Hello. With this article I want to start a small series of articles on the protection of personal data (hereinafter PD) in the Russian Federation. The topic is very timely: from January 1, 2011 the requirements of Federal Law No. 152-FZ "On Personal Data" become mandatory for all state and municipal institutions, as well as for the lion's share of companies. So I want to explain what this law is and what it is eaten with.
What kind of law is this?
The Federal Law "On Personal Data"
is a normative legal act that forms the basis of the regulatory framework for the processing (use) of personal data. (c) Wikipedia
The law was adopted on July 8, 2006 and, according to the source, entered into force on December 26, 2007. Operators were originally given until January 1, 2010 to comply, but the deadline was pushed back to January 1, 2011 because the law was not taken seriously. Now many are feeling the heat.
Let's start.

Personal data
- any information relating to a natural person (the personal data subject) who is identified or identifiable on the basis of such information, including last name, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income, and other information.
This is the "any information" that we fill in on questionnaires when applying for a job, when registering on Internet resources, or when paying utility bills. If you pay a bill at a bank, you will see a separate item on it about consenting to the processing of personal data. I have already run into it.
In organizations this means employee records (the employees are PD subjects) and customer databases (if a CRM is in use). The law is therefore aimed mainly at the protection of personal data in organizations with a large number of employees and/or customers.
In that wording, "other information" can cover both a credit card number and PIN and a person's preferences when choosing a car, data of completely different weight categories.
Do not leave your personal data just anywhere. If you are sure of whom you are giving it to, you can safely provide it.
PD are in turn divided into the following categories:
• category 1 - personal data concerning race, nationality, political views, religious and philosophical beliefs, state of health, intimate life;
• category 2 - personal data that allows the PD subject to be identified and additional information about them to be obtained, with the exception of personal data belonging to category 1;
• category 3 - personal data that only allows the PD subject to be identified;
• category 4 - depersonalized (anonymized) and/or publicly available personal data.
Compliance is easiest when you handle only categories 3 and 4, because the regulators are not too demanding about their protection.
Personal data may only be processed by operators.

Operator
- a state body, municipal body, legal entity or natural person that organizes and/or carries out the processing of personal data and determines the purposes and content of that processing.
Before starting to process personal data, an operator must send a notification to the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor). This is only the first step towards processing personal data.
If we consider that almost every organization, large or small, must process at least the data of its own employees, there must be at least 4 million operators. Large firms, state corporations and other giants of Russian business have for the most part already met all the requirements of the law, which cannot be said of small and medium business.
"That's it, I've done everything," the HR manager or the system administrator (they are usually the ones made responsible for complying with this law) would be happy to say after sending the notification about personal data processing. But their joy would be short-lived, because notifying the regulator is just the tip of the iceberg.
Being an operator is not so easy. See what the law says.

When processing personal data, the operator is obliged to take the necessary organizational and technical measures, including the use of encryption (cryptographic) tools, to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying and dissemination, as well as from other unlawful actions.
All personal data is processed in personal data information systems (ISPDn). This can be a database behind a website or a spreadsheet in Excel.
An operator who intends to bring his systems into line with the law on his own will have to read at least 4 laws and at least 40 regulatory acts.
ISPDn are classified as follows:
1. Class one (K1) - information systems for which a violation of a given security characteristic of the PD can lead to significant negative consequences for the PD subject;
2. Class two (K2) - information systems for which a violation of a given security characteristic of the PD can lead to negative consequences for the PD subject;
3. Class three (K3) - information systems for which a violation of a given security characteristic of the PD can lead to minor negative consequences for the PD subject;
4. Class four (K4) - information systems for which a violation of a given security characteristic of the PD does not lead to negative consequences for the PD subject.
Everything concerning ISPDn is laid down in the regulatory acts of the FSB and FSTEC.
FSTEC tells us that any personal data must be protected and that the information protection tools used must be certified (not in all cases). When processing PD concerning religious beliefs, state of health or intimate life, protection against the PEMIN channel (spurious electromagnetic emanations and pickup, i.e. TEMPEST-type leakage) is also required.
Without going into detail in this article, we can say that protecting personal data is an expensive pleasure. Of course, you can try to put everything in order yourself, without specialists and technical information protection tools, but as you know, the miser pays twice.
What in practice?
Suppose our company recruits specialists through social and professional networks (Vkontakte, My Circle). The personal data here is the users' data, and the operator is the Internet resource in question. The recruiter takes user data and adds it to his own database. I asked one of Mail.ru's recruiters whether this was legal and was told "we take the data from public sources." Nothing could be more wrong!

