What is personal data
Personal data is usually understood as any information relating to a person, the data subject, who is identified directly or indirectly according to the criteria of the Law “On Personal Data” dated July 27, 2006 No. 152-FZ.
Data about a person falls under Law No. 152-FZ if it is at the disposal of a personal data operator or is processed with the operator's participation (clause 1 of Article 1 of Law No. 152-FZ). In particular, companies that have hired employees meet the criteria of an operator, since they process a wide range of information about the data subjects in the course of building labor relations with them.
Personal information includes not only information about the employee, but also his photo, for example. For violations of working with personal data, quite significant fines have been established.
Transfer of personal data to third parties
There can be many reasons for transferring personal data to third parties: concluding contracts for additional medical insurance, receiving “salary” bank cards, etc. If the organization is large, with several thousand employees, obtaining consent from each of them for the processing of personal data can take a lot of time. And the workers themselves will not be happy about this. Thus, the question arises: is it possible to solve this problem in advance by including this clause in the employment contract?
From my own experience, I will say that you will have to collect consent from everyone to transfer data in any case. Of course, you can include a corresponding clause in the employment contract, but it will still be necessary to fulfill the requirement to obtain the employee’s consent. Moreover, it will be easier to formalize this consent separately.
Make a collective agreement with employees and list there all those third parties to whom personal data will be transferred, indicating their name, address, the purpose of transferring data to them, including a list of their possible actions with personal data and indicating the period during which they will process this data. All employees will sign and the case will be closed.
Why do you need a regulation on working with personal data?
Art. 87 of the Labor Code of the Russian Federation, as well as clause 2 of Art. 18.1 of Law No. 152-FZ, require employers to regulate operations with the personal data of their employees. However, these legal acts, as well as other federal sources of law, do not clearly define exactly how this obligation should be fulfilled. In practice, this is most often done through the development and approval by the company of an internal corporate regulation on the personal data of hired employees.
Main sections of the Regulations
The provision is divided into semantic sections taking into account the requirements of Law 152-FZ. It is recommended to include the following sections in the document:
- general information;
- a list of information and documents containing data about citizens;
- employer obligations;
- procedure for providing personal information;
- methods and types of work with information about citizens;
- registration of access to information;
- protection of confidential information;
- rights and obligations of the subject;
- liability of officers and company.
List of information related to personal data
Law No. 152-FZ (Articles 8, , ) divides data on individuals into:
- impersonal - they cannot be used to identify a specific person;
- general – primary and basic;
- special – health, religion, race, nation, etc.;
- biometric – physiology and biology.
Personal data is any information relating to an individual.
The list includes:
- Full Name;
- date and place of birth;
- residential address;
- information about the identity document;
- SNILS;
- TIN;
- information about diplomas;
- information about income received and wages;
- family status;
- other.
Methods for collecting and protecting records
The company receives information for specific purposes. These purposes must be reflected in the regulations and the informed consent form. Information can be collected using automated and non-automated methods. In the first case, a person fills out special electronic forms, from which the information enters the database. In the second, information is transmitted through personal communication, by studying documents, through other persons, etc.
According to Law No. 152-FZ, the company is obliged to:
- determine who will be responsible for organizing the processing of personal data;
- introduce internal documents into work;
- ensure safe application and use;
- control the process of working with information;
- prevent harm if the law is violated;
- introduce the working rules to citizens hired under an employment contract.
Law No. 149-FZ of July 27, 2006 names protection methods:
- implementation of privacy rules;
- suppression of unauthorized access;
- identifying facts of illegal access and eliminating harm;
- organization of protection of technical means;
- recording backups.
Appointment of those responsible for storage and processing
The company appoints persons who are responsible for the processing and storage of personal data (Article 18.1 of Law No. 152-FZ). Access to information is formalized by order listing specific employees. Typically the responsible employees are:
- head of the personnel department;
- HR department inspectors;
- accounting employees;
- IT specialists.
How is the data processed?
