Checks and plans of Roskomnadzor for 2018

Grandfather Roskomnadzor has been searching for personal data operators all year, who, from the point of view of the law, “behave badly”, and write them prescriptions. In this article we would like to talk about how this is happening, and a little more to reveal the plans of the "grandfather" for 2018. It is wonderful if it helps someone to prepare in advance and avoid problems.

Article 23 of the Federal Law of July 27, 2006 “On Personal Data” No. 152-FZ identifies two areas of Roskomnadzor’s activity: protection of the rights of personal data subjects; control and supervision of the compliance of personal data processing with legal requirements. To perform these functions, this article of the law vests Roskomnadzor with certain powers. Consider the most, in our opinion, the important ones.
')
Roskomnadzor:

• verifies the information specified by the organization in the Notification;
• may require the operator to destroy invalid or illegally obtained personal data;
• may restrict access to information processed in violation of the law;
• has the right to file claims with the court in defense of the rights of personal data subjects and submit them to the court;
• empowered to bring to administrative responsibility those responsible for violation of this Federal Law;
• is obliged to consider complaints and appeals on issues related to the processing of personal data, as well as to take decisions on them within their powers.

In practice, the main actions of Roskomnadzor in accordance with the federal law “On Personal Data” are as follows:

• work with appeals and complaints of citizens;
• control and supervisory activities;
• maintaining a registry of personal data operators.

Roskomnadzor considers complaints under the law of 05.05.2006 No. 59- “On the procedure for considering appeals of citizens of the Russian Federation”. Complaints can be sent both in writing and through a special form on the website of Roskomnadzor or the portal of state services.



The term for consideration of the application is 30 calendar days, except for the cases established by law. Now the Government is awaiting approval of the draft new Administrative Regulations. But at the moment, Roskomnadzor is conducting verification measures on the basis of the Administrative Regulations approved by order of the Ministry of Communications and Mass Communications of the Russian Federation No. 312 of 11/14/2011. As part of the monitoring and supervision of the processing of personal data, Roskomnadzor carries out scheduled and unscheduled inspections.

Scheduled checks

Scheduled inspections are carried out on the basis of the annual plan, it can be found at the link rkn.gov.ru/plan-and-reports , as well as in the annual plans of the activities of the territorial offices for the next year.

The plan of inspections for the next year is usually posted on the websites of the regional offices in mid-December of the current year. Since from September 1, 2015, Roskomnadzor is not coordinating plans for checking personal data with the Prosecutor’s Office, there is no check on the website of the latest in the consolidated inspection plan for all bodies on this subject. The current Administrative Regulation states that the territorial department of Roskomnadzor is obliged to notify you about the conduct of a scheduled inspection no later than three working days before the start of its conduct.

We analyzed the data already posted and available on the Roskomnadzor website. Here are some interesting results:

In total, measures are planned for the organization and conduct of control (supervision) in relation to about 900 PD operators. Geographically, these are the most diverse organizations "from Klininingrad to Vladivostok." To identify the most "verifiable" industries, we used information about the main type of activity of companies under OKVED.


The plans are led by the “traditional” for verification of the ILV industry: education, medicine, tourism, financial services and management companies.

About 38% of the operators in the inspection plans are state organizations. Accordingly, the share of commercial organizations accounts for more than 62% of events. Almost 99.8% are legal entities, not individual entrepreneurs.

To somehow describe the size of companies that in 2018 will fall under the checks, we used the information about the size of their share capital as an indirect feature.


The plans for the ILV are companies of all sizes.

The subject of verification Roskomnadzor are:

• personal data processing activities;
• documents, the nature of the information in which involves or allows the inclusion of personal data in them;
• personal data information systems.

Accordingly, Roskomnadzor does not check the availability and status of the technical protection of personal data information systems. His main task is to check the legal basis for the processing of personal data. Contrary to popular belief, regulations, instructions, orders and other documents are not the most important subject of inspections. The authorized body is more interested in the personal data itself and the correspondence of the volume of this data to the purposes of processing.

The notice of a scheduled inspection, as a rule, says that the person being inspected must submit:

• a copy of the document on the appointment of an official or authorized representative who will represent the interests of the legal entity under review;
• documents, the nature of the information in which involves or allows the inclusion of personal data. Roskomnadzor usually refers to such documents applications, questionnaires, magazines, etc .;
• documents confirming the destruction of personal data to achieve the purpose of processing. Unfortunately, not all personal data operators understand that in each case of personal data processing there is (or should be) the purpose of processing, by which it is necessary to destroy the data; written consent of the subjects of personal data to the processing of their personal data;
• documents confirming compliance with the requirements of the legislation of the Russian Federation in the processing of personal data, including special categories and biometric personal data;
• documents confirming the location of the databases (information systems) of personal data. This requirement appeared when the legislation amended the localization of personal data of Russians; documents confirming the familiarization of employees who directly process personal data with legislation and local acts of the operator regarding the processing of personal data;
• local acts of the operator governing the procedure and conditions for the processing of personal data.

