Storage of personal data - SearchInform


Personal data (PD) is any information relating to an identifiable individual. Most citizens today appear in numerous databases: without providing personal data, nobody can open a bank account, get an official job, buy a SIM card, submit documents to an educational institution, or perform many other everyday activities.

In September 2015, amendments to the Federal Law "On Personal Data" (152-FZ) came into force in Russia. They introduced a number of changes, the main one being the data localization requirement: personal data of Russian citizens may no longer be kept only on servers in other countries; it must be recorded and stored in databases located in the Russian Federation. Let's consider in more detail what the law regulates and what rules it sets for storing information.

What is personal data?

Personal data is understood as any information that relates to a living person. The collection, storage, and processing of such information are regulated by law, and each country has its own rules and principles for working with PD.

Modern information and communication technologies record a great deal of information about people: card payment history, mobile phone calls that can place a person to within roughly 100 meters, Internet connections. Personal data has significant commercial value, and that is why it leaks:

  • files are illegally bought and sold;
  • servers are hacked to copy a database;
  • information leaks through negligence on the part of its owner.

Personal data includes:

  • biographical information;
  • identification and contact details, including current address, date of birth, social security or passport number, phone numbers, and email addresses;
  • appearance and behavior, including eye color, weight, and temperament;
  • workplace and education data, including salary, tax information, and student numbers;
  • private and subjective data, including religion, political opinions, and geo-tracking data;
  • health data: medical history, genetic data, and information about diseases.

The new law, collection, and processing of information

The new law prohibiting the storage of personal data of Russian citizens solely in other states has caused problems for many domestic and foreign companies that keep user data in the cloud. These companies must not only organize a complex and time-consuming migration of information to Russian servers, but also comply with the legislation of the Russian Federation in general, including its provisions on collection, storage, use, and protection.

Compliance with this legislation remains one of the most important and challenging issues of running a legitimate online business in Russia.

Before starting to process personal data, the operator must notify the responsible state body (Roskomnadzor) of its intention to process personal data and provide it with the information required by law. In turn, Roskomnadzor maintains a register of personal data operators and updates it as new information comes in.

The provisions of the Law on the processing of an individual's personal data provide for:

  • processing of personal data in accordance with labor legislation;
  • use of personal information solely in connection with signing and performing an agreement with the individual and in that person's interests;
  • written consent of the person to data processing.

The operator must also notify Roskomnadzor of any changes in information related to the processing of personal data within 10 days after such changes are made.

The main and general condition for the lawful collection and processing of personal data is the subject's consent to actions with their personal information. There are, however, exceptions. Consent is not required in the following cases:

  • personal data is used by the media in the course of lawful journalistic activity, provided the rights and legitimate interests of the person are not violated;
  • personal data is processed in order to locate a person.

If an organization intends to keep personal data in a dedicated database and use it after an employment contract or a sales contract has been performed, the information may not be transferred to third parties without the subject's consent. In practice, this requirement is often not met: on the Web you can find many sites selling databases of phone numbers, addresses, passport details, and other important components of a person's personal information.

Data collection methods

The term "collection of personal data" falls under the general definition of "processing of personal data". In practice, it covers the operator's actions when gathering information containing PD directly from individuals or from third parties who obtained the personal data lawfully. Information can be collected in different ways: through surveys, questionnaires, agreements, contracts, certificates, and other documents.

It is important to note that the law does not address the data collection process itself in detail, for which it has been criticized. Legal analysis of the adopted package of articles makes it possible to distinguish three main methods of collecting personal information about a subject:

  1. Direct receipt of personal data from the subject by telephone, in writing, through a website's web interface, or by other means related to the operator's main activity.
  2. Collection of personal data through marketing activities, ranging from registration in a discount system or loyalty program to participation in a competition or lottery.
  3. Collection of information in the course of purchases.

Data processing

The processing of personal data includes its distribution and sharing, as well as granting access to such information. Commercial companies may use the information for financial gain in any way the subject has consented to: sending advertisements, calling with sales offers, personalized data analysis.

Until September 2015, it was allowed to store the personal information of citizens of the Russian Federation on servers located abroad. Today, all companies and organizations are required to use storage located in the country. According to the new legislation, a number of operations on personal data, including collection, recording, systematization, accumulation, storage, updating, modification, and retrieval, must be carried out using databases located in the Russian Federation.

There are only a few clear exceptions to this restrictive approach, all related to the activities of state bodies, public interests, the media, scientific, literary or other creative activity, and the implementation of international agreements (for example, air ticket and booking data). There are no exceptions for other categories of personal data.

Many provisions of the law were adopted without detailed consideration, and specific, simple requirements for PD operators have not been concretized in official rules.

The law does not specify whether it applies to foreign companies that collect PD without a physical presence in Russia, but Roskomnadzor has stated that the requirements apply to any company whose activity is directed at residents of the Russian Federation, whether or not it has such a presence.

Since the law does not define "primary data collection", the obligation to record, systematize, accumulate, store, update, modify and retrieve personal information using databases located in Russia applies wherever the data is collected.

When information is recorded and stored on servers located in Russia, personal data may still be accessed from abroad or moved abroad by cross-border transfer. Thus, the personal information of Russian citizens may be processed in databases located outside the Russian Federation, provided that all newly collected information is also recorded in a database in the Russian Federation; any data stored abroad must be stored in Russia at the same time.

How to reliably determine the citizenship of users is a question each operator must resolve for itself.

Storage rules

The rules for storing personal data can be conditionally divided into several steps, each of which must be followed by an employer or company that collects personal data:

Step 1. Each organization must issue its own local acts describing how the storage of customers' and employees' personal information is regulated.

Step 2. An official document listing the types of information used must be approved.

Step 3. A function responsible for processing PD must be created. For small and medium-sized businesses, appointing one authorized employee is sufficient.

Step 4. Roskomnadzor conducts regular inspections. To be ready for a formal audit, all employee consent statements for the use of PD, the databases, and the logs should be prepared in advance.

Step 5. The storage method must be chosen: locally or on a cloud server. A security system and encryption of the information must be put in place to minimize the likelihood of a leak.

Storage period

The storage period depends on the type of data. The law provides for automatic deletion of expired data from servers, which also limits storage costs. For example, private messages of messenger and social network users should be kept on the operator's servers for no more than 30 days, while official correspondence and employee and customer data must be retained for at least 1 year.

A reduction of the established timeframes is currently being considered, since most providers cannot meet this norm for lack of financial and technical capacity.
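Enforcing retention periods by data category is the one part of this section that an operator actually has to implement. The following is an added example, not code from the original article or from SearchInform's product: the categories, the periods in the policy table, the record format and the sample records are all constructed assumptions, and the periods are parameters to be set from the operator's legal analysis rather than a transcription of the statute. The point it shows is that a maximum-retention rule (purge once the age is reached) and a minimum-retention rule (do not purge before the age is reached) are different constraints, that a record whose category has no policy is retained rather than deleted by default, and that a legal hold is surfaced as a conflict instead of being silently overridden by a purge deadline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


# Retention policy for one data category. A category may carry a maximum
# retention (must be purged once that age is reached), a minimum retention
# (must not be purged before that age), or both. This table and its periods
# are assumptions for illustration, not a transcription of the law.
@dataclass(frozen=True)
class Policy:
    min_keep: Optional[timedelta] = None
    max_keep: Optional[timedelta] = None


POLICIES: Dict[str, Policy] = {
    "messenger_message": Policy(max_keep=timedelta(days=30)),
    "official_correspondence": Policy(min_keep=timedelta(days=365)),
    "employee_record": Policy(min_keep=timedelta(days=365)),
    "customer_record": Policy(min_keep=timedelta(days=365)),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created_at: datetime          # timezone-aware timestamp
    legal_hold: bool = False      # e.g. subject of a dispute or a regulator's request


def decide(record: Record, now: datetime) -> Tuple[str, str]:
    """Classify a record as 'purge', 'retain', 'eligible' or 'hold'.

    Fail-safe: a category the policy table does not know is retained, and a
    legal hold always wins over a maximum-retention deadline so that the
    conflict is escalated to a human instead of being resolved silently.
    """
    policy = POLICIES.get(record.category)
    if policy is None:
        return "retain", f"no policy for category {record.category!r}"
    age = now - record.created_at
    if record.legal_hold:
        if policy.max_keep is not None and age >= policy.max_keep:
            return "hold", "legal hold conflicts with maximum retention; escalate"
        return "hold", "legal hold"
    if policy.max_keep is not None and age >= policy.max_keep:
        return "purge", f"older than maximum retention of {policy.max_keep.days} days"
    if policy.min_keep is not None and age < policy.min_keep:
        return "retain", f"younger than minimum retention of {policy.min_keep.days} days"
    return "eligible", "past minimum retention; deletion allowed but not required"


def run_purge(records: List[Record], now: datetime) -> Dict[str, List[str]]:
    """Group record ids by decision; only the 'purge' group may be deleted."""
    groups: Dict[str, List[str]] = {"purge": [], "retain": [], "eligible": [], "hold": []}
    for rec in records:
        verdict, _reason = decide(rec, now)
        groups[verdict].append(rec.record_id)
    return groups


# Constructed sample data so the script runs stand-alone.
NOW = datetime(2020, 11, 24, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("msg-1", "messenger_message", NOW - timedelta(days=31)),
    Record("msg-2", "messenger_message", NOW - timedelta(days=10)),
    Record("msg-3", "messenger_message", NOW - timedelta(days=45), legal_hold=True),
    Record("corr-1", "official_correspondence", NOW - timedelta(days=100)),
    Record("corr-2", "official_correspondence", NOW - timedelta(days=400)),
    Record("emp-1", "employee_record", NOW - timedelta(days=30)),
    Record("x-1", "biometric_template", NOW - timedelta(days=900)),  # no policy: retained
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        verdict, reason = decide(rec, NOW)
        print(f"{rec.record_id:8} {rec.category:24} {verdict:9} {reason}")
    print(run_purge(SAMPLE_RECORDS, NOW))
```

In practice the purge job should only ever act on the "purge" group, write the "hold" group with its reasons to an audit log for review, and treat the "eligible" group as a data-minimization opportunity rather than an obligation. Keeping the policy table separate from the decision logic also means a change in the legally required periods is a configuration change, not a code change.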

Disadvantages of the new law - is data breach possible?

Among the main criticisms of the 2015 changes were:

  • The law borrows the basic conditions of international conventions but, unlike the national legislation of many European countries, does not spell out the details with sufficient precision: how storage of information should be organized and what tools should be used.
  • The Personal Data Law establishes very strict and often expensive processing requirements that can hardly be fulfilled without the help of specialized companies holding the appropriate state licenses, which are practically non-existent in the Russian Federation.
  • The cost of meeting these requirements, or of outsourcing them, is a financial burden on companies.
  • The specifics of particular types of business are not taken into account: the requirements are the same for everyone, from banks and large companies to small businesses.
  • According to experts, a side effect of implementing this law may be a significant increase in corruption.

24.11.2020
