Personal data protection of clients of an organization


Most Russian companies that provide services to individuals collect and process their personal data in one way or another. That activity makes them personal data operators in the sense of the law and obliges them to implement a set of organizational and technical measures to protect the client information entrusted to them.

Legal and regulatory framework

The Federal Law "On Personal Data" treats as operators all legal entities and individual entrepreneurs that receive and process the personal data of clients, not merely the data of their own staff in the ordinary course of personnel work. Enterprises that constantly face the requirement to receive and process such data in the manner prescribed by law, and to take measures to protect it, include:

  • medical institutions, for which the requirements that determine the security level of the information system are higher because of the sensitivity of the data entrusted to them;
  • educational organizations;
  • banks and other financial institutions;
  • insurance companies;
  • hotels;
  • libraries;
  • retail stores.

Each of these business entities receives confidential information from citizens: not only a name, passport details and phone number, but also information about marital status, health, property, accounts and deposits. Organizations that need this information, often for regulatory reasons (for example, the formats of various registration cards are prescribed by ministries and departments), receive along with the information a set of obligations to protect it during processing and when transferring it to third parties.

The law requires operators to take a set of organizational and technical measures to protect the information entrusted to them. These requirements are made concrete by Government Decree No. 1119, which sets the parameters by which the security level of the system is determined, and by orders of the FSTEC of Russia, which regulate the use and certification of technical means that protect personal data information systems. In the field of certification of cryptographic protection tools and some software products, there are also standards developed and approved by the FSB of Russia.

Obligations of the operator

Almost every organization that, as part of its activities, receives passport data or a phone number from customers is an operator. The law establishes the obligations of a personal data operator at both the organizational and the technical level. Once a company has determined that the legal requirements unconditionally classify it as an operator, it is obliged to:

  • send a notification to Roskomnadzor about the start of activities involving the processing of personal data. Its form is filled out on the website, then printed, signed and sent to the department by mail;
  • develop local regulations defining the principles and procedure for processing personal data of clients in the process of their entrepreneurial activities;
  • develop a form of consent to the processing of personal data, to be signed by clients, and determine the procedure for presenting it for signature;
  • appoint, by order of the head of the organization, a person responsible for ensuring the proper protection of personal data;
  • determine the required security level of its information system in accordance with Government Decree No. 1119;
  • develop a plan to bring the information base in line with the requirements of the legislation and implement it.

Fulfillment of these duties is monitored during inspections by Roskomnadzor. It should be borne in mind that, under the law on the protection of the rights of legal entities during inspections, the first scheduled inspection may take place only three years after the notification is sent.

Personal data protection regulation

One of the operator's tasks is to develop an internal regulation defining the principles of its work with the personal data of clients. It is usually published on the operator's website so that it is available to any client who is looking for information or submitting information that contains personal data. Such a document can be prepared in-house, by the administrative department or the security service; it contains no special norms, and the legislation imposes no requirements on its format and content. A recommended structure of the regulation looks like this:

  • general provisions. Here it is necessary to describe the principles of working with personal data, the general purposes of its use, the rule that data which has lost its relevance after a certain period must be destroyed, and the procedure for approving the document itself and amending it;
  • definitions. This section explains what is meant by the personal data of clients in relation to the statutory goals and objectives of the particular company, and explains other terms such as "client" and "operator". The personal data required from the client is described in as much detail as possible, with an explanation of which category of persons must provide which information. It also describes the acceptable methods of obtaining personal data;
  • confidentiality requirements. The regulation states that the confidentiality regime applies to personal data and that the operator obliges its employees to comply with its requirements. It is also noted that, when transferring information to third parties for processing under an agreement, the operator includes in that agreement confidentiality obligations and liability for violating them;
  • the rights and obligations of the client. Care is needed in this section. For instance, imposing on the client an obligation to notify the organization of changes in personal data should be justified either by the norms of the law or by the interests of the client himself;
  • obligations of the company itself arising from the processing of personal data. Here the company need not limit itself to the requirements of the law; proactive commitments make the organization's offer more attractive to the client;
  • methods of protecting personal data;
  • final provisions.

