Personal data processing methods

 

The modern world limits a person's right to protect information about themselves and their private life. Information is provided in many cases to government organizations and commercial companies, and not all of them ensure its confidentiality. Once a person's personal data (PD) is at the disposal of a company recognized as a PD operator, various actions can be performed on it; the person learns about these actions when signing the consent to processing. The means and methods of processing personal data are determined by federal laws.

Legal regulation

In the Russian legal field, the term “personal data” appeared in the early 2000s. It was borrowed from European and American law. The purpose of introducing a new concept into national legislation was to protect information about a person's private life, health and property from encroachment by intruders.

Classification of actions with personal data

The Law "On Personal Data" names several types of actions that can be performed with the personal data received by an organization. This list is closed and is not subject to broad interpretation. The PD operator can perform the following actions with the data:

  • collection - the actual transfer of personal data from the subject to the operator;
  • recording - can be done both manually and by machine;
  • systematization - a technical action that makes the processing of personal data easier for the operator;
  • accumulation - the term does not have an independent meaning and implies the storage of arrays of information on physical media or using automation tools until they are destroyed;
  • storage - the legislator sets many requirements for the methods of physical and technical protection of personal data;
  • clarification - this term can mean either updating or changing information;
  • extraction - this implies the transfer of personal data from the memory of automation equipment to physical media;
  • use;
  • transfer - this term covers ways of giving third parties access to data, such as distribution and provision. Distribution means that the information becomes available to an unlimited number of persons, who can get it by going to an open site or buying a newspaper or a CD with the information; provision involves the same actions, but in relation to several subjects, determined by agreement or otherwise;
  • depersonalization - this method of processing is provided by security systems; it practically excludes the possibility of separating the personal data of a particular person from the common database. Depersonalization can only take place when data is processed using automation tools. When it is used, the data of one subject can be selected from the array only with special means;
  • blocking - the temporary suspension of any actions with personal data. Blocking is carried out at the request of the subject of personal data or at the request of the regulator. If necessary, the information may be processed only for the purpose of clarifying it;
  • deletion - it differs from destruction, since it is performed in order to correct personal data or to solve other technical problems;
  • destruction - steps that not only destroy personal data processed manually or automatically, but also completely exclude its recovery. Important: if the data was on physical media, the media itself is destroyed along with it. Destruction occurs at the request of the subject of personal data or after the expiration of the processing period.

Processing methods

Article 3 of the Law "On Personal Data" also clearly defines two ways of processing personal data:

  • using automation tools;
  • without them.

The same understanding can be found in Roskomnadzor regulations. By an automated method of processing, the legislator and the agency mean any actions with personal data that involve the use of computer technology. The law does not specifically define the term "computer technology", but it is obvious that information systems are meant. There is one serious limitation on processing personal data by means of automation: no decision that may change the rights or obligations of a citizen can be made solely on the basis of the results of information processing by means of computer technology.

Accordingly, the manual method of processing personal data consists of entering it manually on physical media and then working with those media. Beyond this, the law does not spell out the specifics of organizing work under each method, leaving that to FSTEC of Russia. The agency, in turn, determines the requirements for the automated processing method and the means used for it. For the manual method, what applies is either general principles or organizational measures that impede physical access to personal data by delimiting the functions of employees. The requirements for the physical protection of premises also apply.

Processing principles

Federal law states that any processing of personal data must be based on certain principles that each operator must adhere to. Among them:

  • legality and fairness - the purposes of processing personal data must be lawful, all subjects and operators must be in equal conditions;
  • specificity - the processing of personal data should be carried out only to achieve specific goals and objectives predetermined by the operator. Processing by any means is not allowed if it is incompatible with the declared purposes;
  • avoidance of redundancy - the operator must process only that amount of personal data that meets the assigned goals. It is unacceptable to request redundant information from the subject of personal data;
  • accuracy, sufficiency and relevance - all incorrect information must be deleted either by the operator independently or at the request of the subject; when the data changes, it must be updated in a timely manner;
  • minimum identification - storage of personal data in the conditions of using automation tools should be carried out in such a way that identification of their subject would be possible only for a strictly defined time and for solving certain problems.

Processing conditions

To avoid administrative liability, the operator must adhere to the conditions for processing personal data established by law. Among the main ones:

1. processing of personal data is allowed when a person has expressed his consent to this and has not withdrawn it;

2. in the absence of consent, processing is allowed in cases strictly specified by law. These are situations such as the imposition of obligations on the operator to carry out activities for which the processing of personal data is required, or where this is required by international treaties or by Federal laws of the Russian Federation in force in significant areas, for example, in the field of protection against terrorism. The same area of regulation includes the situation when PD is provided to state or federal authorities for the performance of their statutory obligations;

3. processing is also allowed without the consent of the subject of personal data in the course of any legal proceedings (criminal, civil, or in the field of constitutional law), for the resolution of disputes or for the execution of a judicial act. Thus, the personal data of citizens is freely provided to bailiffs.

A special, but no less important, case of PD processing by any means and methods without the consent of the subject is the situation when it is necessary to protect human life and health. Processing of personal data in the work of journalists is also allowed, if it does not violate the rights of individuals to privacy or other interests. Separate rules regulate the conditions for the processing of personal data of persons who are under state protection.

Methods of processing personal data by state and municipal authorities

The Law on Personal Data establishes additional requirements for the means and methods of processing used by state or municipal authorities. For them, certain methods of depersonalization can be established, which make it difficult to determine which person the information belongs to. They are also restricted from using PD, or indicating whom it belongs to, in any way that could offend the feelings of specific individuals or social groups. No method of data processing by government agencies and institutions should limit human rights.

Any operator, whether a private company or a public organization, must strictly adhere to the principles established by law when determining how it will process the personal data provided to it. This makes it possible to avoid both misuse of information and the operator being held liable.

11.12.2020