Personal data in housing and communal services
Citizens who enter into relations with housing and communal services organizations hand over information that qualifies as personal data. They need to be sure that this information is protected in the manner provided by law and that it cannot leak. In turn, management companies should be aware that non-compliance with the law may also become grounds for terminating the contract with them.
Types of housing and communal services organizations receiving personal data
The housing and communal services sector is governed by several laws and regulations, including the Housing Code, the Federal Law “On Energy Saving” and others. Residents of apartment buildings and private cottages enter into relations with housing and communal services organizations both under a contract and by oral agreement. These organizations include:
- management companies of apartment buildings;
- homeowners' associations (HOA), which have the status of a legal entity;
- GUPs and DEZs (not all of them have been corporatized yet);
- housing cooperatives (HCC);
- resource supplying organizations, in the case of a direct contract;
- companies providing maintenance and overhaul;
- other companies that provide housing and communal services; in particular, from 2019, these will include companies that remove municipal solid waste.
In practice, citizens living in city apartments most often deal with managing organizations. These are elected by a meeting of owners, often on the basis of tenders, and the contract with them can be terminated if the company breaks the law or provides poor-quality services. Owners of private houses enter into direct contracts with resource suppliers. Under the law "On Personal Data", all these types of organizations are PD operators. This status obliges them to:
- send a notification to Roskomnadzor about the start of activities related to the processing of personal data;
- develop a package of internal documentation regulating processing;
- request consent from personal data subjects to the processing of their data, containing all the points required by law, in particular, the purpose of processing;
- ensure technical protection of the transmitted information.
Subsequently, the information is transferred to other companies, sometimes unrelated to the housing sector, for processing. These are repair organizations, settlement centers that generate receipts, and courier and postal services that deliver receipts. To keep the information from reaching third parties, payment receipts must be placed in an envelope.
The composition of the PD transferred to housing and communal services employees
The Federal Law "On Personal Data" does not strictly define the list of information that is transferred to housing and communal services employees. The list has formed in practice, but there is a mandatory minimum. Other information may be requested in special cases, and a citizen has the right not to provide it if the purpose of its processing is unclear to them. The minimum set of data includes:
- passport data;
- information about the property and the rights to use it;
- information about the composition of the family;
- data on the number of residents;
- data on personal vehicles, when the rental of a parking space is being decided.
Other information may be transferred, for example, to obtain documents from the management company confirming the right to receive subsidies for utility bills, and in other cases. A citizen's photo belongs to the group of biometric personal data with an increased protection status; therefore, requesting it, for example to issue a pass, will definitely require signed consent to the processing of personal data.
Obligations of housing and communal services organizations when processing personal data
Along with operator status, the management company acquires a set of obligations. The responsibilities of housing and communal services organizations in handling the personal data of property owners and tenants fall into three groups:
- requesting consent;
- processing and storing the data;
- ensuring security when the data is transferred to third parties, in particular, companies that generate settlement receipts, and resource supplying organizations.
Management companies have recently gained the right not to request consent to the processing of personal data, since the data is requested in cases directly regulated by law. At the same time, not all the information transferred falls under the cases where consent does not have to be drawn up, so it is necessary to develop a consent form and have it signed not only by the owner or tenant, but also by other persons living in the apartment, if their data is received. The consent is executed either on paper, provided that it is stored in such a way that unauthorized persons cannot access it, or in electronic format, on the company's website. In the latter case, it is signed with an electronic signature. A citizen can revoke consent. After that, management companies are obliged to destroy all information within 30 days, except for information whose processing is required by law.
Further, the company must implement a set of technical and organizational measures that completely exclude unauthorized third-party access to the data, leakage, or processing for purposes not previously stated. It will have to develop its own regulation on the protection of personal data and post it on the management company's website.
Technical measures to protect the information systems that management companies use to hold personal data include firewalls, differentiation of user rights, installation of certified software, development of user identification and authentication algorithms, and anti-virus and cryptographic protection. Requirements for all software products are established by the FSTEC RF.
After the contract for the management of a particular apartment building ends, the previously obtained information must be destroyed. Violation of this obligation results in an administrative fine.
Errors of housing and communal services employees associated with the processing of PD
Some time ago, housing and communal services employees were not informed about the requirements for protecting the personal data of owners of premises. This led to unacceptable situations such as:
- posting lists of non-payers in building entrances;
- delivering payment receipts unsealed;
- storing important data in information systems that do not ensure their security;
- illegal transfer of information to third parties;
- refusal to send a notification to Roskomnadzor that the housing and communal services organization is the operator of personal data;
- refusal to develop a regulation on the procedure for processing PD and to familiarize owners and tenants with it;
- refusal to destroy personal data when an apartment is sold. This requirement is very often ignored by employees of management companies;
- refusal to correct inaccurate data.
This created many conflicts between citizens and management companies, leading to administrative cases and lawsuits. The practice of refusing to comply with the current personal data protection legislation has now practically ceased. Nevertheless, the risks of data loss and misuse, which lead to invasion of citizens' privacy and cause them moral harm, remain.
Although the situation with personal data protection in the housing and utilities sector has improved, citizens should exercise caution and independently verify compliance with the requirements of the law, reporting violations to Roskomnadzor if necessary.