Personal data protection in a DMS
The protection of personal data processed in electronic document management systems is a separate technical task, and one that the users of a DMS cannot always solve on their own. Software modules built to organize electronic document flow are not always adequately protected against internal and external threats, even though the information processed in them is often classified as confidential.
Features of processing personal data in the DMS
Any large company uses electronic document management software in its activities. Such systems are intended for joint work on documents, their coordination and their approval. The documents that enter these systems for processing often contain personal data of company employees and other persons, for example the organization's customers. An example is the endorsement of a contract with a client that contains the client's name, passport details, TIN and place of residence.
For this reason, when ordering the development or revision of a DMS from an integrator, clients require that it comply with the legislation on the protection of personal data. For these standards to apply to a DMS, the following conditions must be met:
- its structure should include directories containing data of individuals;
- that information should make it possible to identify a specific subject of personal data.
In addition to directories, a DMS can store other information in text form or as scanned documents - questionnaires, case histories, personal files. Such data is especially abundant in the DMS of companies operating in the B2C sector, which provide services directly to citizens. Accordingly, document management systems must be fully protected in accordance with the requirements that apply to personal data information systems, according to the security level established for them by Government Decree No. 1119.
How are the requirements for the degree of protection of the DMS determined?
The regulatory legal act establishes four levels, depending on the category of data and the number of persons whose information is processed in the system. Personal data entrusted to a company is divided into employee data and customer data. By class of information, it is further subdivided into four groups:
- 1 - special data, for which Russian and European law provides additional protection: information about health, intimate life, political and religious convictions;
- 2 - biometric information describing the physical characteristics of the subject, such as fingerprints, a photograph or a personal signature;
- 3 - information provided by the subject of personal data that does not belong to group 1 or 2 but allows more detailed information about the citizen to be obtained;
- 4 - publicly available data.
After determining which security group the DMS should belong to, and in order to select the technical means needed to operate it in personal data protection mode, an up-to-date threat model must be built. It is based on three types of threats:
- Type 1 threats are caused by the presence of undeclared (undocumented) capabilities in the system software installed in personal data information systems;
- Type 2 threats are caused by the presence of undeclared capabilities in the application software installed in personal data information systems;
- Type 3 threats are not associated with the presence of undeclared capabilities in any type of software.
How exactly the type of threat is determined is not prescribed by regulation; companies can do it themselves or instruct the software developer or its integrator to prepare the threat model.
Studying the Government Decree and the orders of the FSTEC of Russia devoted to the security of information systems containing personal data, owners of electronic document management systems cannot always answer the question of whether certification is required for the software they use. It is required for cryptographic means of protection, but is it necessary to certify, for example, 1C Document Flow if it contains directories of clients who are individuals?
The answer is unambiguous. If the system contains personal data that makes it possible to uniquely identify an individual, it must be certified. This responsibility rests with the developer, who must apply to the FSTEC of Russia for certification of its product in accordance with the established requirements for the security of personal data. It should be borne in mind that certification has specific features:
- it is issued for a specific version of the software product; when an update is released, the product has to be certified again;
- it is issued for a specified period;
- it covers a specific number of copies of the software product;
- it excludes the possibility of significant modification or extension of the program, which companies often carry out in relation to 1C.
If the owner of an electronic document management system decides to certify the system for compliance with the requirements for the protection of personal data, certification of the software alone may not be enough. The same procedure will additionally have to be passed for the technical protection means built into it, both anti-virus and cryptographic, if information is transmitted over public or local telecommunication channels.
The customer should be aware that the certification of software products and the attestation of the personal data protection system is a very lengthy process - it sometimes takes several months. Upon its completion, it may turn out that new threats have appeared that were not taken into account in the model, or that the requirements of the regulatory authorities have changed, so that the work done to prepare the system no longer meets the current requirements.
This issue is partly resolved by the fact that certification is now allowed for certain generations of software products. In practice, this means that the first version of the software product is certified, and after it is updated, instead of re-certification it is enough to pass the inspection control procedure of the FSTEC of Russia. The inspection must determine whether the program continues to comply with the requirements for ensuring the protection of personal data. It will complete successfully for the developer if the update did not affect such program functions as:
- the mechanism for differentiating access rights;
- the cryptographic mechanism;
- the way logs are kept.
DMS and its relationship with the general information system
We must not forget that the DMS is only a part of the overall information system of the personal data operator, and its protection tasks are not solved merely by purchasing and installing a certified software product. A certain list of requirements relating to the entire system must be met. Among them:
- regularly checking how the operator's information system complies with the current legal requirements. Such a check is carried out at least once every three years, by the operator itself or by licensed specialists it engages;
- ensuring physical protection of the workstations on which modules containing personal data bases are located, and of the servers. Physical protection should be accompanied by an access control system and, if possible, by recording all user actions with personal data in the logs;
- ensuring the safety of physical data carriers, for example the documents whose scanned copies are transferred to the database. At the same time, the possibility of an insider copying information from the DMS to some medium must be excluded;
- determining the persons admitted to work with modules containing personal data. In a company that works with clients this is extremely difficult - even when processing a mobile communications contract, an ordinary administrator gains access to confidential information. Nevertheless, access rights still need to be differentiated, and the person responsible for the protection of personal data must be designated by order or, in large companies, a separate division created and entrusted with these tasks;
- introducing certified information security tools provided for by the regulations of the FSTEC of Russia.
At the same time, if certification is carried out for the entire information system and the security measures applied, a separate certified program for the DMS is not required.
Judicial practice related to the processing of personal data in the DMS
Issues of unlawful processing of personal data in electronic document management systems often become the subject of court proceedings. Usually, this category of dispute arises between an employer and an employee as the result of a protracted labor conflict, in which the employee uses the employer's violations of personal data protection legislation as a tool to put pressure on the employer.
Thus, in 2017 the Moscow City Court considered a dispute whose essence was the employer's placement of its correspondence with an employee in the DMS. This occurred not in a private company but in the Ministry of Justice of the Russian Federation: the employee's statement and his management's response to it got into the electronic document management system. The citizen resigned of his own free will. Before that, his management had, in his opinion, deliberately disseminated his personal data, including his place of residence, in the DMS of the Ministry of Justice of Russia, of which he informed the First Deputy Minister and requested an official check. His request was not satisfied, so he went to court with a claim to compel such a check to be carried out. The court of first instance refused the claim, finding no violations of the Federal Law "On Personal Data" in the actions of the Ministry of Justice. The appellate instance upheld the position of the first instance.
But not all disputes end so easily for the employer. Claims for compensation for harm caused by the disclosure of employees' personal data are extremely frequent in court proceedings. Staff take the information they need about other employees or clients from the DMS and pass it to third parties. When a claim is brought against the specific citizen who committed the offense, the employer, who failed to provide the adequate protection of personal data that is its responsibility, may be joined as a co-defendant and also ordered to compensate for moral damage.
Taking care of the proper protection of a DMS that stores personal data should become a priority for every operating company. This avoids the risk of administrative and civil liability.