
Personal Information (Short FAQ)


What is personal data?


Personal data is any information relating to an individual who is identified or identifiable on the basis of such information, including:
- surname, first name, patronymic,
- year, month, date and place of birth,
- address, family, social and property status, education, profession, income,
- other information (see Federal Law No. 152-FZ, Article 3).
For example: passport data, financial statements, medical records, year of birth (for women), biometrics and other personally identifying information.
Publicly available sources of personal data (directories, address books and other information resources) may, with the written consent of the individual, include his surname, first name, patronymic, year and place of birth, address, subscriber number and other personal data (see 152-FZ, Article 8).
Personal data is information of restricted access and must be protected in accordance with the legislation of the Russian Federation. For the purpose of defining security requirements for systems, personal data is divided into 4 categories.


What is the operator and the subject of personal data?


The personal data operator is, as a rule, an organization: more precisely, a state or municipal body, a legal entity or an individual that organizes and (or) carries out the processing of personal data and defines the purposes and content of that processing.
The subject of personal data is the individual to whom the data relates.
The operator is responsible for protecting the subject's personal data in accordance with the current legislation of the Russian Federation.


How to classify the personal data information system?


In order to assign a typical personal data information system (ISPDn) to a particular class, it is necessary to:
I. Determine the category of personal data processed:
• category 4 - depersonalized and (or) publicly available personal data;
• category 3 - personal data that allows the subject of personal data to be identified;
• category 2 - personal data that allows the subject of personal data to be identified and additional information about the subject to be obtained, except for personal data belonging to category 1;
• category 1 - personal data concerning race, nationality, political views, religious and philosophical beliefs, state of health and intimate life.
II. Determine the volume of personal data processed in the information system:
• volume 3 - the information system simultaneously processes the data of fewer than 1000 personal data subjects, or the personal data of subjects within a specific organization;
• volume 2 - the information system simultaneously processes the personal data of 1000 to 100,000 subjects, or the personal data of subjects working in a sector of the economy of the Russian Federation or in a government body, or residing within a municipality;
• volume 1 - the information system simultaneously processes the personal data of more than 100,000 subjects, or the personal data of subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole.
III. Based on the analysis of these initial data, a typical ISPDn is assigned one of the following classes (see table):
• class 4 (K4) - information systems in which a violation of a given security property of the personal data processed does not lead to negative consequences for the subjects of personal data;
• class 3 (K3) - information systems in which a violation of a given security property of the personal data processed may lead to insignificant negative consequences for the subjects of personal data;
• class 2 (K2) - information systems in which a violation of a given security property of the personal data processed may lead to negative consequences for the subjects of personal data;
• class 1 (K1) - information systems in which a violation of a given security property of the personal data processed may lead to significant negative consequences for the subjects of personal data.

Volume / Category                    | Volume 3 (<1,000, organization) | Volume 2 (1,000-100,000, sector, city) | Volume 1 (>100,000, subject of the federation)
Category 4 (impersonal, public)      | Class 4                         | Class 4                                | Class 4
Category 3 (identification)          | Class 3                         | Class 3                                | Class 2
Category 2 (identification and more) | Class 3                         | Class 2                                | Class 1
Category 1 (medical, social)         | Class 1                         | Class 1                                | Class 1


See the Procedure for the classification of personal data information systems introduced by the joint Order of the FSTEC (Federal Service for Technical and Export Control) of Russia, the FSB of Russia and the Ministry of Information Technologies and Communications of Russia No. 55/86/20.


Doomsday is delayed until January 1, 2011


Personal data information systems created before the entry into force of Federal Law No. 152-FZ "On Personal Data" must be brought into compliance with the requirements of this Federal Law no later than January 1, 2010 (see 152-FZ, Article 25).
This means that personal data operators who fail to meet the very stringent requirements of Federal Law No. 152-FZ will, from January 1, 2010, incur the corresponding civil, administrative, disciplinary and possibly (God forbid) criminal liability.
Information systems put into operation after February-April 2008 (when the methodological documents of the FSTEC of Russia and the FSB of Russia were distributed) that do not meet the requirements of Russian legislation on personal data may incur this liability earlier, for example, tomorrow morning.
Note. Amendments to the Criminal Code that significantly tighten liability for violations affecting privacy also take effect from January 1, 2010.


ADDITION:
But, as always happens, personal data operators did not move much, and very few managed to do everything that was required. On December 16, 2009, the State Duma adopted in the third reading amendments to Articles 19 and 25 of the Law on Personal Data (152-FZ). The deadline for bringing personal data information systems (ISPDn) into compliance with this law was postponed by a year, until January 1, 2011. In addition, the provision obliging the operator to use encryption (cryptographic) means to protect personal data during processing was removed from the law.


