
A formalized method for analyzing regulatory and methodological documents and for synthesizing local acts on their basis


It so happened that I took part in developing the personal data direction at the very beginning, when the FSTEC documents on personal data protection first appeared. That meant shovelling through a huge number of various regulatory documents. A little later came the job of organizing personal data processing: I had to write a fairly voluminous handbook for the operator's employees, who were not familiar with the requirements of the law. After a fundamental amendment of the law this handbook was revised, and to share the experience of that work I created a formalized method for analyzing regulatory documents. That method is what the rest of this article is about.

The method


The method fits on a single A4 sheet, but it needs some explanation. I started from the principle of paying special attention to the psychological state of the person working through the document. This work is, unfortunately, cognitive: it requires a state of flow. When reading a regulatory act (hereinafter NA, for "normative act", by which I mean any regulatory, legal or methodological document), it is often hard to keep one's thoughts on the text while crawling through its legal and punctuation jungle. It is therefore better to stick to the rule that any search operation over the text is tied to exactly one "concept" per reading pass (in the spirit of: underline every letter "O" in "War and Peace", then cross out every "A", then circle every "E", each in a separate pass).

Document analysis (NA)


On the first three points of the method. These steps exist so that you do not do "unnecessary" work: if you need to draw up an employment contract, there is no sense in reading the Code of Criminal Procedure. One remark: read the scope of application of federal laws carefully. It often turns out that the same terms have different meanings in different laws, depending on the sphere (context) under consideration.

Example:
Federal Law of July 27, 2006 No. 152-FZ "On Personal Data"
Article 11. Biometric personal data
1. Information that characterizes the physiological and biological features of a person, on the basis of which his identity can be established (biometric personal data), and which is used by the operator to establish the identity of the personal data subject, may be processed only with the written consent of the personal data subject, except in the cases provided for in part 2 of this article.
and
Federal Law of December 3, 2008 No. 242-FZ "On State Genomic Registration in the Russian Federation"
Article 1. Basic terms
3) genomic information: personal data, including coded information about certain fragments of the deoxyribonucleic acid of a natural person or of an unidentified corpse, that does not characterize their physiological features;
In this example, "personal data" in the sense of 242-FZ is not "biometric personal data" in the sense of 152-FZ: genomic information is explicitly defined as not characterizing physiological features, so the written-consent rule of Article 11 of 152-FZ does not follow from it automatically.

For points 5 through 7 it is easier to show than to tell:

FSTEC Order No. 17 (the "correct" placement of the blocks is marked with a green border, the "wrong" one with a red border).

This is the general layout of the spliced pages:

Law No. 149-FZ "On Information, Information Technologies and Information Protection", "before" and "after" point 23 of the method (yes, the cupboard really does hold colored pencils, crayons and a whole stack of dissected documents: on personal data and on education).

Points 8 and 9 are mechanical work that simply has to be done carefully and rechecked.
Points 8 through 15 "switch on" the largest possible number of cognitive processes for memorizing information: its "convolution" and analysis.
At point 10 a trap laid by our legislators may be waiting if we try to get into the structure of the NA: the blocks of meaning are often in different parts of the law, and then at step 12 a "mosaic" may result. When point 15 is performed from the point of view of a subject, such a "mosaic" always results (the various matters concerning, for example, the personal data operator are scattered throughout the text: in duties, terms, rights and so on).
Point 16 lets you thoroughly understand and visualize the NA in all its details. Its peculiarity is that color separation is not used at this step (there are few visually contrasting, distinguishable colors; for the same reason adjacent blocks should not be colored with low-contrast colors, it is better to alternate them: warm, cold).
Points 17 through 21 are needed to visualize the place of the NA in the system of regulatory acts, and point 20 also serves to determine the list of local acts that should be developed in the organization.
It makes sense to perform points 22 through 26 only when the dissected NA is needed for current work.
Three examples of performing the described actions:

FSTEC Order No. 21.

FSTEC Order No. 31 (the appendix with tables is pasted separately, to the side).

A composite document (Government Decree No. 1119, FSB Order No. 378 and FSTEC Order No. 17). All classifications and determinations of requirements are carried out sequentially from left to right: presence of undeclared capabilities (NDV), the level of protection, the requirements for the regime, the group of the cryptographic means class, the exact class of cryptographic means, the GIS class and its refinement by the PDn protection level are determined in turn.

Document synthesis (LA)


For designing a local act (LA), a standard method for developing the table of contents and filling it in is described. Points 3 and 5 deserve separate mention.
In point 3, when there is no textual "content" at all for the document being created, it makes sense to turn to NA/LA analogues in another area of law, relying on Article 6 of the Civil Code of the Russian Federation.

Civil Code:
Article 6. Application of civil legislation by analogy
1. In cases where the relations provided for in Clauses 1 and 2 of Article 2 of this Code are not directly regulated by legislation or by agreement of the parties and there is no business custom applicable to them, civil legislation regulating similar relations applies to such relations, unless this contradicts their essence (analogy of statute).
2. If the analogy of statute cannot be used, the rights and obligations of the parties are determined on the basis of the general principles and meaning of civil legislation (analogy of law) and the requirements of good faith, reasonableness and justice.


Point 5 mentions the "canonical form of the text". This is not a generally accepted concept; it is taken from the remarkable but hard-to-read book by Yu.V. Kurnosov and P.Yu. Konotopov, "Analytics: methodology, technology and organization of information-analytical work" (RUSAKI, 2004; see the third paragraph on page 335 and onward).

Examples of "synthesis":
• Rules for the processing of personal data for a state organization (point 15 of the analysis is clearly visible here: the items are grouped not by the text of the law but by subjects, types of relations, terms, etc.);
• Consent to the processing of personal data, which takes into account every reference to it in the text of the law (it may differ from the latest edition of the law);
• Request from a personal data subject to a personal data operator (it contains "slightly more" than the subject is entitled to request, but since most operators have not read the law, this makes an indelible impression on them and they usually agree to settle the matter with the subject amicably, without swearing and scandals).

Another example: the Rules themselves, drawn not as a mind map but as an algorithm (a mind map degenerates into one when everything is logically aligned):

The complete sequence of all steps for organizing the processing and protection of personal data in an organization.

Algorithm, step 1: preparation for the processing of personal data in the organization.

Algorithm, step 4: the operator's required actions for processing personal data in the organization, depending on the method of processing.

Algorithm, step 8: the operator's required actions for processing personal data in the organization, depending on the category of personal data being processed.

Conclusion


In conclusion, let me remind you that it is very hard to dispute a "literal reading" of what is written in a regulation, so I urge you to read and write documents in exactly this way.
Naturally, with some modifications this method can be used not only for dissecting regulatory documents but also for analyzing any literature (above all educational literature) and for synthesizing various reports, analytical notes, term papers and dissertations.
And finally, to apply the described method quickly, without thinking, just by looking at a document, you need to "practice" a great deal, as in any field where a person wants to become a professional or achieve noticeable results.
My personal e-mail for questions, comments and suggestions: xanton@list.ru

Source: https://habr.com/ru/post/285922/