Consent to the processing of personal data

An essential element of the personal data protection system is the development of a consent form for the processing of personal data and the establishment of the procedure for signing it. Most often, information is received from the client while a contract is being drawn up, but it should be borne in mind that this information is stored not only in information databases but also on tangible media, which, depending on the type of services, may be:

  • visitor registration sheets filled out in hotels;
  • forms drawn up in libraries;
  • medical records;
  • questionnaires of various kinds.

All these documents are often stored in openly accessible places, and their level of protection cannot be called high. The confidentiality regime is extended to them by including the relevant provisions in employment contracts with personnel, but, as practice shows, it is extremely difficult to recover damages from an employee guilty of disclosing confidential information. The only protection for personal data stored on paper is the difficulty of processing a large volume of handwritten records, which means that their illegal distribution is likely only if the attacker is interested in information about a specific client. Yet when signing a consent to data processing, the client must be confident that the data will be protected to the fullest possible extent and in accordance with legal requirements.

The consent also states the purposes of processing personal data; for a hotel, for example, this will be compliance with requirements for guest safety and the safety of property. By signing the consent, the client acknowledges the appropriateness of these purposes. After the purposes have been determined, the methods of processing personal data, manual and automated, are indicated, and the client must express his agreement with them.

The consent specifies the persons to whom, under an agreement with the operator, the data may be transferred for storage and processing. As the latest judicial practice shows, in relation to banks, these persons must be listed in detail and scrupulously.

As the law states, consent to the processing of personal data may be revoked at any time, through the communication channels that the operator has established for contact with the client. After revocation, the company is obliged to destroy the data within 30 days. This can be avoided only if retention of the data by the operator is required by federal laws, for example on combating terrorism or money laundering. Previously the destruction period was 7 days, but it proved so inconvenient for operators that it was extended. The client also has the right to demand the deletion or correction of data that is untrue or distorted. If the request is refused or not fulfilled, the citizen may apply to Roskomnadzor.

Risks associated with the processing of personal data of clients

Operators should take into account that violating the established procedure for processing and protecting personal data entails adverse consequences. Such violations can come to light in three ways:

  • during inspections by the bodies that monitor compliance with personal data legislation: Roskomnadzor, the FSTEC of Russia and the FSB of Russia;
  • as a result of the operator's interaction with other departments, for example the FAS of Russia;
  • through an individual whose rights have been violated. Such a violation can become grounds for filing a claim in court for restoration of the violated right and compensation for moral damage.

The consequences of detecting a violation by a state body are:

  • issuance of an order to eliminate violations of the law;
  • administrative fines imposed on company managers;
  • a ban on engaging in activities related to the processing of personal data;
  • in the most egregious cases of misuse or dissemination of data, criminal prosecution.

A person whose private information has been unlawfully obtained or disseminated may bring the following categories of claims in court:

  • a claim for compensation for moral damage associated with the unlawful use of personal data;
  • a claim to prohibit the collection of personal data if the organization lacks the certified resources needed to ensure its safety (this method of protecting rights is often used in relations with stores);
  • a claim for the removal or modification of incorrectly recorded data.

Russian courts most often award moral damages in small amounts, on average 50 thousand rubles in the capital and large cities and 10 thousand rubles elsewhere in Russia. The real risk, however, lies not in losing small sums but in the problem becoming public. After a court decision enters into force or the media report on the case, Roskomnadzor may order an unscheduled inspection of compliance with personal data legislation, and based on its results the organization may be prohibited from processing personal data. This would cause significant losses for the operator.

Organizations working with individuals must take all these requirements and risks into account and organize their work so that no violation of the established procedure for protecting personal data occurs.