Introduction
Good day to all! In this article I would like to raise once again the topic of personal data protection (hereinafter PD), as well as the topic of protection from regulators. The peak of the debate on PD protection has long passed. Those peaks, as a rule, coincided with the approach of the next "very last deadline" for 152-FZ to enter into full force. As a result, the "very last deadline" has come, the active debate has subsided, but the law "On Personal Data" lives on, regulators carry out inspections and punish violators. Therefore, the topic will remain relevant for a long time.
I will say straight away that this article will contain mostly organizational rather than technical information. "And why do we need such information?" the reader will ask. I explain: it just so happens that the heads of large and not-so-large organizations do not like to build long logical chains and delve into the essence of an issue that lies far from their competence. Therefore, when the need arises to ensure the protection of personal data, a chain of reasoning that is, in their opinion, quite logical is built: "Personal data protection" -> "Information protection" -> "Information technologies" -> "Dump the personal data protection question on the IT people". Never mind that in this matter the lion's share of the work could be entrusted to lawyers and HR staff; as the old joke goes, "whoever doesn't want to load the 'luminum' will go load the iron."
[Image: a typical example of the disclosure of a special category of PD (information about intimate life)]
So why will I still not consider the technical protection of personal data here?
There are several reasons:
- There is a lot of information on the Internet, and it is more or less unambiguous.
- This topic is quite extensive and deserves a separate article; in this piece I want to touch on organizational issues.
- The organizational aspects are checked by Roskomnadzor, the technical ones by the FSTEC. The FSTEC checks personal data protection much less often, if only because Roskomnadzor has a department in every region, while the FSTEC has one department per Federal District.
- In connection with the repeal of Government Decree No. 781, which regulated the technical protection of personal data, and its replacement with Decree No. 1119, the regulatory documents of the FSTEC of Russia and the FSB of Russia are in a "suspended" state. In theory, they should not be applied, since they were issued in pursuance of the repealed Decree No. 781; on the other hand, the FSTEC of Russia documents can only be abolished by the FSTEC of Russia itself. Therefore, the technical protection of PD is better considered in detail after the regulators release new documentation.
- IT staff are in any case much closer to the technical protection of PD and find it easier to figure out, whereas when the bosses hand them the "paper" work, many may need help and clarification.
A little about myself
I thought it necessary to first say a little about myself, so that the reader understands that everything written below is based on personal experience in organizing the protection of personal data in various organizations, and is not the quintessence of various forum debates on the Internet (there, "experts" sometimes write things that make your hair stand on end, and not only on your head).
I am the head of a department at one of the companies in the Far East that provides outsourced information security services to enterprises. Of course, personal data protection is one of our most sought-after services. I have been working in this direction since 2008. Among the clients there are both small organizations and rather large state ones (departments, government offices, legislative assemblies, etc.) and commercial ones (mobile operators, Internet providers, private medical clinics).
Some clients have had Roskomnadzor audits for compliance with the requirements of the legislation in the field of PD protection, and so far the result is 100% successful audits. I also have personal experience of representing the interests of an organization during such an audit.
So, you have been appointed responsible for organizing PD processing, and on top of that you have learned that you are included in Roskomnadzor's inspection plan for the coming year. Where to begin?
And so it happened: the head, without much bother, signed an order saying "System Administrator of Horns and Hoofs LLC Ivanov I.I. is to ensure that personal data protection in our organization is feng shui". What to do first?
First of all, you need to find out whether your organization is in the register of personal data operators. To do this, it is enough to enter the company's INN (taxpayer identification number) into the search. If there is no such notification, you need to submit one (but bear in mind that if the notification was not submitted earlier, this is grounds for the regulator to fine your organization).
If the notification does exist, you need to check its content. It often happens that the notification was filled out haphazardly back in 2007 by some Vasya Pupkin from the personnel department who was fired long ago. In this case, it is quite natural that the content of many fields does not correspond to reality. At the same time, the practice of punitive measures shows that the majority of orders are issued by Roskomnadzor precisely because the notice does not match what is actually happening in the organization. For example, the column "Categories of personal data processed" says "Name, passport data, address of residence, phone number", while you also process health information.
There is also a special form for making changes to the notice on the personal data portal. Here it must be remembered that the changes will not be taken into account unless you follow them up with a paper letter to your territorial department of Roskomnadzor. The same applies to the initial notice.
Well, the notification is sorted out; what then?
Then you need to issue and approve a bunch of documents (instructions, regulations, orders, logs, etc.) in your organization. Here it must be remembered that the documents must regulate not only automated processing but also "analog" (paper) processing.