Article 6 of Law No. 152-FZ discloses the conditions for the processing of personal data:
- obtaining consent from the citizen;
- consistency with assigned tasks and goals.
In the process of processing information, the operator performs the following actions:
- collects;
- clarifies;
- systematizes;
- uses;
- deletes;
- stores.
Violations of regulations and liability of officials
The company must not allow unauthorized use of personal information. For violation of the law, administrative, criminal, and disciplinary penalties are imposed. The guilty person can also be brought to civil liability, i.e. through the compensation procedure.
Administrative liability (Code of Administrative Offenses of the Russian Federation):
- Art. 13.11 – violation of the procedure for working with information;
- Art. 13.12 – non-compliance with protection rules;
- Art. 13.14 – disclosure of information;
- Art. 19.5 – failure to comply with the instructions of the regulatory authority.
As a measure of administrative liability, fines are applied that are imposed on an organization, entrepreneur or official.
Criminal liability is provided for in Art. 137 of the Criminal Code of the Russian Federation, which prohibits encroaching on the private life of citizens. If a person is found guilty, he must pay a fine or serve compulsory, corrective or forced labor. The court may prohibit the person from engaging in professional activities or impose arrest for two years.
Art. 90 of the Labor Code of the Russian Federation establishes the responsibility of employees who have access to confidential information. The offender can be fired by the employer's decision.
If the victim has suffered moral damage, he has the right to recover it in the manner prescribed by the Civil Code of the Russian Federation.
Regulations on personal data of employees: document structure
The document in question contains local standards defining:
- goals and objectives of the company when working with personal data;
- lists of actual and potential personal data involved in the company’s business processes;
- a description of the data operations practiced by the company;
- methods of data access used in the company;
- responsibilities of company employees who use certain data when performing a job function;
- the rights of company employees to acquire authorized access to data;
- legal mechanisms for liability of company employees for violations during data transactions.
Based on the noted list of norms, the provision on the processing of personal data of employees can be represented by the following key sections:
- establishing the general provisions of the document;
- fixing the criteria for selecting personal data from the array of information involved in document flow and other areas of internal corporate communications;
- defining a list of key operations with personal data;
- regulating the implementation of relevant operations;
- defining the procedure for access of company employees and other persons to data;
- establishing the responsibilities of employees involved in data operations;
- establishing the rights of company employees in terms of gaining access to such data and carrying out the necessary operations with it;
- defining the mechanisms of responsibility of company employees for violations of local norms and provisions of the legislation of the Russian Federation regulating operations with personal data.
The regulation on intra-corporate transactions with personal data must be certified by the head of the company. All employees are required to familiarize themselves with a copy of this document against receipt (subclause 6, clause 1, article 18.1 of law No. 152-FZ).
What employee data is personal?
Legislation determines what is included in a person’s personal data. This can be either information directly related to the employee or indirectly affecting him.
This includes:
- The employee's full name.
- Information about the place and date of his birth.
- Actual and registered address.
- Social, family, property status.
- The employee’s current education and profession.
- Information about the employee’s income, etc.
In addition to the law on personal data, the composition of personal information is also determined by the Labor Code of the Russian Federation. It includes among the protected information any information that allows a person to be identified as an employee. These are qualifications, specialization, education, the state of a person’s health (in some situations, for example, when working in hazardous conditions), and the presence of children.
The list of information that can be classified as an employee’s personal data is not closed, therefore each entity conducting business has the right to expand it, and these categories must be recorded in the Regulations of the enterprise.
Attention! There is information about the employee that should never be requested by the company administration, since it is purely personal. This includes, for example, religion and nationality. If someone tries to find out such information, it will be regarded as an attempt to invade the employee’s privacy.
Results
Each company that has the status of a personal data operator (all employers are such) is required to approve a local legal act that regulates operations with such data. Most often, such a local act becomes a regulation approved by the general director of the company.
Sources:
- Federal Law of July 27, 2006 No. 152-FZ
- Labor Code of the Russian Federation