Regulations on employee personal data storage

Apply for SearchInform DLP TRY NOW

By concluding an employment contract, an employee transfers his personal data to the organization. The company, when processing them in accordance with the requirements of the law, is obliged to ensure that they are stored in such a way as to avoid the possibility of leakage or misuse.

Regulatory regulation

In the activities of each organization, there is a need to develop regulatory documents. The development of such a local regulatory legal act of the company as the Regulation on the storage of personal data of employees is provided for by two Federal laws - the Labor Code and the Law "On Personal Data". The code explicitly states the obligation of the company not only to publish the document, but also to familiarize the staff with it. Also, certain norms that can be included in the document are contained in several decrees of the Government of Russia, including No. 1119 and Presidential Decree No. 609, dedicated to the data of civil servants.

Also, a number of technical standards governing the storage of personal data of employees are in the orders of the FSTEC RF. None of the normative acts gives specific instructions on the issue of drawing up the Regulation, therefore, each company has the right to use its own developments on how to process and store personal data and which sections to include in the document.

Development and approval of the Regulation

Like any internal document, the Regulation on the storage of personal data of employees is developed by authorized departments. Since the document is complex in nature and affects various areas of activity - from document flow to computer technology, usually involved in its preparation:

  • an administrative unit responsible for storing documents for the company as a whole;
  • Human Resources Department;
  • legal division;
  • department providing automation.

The document is approved by the general director of the company by issuing an order. Its absence will entail many adverse consequences. If the organization is the operator of personal data, then the fact of refusal to develop the Regulation will be revealed during the inspection of Roskomnadzor, which entails an order to eliminate violations of the law. In addition, attention will be drawn to the fact of the absence of a document in the event of control measures by the labor inspection.

Structure of the Regulation

The organization has the right to combine in one administrative document both the rules regarding the storage of personal data and the rules on their processing. But in some cases, it is advisable to develop a separate document dedicated specifically to the storage of information, for example, for a large company with a large staff of employees and branches in different cities, in a situation in which it is impossible to provide centralized storage of personal data. When you create a document of this nature, it will contain the following sections:

  • general provisions containing references to regulations and definitions of terms used in the document;
  • a list of information related to the personal data of employees and subject to storage;
  • the procedure for collecting information;
  • organization of storage of information on tangible media. These include personal files, registration cards, photographs, employment contracts, copies of documents. In a separate section, a block can be allocated on the procedure for the employer to maintain personal files of employees;
  • organization of information storage in information databases. This section usually indicates software products with which data storage and processing are carried out;
  • organization of a mode of access to data, determination of the responsible unit, persons responsible for storing data, the procedure for granting and revoking access;
  • the period of data storage, methods of their destruction in the case when this is allowed by the storage time of personnel records or when the subject of personal data has withdrawn his consent to their processing;
  • final provisions, the procedure for making changes to the document.

The provision on personal data is posted on the company's website in such a way that all employees always have access to it. After the acceptance of the document, employees are familiarized with it against signature in order to fulfill the requirements of Art. 87 of the Labor Code of the Russian Federation.

The development and adoption of the document must ensure compliance with legislation in the field of storing personal data and ensuring their security.