
What exactly is personal data?

The Novgorod boy Onfim, in the 13th century, turned birch bark into a carrier of personal data by combining a drawing of a man with his name.



Imagine that you have found three friends who were born on the same day as you. You share the same date of birth and the same gender, and with a certain amount of effort each of you can legally change your name. The result is four identical people. Is the set "full name (surname, first name, patronymic; "F. I. O." below) + date of birth + gender" personal data?



The answer, oddly enough, is yes.


Here personal data means any set of information that in one way or another allows an individual, the subject of personal data, to be identified; that is, information that clearly points to a specific person.



Previously, the legislative definition listed specific examples of information that, individually or in combination with other information, constituted personal data. The current version of Art. 3 of Federal Law No. 152-FZ contains no examples, since the legislator chose to emphasize the "spirit of the law": it expressly states that personal data is "any information relating to a directly or indirectly identified or identifiable individual", and leaves the rest to judicial practice.



So let us look at examples of what is PD and what is not.



Simple cases



To begin with, there is a category of "raw" data that allows a specific person to be uniquely identified. For example, a passport number, or the set "F. I. O. + gender + date of birth".



Personal data, for example:





At the same time, there is a second category of "raw" data which, on its own, is hardly enough to identify the subject of personal data. For example:





On its own, such information cannot be called personal data from the point of view of current legislation.



Rule number one: if you mix information that in itself constitutes personal data with information that does not into one database, you get a personal data base. For example:





Clarification about "bare" PD



Some personal data do not allow a random person to establish your identity, but do allow, for example, law enforcement agencies to do so. Thus an individual's mobile phone number is tied to a full name and passport number, which makes it "pure" personal data. Whether it is used on its own or combined with any other information about its owner, the result is a personal data set. The same may apply to a bank card number, an insurance certificate (SNILS) number, a medical insurance policy number and so on.



If the subscriber number is registered to a legal entity, then by itself it is not personal data, since it does not allow identification of the specific employee of that legal entity who uses the number.



More complex cases



A personal data set does not always rest on one element that makes the whole set PD at once. If the set contains a passport number, it is PD whatever else is in it. But sometimes no element of the set is PD in isolation, yet together they pinpoint a person.



For example, a medical diagnosis is, as a rule, not personal data in isolation from F. I. O. (the result of a DNA analysis, by the way, is genomic personal data). Race by itself is not personal data. Place of work by itself is not personal data.



However, it may turn out that the set "place of work + race + diagnosis" is personal data. For example, when only one one-armed Chinese worker is employed at a given gas station.



Most interesting of all: if two one-armed Chinese workers were initially employed at the gas station and then one quit, the data set was, logically, not personal and then became personal. Likewise, when you were the only one in the set "F. I. O. + gender + date of birth" and then persuaded your friends to change their names, in theory the set stopped being PD. In practice, this is not how it works.
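The two rules above (a direct identifier such as a passport number makes any set PD; without one, a set is PD when some combination of otherwise harmless attributes singles out a person) can be checked mechanically against a concrete table, which is how a practitioner would test whether an export or an analytics dataset is really "anonymous". The following is an added example, not code from the original post or from Technoserv; the employee records are constructed for the gas-station scenario and the list of direct identifiers is an assumption for illustration. It goes a step beyond the text by reporting the minimal attribute combinations under which someone becomes unique (k-anonymity with k = 1), and by showing how the same table flips from "not PD" to "PD" when one employee leaves.

```python
from collections import Counter
from itertools import combinations

# Assumed list of attributes the text treats as identifying on their own ("bare" PD).
DIRECT_IDENTIFIERS = {"passport_number", "full_name", "phone_number", "snils"}

# Constructed sample: eight employees of two hypothetical gas stations, with
# direct identifiers already stripped. Not real data.
EMPLOYEES = [
    {"workplace": "GS-7",  "race": "Chinese", "diagnosis": "arm amputation"},
    {"workplace": "GS-7",  "race": "Chinese", "diagnosis": "arm amputation"},
    {"workplace": "GS-7",  "race": "Chinese", "diagnosis": "hypertension"},
    {"workplace": "GS-7",  "race": "Chinese", "diagnosis": "hypertension"},
    {"workplace": "GS-7",  "race": "Russian", "diagnosis": "arm amputation"},
    {"workplace": "GS-7",  "race": "Russian", "diagnosis": "arm amputation"},
    {"workplace": "GS-12", "race": "Chinese", "diagnosis": "arm amputation"},
    {"workplace": "GS-12", "race": "Chinese", "diagnosis": "arm amputation"},
]


def equivalence_classes(records, attributes):
    """Count how many records share each combination of values for `attributes`."""
    return Counter(tuple(r.get(a) for a in attributes) for r in records)


def k_anonymity(records, attributes):
    """Smallest group size over the projection; k == 1 means at least one person is unique."""
    classes = equivalence_classes(records, attributes)
    return min(classes.values()) if classes else 0


def identifying_combinations(records, attributes):
    """Return the minimal attribute combinations under which at least one record is unique.

    A combination is reported only if none of its proper subsets already identifies
    someone, so the output shows where identifiability first appears.
    """
    found = []
    for size in range(1, len(attributes) + 1):
        for combo in combinations(attributes, size):
            if any(set(f) <= set(combo) for f in found):
                continue  # a smaller subset already identifies; skip its supersets
            if k_anonymity(records, combo) == 1:
                found.append(combo)
    return found


def classify(records):
    """Apply the two rules from the text to a set of records.

    Rule one: if any column is a direct identifier, the set is PD regardless of the rest.
    Otherwise the set is PD only if some combination of the remaining attributes
    singles out at least one person.
    """
    columns = set().union(*(r.keys() for r in records)) if records else set()
    direct = sorted(columns & DIRECT_IDENTIFIERS)
    if direct:
        return {"personal_data": True, "reason": "direct identifier present", "columns": direct}
    combos = identifying_combinations(records, sorted(columns))
    return {
        "personal_data": bool(combos),
        "reason": "unique combination" if combos else "no record is unique",
        "columns": [list(c) for c in combos],
    }


if __name__ == "__main__":
    print(classify(EMPLOYEES))        # every group has at least 2 members: not PD under rule two
    one_quit = EMPLOYEES[1:]          # one of the two one-armed Chinese employees at GS-7 leaves
    print(classify(one_quit))         # now only the triple (diagnosis, race, workplace) is unique
    with_passport = [dict(r, passport_number="0000 000000") for r in EMPLOYEES]
    print(classify(with_passport))    # rule one: a passport column makes the set PD outright
```

Note that with all eight records no single attribute and no pair identifies anyone, and neither does the triple; removing one record changes nothing about the individual columns but makes the triple unique. That is exactly the "it was not PD and then became PD" situation the text describes, and it is why a uniqueness check has to be rerun whenever the population behind a dataset changes, not just when new columns are added.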



To understand whether your data set is personal, you need to consider the following:





Naturally, in everyday practice most data sets have long since been described, and it is clear how to work with them. Nevertheless, there are some interesting points concerning biometrics, photographs and special categories of PD.



Interesting points



A copy of a passport is PD, because the numbers, which are PD in themselves, can be extracted from the image.



A photograph from a passport, a photograph taken on the street or a video image is a debatable question. It is debatable because it is not always possible to say unambiguously whether a particular photo allows a person to be identified (where exactly does the quality threshold lie?). If it is 3000 pixels on the narrow side and a passport-style shot, this is obviously PD. But what if the same picture is stored at 32x32 px? And what if it is not a passport photo but a photo of a crowd on the street?



There is no clear definition yet; the matter is decided by expert assessment. For example, when you pass through passport control, an FSB (border guard) officer looks at your face, looks at the photo in your passport or visa, and decides whether the two are similar. If, from his point of view, they are similar enough, the expert decision is positive. Identification from a photo works much the same way: the court will engage an expert, and the expert will decide whether identification is possible or not.



Even more entertaining: a citizen can stop the processing of his personal data, so in theory you could hunt down every photo of yourself in a crowd and insist that this is storage and processing without your consent. The exceptions are when:



  1. the image is used in the state, public or other public interest;
  2. the image was obtained by shooting in places open to the public or at public events (meetings, congresses, conferences, concerts, shows, sports competitions and similar events);
  3. the citizen posed for a fee.


The image of a person is PD. Usually this means a photograph rather than a portrait. Nevertheless, a person can be identified from this portrait, so it is unclear how it should be stored and processed.



Another controversial case is e-mail. It is unambiguous that info@domain.ru on its own (without F. I. O., for example) is not PD, because anyone could be behind it, including a robot. But what about ivanpetrov1990@mail.ru? Or billgates@microsoft.com? Most likely not PD either; more data is needed to form a set. In addition, by analogy with the phone number, much depends on who the mailbox is registered to: a legal entity or a citizen.



Biometric data, such as the individual shape of the skull and ears, are unambiguously personal data, as is a fingerprint. This imposes serious restrictions on face recognition systems: consent must be obtained even to store a hash derived from biometric measurements.



What is regulated



Federal legislation:





The main documents of regulators:





In its explanations, Roskomnadzor devoted considerable attention to the subtleties of qualifying images as personal data: "On the issues of assigning photo and video images, fingerprint data and other information to biometric personal data and the features of their processing" (see 25.rsoc.ru).



Of course, the list is far from complete; only the main documents are given above. There are also information bulletins and documents on modeling information security threats from the FSTEC of Russia, guidelines and documents on assumptions about attacker capabilities from the FSB of Russia, documents of the Ministry of Communications and so on.



What does it mean?



When you build your IT infrastructure, you need to understand whether your data is personal or not. There are no longer personal data classes; instead there is a table from here (the linked post says more about certification). If your data does turn out to be personal, you need to establish which data types you have, which threats apply to them and how many records you will hold. From the table, the required level of protection is then derived, and for that level the protective measures are implemented in accordance with the requirements of the legislation.



Following the spirit of the law and enforcement practice, in almost all situations it is possible to determine whether we are dealing with PD or not. The extremely rare remaining cases are usually handled individually by lawyers, who carry out the assessment and send requests to the regulatory authorities.



This material was prepared by Ilya Grigoriev, head of the legal consulting department, for the Technoserv Cloud blog.

Source: https://habr.com/ru/post/348046/


