Personal data protection in educational institutions
The law of the national level, adopted on 23.12.2010 under the index No. 359-FZ, regulates that all ISPD should be reduced to a single model from July 2011. Modern educational institutions are engaged in the implementation of this requirement, subject to amendments and changes periodically introduced by the legislature.
Legal basis for working with personal data
Schools, universities, secondary specialized educational institutions have logically become the main base for the implementation of the latest personal data processing systems. Educational institutions are designed to train personnel adapted to e-business both as teachers and in the role of ordinary users. A general culture of data security should be instilled in citizens at any age, without exception, and educational institutions are the first place where respect for the law in general and for the confidentiality of private information in particular can be cultivated. It is in the field of education that the understanding of the legality or illegality of handling data about a citizen is best introduced.
Personal data protection includes both legal and technical aspects of legal regulation. Electronic support for the collection of information is a technical issue, and the organization of the process itself is more related to the issues of office work than to current legal practice.
The protection of personal data of employees (teachers, researchers, administrative staff units, system administrators and other technical personnel) is subject to the following legislative acts:
- The Constitution of the Russian Federation;
- Law No. 149-FZ, which describes data protection in the aspect of information technologies and information technologies themselves;
- Law No. 152-FZ, which regulates the legal status of personal data;
- Labor Code of the Russian Federation;
- numerous departmental and subordinate legal acts.
The third article of Law No. 152-FZ means by "personal data" any biographical data on a subject - an individual:
- his full name;
- year and date of birth;
- actual address and place of registration;
- the profession and qualifications of a citizen;
- level and time of education;
- the amount of income and the amount of tax paid;
- social status;
- immovable and other assets;
- family status and other social, financial, legal facts about a citizen.
The second article of the same law allows the processing of personal data only to the extent necessary to ensure the work process, with a guarantee of the inviolability of private life. The same law regulates all requirements for handling confidential information. Federal Law No. 152 applies to all organizations on the territory of the Russian Federation, including educational institutions that are operators for the processing of personal data. The 19th article of this document determines that it is the operator who is responsible for all organizational and technical issues, both for the collection and protection of potentially vulnerable private material.
On November 17, 2007 No. 781, the executive branch approved the Regulations concerning the safety of personal data in the context of the use of electronic systems. This normative act describes a full range of necessary material parts, which directly relate to:
- recording equipment;
- terminals receiving personal information;
- elements of the networks used and all software accompanying this work.
Specific versions of programs and models of equipment are specifically negotiated in the profile documents drawn up by the Ministry of Education and special authorized bodies.
Article 22 of Law No. 152-FZ requires the operator to notify the competent authorities immediately before starting the processing of personal data. The procedure is necessary to prevent potential abuses, violations and control over the implementation by educational institutions of the requirements of the legislation in the field of PD processing.
As an authorized body, the legislation of the Russian Federation defines Rossvyazkomnadzor, which in 2008 developed and certified the corresponding samples of the Notification of the start of PD processing and Recommendations for their execution. The operator may not notify Rossvyazkomnadzor if the citizens who provide their personal data to the operator are in labor relations with him. A university, college, or other educational institution may carry out such activities in relation to teachers without creating a Notice.
Personal data protection actions
Educational institutions, when developing measures to protect personal data, involve lawyers, personnel officers in the processing of personal data, and create departments of computer technology.
The legal part and areas of work in this area are operations on:
- development of local acts that will regulate the organization, legal, technical part of the activity with PD;
- determination of the procedure for interaction with all supervisory authorities;
- distribution of functions between employees, fixing tasks between them for document management, processing, storage of personal data.
The specifics of educational institutions require the processing of personal data not only of students, but also of their parents, if we are talking about the primary levels of Russian educational institutions.
The procedure for transferring confidential data to third parties requires a special approach:
- the grounds for such actions may be the requirements of federal legislation, justice authorities;
- obtaining the written consent of the PD subject;
- conclusion of an agreement with third parties, which must contain their assurances to ensure complete confidentiality and safety of data during processing.
