The procedure for storing and using employee personal data
Personal data (PD) is any information about a person, including confidential information; in this context the person is called the PD subject. Any enterprise that stores information about its employees in a database must therefore handle that information properly.
All actions with personal data (obtaining the subject's permission to use it, storing information on paper and electronic media, transferring personal data abroad, and organizing all types of processing of employees' personal data) must be carried out within the law, as required by Federal Law No. 152 "On Personal Data".
Subject's consent to processing
A person's employment is directly related to the submission of personal information to the employer. At the stage of applying for a job, this information includes name, age, address of residence and registration, marital status, data on education.
As the employee's length of service grows, the personal file accumulates documents such as the hiring order, the employment contract, the work book, and salary and wage documents.
Each employer, upon concluding an employment contract with an employee, becomes the owner of his personal information.
According to the requirements of federal legislation, if the enterprise processes personal data of employees, it is necessary to have the consent of each of them to perform actions with personal data.
However, the law provides for exceptions to this requirement:
- if obtaining and using the PD is necessary to protect the life and health of the PD subject (where consent cannot be obtained). This exception allows PD to be processed without consent only for a short period of time;
- if there is an agreement with a relative of the person, and this agreement is carried out in the person's favor. If there is absolutely no way to get permission from the subject, this will be the only way to resolve the issue, for example during a Roskomnadzor inspection.
The above exceptions apply only to the general category of personal data. The consent of the subject is required to work with confidential data, such as political and religious views.
Personal data storage locations
Depending on its form, personal information can be stored:
- in paper form;
Modern enterprises always duplicate employees' personal materials, storing them in parallel on paper and in a computer database. In most cases these materials are kept in the accounting department or in the personnel department of the company. A prerequisite for keeping paper PD safe is storing it in fireproof safes.
Materials about dismissed employees are placed in a special archive at the enterprise, where the personal files are kept until the storage period expires. After that, the materials are destroyed.
Data in electronic form is stored in the database on the enterprise's computer network, and a backup copy must be created in case of deletion or software failure.
Compliance with the rules for storing employee personal data is extremely important. Violation of these requirements entails administrative and criminal liability.
According to article 87 of the Labor Code of the Russian Federation, the procedure for storing and using personalized information about employees is developed and approved by the employer.
The law establishes specific storage periods for various documents containing personal data of employees. You should know them:
- orders and extracts from them, reports, service letters, travel sheets are stored for 5 years;
- autobiographies, questionnaires with data, employee statements, personnel accounting schedules are stored for 3 years;
- payment statements, pay slips and other documents on payments of benefits and wages are kept for 75 years.
Processing of personal materials in paper form
The most important rule is that the use of personal data of an employee on paper is carried out only on the basis of federal legislation, namely Art. 24 of the Constitution of the Russian Federation. It says that:
- any actions with personalized information about a person are unacceptable without his consent;
- state bodies and self-government services should provide citizens with the opportunity to familiarize themselves with documents that affect their rights and freedoms.
When processing personal information of employees of an organization, a number of requirements must be taken into account:
- The use of personal materials should be carried out only within the framework of the employment contract.
- All documents and materials are provided directly by their owner.
- If the data about an employee required by the company is held by a third-party source, the employee's written agreement to the use of his personal data is required.
- The management has no right to collect and store information about the personal life of an employee without his consent (unless otherwise provided by law).
- The transfer of personal information to third parties is prohibited.
- Personal documents of subordinates, such as a passport, birth certificate, marriage certificate and taxpayer identification number, are given to the employer for review and photocopying; the photocopy is kept for further storage and the originals are returned to the employee. Documents such as the work record book, employment contract and orders are kept in the original.
- All personal files of employees should be kept in folders in alphabetical order.
- All folders with personal documents must be kept in a safe, the key to which may be held only by the manager, the chief accountant and the head of the HR department.
- Employees of the personnel department must provide briefings on the procedure and rules for filing and processing personal data.
Processing of personal materials in electronic form
The legislation does not put forward special requirements for electronic data on workers. There are only a few specific rules:
- The use of PD on electronic media must be carried out in accordance with the above-mentioned norms of legislative acts.
- For data in electronic format, the information that counts as PD must be specified, with one small addition: it also includes e-mail and social media accounts.
- All documents of the employee received by the company must be scanned and entered into his personal file in the electronic database.
- The right of access to the database belongs to the director of the enterprise and his deputies, the chief accountant and the head of the personnel department, as well as system administrators (programmers). Each of them is issued a personal username and password for logging in to the electronic database.
- In parallel, a backup copy of the database is created, which is stored on removable media (disk, hard disk).
Data in electronic form, as well as in paper form, needs to be protected. To protect electronic personal data, the following methods are used:
- an individual, per-user access system is put in place;
- employee access to the premises where the computers (servers) holding the database are located is restricted;
- storage media are kept in securely organized storage.
Transfer of personal data abroad
The Federal Law of the Russian Federation established that the international, or cross-border, transfer of personal information is the sending of personal data to the territory of another state to a foreign individual or legal entity or a representative office of a state authority. Most often, this includes sending data to UN bodies.
If the international sending of personal data is carried out to an unsafe state, it is necessary to have an agreement with the subject of personal information providing for this action, or to obtain his written permission.
The employer's action plan for working with employees' personal materials:
- the employer creates and approves a special act that regulates the storage and processing of personal information. Often, this is the Regulation on personal data, which is given to employees for review against signature. Employees may be familiarized only with a hard copy; sending the Regulation by e-mail does not comply with the requirements of the law. When conducting an audit of an enterprise, Roskomnadzor requests this document for verification. If the document is missing or lacks the employees' signatures, the employer may be brought to administrative responsibility;
- the next important document drawn up by the employer is an act containing a list of the personal data that will be used in the organization. This act also specifies the particular papers containing employee data that the enterprise transfers to government services;
- the employer issues an order appointing a person to the position of PD operator, who will be responsible for the collection, storage, processing and other actions with personal information, as well as for ensuring its safety;
- to be ready for an inspection, keep on hand the employees' statements of consent to the processing of personal data and the logs of personal data and its transfer;
- all documentation containing personal information about employees should be kept in safes. Data in electronic form must be kept in the database under a password and have a backup copy.
In order to avoid prosecution, it is necessary to fulfill all the above points and pay special attention to the security of personalized information, because since 2017, federal legislation has tightened the liability of employers for non-compliance with the requirements for the safety of personal data.
The legislation of the Russian Federation requires the destruction or depersonalization of all personal information of employees when there is no longer any need to use and store it.