Who controls personal data protection
The protection of personal data becomes the task of every company that receives it in accordance with its statutory goals. These companies have specific responsibilities - from developing documentation to installing the appropriate software. Certain government departments are tasked with monitoring compliance with the legislation in force in this area.
Main regulators and their powers
The main proposals and terms in the field of personal data protection are defined by Federal Law No. 152-FZ. He also determines the state organizations authorized to exercise control in this area. The law points to three departments of the Russian Federation, which are entrusted with the obligation to monitor the implementation by legal entities of what the law requires of them in order to effectively protect the personal data of citizens. These are state bodies such as:
The Federal Law on the Protection of the Rights of Legal Entities No. 294-FZ named the main type of control measures that are carried out in relation to persons who have sent a notice of starting a business related to the processing of personal data. These are inspections carried out by state bodies within the framework of their powers. According to the legislation, they can be planned and unplanned. A scheduled check can be scheduled no earlier than three years after registration or filing a notification about working with personal data. She is appointed in the year preceding the audit. Information about it, its term and the objects to be inspected must be entered into the national register, which is then posted on the website of the General Prosecutor's Office. Each operator can always know whether scheduled inspection activities will be carried out in relation to him.
An unscheduled check of compliance with the rules for the protection of personal data can be assigned only if there are good reasons. It:
- the presence of a citizen's statement about the violation of his rights or illegal activities carried out by the company;
- reporting this to a law enforcement agency;
- media report;
- failure to comply with the prescription issued by the inspection organization based on the results of the previous scheduled inspection;
- expiration of the prescription and the need to verify its implementation;
- violation of legislation governing the field of personal data protection;
- inconsistency of the data entered in the notification with real business activities.
It is important that unscheduled inspection departments can come to the company only with the consent of the prosecutor's office. If the citizen's appeal, which could become the basis for the verification, does not contain data that could help establish his identity, for example, it has an illegible signature or no postal address, such a statement cannot be the basis for the verification.
If companies are most often found out about scheduled inspections of compliance with the prescriptions or requirements of the law on the protection of personal data at the end of December, when their list appears on the website of the Prosecutor General's Office, then the unscheduled inspection agencies are required to notify them no later than 24 hours in advance. This is done by any means available, including email, fax, or telephone. But there is one exception. If the operator's activities went beyond the law and such a violation caused harm to a person, his health or life (for example, a data leak caused an attack), then in this case it is not required to notify about the check, it is carried out immediately after the establishment of such a fact.
Any check cannot last more than 20 days. If circumstances require, it is extended, for small businesses - no more than 15 hours. It can be suspended with a mandatory written notification to the operator if:
- expertise is required;
- a reasoned decision was made by the head of the department conducting the inspection.
The check ends in several ways:
- drawing up an act based on the results of the inspection, sending it to the operator;
- issuance of an order on the need to stop violation of the law with a list of actions to eliminate the shortcomings;
- bringing the operator to administrative responsibility on various grounds provided for by the Code of Administrative Offenses of the Russian Federation;
- sending materials to law enforcement agencies with the formulation of the issue of bringing to criminal responsibility.
In practice, most often, Roskomnadzor conducts inspections of compliance with legislation on the storage and processing of personal data. All three authorized organizations have reached mutual understanding and, in the order of interdepartmental interaction, sometimes carry out joint control activities in relation to the same subject, distributing among themselves areas of responsibility and objects of checks. Roskomnadzor is responsible for general compliance with the law, FSTEC and FSB monitor compliance with special licensing requirements.
The department is responsible for a wide range of legal relations related to information technology and the use of the Internet. It checks how accurately organizations comply with the requirements related to the processing and storage of personal data, protection of the rights of subjects. The agency has the right to check the data that the company indicated in the notification about the start of the activity related to the processing of personal data. This form is filled out on the portal of the organization and at the same time sent by mail. The requirement applies to all organizations, except those that process only information about their employees.
Based on the law on personal data, the agency has the right to:
- to request from citizens and organizations any information that he needs to perform his functions, and receive such data free of charge;
- check all the information that the company sent to the state authority, informing about the beginning of the activity on the processing of personal data. Control is carried out both directly by the department and with the involvement of other state structures that have the authority to verify the specified information;
- upon receipt of a citizen's application or for other reasons, require the operator to block, erase or clarify data that does not meet the reliability requirements or was obtained in an illegitimate way;
- in the event that the processing of personal data does not comply with the rules and regulations established for such operations, independently, without transferring the issue to a court decision, make a decision to suspend or prohibit further processing of personal data;
- to submit claims to courts, the subject of which will be the protection of information and personal rights of subjects - carriers of personal data, to represent the interests of such citizens in court;
- send a request to the agency that issued the license to the operator to carry out entrepreneurial activities related to the service of personal data, with a request to suspend or terminate it, if one of the licensing conditions was a prohibition on the distribution or transfer of personal data without obtaining a permit signed by their carrier;
- write official notifications to the prosecutor's office and the investigating authorities, sending materials that make it possible to resolve the issue of initiating a criminal case if signs of an act provided for by the Criminal Code of the Russian Federation were recorded and related to the illegal handling of personal data;
- make informed decisions on bringing operators and other persons who incorrectly use personal data or commit other offenses to liability under the Code of Administrative Offenses of the Russian Federation.