A total of approximately 31 documents are requested , the following can be distinguished from the main and significant ones (the items concerned both automated processing and non-automated processing):

• PD processing notice
• Document identifying the person responsible for organizing PD processing
• The list of employees authorized to process PD
• Document defining the storage locations of PD
• Help on the processing of special and biometric categories PD
• Help on the implementation of cross-border transmission of PD
• Typical forms of documents with PD
• The order of destruction PD
• The procedure for transferring PD to third parties
• Model consent form for PD processing
• The accounting treatment of the subjects of PD
• List of personal data information systems (ISPDN)
• Documents regulating data backup in ISPD
• The list of information security tools used
• Access Matrix
• Threat model
• The document determining the security levels for each ISPD in accordance with PP-1119 dated November 1, 2012 “On approval of requirements for the protection of personal data when they are processed in personal data information systems”
• The logbook of computer data carriers PD

The audit plan includes legal entities that filed a Notice on the processing of personal data in the register of operators, and those who did not. That is, they can check everyone. The duration of both scheduled and unscheduled inspections may not exceed 20 business days.

Unscheduled inspections of Roskomnadzor

Unscheduled checks are documentary and away. Documentary are held in the form of a request by Roskomnadzor of the necessary documents and the provision of these documents by you within the time specified in the request. The operator shall be notified of the unscheduled inspection no later than 24 hours before its start in any way possible. This is usually done by phone or fax.

Such checks can be carried out in most cases for the following reasons:

• if the operator has completed the deadline for the previously issued order to eliminate the identified violation. After a routine check, Roskomnadzor usually conducts an unscheduled check to find out how the violation has been fixed. Such a check is rarely an exit. It is conducted in documentary form, that is, Roskomnadzor will ask you for information on the elimination of violations, and you must provide the necessary documents;
• if the service or its territorial bodies received an appeal from citizens, legal entities, individual entrepreneurs, information from public authorities, local governments, from the media. In 2011, approximately 1,500 complaints were received. In 2016, about 33,000;
• by order of the head of Roskomnadzor or the head of the territorial administration.
• upon detection as a result of systematic observation of violations of mandatory requirements

Systematic observation activities

Another type of control is systematic observation measures. The main difference is
activities are carried out without interaction with the audited persons. In recent years, this is the most popular type of control over the order of personal data processing. The popularity of such events is due to the fact that the labor expenditures of the territorial departments for their implementation are much less than scheduled inspections, and the efficiency is much greater. For a short period of time, each territorial office of Roskomnadzor can check dozens or even hundreds of organizations, starting, as a rule, by checking their websites.

The concept of “systematic observation activities” was added in 2015. Systematic observation is dangerous because no one is obliged to notify the company about it. According to the results, if violations are revealed, an unscheduled inspection is carried out in accordance with the “Administrative Regulations”. Measures of systematic observation are carried out on the basis of the order of the head of the territorial body and are fixed in the annual plan of the territorial administration for the next year.

The most popular violation detected during systematic observation is the absence on the site of a document defining the operator’s policy regarding the processing of personal data, if the site reveals a case of personal data collection (for example, an application form, registration or feedback with a specific set of requested information) .

Roskomnadzor may also request the legal basis for the placement of someone's personal data. Such requests have already been received, for example, by educational organizations, when personal information about schoolchildren and their success in competitions was posted on their website. So, by placing personal data of your employees or other persons on the site, monitor compliance with the requirements of the law .

What to look for

The processing of personal data is the daily activity of any legal entity. We constantly work with the data of our employees and customers (patients, students, customers, applicants, site users, borrowers, policyholders, visitors, viewers, etc.). We process the same data of the same person in different cases. And taken in one case, the consent - to the other may not apply.

Accordingly, in order to prevent negative consequences, we must pay attention to the legal basis for the processing of personal data in each particular case of processing, that is, to understand whether we have agreements, consents or even regulations that Roskomnadzor recognizes when checking the legal basis for processing personal data. A check can occur at any time. For example, you have a website. You collect data on it through various forms. Accordingly, you can be checked during systematic observation events, or in case any visitor to your site makes a complaint to you. Also, you may be unhappy with your client or employee (the former may also) who have the opportunity to complain to Roskomnadzor, and he, in turn, is obliged to respond to such complaints. So your task is to provide a legal basis for each case of processing.

Administrative responsibility for violation of personal data legislation is established by Article 13.11 of the Administrative Code of the Russian Federation. Fines for legal entities for each violation established by article 13.11 vary from 15,000 to 75,000 rubles.

Inspections of the State Labor Inspectorate

In the Labor Code of the Russian Federation, Chapter 14 is called: “Protection of personal data of an employee.” The State Labor Inspectorate conducts control and supervisory measures regarding the fulfillment of the requirements of the entire Labor Code and, accordingly, cannot bypass chapter 14. The inspections draw attention to the requirement of paragraph 8 of Article 86:

“Employees and their representatives must be familiarized with the employer's documents, establishing the procedure for processing personal data of employees, as well as their rights and obligations in this area.”