There is no list of documents as such; there is only a list of aspects that you must describe in them.
The first step is to appoint a person responsible for organizing the processing of personal data (this person now has to be indicated in the operator's notice). This person will be responsible for the "paper" questions. You also need to appoint a personal data security administrator. He will be responsible for the technical side of the question. Both can be appointed by one order. I want to note at once that all wording is strongly recommended to be aligned with the text of the legislation, since the inspectors very often find fault with it. For example, if you call the person responsible for organizing PD processing simply "responsible for PD processing", then with a probability of 99.9% the inspector will ask you to amend the document during the inspection.
Further, many people forget about this, but Roskomnadzor requires that in every office where PD are processed on paper, the storage locations (safe, cabinet, shelving) and the persons responsible for maintaining the confidentiality of PD in that office be identified. Simply put, we issue an order saying "In office No. 1, approve such-and-such safe as the storage location and appoint such-and-such as the responsible person."
Next, you must appoint a classification commission and a PD destruction commission. Each commission should include a chairman and at least two members. Both commissions may be 100% identical in composition.
Further, it is necessary to determine the persons allowed to process personal data. These are the employees who work with PD of the organization's own employees as well as of clients, subscribers and other categories of subjects. Moreover, the document should indicate which employee has access to which data, whether he processes this data using automation tools or not, and, in the case of automated processing, his role in the system (user, administrator, etc.). It should be noted here that every employee allowed to process personal data must sign a non-disclosure agreement.
The next step is to determine the categories of personal data that we have to protect. This is also done by a separate order. There is another point that many people forget about but Roskomnadzor asks about during inspections: personal data is a special case of confidential information, therefore a list of confidential information must also be approved by a separate order. What may constitute confidential information is determined by Presidential Decree No. 188 of March 6, 1997. We simply copy the items relevant to your organization into your order, and we are done.
Finally, you must approve the main document in your organization that regulates the protection of PD. Typically, such a document is called "Regulations on the processing and protection of personal data." Here you describe the basic concepts of the legislation, the goals and legal grounds for processing PD, the rights and obligations of the operator, and the rights and obligations of the PD subject.
You will also have to develop a number of logs; you must show Roskomnadzor that you are conducting regular (and not just one-time) PD protection activities. For example, the "Information Security Briefing Log" and the "Log of Measures to Monitor the Protection of Personal Data" can help here. It is imperative (Roskomnadzor will definitely ask) that there be a register of appeals from citizens who are PD subjects regarding the exercise of their legal rights. Also, do not forget to obtain a register of inspections of the legal entity by regulatory authorities before the inspection.
Summing up the implementation of organizational documentation for PD protection in your organization, I repeat once again: there is no strict list of documents. You can create one big document called "Policy for the protection of personal data" in which you describe everything I listed above, or you can break it into many small documents. You can issue several different orders, or you can appoint all the responsible persons, identify the persons authorized to process PD and so on in one single order.
Nevertheless, as an example, I will give a standard list of documents that we usually implement with our clients:
- list of confidential information;
- information security administrator's instructions;
- order appointing the persons responsible for organizing the processing of personal data and a list of measures for the protection of personal data;
- list of personal data to be protected;
- order approving personal data storage locations;
- instructions for users of the personal data information system;
- order appointing a commission for the destruction of personal data;
- procedure for backup and recovery of hardware, software, databases and information security tools;
- plan of internal checks of the personal data protection regime;
- order on commissioning the personal data information system;
- log of storage media of the personal data information system;
- register of measures to monitor the protection of personal data;
- register of appeals from citizens who are personal data subjects regarding the exercise of their legal rights;
- rules for processing personal data without the use of automation tools;
- regulations on the delimitation of access rights to the processed personal data;
- act of classification of the personal data information system;
- instructions for anti-virus control in the personal data information system;
- instructions for organizing password protection;
- log of periodic testing of information security tools;
- form of the act of destruction of documents containing personal data;
- personal data non-disclosure agreement;
- register of information security tools;
- information security briefing log;
- instructions for users on ensuring security in emergency situations;
- order on the list of persons allowed to process personal data;
- regulations on the processing and protection of personal data;
- action plan to ensure the security of personal data;
- security threat model for the personal data information system.
Something like this; again, the list can be much wider or much narrower, it all depends on what is written in each of the documents, the content is what matters. Samples of all these documents are easy enough to google.