Mandatory requirements for the protection of personal data information systems


The main mandatory requirements for organizing an information security system, depending on the class of a typical ISPDn:
For class 4 ISPDn:
• the list of measures for the protection of personal data is determined by the operator (depending on the possible damage).
For class 3 ISPDn:
• declaration of conformity or mandatory attestation for information security requirements;
• obtaining a license from the FSTEC of Russia for technical protection of confidential information (for distributed class 3 ISPDn).
For class 2 ISPDn:
• mandatory attestation for information security requirements;
• measures must be taken to protect personal data from PEMIN;
• obtaining a license from the FSTEC of Russia for technical protection of confidential information (for distributed systems).
For class 1 ISPDn:
• mandatory attestation for information security requirements;
• measures must be taken to protect personal data from PEMIN;
• obtaining a license from the FSTEC of Russia for technical protection of confidential information.


Procedure for the protection of the personal data information system


The sequence of actions for complying with the requirements of the legislation on the processing of personal data:
1) Notification of the authorized body for the protection of the rights of personal data subjects of the intention to process personal data using automation tools;
2) Pre-project survey of the information system - collection of initial data;
3) Classification of the personal data information system;
4) Building a specific threat model and determining which threats are relevant to the information system;
5) Development of a specific technical specification for the personal data protection system;
6) Design of the personal data protection system;
7) Deployment and commissioning of the personal data protection system;
8) Compliance with the requirements for engineering protection of premises, fire safety, physical security, power supply and grounding, and sanitary and environmental requirements;
9) Attestation (certification) for information security requirements;
10) Professional training of employees in the field of personal data protection;
11) Maintenance (outsourcing) of the personal data protection system.


When are attestation and certification required?


Attestation of information systems for information security requirements is required:
- for an ISPDn whose personal data is classified as a state information resource (see "Special Requirements and Recommendations for the Technical Protection of Confidential Information", State Technical Commission of Russia, 2001);
- in other cases, for class 1, 2 and 3 ISPDn.
For class 3 ISPDn, by the operator's decision, the mandatory attestation procedure may be replaced by a declaration of conformity (see "Basic measures for organizing and ensuring the security of personal data processed in personal data information systems", FSTEC of Russia, 2008, clause 3.11). Unfortunately, at present the declaration of conformity procedure is not regulated.
Information security tools used in an ISPDn undergo a conformity assessment procedure in the prescribed manner (see "Regulation on ensuring the security of personal data during their processing in personal data information systems", paragraph 5), including certification for compliance with information security requirements (see "Basic measures for organizing ...", clause 3.3).
In addition, the software used to protect information in the ISPDn (information security tools, including those built into system-wide and application software) must also be certified for the absence of undeclared capabilities (see "Basic measures for organizing ...", clauses 4.2, 4.3).
Note:
1) ISPDn operators, when taking measures to ensure the security of personal data (confidential information) processed in class 1 and 2 ISPDn and in distributed class 3 information systems, must hold a license for technical protection of confidential information, obtained in the prescribed manner.
2) Applicants for certification of information security tools (developers of state information systems or ISPDn, or personal data operators) must hold a license for the development and/or production of means of protecting confidential information.

ADDITION:
In connection with the publication of Order of the FSTEC of Russia No. 58 of February 5, 2010 "On Approving the Regulation on Methods and Means of Protecting Information in Personal Data Information Systems" (registered by the Ministry of Justice of Russia on February 19, 2010, registration No. 16456; published in Rossiyskaya Gazeta, March 5, 2010, No. 46), from March 15, 2010 the following methodological documents of the FSTEC of Russia are no longer applied to ensure the security of personal data during their processing in personal data information systems:
• Basic measures for organizing and ensuring the security of personal data processed in personal data information systems, approved by the Deputy Director of the FSTEC of Russia on February 15, 2008;
• Recommendations on ensuring the security of personal data during their processing in personal data information systems, approved by the Deputy Director of the FSTEC of Russia on February 15, 2008.


Responsibility for violations of the processing of personal data


Persons guilty of violating the requirements of Federal Law No. 152-FZ "On Personal Data" bear:
- civil,
- criminal (see the Criminal Code of the Russian Federation, Articles 137, 140, 155, 183, 272, 273, 274, 292, 293),
- administrative (see the Code of the Russian Federation on Administrative Offenses, Articles 5.27, 5.39, 13.11-13.14, 13.19, 19.4-19.7, 19.20, 20.25, 32.2),
- disciplinary (see the Labor Code of the Russian Federation, Articles 81, 90, 195, 237, 391)
and other liability stipulated by the legislation of the Russian Federation (see the by-laws on working with personal data issued in the constituent entities of the Russian Federation, departments and organizations).



Abbreviations used in the article:
FSTEC - Federal Service for Technical and Export Control.
ISPDn - personal data information system.
PEMIN - spurious electromagnetic emanations and pickup.

Source: https://habr.com/ru/post/107576/