Processing of personal data
- actions (operations) with personal data, including collection, systematization, accumulation, storage, updating (refinement, modification), use, dissemination (including transfer), depersonalization, blocking and destruction of personal data.
It follows that the operator is whoever carries out the processing of personal data, and even the mere storage of other people's personal data falls under this wording. Here, however, everything depends on the terms of registration on the Internet resource, and whether they provide for the possibility of disseminating the user's personal data. Paragraph 4.8 of the Vkontakte social network rules says the following.

By accepting these Rules upon registering on the Site, the User confirms his consent to the processing by the Administration of his personal data provided during registration, as well as that posted voluntarily by the User on his personal page. Processing of the User's personal data is carried out in accordance with the legislation of the Russian Federation. The Site Administration processes the User's personal data in order to provide the User with services, including for the purpose of delivering personalized (targeted) advertising to the User; for verification, research and analysis of such data, which make it possible to maintain and improve the services and sections of the Site and to develop new services and sections of the Site. The Site Administration takes all necessary measures to protect the User's personal data from unauthorized access, alteration, disclosure or destruction. The Administration provides access to the User's personal data only to those employees, contractors and agents of the Administration who need this information to ensure the operation of the Site and the provision of the Services to the User. The Site Administration has the right to use the information provided by the User, including personal data, in order to ensure compliance with the requirements of the current legislation of the Russian Federation (including for the purpose of preventing and/or suppressing illegal and/or unlawful actions of Users).
The disclosure of information provided by the User can be made only in accordance with the current legislation of the Russian Federation at the request of the court, law enforcement agencies, as well as in other cases provided for by the legislation of the Russian Federation.
The clause is drafted almost perfectly. From 2011, a clause like this should be in every user agreement between an Internet resource and its users.
The situation is quite different on the My Circle professional network. They went a slightly different way. Clause 2.5 of the User Agreement:

By entering into this Agreement, the User consents to the processing by Yandex of the personal data provided by them as part of the Information, for the purpose of concluding this Agreement between the User and Yandex and its subsequent performance.

And further, clause 3.4 of the User Agreement:

Yandex is not responsible for the use (whether lawful or unlawful) by third parties of the Information posted by the User on the Service, including its reproduction and distribution, whether within the Service or by other possible means.

Everything is clear without further explanation. Yandex has a good reputation and, logically enough, does not want to spoil it over the law "On Personal Data" that is breathing down its neck.
Muscovites will know that MGTS often calls to tell you what good Internet they have. If I am a telephone subscriber, I know myself whether I need Internet or not. With that in mind, I told the operator who called: there is no clause in my contract giving you the right to call me, i.e. to process my PD for advertising purposes without any particular need (old contract). They have not called for the past six months.
If your personal data is being processed unlawfully or without compliance with the law, you can send the regulator a notification about the possible violation. And what does the PD operator risk?
The regulator has every right to halt the operator's processing of personal data. If PD is the cornerstone of the business, that means stopping work altogether. The loss of reputation and image in the market will also be felt. A fine will not be long in coming either; it is still small, 5 to 10 thousand rubles, an amount one can afford to pay, but everyone expects tougher penalties.
Do I need this law?
This law is necessary, there is no doubt about that; the question is how it will be changed in the near future. The document has no shortage of "holes" and ambiguities, but it exists, and the regulators have issued the main regulatory and methodological documents and acts. What else is needed? To comply with this law honestly and sensibly.
PS In the next article I will try to analyze the situation that has arisen with applying the law to CRM systems distributed under the SaaS model.