Personal data processing
The fundamental regulatory document in the field of personal data protection (PD) is the law "On personal data". The first article of the law states that this document regulates issues related to data processing both with the use of automation tools and without. It is not completely clear whether every paper medium of PD is subject to the law. However, during inspections related to compliance with legal requirements, Roskomnadzor most often punishes precisely for violations related to the processing of personal information without the use of automation tools.
Personal data concept
Personal data is information that directly or indirectly relates to a specific or identified individual - the subject of PD. Data operators are state and municipal authorities, legal entities, and individuals who, independently or together with other persons, are involved in organizing or directly processing PD.
In any case, about PD, operators must establish target processing criteria; the content of the processed information, and the set of actions performed.
The concept of "PD processing" includes various operations with and without the use of automation tools:
The processing of personal data using automated systems is considered automated. Establishing the exact boundaries of the process of processing personal data in such ways creates some difficulties in working with them.
Working with personal data
Often, operators do not even assume that they fall under the definition of "personal data". For example, judicial practice shows that during the processing of PD, personnel services and accounting are guided by Part 2 of Article 1 of FZ-152 on personal data and I believe that the archives of the enterprise do not fall under the requirements of the law. The premises of archives in companies are, in fact, warehouses with paper carriers of information, which opens up opportunities for unauthorized access to PD with the corresponding legal consequences. Such warehouses are fully covered by FZ-152, so PD stored in the premises must be processed in compliance with the requirements established by law.
But in addition to archives, any organization has workplaces where the process of processing personal data takes place. For example, secretaries keep the personal information that includes:
- lists of employees with full names, phone numbers, and home addresses;
- copies of passport pages;
- data on the family status and children of employees;
- information from questionnaires and resumes of job seekers;
- orders with personal data, which are awaiting signature, on personnel appointments.
A huge number of PDs are also stored by the security service, for example, questionnaires, which contain information about criminal records that ordinary operators are prohibited from processing. At the checkpoint, data of visitors is stored, at the workplace of a medical worker who releases transport on a flight - data on the state of health of employees. Due to the variety of places where PD is used, it is necessary to determine the boundaries of their processing.
Also, in all the above examples, materials appear that are carriers of PD, therefore, according to Resolution No. 687, access to them should be limited. For any documents concerning the personal data of employees, it is required to ensure the conditions of confidentiality and security of information.
At the same time, it is important to clearly understand and follow the requirements of the PD law: determine what is included in the concept and take into account all possible options for data processing by Article 5 of this law.
The Law "On Personal Data" practically does not divide requirements according to the types of information processed. Only part 2 of article 19 contains information on the processing of PD using information systems. Therefore, it is important that data processing without the use of automation tools is carried out in compliance with the rules and cases provided for by law.
In addition to the law, the issues of PD processing without the use of automation tools are regulated by by-laws. We are talking about the government decree No. 687 of September 15, 2008 "On the approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools."
Clause 6 of the document says that all persons involved in the processing of PD without the use of automated means must be informed that they are processing such data, and also notify which category the data belongs to and what features and rules must be followed when performing operations with data.
Informing about the fact of PD processing and the categories of data that are processed can be carried out by familiarizing employees with the list of positions required to participate in PD processing. This list should be divided depending on the processing method: using automation and without them.
The requirement to determine the employees who take part in specific types of PD processing is contained in Resolution No. 687 and Government Resolution No. 1119 of November 1, 2012 "On approval of requirements for the protection of personal data when processing them in personal data information systems."
Further, according to the law, the employee must be familiarized with the list, categories, and types of personal data processing. At the same time, it is recommended to divide the list of operator's PD by categories. Federal Law 152 does not say directly how to divide into categories. But by the order of Roskomnadzor dated August 19, 2011, the Recommendations on filling out the notification of PD processing were approved. In paragraph 6 of the document, PD is divided into three categories: personal, special, and biometric.
To comply with the requirements of regulatory enactments, it will not be superfluous to add a section on familiarizing employees with the rules for processing personal data without the use of automated tools to the local instructions or operator's regulations that determine the specifics of working with PD. Familiarization with this local document will at the same time bring to the attention of employees the requirements of paragraph 6 of the Roskomnadzor order.
Typical form according to regulation No. 687
By government decree No. 687, data processing without automation means is the operation of application, clarification, distribution, destruction, and other operations with PD related to each subject of PD, performed by a person.
Thus, if employees' personal data are processed in a computer system, this fact does not mean that automation tools are used. Therefore, the enterprise needs to develop and observe the procedure for processing PD. Moreover, such information should be isolated from other data, including through storage on separate physical media.
Clause 7 of Resolution No. 687 lists the conditions that must be observed when using the forms of standard documents, where PD is allowed or expected to be entered. In this case, in a standard form, for example, cards, registers, magazines, it is necessary to store:
- information about the purposes of PD processing without the use of automation tools;
- full name and contact details of the operator;
- full name and contacts of the PD subject;
- the source from which the information comes;
- processing time;
- list of operations with PD;
- a generalized description of processing methods.
It is important that in the standard form there are no combined fields allocated for entering PD, the processing purposes of which are completely different and cannot be combined.
The standard form should also provide for a column where the PD subject will put a mark on consent to data processing without the use of automated systems if the law requires consent.
The standard form developed by the requirements for maintaining official documentation is drawn up so that the subjects of personal data who appear in the document are familiar with it. At the same time, familiarization should be carried out without violating the rights of other PD subjects.
Data processing security
To protect PD, it is necessary to take special security measures that would allow processing without automation tools with the ability to determine storage locations on material carriers.
It is necessary to establish a circle of persons admitted to PD processing. Tangible media with personal data must be stored separately if they are processed for different purposes.
In any company, organization, and institution, it is necessary to restrict access and exclude unauthorized operations with personal data of employees. The operator must develop and put into effect a list of measures, the implementation of which will ensure the safety of PD in appropriate conditions. At the same time, it is necessary to develop a certain procedure for their adoption, as well as appoint responsible persons who will monitor compliance with this procedure.
An important stage in the organization of safe processing and safety of PD is the correct organization of storage, accounting, and circulation of funds that are carriers of information. You should also think about physical security: create an effective access control, restrict access to the operator's territory and places for processing personal data, organize the security of the premises where the technical means for processing personal data are located.