Measures to ensure personal data protection in an organization
Any organization that works with personal data (PD), including transferring it, is considered a PD operator. PD operators must be guided in their activities by Federal Law of the Russian Federation No. 152-FZ "On Personal Data" of July 27, 2006 and other legal norms.
The operator must register in the Register of PD Operators maintained by Roskomnadzor on the regulator's official website and indicate the purposes for which it uses the PD it collects and requests. If the processing of employee PD is provided for by labor legislation, the organization has the right to process it without notifying Roskomnadzor.
The operator is obliged to take the necessary measures to protect PD from unauthorized use: falsification, copying, deletion, blocking, distribution and other illegal actions.
Regulation of the content of PD related to work
PD includes almost all information about a person. The content of PD is determined by the operators themselves, but in some cases it is explicitly regulated by regulatory legal acts, and deviation from those requirements is illegal.
At any enterprise, the following information (personal data) about each employee is entered in the personnel record form:
- full name;
- date of birth information;
- individual tax number;
- knowledge of foreign languages;
- education received;
- acquired professions, specialties;
- information about the composition of the family;
- place of residence;
- military service status;
- labor activity.
Protection of personal information
Legal entities and individuals working with PD are obliged to organize the proper protection of this information. Both internal and external protection of PD must be provided at an enterprise or in any other organization.
Internal protection of PD includes the following actions:
- admitting to the PD of employees only a strictly defined circle of persons, fixed in internal documents, who need this information to fulfill the duties of the positions they hold;
- appointment of a responsible officer who monitors the implementation of legal norms in the field of personal data protection;
- creating a list of documentation that contains the PD;
- issuance of regulatory documents for the protection of personal data for internal use and control over compliance with the rules;
- familiarization of employees processing personal data with legal provisions for their protection and internal regulatory documents;
- periodically checking the awareness of employees on these issues and monitoring their compliance with regulations on the protection of confidential data;
- arranging workplaces so that unauthorized persons cannot see confidential information;
- preventing interference with the technical means that perform automated processing of PD, since such interference could disrupt their operation;
- formation of a list of persons entitled to be in the offices with personal data;
- a description of the procedure for removing unused information;
- timely identification and elimination of violations of PD protection norms;
- taking preventive measures to prevent employees from disclosing personal data being processed.
External protection of PD involves the following actions:
- access control;
- compliance with the established rules for receiving visitors and their registration;
- use of devices for protection;
- software data protection.
Personal data information systems (PDIS)
Personal data information systems are a functioning set of information, hardware and software components, comprising:
- processed PD;
- technology of working with information by means of computer technology;
- technical means and devices (servers, work terminals, data networks, printers, scanners, etc.);
- information security means.
Protective measures when working in PDIS
To protect personal data from unauthorized distribution, the following measures must be taken:
- identification of current security threats;
- formation of threat models;
- development of personal data protection systems;
- checking the performance of information security tools;
- conclusion on the suitability for use;
- installation and commissioning of information security systems;
- training employees to work with information security systems;
- control over the work of the information security system;
- registration of technical documentation;
- determination of the circle of employees admitted to work with PDIS;
- upon detection of a violation of the storage conditions for PD carriers - investigation and drawing up a conclusion;
- taking measures to eliminate the consequences of these violations;
- provision of security for premises with PDIS equipment and organization of the access regime;
- taking measures to prevent information leakage through technical channels.
PD protection from unauthorized access
Protection against unauthorized access is provided by the following subsystems:
- access control to PD, registration and accounting of all actions with this data;
- ensuring the integrity of personal information;
- application of anti-virus protection to preserve personal data and prevent virus attacks;
- creation of a firewall;
- analysis of security and taking measures to strengthen it;
- detection of intrusions, their timely localization.
The access control subsystem consists of protection tools that are not part of the OS kernel, the database management systems or other application programs. These tools include special utilities that check the file system, log user actions and signal unauthorized entry into the system.
The integrity of PD is ensured by means of the OS and the database management systems. The base platform for building a PDIS can be the Microsoft Windows Server network operating system (Standard Edition and Enterprise Edition), which is certified by the FSTEC of Russia and the FSB.
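As an added example (not from the original article), the following Python sketch shows the access control and integrity subsystems described above working together on a constructed employee record: only roles named in an assumed internal access matrix may act on a record, every attempt is registered in an audit log, and a SHA-256 seal signals any change made outside the subsystem. The roles, the record and its field names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample record using fields from the personnel record form (not real data).
PD_RECORDS = {
    "emp-001": {"full_name": "Ivanov I. I.", "date_of_birth": "1985-03-12",
                "tax_number": "000000000000", "place_of_residence": "Moscow"},
}

# Circle of persons admitted to PD, as fixed by internal documents (assumed roles and actions).
ACCESS_MATRIX = {
    "hr_specialist": {"read", "update"},
    "accountant": {"read"},
}

AUDIT_LOG = []  # registration and accounting of every action with PD
ALERTS = []     # signals of unauthorized entry and integrity violations


def record_digest(record):
    """Integrity control value: SHA-256 of the record in canonical JSON form."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


# Seal every record once at commissioning time; re-sealed only after an authorized update.
INTEGRITY = {emp_id: record_digest(rec) for emp_id, rec in PD_RECORDS.items()}


def access_pd(user, role, action, emp_id, changes=None):
    """Mediate one action on a PD record; returns the record, or None when refused."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "user": user,
             "role": role, "action": action, "record": emp_id, "result": "denied"}
    AUDIT_LOG.append(entry)  # every attempt is logged, including refused ones
    if action not in ACCESS_MATRIX.get(role, set()):
        ALERTS.append(f"unauthorized {action} on {emp_id} by {user}")
        return None
    rec = PD_RECORDS[emp_id]
    if record_digest(rec) != INTEGRITY[emp_id]:
        entry["result"] = "integrity_violation"
        ALERTS.append(f"record {emp_id} was changed outside the access subsystem")
        return None
    if action == "update":
        rec.update(changes or {})
        INTEGRITY[emp_id] = record_digest(rec)  # re-seal after an authorized change
    entry["result"] = "ok"
    return rec
```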
For the anti-virus protection subsystem, you can use anti-virus tools of Kaspersky Lab, which are also certified by the FSB. Depending on the level of security of the PDIS, firewalls of the third or fourth level of protection can be used.
The security analysis subsystem monitors OS protection settings on work terminals and servers. It issues a report with information about the detected vulnerabilities. Based on the scan results, measures are taken to eliminate the identified deficiencies.
For the analysis subsystem, you can use the Xspider network security scanner from Positive Technologies, certified by the FSTEC of Russia. For the intrusion detection subsystem, experts recommend the Cisco Intrusion Detection System product certified by FSTEC.
Before the PDIS is commissioned into operation, it is necessary to carry out its security certification and obtain a Certificate of Compliance with the requirements of the FSTEC of Russia.
Certification of a PDIS against information security requirements is carried out before processing of the protected information begins. It officially confirms the effectiveness of the set of information protection measures and tools used in the PDIS.
How to document the protection of personal data
In practice, the following documents can be drawn up:
- regulations on PD;
- list of employees working with personal data;
- order to approve the employee responsible for working with personal data;
- instructions on the official investigation of the facts of disclosure of personal data of employees;
- antivirus scan log;
- PD use control log for business needs.
Transfer of personal data to third parties
To comply with the legal provisions on obtaining an individual's consent to the processing and transfer of personal data, you can draw up a collective agreement with employees that lists all third parties, indicating their names, addresses and the period of data use. All employees of the organization must sign this agreement.
Note that the legislation of the Russian Federation provides for the transfer of personal data to judicial authorities and other law enforcement agencies without the need to obtain consent for these actions.
Storage time of personal data
The confidentiality regime is lifted from personal data after 75 years, if the data has been depersonalized, or when required by law.
When PD is no longer needed by the operator, they must be destroyed within five years or handed over to the archive.