Personal data is defined by law as information that can be used to identify a person (subject) directly or indirectly using additional means.
In recent years, the relevance of problems related to personal data has increased. Automated analysis systems make it possible to collect large volumes of data. In the modern world, theft of network users' data and mass sale of personal information without consent are frequent. Personal data can be used to spy on a citizen, plan a crime, or illegally obtain other people’s money. For “peaceful” purposes, personal data is used for advertising mailings. Please note that personal data remains a legal concept, not a technical one.
Protection measures and liability
Parts 1 and 2 of Article 13 of Federal Law No. 323-FZ state that a citizen’s personal information cannot be disclosed without his consent. Particularly strict protection measures apply to medical confidentiality, which may not be disclosed even after the subject’s death. Article 137 of the Criminal Code of the Russian Federation introduces criminal liability for the unauthorized collection and disclosure of information about the personal life of the subject of personal data. Dissemination of such information is possible only with the written consent of the person. It is also illegal to disclose it in public speeches, published works of art and the media. The law prohibits the dissemination of personal data obtained within the scope of one's official position.
Federal Law No. 323 clearly states that any person may be subject to criminal prosecution for disclosing personal data. IT security specialists pay close attention to the data-collection capabilities of social networks, mobile applications and various services.
While maintaining the ability to configure private access to individual information on social networks, the problem of protecting personal data actually remains unresolved. Theft of public information is considered common. In addition, any data posted on social networks is constantly processed by web services. Any individual has the right to make a request through the personal data operator to prohibit the processing of information.
Special categories of personal data
Special categories of personal data include:
- information about personal life;
- information about political and religious beliefs;
- nationality and race;
- philosophical beliefs.
The information that makes up such data is the personal matter of each person; the right to preserve or report it at his own discretion is given to a citizen of the Russian Federation not only by legal acts of the country, but also by international legal acts and agreements. As a general rule, the request, collection, verification, transfer, use and other processing of such data is not permitted, except in the following cases:
- when processing is necessary for the implementation of international agreements;
- when conducting a population census;
- when the collection, storage, use and other processing of information is necessary for medical purposes and the preservation and protection of the life and health of an employee or third parties;
- when the employee has given written documentary consent or an application for the collection and other processing of information;
- when processing is necessary for the administration of justice and for counter-terrorism purposes;
- in other cases established by law.
Processing can be carried out within the period necessary for its implementation and must be terminated once the purpose of processing has been achieved; in case of violations, liability is provided.
Personal data and the Internet
Valuable data is provided via IP or web services. This information allows companies involved in advertising activities to structure information and transfer it to third parties. Such companies can access data using specialized software.
Personalization of web pages aims to study in detail the interests of users and potential customers. Using software, specialists can track the activity of each user on a web resource, which helps determine his area of interest. Tracking user activity allows you to increase sales conversion.
Rules for processing and transfer of personal data. Responsibility
The processing of personal data refers to any actions related to the collection of this data, its storage, protection, use, documentation, transfer, destruction.
The employee’s personal data is protected by the state and its law, therefore the processing of such data must be justified and meet all legal requirements, help the employee in his employment, ensure the employee’s safety and the safety of property.
The processing of information, documents and acts containing personal data of an employee for purposes beyond the scope of labor relations is prohibited.
It is important to note that the employer can obtain oral or written information upon request personally from the employee, and in the case where information can only be obtained with the help of other persons, the employee must be notified of this within the prescribed period. The transfer of an employee’s personal data to outsiders, third parties, contrary to the purposes of information processing and its rules, is recognized as a violation of the law.
Persons guilty of violating Russian legislation on the processing of personal data of an employee, provided their guilt is proven, are held accountable. Penalties for processing violations include:
- disciplinary liability;
- financial responsibility;
- administrative responsibility;
- civil liability;
- criminal liability.
What information constitutes personal data?
Law No. 152 indicates that personal data can include any data with the help of which an individual or legal entity is identified. Often, providing personal data (PD) is necessary for processing documents, including a civil passport, TIN, etc. The law allows the processing of personal data by individuals, legal entities, municipal authorities and government agencies.
The list of basic personal data includes:
- Full name of the subject;
- place of permanent (temporary) residence;
- Date of Birth;
- any information about family and financial status;
- any data related to occupation, earnings, education.
All personal data is usually divided into four groups:
1. The first includes general information - nationality, adherence to religion, presence of disability, etc. This information is often included when filling out job applications and may also appear on medical certificates.
2. The second includes data that allows for identification of a person. These include full name, address, position, place of work, etc.
3. The third group of PD includes biometrics: retinal image, fingerprints, DNA analysis data.
4. The fourth includes publicly available personal data. This is information that does not allow a person to be identified. According to the law, such data cannot be classified as confidential. For example, the income level of representatives of municipalities and government agencies.
