Personal data security requirements
Information that allows a person to be identified, including such sensitive details as information about his private life, health, occupation and property status, falls into the categories of personal data. Its unlawful distribution or other use can cause harm to the individual. Legislation sets out specific requirements that operators must comply with to ensure the security of this data.
A citizen hands over information about himself in various situations: when applying for a job, visiting medical institutions, receiving educational services, buying a mobile phone number, or concluding an agreement with a bank. In each of these cases, he entrusts his personal data to a company or an individual entrepreneur, who, under the requirements of the law, are obliged to ensure its security. Typical threats that can harm a citizen if this data is leaked include:
- unlawful publication in the media of data about him and of information that constitutes a secret of his private life;
- criminals obtaining his address, vehicle information or bank card number;
- information about his medical history, for example photos before and after plastic surgery, appearing on the Internet.
In each of these cases, a person suffers not only moral damage but also property damage. All of this forces operators to take measures to ensure the security of personal data. This obligation is reinforced by legal regulation, oversight by government agencies, and the risk of becoming a defendant in claims for damages.
Legal and regulatory framework
The main body of relations related to the security of personal data is regulated by the Federal Law “On Personal Data”. This normative act introduces definitions and concepts, defines the rights, obligations and liability of operators, and sets out all permitted methods of data processing. Its application in practice is ensured by a number of by-laws. The main one is Decree of the Government of the Russian Federation No. 1119, which defines the requirements for ensuring the security of personal data. The decree establishes standards in relation to:
- the definition of personal data security systems;
- three types of data security threats;
- four types of system protection.
The requirements are quite specific and make it easy to determine which protection class is needed. Specific technical and software requirements are regulated by orders of the FSTEC of Russia, which licenses the activities of individual operators and certifies the software products used. With regard to a specific legal entity, this state body has the right to issue binding orders to eliminate deficiencies in the organization of personal data security systems. Failure to comply with the requirements may lead to a prohibition on engaging in entrepreneurial activity that is based on work with personal data. The requirements are both technical and organizational in nature, the latter associated with the need to send a notification of the start of activities related to the processing of personal data and to develop a set of internal documentation.
Government Decree No. 1119 introduces four levels of personal data protection, ranked by threat level from highest to lowest. The rules for determining them are specified in Resolution No. 1119 and depend on the total number of persons who provided their data for processing and the category of this information. The determination is based on the following principles:
- The 1st and highest level must be set for operators who work with data classified by law in special categories or with biometric data, as well as for companies that hold personal data of more than 100 thousand people who are not employees of the enterprise (for example, mobile operators or the Pension Fund);
- The 2nd, or high, level is assigned to companies that work with biometric data of fewer than 100 thousand people, or process information of more than 100 thousand employees, or personal data of the same number of persons if this information is publicly available;
- The 3rd, or medium, level of protection applies to companies that hold data of more than 100 thousand people who are not employees of the organization;
- The 4th, or low, security level applies to systems that process information that is publicly available and cannot be reliably attributed to a specific person.
If a company processes only the personal data of its employees obtained in the course of HR administration, it is not considered an operator and does not have to equip an information system in accordance with one of the security classes to ensure the protection of information. Individuals who entrust their data to operators must sign a consent to its processing.
Basic requirements for security
The law has undergone many changes since its adoption. Some of them simplified the position of operators, for example by lengthening the period for destroying personal data after the subject withdraws consent to its processing; others made it more complicated. Today, the following basic principles of ensuring the security of personal data are distinguished:
- mandatory placement of the servers on which arrays of protected data are stored within the country;
- the operator's right to independently determine the level of threats and their relevance, based on the model proposed in Article 1 of Resolution No. 1119. The level he determines should be reflected in the threat model, on the basis of which the configuration of the personal data security system is built.
Even the 4th level of system protection requires the implementation of a certain set of measures:
- mandatory restricted access to the offices and premises in which the servers storing arrays of personal data are located. Entry should be by pass only, and no unauthorized persons should be allowed onto the premises;
- servers must be placed in a manner that guarantees their physical safety in the event of an accident or other emergency;
- a package of internal documentation regulating personal data protection issues must be approved. One of these documents should be an order establishing the list of persons with access to the databases.
For the third level, the appointment of an official responsible for security is added to the list of organizational measures for the protection of personal data. The second level obliges the enterprise to ensure that only employees bound by an obligation to maintain trade secrets can access the data. For the highest, first, level, two additional obligations are added:
- create a separate structural unit responsible for the security of personal data;
- record in electronic logs all events related to adjusting the permissions of employees who have access to arrays of personal data.
The measures required of operators to ensure the security of personal data are designed to ensure respect for human rights in the information sphere. Fulfillment of these duties is monitored by the state and the judiciary. Sometimes these measures may seem redundant, but the legislation responds flexibly to changes in law enforcement practice and corrects laws and by-laws accordingly.