Onfim, a boy from 13th-century Novgorod, turned birch bark into a carrier of personal data by putting a drawing of a person and his name on it.
Imagine that you have found three friends who were born on the same day as you. You share the same date of birth and the same gender, and names can be changed within the law with some effort. The result is four identical people. Is the set “full name (F. I. O.) + date of birth + gender” personal data?
The answer, oddly enough, is yes.
In this case, personal data means a set of information that in one way or another allows an individual, the subject of personal data, to be identified. That is, it clearly points to a particular person.
Previously, the legislative definition referred to specific examples that, individually or in combination with other information, constituted personal data. The current version of Art. 3 of Federal Law No. 152-FZ contains no examples of personal data: the legislator emphasized the “spirit of the law”, expressly stipulating that such data include “any information relating to a directly or indirectly identified or identifiable individual”, and left the resolution of this question to judicial practice.
So let us look at examples of what is PD and what is not.
Simple cases
To begin with, there is a category of "raw" data that uniquely identifies a particular person. For example, a passport number, or the set of full name, gender and date of birth.
Personal data, for example:
- Passport number
- Full name + gender + date of birth
- Fingerprint
At the same time, there is a second category of “raw” data, which on its own can hardly help you identify the subject of personal data. For example:
- Favorite dish
- Place of work
- Personal qualities (Nordic character, selfless)
- Number of children
That is, such information cannot be called personal data under current legislation.
Rule number one: if you combine in one database information that forms personal data by itself with information that does not, you get a personal data database. For example:
- Passport number + place of work = personal data
- Medical diagnosis + favorite dish + photo = personal data
- Full name + gender + date of birth + place of work + fingerprint = personal data.
A clarification about "bare" PD
Some personal data do not let a random person establish your identity, but do let, for example, law enforcement agencies establish it. Thus, an individual's mobile phone number is tied to their full name and passport number, that is, it is “pure” personal data. Using it on its own, or combining the phone number with any other information about its owner, means you end up with personal data sets. The same may apply to a credit card number, insurance certificate number, medical insurance policy number and so on.
If the subscriber number is registered to a legal entity, it is not personal data in itself, since it does not identify the specific employee of the legal entity who uses the number.
More complex cases
The core of a personal data set is not always an item that makes the whole set PD at once. For example, if the set contains a passport number, it is definitely PD, whatever else is in it. But sometimes no part of the set is PD in isolation, yet all together they pinpoint a person.
For example, a medical diagnosis, as a rule, is not personal data when separated from the full name (though the result of a DNA analysis is personal genomic data, by the way). Race by itself is not personal data. The workplace by itself is not personal data.
However, the set "place of work + race + diagnosis" may turn out to be personal data. For example, when only one one-armed Chinese man works at a gas station.
Most interestingly, if two one-armed Chinese men initially worked at the gas station and then one quit, the data set, logically, was not personal at first and then became personal. Likewise, when you were the only person matching the set “full name + gender + date of birth” and then persuaded friends to change their names, in theory the set ceased to be PD. In practice, this is not the case.
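The two tests described above (rule number one, and a combination of values that matches exactly one record) can be run over a database as a first screening before the legal assessment. This is an added example, not part of the original article; the column names, the list of direct identifiers and the sample records are assumptions constructed for illustration.

```python
from collections import Counter

# Fields the article treats as personal data on their own.
# The column names are assumptions of this example.
DIRECT_IDENTIFIERS = {"passport_number", "fingerprint", "personal_phone"}

def classify(records, fields):
    """Classify the chosen columns of a dataset.

    Returns (verdict, singled_out):
      "direct"      - a column is PD by itself, so the whole set is PD
      "combination" - some combination of values matches exactly one record
      "review"      - nobody is singled out right now; as the article notes,
                      that alone does not take the set out of the law
    """
    if DIRECT_IDENTIFIERS & set(fields):
        return "direct", list(records)
    key = lambda r: tuple(r[f] for f in fields)
    sizes = Counter(key(r) for r in records)
    singled_out = [r for r in records if sizes[key(r)] == 1]
    return ("combination" if singled_out else "review"), singled_out

# Constructed sample: staff of one gas station, no direct identifiers stored.
QUASI = ["workplace", "race", "diagnosis"]
STAFF_BEFORE = [
    {"workplace": "gas-station-1", "race": "X", "diagnosis": "missing arm"},
    {"workplace": "gas-station-1", "race": "X", "diagnosis": "missing arm"},
    {"workplace": "gas-station-1", "race": "Y", "diagnosis": "none"},
    {"workplace": "gas-station-1", "race": "Y", "diagnosis": "none"},
]
STAFF_AFTER = STAFF_BEFORE[1:]  # one of the two matching employees quit

if __name__ == "__main__":
    print(classify(STAFF_BEFORE, QUASI)[0])
    print(classify(STAFF_AFTER, QUASI)[0])
    print(classify(STAFF_AFTER, QUASI + ["passport_number"])[0])
```

The verdict changes from "review" to "combination" without a single stored value being edited, which is why the check has to be repeated whenever records are added or removed.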
To understand whether your dataset is personal, you need to consider the following:
- Look at court practice: if there has been a decision that such a set is PD, then your set is, with very high probability, PD.
- An expert examination that determines whether the set is PD or not. You can ask Roskomnadzor for clarification. However, with some probability you will get the answer: "If you can identify a person unequivocally, this is PD."
- And finally, the last word is a court decision, but as a rule it is better not to let things get that far and to think through beforehand whether a person can be identified or not.
Naturally, in normal practice most sets have long been described, and it is clear how to work with them. Nevertheless, there are some interesting points around biometrics, photos and special categories of PD.
Interesting points
A copy of a passport is PD, because the numbers, which are definitely PD themselves, can be extracted from the image.
A passport photograph, a photograph taken on the street, a video image: these are debatable. They are debatable because it is not always possible to tell unambiguously whether a particular photo allows a person to be identified (where does the quality threshold lie?). If it is 3000 pixels on the narrow side and shot passport-style, it is obviously PD. But what if the same picture is stored at 32x32 px? And what if it is not a passport photo but a photo in a crowd on the street?
There is no clear definition yet. It comes down to expert evaluation: for example, when you go through passport control, an FSB (border guard) officer looks at your face, looks at the photo in the passport or visa, and decides whether they match. If from his point of view they are similar enough, the expert decision is positive. Identification by photo works roughly the same way: the court will bring in an expert, and the expert will decide whether identification is possible or not.
What is even more fun, a citizen can demand that the processing of their personal data stop; that is, in theory, you can track down all photos of yourself in a crowd and insist that this is storage and processing without your consent. The exceptions are when:
- the image is used in state, social or other public interests;
- the image was obtained during shooting in places that are open to the public, or at public events (meetings, congresses, conferences, concerts, shows, sports competitions and similar events);
- the citizen posed for a fee.
The image of a person is PD. Usually this means a photo rather than a portrait. Nevertheless, a person can be identified from a portrait, so it is not clear how to store and process it.
Another controversial case is e-mail. It is clear that info@domain.ru in isolation (without a full name, for example) is not PD, because anyone could be behind it, including a robot. But what about ivanpetrov1990@mail.ru? Or billgates@microsoft.com? Most likely not PD; more data is needed in the set. In addition, by analogy with the phone number, everything depends on whom the mailbox is registered to: a legal entity or a citizen.
Biometric data, such as the individual shape of the skull and ears, are unambiguously personal data, as is a fingerprint. This imposes serious restrictions on face recognition systems: consent must be obtained even to store a hash of biometric measurements.
What regulates it
Federal legislation:
- “On Approval of the List of Confidential Information”, Presidential Decree No. 188 of March 6, 1997, establishes that personal data also includes information about the facts, events and circumstances of a citizen’s private life that allows the citizen to be identified.
- No. 149-FZ “On Information, Information Technologies and Protection of Information” is the basic law that establishes general provisions.
- “On Personal Data” No. 152-FZ dated July 27, 2006 sets the framework for what PD is and how to process it (by the way, storage and transfer are forms of processing).
Especially interesting quotes:
"It is not allowed to merge databases containing personal data that are processed for purposes that are incompatible with each other."
“Only personal data is processed that meets the purposes of processing it.”
“The content and volume of processed personal data must comply with the stated processing objectives. The processed personal data should not be redundant in relation to the stated purposes of their processing.”
- Decree of the Government of the Russian Federation “On approval of requirements for the protection of personal data when processing them in personal data information systems” of 11.11.2012 No. 1119 - the document describes the rules for determining the levels of personal data protection and the main requirements for the protection of personal data.
- The RF Government Decree “On Approving the Requirements for Material Media of Biometric Personal Data and Technologies for Storing Such Data Outside Personal Data Information Systems” dated July 06, 2008 No. 512 contains requirements that apply when using material media on which biometric PD is recorded, and when storing biometric PD outside personal data information systems. The document is old, but you need to take its requirements into account.
- Government Resolution of the Russian Federation “On Approval of the Regulation on Peculiarities of Processing Personal Data Performed Without Using Automation Tools” No. 687 dated September 15, 2008 - everything is clear from the name: requirements for processing and protecting PDs that are processed in paper form.
The main documents of regulators:
- The Order of the FSTEC of Russia dated February 18, 2013 No. 21 “On Approval of the Composition and Content of Organizational and Technical Measures for Ensuring the Security of Personal Data During Their Processing in Personal Data Information Systems” is a large set of organizational and technical requirements for protecting information, as well as rules for creating personal data protection systems. In short, see the post about how we passed the certification and how we help to certify.
- Order of the Federal Security Service of Russia dated July 10, 2014 No. 378 “On Approving the Composition and Content of Organizational and Technical Measures for Ensuring the Security of Personal Data when Processing Them in Personal Data Information Systems Using the Means of Cryptographic Information Protection Required to Fulfill Personal Data Security Requirements for Each of the Levels of Security” is a very useful document that contains not only the requirements for the protection of personal data but also lets you determine the class of cryptographic tools required.
- “On approval of requirements and methods for depersonalization of personal data”, Order of Roskomnadzor of 05.09.2013 No. 996 (registered in the Ministry of Justice of Russia of 10.09.2013 No. 29935), and the “Guidelines for the application of the order of Roskomnadzor of September 5, 2013 No. 996 ‘On Approval of requirements and methods for the depersonalization of personal data’” (approved by Roskomnadzor 12/13/2013): what makes PD cease to be PD when it is depersonalized, for example for the purposes of Data Mining.
In its explanations “On the issues of assigning photo and video images, fingerprint data and other information to biometric personal data and features of their processing”, Roskomnadzor devoted considerable attention to the subtleties of qualifying images as personal data (see 25.rsoc.ru).
Of course, the list is far from complete; the above are only the main documents. There are also informational messages and documents on modeling information security threats from the FSTEC of Russia, guidelines and documents on making assumptions about the capabilities of violators from the FSB of Russia, documents of the Ministry of Communications and so on.
What does it mean?
When you build your IT infrastructure, you need to understand whether your data is personal or not. There are no personal data classes anymore; instead there is a table (the linked post has more about certification). If your data is personal, you need to understand which data types you have, which threats are possible for them and how many records you will have. The required level of security is then determined from the table, and for that level protection measures are implemented in accordance with the requirements of the legislation.
Following the spirit of the law and law enforcement practice, in almost all situations it is possible to determine whether we are dealing with PD or not. The extremely rare exceptions are usually considered separately by lawyers, who carry out the assessment and send requests to the regulatory authorities.
This material is by Ilya Grigoriev, head of the legal consulting department, and this is the Technoserv Cloud blog.