The following are considered personal data of individuals by law:
- full name;
- TIN and date of birth;
- citizenship according to civil passport and place of birth;
- information about registration and actual place of residence;
- information about relatives and spouses;
- data on legal capacity, death certificate;
- information about the availability of education;
- information about pension income;
- data on the presence of diseases associated with professional activity, insurance, payments for insured events;
- data on tax payments;
- information about military service.
The following are considered by law to be personal data of legal entities:
- name of the legal entity;
- legal address and organizational and legal form;
- location of the legal entity;
- OGRN;
- TIN and KPP (tax registration reason code);
- current account number.
This list can also include information about the manager.
Personal data authorized by the employee for distribution
The second innovation, which concerns some employers, is the introduction by Federal Law of December 30, 2020 N 519-FZ “On Amendments to the Federal Law “On Personal Data”” of a new legal concept: “Personal data authorized by the subject of personal data for distribution.” This concept has expanded the list of special categories of personal data established by Article 10 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data”.
Personal data authorized by the subject of personal data for distribution is a special category of PD: data to which the subject has granted access to an unlimited number of persons by giving consent to the processing of personal data authorized for distribution, in the manner prescribed by the legislation on PD.
Access is considered the ability to obtain information and use it (clause 6 of part one of Article 2 of the Federal Law of July 27, 2006 N 149-FZ “On Information, Information Technologies and Information Protection”).
Few employers provide an unlimited number of people with access to their information and access to employees’ personal data. Accordingly, few employers must update their activities and their local regulations, bringing them into line with the updates that came into force on March 1 of this year.
Those employers who provide access to employees’ personal data to an unlimited number of persons must obtain the consent of the subject of the personal data, the content of which will be subject to uniform requirements.
These requirements are established by the authorized body for the protection of the rights of personal data subjects. Currently, the unified requirements are undergoing public discussions regarding the text of the draft regulatory legal act and an independent anti-corruption examination (https://regulation.gov.ru/projects#npa=112660).
Please note that employers will need to update local regulations after the approval of uniform requirements for the content of consent to the processing of personal data authorized by their subject for distribution.
Under paragraph 2 of Article 22 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data,” the employer, as a PD operator, is allowed to process personal data in many cases of employee-employer relations without notifying the authorized body for the protection of the rights of personal data subjects, including in the case where personal data has been authorized by the subject for distribution.
The two changes named here, out of the five 2021 amendments to the Federal Law of July 27, 2006 N 152-FZ “On Personal Data,” improve and protect employee rights. The innovations oblige the employer to update local regulations. According to Article 12 of the Labor Code of the Russian Federation dated December 30, 2001 No. 197-FZ, when a law establishing a higher level of guarantees for employees than an existing local regulatory act comes into force, the local act or the relevant part of it simply ceases to be valid. That is why you should review the text of the regulation on the protection of personal data and bring it into compliance with current legislation.
Moreover, on March 27, 2021, the norms of the Code of the Russian Federation on Administrative Offenses dated December 30, 2001 N 195-FZ were updated, aggravating the liability of the personal data operator and the liability of officials taking part in PD processing procedures.
In particular, the amended Article 13.11 of the Code of Administrative Offenses provides that processing personal data in cases not provided for by the legislation of the Russian Federation in the field of personal data, or processing personal data incompatible with the purposes of its collection, entails an administrative fine on citizens in the amount of two thousand to six thousand rubles; for officials - from ten thousand to twenty thousand rubles; for legal entities - from sixty thousand to one hundred thousand rubles, with an increased fine for a repeat offense.
Processing of personal data without the written consent of the subject of personal data for the processing of his personal data in cases where such consent must be provided shall entail the imposition of an administrative fine on citizens in the amount of six thousand to ten thousand rubles; for officials - from twenty thousand to forty thousand rubles; for legal entities - from thirty thousand to one hundred and fifty thousand rubles. And this is not the limit.
Consolidated information about liability in the field of personal data is given in the materials of the ConsultantPlus legal reference system, for example, in the Ready-made solution: What fines and other administrative penalties may be imposed in connection with the implementation of control and supervision in the field of personal data.
What is not personal data?
The development of the Internet has led to the availability of data. Web search allows anyone to find information of interest about a specific person. However, according to Law No. 152-FZ, any operator processing personal data does not have the right to disclose data without the consent of the subject.
An operator is a person or state (municipal) body that processes personal data. With the consent of the personal data subject, the operator may transfer information to third parties for processing (Part 3 of Article 6).
The operator is responsible to the subject for actions performed with personal data by third parties. In turn, they are not responsible to the subject, but are responsible to the operator.
Many questions are raised by information such as IP address, email, phone number. Can they be classified as personal data if such information often remains publicly available? If we refer to 152-FZ, we can draw the following conclusions:
- A telephone number can be considered personal data, since it can be used to easily identify the subscriber using additional means. In accordance with the definition of PD, a telephone number cannot be disclosed without the consent of the subject.