The same requirements must be observed when working with personal data when processing with the help of computer technology, Internet resources of educational institutions.
Obligations of employers in matters of personal data protection
The employer, in accordance with Article 21 of the Federal Law No. 152, must:
- block the PD of an employee of an educational institution at his request or at the request of his legal representatives, if such information is not reliable, illegal actions were carried out with it, the operator must clarify or change such data based on the information provided by the subject;
- fix violations if they were found within no more than 3 working days, starting from the day they were detected. If it is not possible to eliminate them within this period of time, the operator must destroy this information. The employer must send information about the elimination of violations, the implementation of the procedure for the destruction of personal data to the subject, his representatives or an authorized body;
- immediately stop the processing of PD, destroy them if the subject has withdrawn his consent to these actions within 3 working days after receiving the notification, unless otherwise provided by law.
Stages of personal data protection
- Analysis of the need and volume of PD processing.
- Analysis and definition of information processes for processing confidential information.
- Creation of a list of departments and staff units involved in the processing of personal information.
- Summation of information systems and analyzed input.
- Definition of categories of information collected in the future.
- Publishing a package of administrative documents for PD processing.
- Development of an effective security system.
Local protection of personal data of employees of educational institutions
Art. 85 of the Labor Code of the Russian Federation interprets as confidential information data on staff units and all requested information on staff members of an educational institution, necessary for an operator to perform actions prescribed in employment contracts. What specific information is subject to protection and is classified as confidential must be decided by the employer, taking into account the current legislation. Article 87 of the Labor Code of the Russian Federation requires the development, implementation and maintenance of the procedure for archiving, preservation and processing of employee PD by the employer.
The primary document is the Regulation on the collection and protection of personal data of employees, during the implementation of which the opinion of authorized trade union cells is necessarily taken into account in accordance with the requirements of Article 372 of the Labor Code of the Russian Federation. This legislative act regulates the procedure for handling personal data, contains methods and principles for ensuring the basic information rights of staff members, identifying responsible persons and ranks of personal data availability for different categories of staff members, determining sanctions for violations committed in working with employees' personal data.
Drawing up the Regulation is a duty that must be fulfilled by the PD operator, the absence of this document is qualified as a direct violation by the operator of federal laws.
Personal data protection in an educational institution consists of the following measures:
- upon receipt of confidential information, written consent from the PD owner is required for their processing, as well as for the possibility of transferring this data to third parties within the framework of the current legislation and in the volumes necessary to fulfill its requirements and implement the work process in an educational institution;
- during the storage of PD, it is required to issue an order on the responsible persons from among the personnel who will have access to these documents, including private data that cannot be disclosed.
An employer (head of an educational institution) is a legal entity that is responsible for the confidentiality of data received for processing within the framework of an employment relationship. It should be in charge of the corresponding logs of the control internal and outgoing accounting of personal data, containing, in addition to the inventory of confidential documents, the procedure for their removal from storage and transfer to third parties. These persons include both representatives of various legal entities and state control and supervisory bodies, law enforcement agencies, and representatives of the judicial system.
The Log itself for internal access to personal data (the name is conditional and not subject to regulation separately, the main thing is that it is accurately indicated in the reporting documentation) should contain:
- dates of workflow of personal files (issue-return);
- term of use;
- the purposes for which the document was issued;
- the list of issued documents itself.
An employee who works with the personal file of another employee, in no case has the right to make any changes to the document.
The educational institution must keep a register of the external circulation of personal data of employees, containing all incoming requests, information about who sent this request to the institution, the date of the beginning of the document flow in the case or a note of refusal to issue the information of interest, and also indicate the specific information transmitted.
A high-quality personal data accounting system requires periodic checks of the availability of personal files and other carriers of confidential personal information, the establishment of a clear document flow procedure.