Many have probably noticed that the list contains many documents that regulate the automated processing and protection of personal data in information systems. Despite the fact that during an inspection Roskomnadzor pays more attention to the documentation of PD protection than to the technical side, it doesn't matter: the more documents on PD protection you provide, the more plus points you will earn in your karma with the regulator.
Concluding the section on documents, I will note a few more points that need to be addressed. Firstly, every document listed above should have a familiarization sheet, and every person concerned by that document (whether an instruction or an order) must sign that they have read it. Secondly, in the job descriptions of all persons admitted to the processing of personal data you must insert the line "When dealing with personal data, follow the Regulations on the processing and protection of personal data." And thirdly, in addition to the internal documents, it is necessary to develop one public document. Usually it is called the "Policy on the processing of personal data". Such a document should be posted on the website of the PD operator or, if there is no website, on the bulletin board in the office or in another public place. There are also a lot of examples of such policies.
Certification
Although this point relates more to technical protection (after all, certification is carried out when our information system has been fully equipped with information protection tools), I still want to say a few words about it. I very often hear from regular customers that they have been brainwashed into believing that certification of personal data information systems is mandatory. Remember once and for all: this is NONSENSE! The Regulations on the certification of informatization objects state in black and white that only objects containing state secrets and environmentally hazardous objects are subject to mandatory certification. Therefore, all this talk about compulsory certification of ISPDn is simply the machinations of unscrupulous integrators who want to make a quick buck off a trusting client once again.
Certification of an ISPDn can be mandatory only if your organization is subordinate to a higher authority, and that authority has instructed you to certify all of your ISPDn.
However, the head of the organization may himself wish for certification, because the certificate of conformity unambiguously confirms that your information systems fully comply with the legislation both in terms of documentation and in terms of technical protection. In this case, it must be remembered that one of the conditions for the validity of the certificate is that the operating conditions of the ISPDn remain unchanged. That is, roughly speaking, you cannot replace the monitor at a workstation or install additional software without coordinating with the certification body, and this entails additional costs. It is also worth remembering that a certificate of conformity can be issued for a maximum of three years, and then everything starts over again.
Returning to our main topic, preparation for a Roskomnadzor inspection, I want to say that in all five years of work in this field, the inspectors have never once demanded a certificate of conformity.
In lieu of a conclusion
This has turned out to be quite a lot of text and, I think, it is time to wrap it up, especially since after completing the measures described above you can say that you are almost ready for a Roskomnadzor inspection. Still, I will once again try to briefly formulate the main stages whose implementation will, with a high degree of probability, help you get a positive conclusion from the inspection, along with a few other points not covered in the article:
- Operator notification. It is necessary to check that the notice exists and that the information contained in it is accurate.
- Roskomnadzor will not check your personal data information systems; these functions are entrusted to the FSTEC of Russia and the FSB of Russia (in the case of using encryption tools). Therefore, focus on documentation and on informing your employees.
- I think it goes without saying that if a Roskomnadzor inspection comes to you and somewhere in the personnel department a stack of photocopies of someone's passports is lying unattended on a desk, this will be an epic fail.
- If, after all that you have read and after all the measures taken, you still have questions, do not be lazy (and even less so, do not be afraid or hesitate) to call the regional department of Roskomnadzor. Ask your questions. As a rule, it is easy to get through to them (compared with many other government agencies), and the RKN staff are accommodating and explain their view of controversial issues. In some cases such a call is even vital, since our legislation can often be interpreted in two ways, and it even happens that the same RKN officer holds one point of view on a problem today and another tomorrow.
- It is better to collect PD processing consents from all subjects. Yes, the law contains a list of cases when consent is not required, for example, when the operator and the subject are parties to a contractual relationship. BUT here it is necessary to remember that the processing of biometric and special categories of PD, as well as the transfer of PD to third parties, is carried out ONLY with the consent of the subject. In any case, consent to the processing of PD removes a lot of unpleasant questions from you, and if there is an opportunity to collect these consents, it is better to do so. Here, by the way, as with the notification, you need to remember that the information specified in the consent must match what you actually process and how.
- At the beginning of the audit, show the regulators that you are fully prepared to cooperate and to correct the identified shortcomings during the audit itself. It is impossible to prepare perfectly; in any case there will be some comments. This is not scary: they can be eliminated during the inspection, which usually lasts 20 days. If the comments are eliminated, this will not adversely affect the content of the final protocol.
That is probably all. As you can see, an RKN inspection is not as terrible as it may seem at first glance. If readers have any questions or suggestions for further articles on PD, I will try to answer everything and take everything into account.