FSTEC and its powers
FSTEC is responsible for the technical support of the personal data protection system. Among his powers:
- requesting the operator for a report on controlled activities and checking it;
- the requirement for copies of documents confirming the compliance of the used computer equipment and certificates for the software used;
- request for documentation for the premises, confirming that they are properly equipped and guarantee the proper protection of personal data;
- visiting the site and monitoring how effectively organizational measures are applied to ensure the safety of the data stored there.
Verification cannot take more than 20 days. Inspectors check documents that confirm the organization's compliance with the conditions for granting licenses, as well as those previously sent to the company that are binding on the FSTEC requirements.
There are 2 types of checks:
- documentary (analogous to the tax office). It takes place in the FSTEC of Russia or its department in a particular Russian federal district on the basis of the requested documents and the data contained in them. This type of control measures can be assigned both in a planned and an extraordinary, proactive manner;
- exit. Within its framework, the correctness of compliance with the requirements set to the company as a condition for issuing a license is monitored. It always takes place in the office of the organization itself. This type of verification measures is assigned in the event that a documentary verification cannot be carried out. This situation arises when the documents that FSTEC has do not allow reliable control over compliance with the license terms.
The check begins on the basis of the order, and ends with the issuance of an act or order to eliminate violations.
FSB and its powers
The Federal Security Service also carries out control measures designed to ensure the accuracy and correctness of compliance with the legislation on working with personal data, but in relation to the means of cryptographic information protection (CIPF) used by the subject of verification. Her areas of competence include:
- request from operators for a report on their licensed activities. The list of issues and the depth of control are not limited by the normative, the operator needs to be ready to give a full report on all aspects of fulfilling the license conditions;
- request for copies of documents issued as a certificate of compliance of the technical means of personal data protection used by the operator, in the structure of which the cryptographic information protection system is located, with the security requirements established by regulatory enactments;
- verification of the accuracy and correctness of the implementation of organizational measures provided for by the license conditions to ensure the safety of facilities in which the organization operates.
Violation of the requirements for the protection and processing of personal data, protection of the rights of subjects of personal data will become the basis for the suspension or termination of the license. An inspection can be appointed only on the basis of an order from the head of Center 8 of the FSB of Russia. The order must contain the following data:
- the composition of the persons participating in the audit, employees of the department and experts involved in the audit activities;
- data about the checked object;
- verification parameters, its goals and objectives, subject;
- legal norms on which the department relied when assigning an inspection;
- a list of those verification measures that are supposed to be carried out (request for documents, interviewing witnesses, inspection of premises);
- inspection period.
It is important that the powers of the department are legally limited. During inspections of compliance with legislation on the protection of personal data, it is not entitled to:
- check the correctness of the fulfillment of those requirements of the law that are not within the competence of the department;
- to carry out events if during this period its director or other person authorized by him on the basis of a power of attorney to interact with the department is absent in the company;
- demand to transfer copies of documents that are not related to the subject of inspection, or seize the originals of documents;
- disseminate information obtained during the audit, if it belongs to a category of secrets protected by law, for example, banking or commercial;
- delay the inspection without making a reasoned decision;
- to carry out control measures at the expense of companies, giving them preliminary instructions on this.
During the events, the FSB checks several types of requirements, mainly technical. The first group includes the requirements for the correct application of organizational measures. It:
- availability of documents regulating the protection of personal data by the operator using cryptographic information protection tools;
- implementation of previously issued recommendations of the department aimed at the correct organization of communication when transferring personal data using cryptographic information protection tools.
The second group includes the requirements for the correct organization of the system of measures for the cryptographic protection of personal data. It:
- the presence of a threat model in the organization indicating potential violators;
- the relevance of this model, its compliance with the previously presented introductory;
- compliance of the applied protection tools with the threats highlighted in the model;
- the existence of documents confirming the legitimate supply of cryptographic information protection tools, ensuring the protection of personal data, to the operator.
The third group of inspected objects includes the availability of permits at the enterprise that mediate the method of protecting personal data. It:
- verification of the existence of licenses required for the use of cryptographic information protection tools;
- availability of certificates of conformity for purchased and used personal data protection tools;
- availability of documentation for the operation of these tools, various operator manuals, instructions, operating rules;
- verification of compliance with the rules of accounting for cryptographic information security
- identification of funds that do not have the necessary certificates.
The fourth group of inspected objects includes the requirements for persons admitted to servicing cryptographic information protection tools that ensure the protection of personal data. It:
- availability of job descriptions;
- the procedure for personnel records;
- availability of employees in all positions provided for by the staffing table;
- the procedure for training personnel working with cryptographic information protection tools.
The fifth group of objects includes methods of operating personal data protection means. It:
- technical condition assessment;
- the correctness of their commissioning;
- assessment of the correctness of the choice of the software used.
The sixth group of objects includes organizational measures that the operator of personal data must apply. It:
- availability of instructions;
- the presence of crypto keys;
- regime measures.
The powers of the regulatory authorities are broad enough. But any of their decisions, if they violate the norms of law, can be challenged in court: both the order issued and the protocol on bringing to administrative responsibility. However, only scrupulous observance of legislation on the protection of personal data guarantees successful interaction with regulatory authorities.