Is full name personal data
Law No. 152-FZ does not provide a complete list of information related to personal data. The question of whether the full name fits this category is debatable. There is an opinion that the last name, first name and patronymic of a citizen can be recognized as personal data only when they allow a person to be fully identified. The positions of the regulatory authorities and the legislator in this case are not always expressed specifically.
Personal data concept
The general term defining personal data sounds like "any information relating directly or indirectly to a specific or identifiable natural person." The term is present in the Law "On Personal Data", and is also mentioned in other regulations. Thus, the Law "On Communications" refers to information about subscribers - individuals - surname, first name, patronymic or pseudonym, as well as home address and other data that allow for personal identification.
The procedure for regulating the issue is also described in the decrees of the FSTEC RF, Roskomnadzor, and the Central Bank. In one of the clarifications of the Central Bank of the Russian Federation, it is noted that banks are not allowed to leave correspondence in mailboxes in such a way that personal data, including the name of a person, are available to third parties. A similar position led to the need to send receipts in envelopes with printouts of the cost of housing and communal services, also containing personal data. The regulator also drew attention to the inadmissibility for bank employees to disclose the client's personal data to an employer or colleague, which is often done in order to inform about the presence of debt. With such disclosure, the subject is uniquely identified, even without the addition of clarifying information, which violates the rights of an individual to protect the privacy of his personal life.
In what cases the full name refers to personal data
The regulator is inclined to consider as PD any information processed by the operator and provided to him by the subject, subject to the signing of the consent to the processing. Such information will be both complete personal data and brief information in the online store, by which it is impossible to establish their real owner. In any case, all information must be protected using organizational, software and technical means of ensuring confidentiality.
Often the operator, considering the surname, first name, patronymic information as well-known information, wants to reduce the costs associated with their processing. But in the end, such manipulations do not lead to reaching an agreement with the regulator. Upon verification, the organization will be fined if the protection of citizens' names is ensured by low-level software solutions.
In the instructions for processing PD, with which the Central Bank works, these are information about employees, auditors, management of commercial banks and other categories of persons. In clause 5.1. clearly indicated: information such as surname and name, patronymic if any, gender, are personal data. The category of information does not affect the quality and degree of processing. At the same time, the Bank of Russia clarifies that only the surname and first name are not enough for identification, they must be used in conjunction with passport details or other identifying information.
Exceptions to the general rule
If an organization wants to argue with the regulator and consider the full name information that is not directly related to the PD, it can give a number of arguments:
- a combination of frequently occurring first and last names without other information does not give an unambiguous opportunity to identify a person;
- several employees with the same names may work in one organization;
- Full name is publicly available, unlike other information about citizens.
However, these arguments are not always accepted, since a direct reading of the law refers to the PD any information about a person. This position is associated with a one-dimensional adoption of the requirements of international legislation, which had to be reflected in the national one for accession to the WTO. The opinion among experts that the name belongs to the category of anonymized data is incorrect. The law understands depersonalization as a certain process that occurs with the help of software and hardware and allows you to turn specific records into a general body of information, from which it is impossible to isolate information relating to a specific person. There are explanations from the regulator (Order of Roskomnadzor No. 996), which determine the requirements for methods of depersonalization. They are extremely specific, it is obvious that in itself the lack of the ability to identify a person by brief information about him does not make this data impersonal.
Among the characteristics of information transformation methods:
- reversibility - the ability to programmatically eliminate anonymity and return the PD to its original form;
- variability, or the ability to change the method of depersonalization during processing;
- persistence, or the ability of the method to resist external attacks on the PD array in order to de-anonymize them;
- the possibility of indirect de-anonymization in a single array with the data of other operators;
- compatibility, in which in one array there will be data anonymized by different methods;
- small parametric volume;
- the ability to control data quality.
The regulator names four types of methods for eliminating a high degree of identification of personal data, without denying the operator the opportunity to offer his own solution:
- method of identifiers, in which an account is marked with labels that allow finding complete data in a table;
- a change in semantics, in which part of the information is removed or replaced;
- decomposition, or splitting a large amount of information into several separately stored arrays;
- mixing of personal data belonging to different subjects.
Regardless of the chosen method of depersonalization, full names are stored and protected on the same grounds as other categories of PD.
Position of the regulator and courts
Roskomnadzor does not see a direct opportunity to exclude the full name from the general list of PD, despite the opinions of experts that only these data, without the presence of another identifying feature, do not provide an unambiguous opportunity to determine the person. The Central Bank adheres to the same position.
Although Roskomnadzor issued several clarifications, where it unequivocally answered the question of whether the surname, name, patronymic are personal data, sometimes the department expresses an ambiguous position. So, in 2012, in a letter from the territorial administration for the Republic of Karelia, it was noted that the surname and initials of a citizen are undoubtedly the personal data of the subject. On the other hand, it is difficult to determine whether a PD belongs to an individual without using other information. Last name, first name, patronymic, along with many other ways, are used to identify an individual among others.
By its nature, it is a composite key, an identifier based on combinations of three parameters (surname, first name and patronymic), in fact, does not uniquely identify a person, but only greatly reduces the sample of those to whom they may belong. At the same time, it is obvious that if the interested attacker has other data about the object, providing him with the data of the full name will allow him to determine the subject, for example, by the number of the car to find out the data about its owner.
In later clarifications provided in 2017 in response to an appeal from the Treasury of Russia, the regulator, relying on the provisions of the federal law on personal data, noted that the full name, no doubt, belongs to this category. He said that among the powers of the department there is no right to give explanations on the interpretation of the norms of the law, this task falls within the competence of the Ministry of Communications.
Nevertheless, from a direct reading of the text of the law, it follows that the name and initials refer to personal data without any exceptions, with the exception of those directly stated in the law:
- if the information is publicly available;
- if they are used for statistical purposes.
This means that the processing of the full name should take place according to the same rules and using the same hardware and software as the processing of the rest of the array of confidential information, directly or indirectly related to the personal information of citizens.
The courts have repeatedly drawn the attention of operators to the impossibility of disclosing any personal data without dividing them into groups according to the degree of personal identification.
Unconditionally recognizing the attribution of full name to personal data, the regulator is not ready to provide operators with easier conditions to ensure their confidentiality than for other groups of information, with the exception of certain categories of data related to higher levels of protection, for example, biometric or medical data. At the same time, disputes about the classification of the full name continue, perhaps the legislator will change his position on this issue.