Thus, they check the availability of such a document and the fact that all employees familiarize themselves with it.

Administrative liability for violation of these requirements is provided for in Article 5.27. KoAP - a fine in the amount of from 30 000 to 50 000 rubles.

Checks FSTEK and FSB

Article 19 of the Federal Law “On Personal Data” establishes measures to ensure the security of personal data during their processing.

Part 3 of Article 19 states that the Government of the Russian Federation establishes the levels of protection of personal data when they are processed in personal data information systems (hereinafter referred to as ISPD) and the requirements for the protection of personal data in ISPD. Thus, we have a Government Decree No. 1119 of November 1, 2012, defining these requirements.

Part 4 of Article 19 establishes that the composition and content of the requirements, organizational and technical measures to ensure the security of personal data necessary for the fulfillment of the Government’s requirements, when they are processed into the ISPDN, are established by the FSTEC and the FSB within their authority. In response to this requirement, we have:

• Order of the FSTEC of Russia of February 18, 2013 No. 21 “On Approval of the Composition and Content of Organizational and Technical Measures for Ensuring the Security of Personal Data During Their Processing in Personal Information Systems”
• Order of the Federal Security Service of the Russian Federation of July 10, 2014 No. 378 “On approving the composition and content of organizational and technical measures to ensure the security of personal data when processing them in personal data information systems using the means of cryptographic information protection necessary to meet the protection requirements established by the Government of the Russian Federation”.

In fact, between the FSB and the FSTEC divided the powers in this area, where the FSB determines measures to protect ISPD when using cryptographic protection tools in them, and the FSTEC - measures on all other security issues.

Part 8 of Article 19 of the Federal Law “On Personal Data” contains an important point:

"Control and supervision of the implementation of organizational and technical measures to ensure the security of personal data established in accordance with this article, when processing personal data in the state personal data information systems, is carried out by the federal executive body authorized in the field of security and the federal executive body authorized in the field of countering technical intelligence and technical protection of information, within their limits without access to personal data processed in personal data information systems. ”

It turns out that the FSB and the FSTEC can only be checked by organizations operating state information systems. For other information systems, the control is not fixed in the law. It is only said that the FSTEC and the FSB

“By the decision of the Government of the Russian Federation, taking into account the significance and content of the personal data being processed, they may be vested with the authority to monitor the implementation of organizational and technical measures ... when processing them in personal data information systems operated in the implementation of certain types of activities and not being public information systems of personal data ... "

Inspections FSTEK and FSB can be both planned and unplanned.

As part of the checks, the FSB pays attention to:

• the presence of a model of the intruder and threats, developed in accordance with the requirements of the FSB;
• organizational measures established in accordance with the order of the Federal Security Service No. 378 (the appointment of responsible persons, local acts, the procedure for admitting employees to ISPDn, the physical protection of facilities, etc.);
• availability of means of cryptographic protection of information, the procedure for their accounting and operation;
• documentation for the means of cryptographic protection of information (licenses, certificates, forms, etc.).

As part of inspections FSTEC draws attention to:

• the presence of a model of the offender and threats, acts of establishing security levels for ISPDn;
• availability of information security tools, the procedure for their accounting and operation;
• documentation for information security tools (licenses, certificates, forms, etc.);
• organizational measures established in accordance with the order of the FSTEC of Russia No. 21 (the appointment of responsible persons, local acts, the procedure for admitting employees to ISPDn, physical protection of facilities, etc.);
• certification testing materials (in GIS).
• For violation of these requirements, responsibility has been established in accordance with Article 13.12 of the Administrative Code of the Russian Federation:
• for the use of non-certified information systems, databases and data banks, as well as non-certified information security tools, if they are subject to mandatory certification - a fine of up to 25,000 rubles for legal entities;
• for violation of information protection requirements (except for information constituting state secrets) established by federal laws and other regulatory legal acts of the Russian Federation adopted in accordance with them - a fine of up to 15,000 rubles for legal entities.

Conclusion

After the amendments to article 13.11 of the Administrative Code of the Russian Federation come into force, control and supervisory activities will not change dramatically, but due to a substantial increase in fines, the approach of organizations to meeting the requirements of the law and preparing for inspections will change. If earlier organizations believed that it was easier to do nothing and you could wait for a probable check and pay a small fine (up to 10,000 rubles) for it, now companies will fight for their rights, which means that it will positively affect the rather ambiguous court practice. these issues.

Worst of all are those organizations, the start of inspections for which falls on the very beginning of the year. They have a minimum amount of time to prepare for the inspection or observation. However, it is worth remembering that PD processing can also be carried out by a person on behalf of the operator . With automated processing, you can contact us and save yourself at least part of the headache on the issue of compliance and reduce their costs. We offer several solutions that allow approaching the image of the “ideal operator”, the main one being “Cloud FZ 152” .

Sources:
rkn.gov.ru
fstec.ru
www.fsb.ru
www.anti-malware.ru