator must fill it out and send the original to the authority by mail.
Each enterprise must develop two documents:
- a form for obtaining consent from citizens for the processing and storage of their personal data;
- a form for revoking such consent.
Once the obligations to provide the service have been fully discharged, personal data the company no longer needs must be destroyed; the law allows up to 30 days for this. The exception is data needed for actions necessary to protect life or to administer justice; such personal data is not destroyed even if the citizen revokes consent.
Sharing personal data
In the course of work, information containing an employee's personal data is constantly exchanged, not only within the enterprise but also outside it, since it often has to be provided to third parties. In the event of a dispute over personal data, the highest priority is compliance with the Labor Code of the Russian Federation. After the Labor Code, the enterprise's statutory and legal documents are considered, including whether they have been violated. Finally, the right to protection is considered in light of the guarantees of the Constitution of the Russian Federation.
The employer has no right to demand personal information from an employee without reason. Disclosure is permitted only for the information needed to sign an employment contract, to draw up regulatory documents, or to resolve disputes and conflicts involving third parties, in accordance with Art. 22 of the Labor Code of the Russian Federation.
Preventive measures include organizational measures:
- restriction of access to places of storage of PD and archives;
- verification of the person requesting access to information before providing it;
- provision of data for familiarization only;
- sanctions and penalties upon detection of a violation of the established rules regarding the processing of personal data at the enterprise.
Technical measures are also provided for when processing PD:
- cryptography, data encryption;
- formation and use of separate servers for storing PD and, accordingly, communication channels for their transmission;
- disposal of personal data that have become irrelevant;
- shielding rooms and devices to prevent break-ins.
An employee can exercise protection of his personal information through:
- ensuring free access to documentation in which his PD is present;
- demanding copies of any regulatory documents related to working with PD;
- demanding that the employer change, update, replace or destroy PD or any part of it;
- appealing against the procedures the company uses to receive, process and disclose data.
An indicative list of documents on the protection of personal data at the enterprise
- Certificate of conformity of the PDIS "Accounting" with data protection requirements at the enterprise;
- Act on the disposal of documentation that is not subject to strict storage;
- Act on work performed on computer office equipment that forms part of the network's information security;
- Personal information destruction acts;
- IS "Employees";
- IS "Clients";
- Description of the information system;
- Modeling security threats in the "Employees" system;
- Modeling security threats in the "Clients" system;
- Sample Security Threat Model;
- Instructions on how to competently make a backup in conditions of increased responsibility and federal requirements for protection;
- Basic instruction for the IS user;
- Instructions regarding antiviruses and similar package tools for protecting computers from unauthorized exposure;
- Instructions on IS cybersecurity for the administrator;
- Instructions for the administrator of PD information systems;
- Instructions for users to perform operations with personal data manually, without the use of automated processing tools;
- Instructions for working with machine-readable media used in PD processing in various fields;
- Schedule and plan for inspecting equipment and assessing the vulnerability of document security systems;
- A sample of the correct drawing up of a policy for working with personal data;
- Regulation on the standards of internal control of cybersecurity in the field of personal data;
- Regulation on the separation of access rights;
- General provisions on PD security;
- General provisions for the processing of personal information;
- Regulations on responsible persons performing business operations and PD processing;
- Regulation on possible damage (financial and material) in relation to PD subjects;
- Regulations on the creation of a commission dealing with aspects of information security, work with its composition;
- Order on the start of processing activities for working with personal data;
- Order on responsible persons and safety commission;
- An order containing a list of employees who are given access to personal information;
- Order with a list of places where physical assets associated with the PDIS may be stored;
- Order establishing and controlling the boundaries of the controlled area at the enterprise, with a list of persons granted access;
- List of information that is considered as personal data;
- List of information systems;
- Written consent of employees for operations with their personal data;
- Written consent of clients for operations with their personal data;
- Sample form for such consent;
- Familiarization log for the working personnel of the enterprise;
- An accounting log of information protection equipment and all manuals for it;
- An accounting journal of cryptographic information security tools, manuals and complete technical documentation;
- An accounting log of the personal accounts of persons working with crypto protection means;
- Accounting log for issuing and working with machine-readable media;
- An accounting log of inspections by authorized organizations of state supervision;
- An accounting log of requests from persons for access to their own personal data;
- An accounting log of incoming confidential documents;
- Likewise for all outgoing confidential correspondence;
- Accounting log for registration and work with seals and printing mechanisms for issuing;
- Inventory log of documents with distribution restrictions;
- An accounting log for registering keys, safes and special rooms related to PD;
- A log that records any attempts to unauthorized access to any possible form of personal data;
- Safe log;
- Key log;
- Log of the movement of media containing personal data;
- Log of the destruction (disposal) of this data;
- A familiarization log for persons whose data is processed by the operator (automated processing tools are not taken into account in this case).
Despite the significant revision of federal legislation, which introduced more effective mechanisms than before, the existing systems for protecting personal data at enterprises still need improvement.
Complicating matters is the sharply increased number of cybercriminals extracting confidential information. Even the latest protective equipment requires an additional safety net, and that means significant expense and the need for qualified personnel.