- By analogy, an email address can also be considered personal data. However, if the address does not include the subject’s full name, such information is considered anonymized.
- Photos and videos are personal data if they can be used to identify the subject. At the same time, according to Article 152.1 of the Civil Code of the Russian Federation, photographs and videos can be published at mass and public events.
- Logins and passwords are not included in the category of personal data, but may be classified as a trade secret.
The procedure for processing personal data of employees
All actions with acts containing personal information, the procedure for storing and using personal data of employees are carried out under the conditions specified by law and in compliance with the established deadlines.
Information can be processed using automation tools, that is, with the help of computer technology, or without them. Persons processing information without automation means must process the employee’s personal data on the basis of a special permit.
It is necessary to familiarize these persons with the requirements of regulatory enactments regarding processing. The job description of these persons includes a clause on the performance of data processing duties.
One of the main responsibilities of the employer when processing information is the protection of the employee’s personal data during the period of validity of the employment relationship.
For the purpose of data protection, the employer develops a standard internal act - a regulation on the protection of personal data of employees, with which the employee must be familiarized and to which he must agree.
The Regulations contain the storage period for data, the procedure and terms for their destruction. The law does not establish exact time requirements; however, it is assumed that information can be stored for the period necessary for processing. An annex to the Regulations is also drawn up; this act indicates authorized persons who have access to the personal data of employees.
In addition to the list of specified persons, the appendix to the Regulations contains the data and signature of the manager.
The annex to the Regulations also contains information about the date and place of preparation. The employer is obliged to inform the employees of the act in question, the annex to it, and accompanying orders, if any, and obtain the employees' signatures on the form confirming familiarization with the specified documents. It is important to note that access to personal data of employees must be determined by professional necessity.
A change in an employee's personal data imposes certain responsibilities on the employer: at the employee's request, he must make an appropriate entry in the documents - the work book and the employee's personal file - if the change in data requires this.
Classification of personal data information systems (ISPD)
In order to classify ISPD, it is necessary to know the degree (category) to which the data belongs and determine its volume.
Based on the volume of PD processed, systems are divided into three types:
1. The first includes ISPD processing the personal data of over 100,000 subjects within the Russian Federation.
2. The second includes ISPD processing the personal data of more than 1,000 subjects who live in a specific municipality, or who work in a specific sector of the economy or a specific government agency.
3. The third includes information systems processing the data of no more than 1,000 personal data subjects employed in a particular company.
After analyzing the source data, you can assign the appropriate class to the system:
- In first-class systems, violations of the security of storing and processing personal data are dangerous because they can lead to serious harmful consequences for their owners.
- The second class is assigned to systems in which a violation of the processing and storage of personal data can lead to tangible undesirable consequences.
- The third unites ISPD, violations of which can lead to minor consequences.
- The fourth group includes ISPDs, in which, in the event of a violation of security parameters, the processed data is not in danger.
Classes are conventionally designated by the letter “K”. The procedure for classifying ISPD is regulated by order of the FSTEC.
What are the requirements for ensuring the protection of ISPD?
For fourth-class ISPD, all measures aimed at ensuring PD protection are established by the operator.
Third-class systems must undergo a declaration or certification procedure, and also obtain a FSTEC license for the technical protection of confidential data if such systems are distributed.
Second-class ISPDs must necessarily undergo certification; measures must be taken for them aimed at ensuring data protection from unwanted electromagnetic radiation and interference. Accordingly, special information security measures may be required to implement such measures. For distributed systems, it is also necessary to obtain a FSTEC license.
First-class ISPDs must undergo certification and are also subject to measures aimed at protecting against unwanted electromagnetic radiation and interference. It is mandatory to obtain a FSTEC license to carry out activities related to the technical protection of confidential information.
How to protect ISPD?
To ensure ISPD protection, you must do the following:
- Notify the authorized bodies of the intention to process personal data.
- Collect initial data.
- Assign a class.
- Predict threats to the structure and create a model.
- Design a data protection system.
- Perform system implementation and integration.
- Fulfill all requirements for engineering protection, security, fire safety, environmental requirements, etc.
- Pass the certification.
- Take care of the qualifications of the personnel who will process PD.
In what cases is certification necessary?
Certification must be performed in relation to ISPD if personal data is included in the state information resource. Such resources are systems that store information and documents at the disposal of the state. Certification is also required for ISPD of the first, second and third classes.
The operator has the right to replace the certification procedure for third-class ISPD with a declaration of conformity. However, this procedure is quite difficult to complete, since it does not have clear regulations.
Products used in class 1 and class 2 systems must undergo a conformity assessment procedure, including certification. For class 3 ISPD, a declaration of compliance with safety requirements is carried out. For class 4 ISPD, compliance testing is performed at the discretion of the operator.
05.03.2020