Requirements for personal data protection
Since the end of the 40s of the twentieth century, the concept of personal data has come into practice. This is such information about a person and his personal life, which can be uniquely identified with him and the dissemination or illegal use of which may harm the person. National legislation has developed a coherent system for the protection of personal data, imposing this obligation on legal entities that receive this information in the course of their activities. The requirements relate to the adoption of technical and organizational measures.
The main regulatory act in which you can find the requirements established to ensure the protection of personal data is the Federal Law "On Personal Data". The law introduces basic definitions, describes in which cases a legal entity will be the operator of personal data, the rights, obligations and responsibilities of operators.
The law does not establish a complete list of personal data. They can be any information relating to a person's personality and uniquely identifiable with him. It:
- passport data;
- address, information about real estate objects belonging to a person and personal life;
- family status and certain aspects of personal life;
- disease history;
- bank account and credit card numbers.
A citizen voluntarily provides most of this information to the operator, getting a job, making a purchase in an online store, which requires registration in a personal account, contacting a medical institution or issuing a pass to the library. Each of the companies receiving this information is obliged to ensure their protection, storage and do everything to avoid their leak. Before obtaining information from an individual, it is required to sign his consent to the processing of personal data, which must indicate:
- the amount of personal data;
- the purposes of their processing;
- ways of processing them;
- persons listed in detail, to whom personal data may be transferred for any purpose for additional processing. So, the bank can transfer information to the Central Bank.
Consent to processing can be revoked by a citizen, in which case the data is destroyed within a month. Without obtaining consent, only information related to the performance of civil obligations, for example, the payment of taxes, or in cases provided for by separate laws, for example, anti-terrorism legislation or the law on the prevention of legalization of income, is processed.
One of these responsibilities is the creation of an information system for the protection of personal data. The requirements for the creation of such a system and the determination of the class of its protection are established by Government Decree No. 1119. The technical parameters of the system, the equipment and software used are regulated by the regulations of the FSTEC of Russia.
The organizational measures applied to protect personal data are divided into two groups. The first includes those that must be accepted by all operators, regardless of which class the protection system they use belongs to. The second group includes measures ranked depending on the degree of threats, the category of information processed and the number of persons whose personal data are at the operator's disposal. It should be borne in mind that the duties of the operator are not assigned to companies that process only the personal data of employees transferred to them in connection with the usual HR workflow.
The measures of the first group aimed at protecting personal data, mandatory for all operators, are:
- sending a notification to Roskomnadzor about the start of activities related to the processing of personal data;
- approval of a package of internal documents, among which there should be a regulation on the protection of personal data;
- development of a consent format for the processing of personal data;
- organizing the process of signing and storing such consents, recording them, ensuring control over the withdrawal of consents;
- organization of restriction of access to computers containing legally protected information, access control, systems of limited access to data.
If the personal data security system should be of a higher class than the fourth, lower class, the following are added to these measures:
- issuance of an order on the appointment of a person responsible for the development and maintenance of the personal data security protection system;
- the creation of a separate department engaged in this activity (for the maximum class of protection for organizations that ensure the processing of personal data of more than 100 thousand people);
- entering in electronic logs of all parameters related to changes in the functions and powers of employees admitted to data processing.
All these measures can be supplemented depending on the current needs of the operator.
Technical measures can be of a different nature, it is conditioned by the requirements imposed depending on the established hazard class. Among them:
- the use of software certified by the FSTEC of the Russian Federation for the processing of personal data for various classes of protection;
- the use of cryptological means of protecting personal data;
- differentiation of user rights, the establishment of firewalls;
- building the system configuration depending on the applied threat model;
- use of software tools that provide full protection of the information perimeter from information leaks, in particular, DLP systems and SIEM systems.
Control over the implementation of organizational measures for the protection of personal data is entrusted to Roskomnadzor, which has the right to conduct scheduled and extraordinary inspections of compliance with legislation on the protection of personal data. Compliance with technical measures is checked by the FSTEC of the Russian Federation. The agency also conducts checks, both documentary and field. Based on the results of each control event, an order may be issued to eliminate the violation of the law, the operator may be prohibited from engaging in activities related to the processing of personal data, he may be brought to administrative or criminal liability.
The personal data protection system is aimed at maintaining a balance of interests of the individual and the operator's business processes, the legislation responds flexibly to changes and corrects all shortcomings associated with insufficient protection of personal data.