White Paper on the Federal Law №152 - a book that can be referenced in the processing of personal data

Introduction

This document is a guideline describing the actions of organizations that should be taken by responsible persons in order to comply with the laws governing relations related to the processing of personal data.

In preparing the facts and logical conclusions were used , made on the basis of the current regulatory legal acts of the Russian Federation, forming the "boundaries" of the legal field in which it is necessary to carry out any operations with information about the facts, events and circumstances of a citizen’s private life, allowing directly or indirectly identify his identity.
')
Each of us is at the same time the subject of personal data and the operator, independently or together with other persons engaged in the processing of personal data. For this reason, although this white paper document has a business orientation, it will also be useful and relevant to government bodies, local governments, municipal bodies and individuals.

Federal Law No. 152- “On Personal Data”, which regulates the processing (use) of personal data (hereinafter PD), does not apply to relationships arising from the processing of personal data by individuals solely for personal and family needs, if this is not violated rights of subjects of personal data.

However, knowledge of this law can help everyone to avoid such a violation of the rights of others and to ensure the protection of their rights and freedoms of a person and citizen in the processing of PD, including the protection of the rights to privacy, personal and family secrets.

It is the protection of the rights of PD subjects - the main purpose of the law 152- and the function of the authorized body, which is the federal executive body that performs the functions of control and supervision in the field of communications and mass communications (Roskomnadzor).

Perhaps, if earlier you were not well acquainted with the laws governing relations related to the processing of personal data, then after reading the first few paragraphs, you already have questions.

One of the main goals of this book is to eliminate confusion and provide an understanding of the legislation in the field of personal data, clearly describe the process of bringing the personal data information system in compliance with the requirements of the law.

I hope that this book will bring you closer to achieving these goals and help minimize the risks of possible fines from the regulatory authorities and avoid other negative consequences associated with the violation of the rights of personal data subjects.

This book will be interesting both to readers who begin to study this issue "from scratch" and have basic knowledge.

It is especially relevant for:

• management of organizations - for all decision makers;
• managers and employees of IT services - for everyone who builds and supports the work of the IT infrastructure;
• HR specialists - for those who cannot but work with personal data of employees;
• newcomers to the profession and those who are just preparing to devote themselves to a career in information security.

Chapter 1. Brief Background

Back in 1981, the Council of Europe published a convention on the protection of individuals when dealing with personal data. The purpose of the Convention is to “ensure in the territory of each country every individual, regardless of his nationality and place of residence, to respect his rights and fundamental freedoms, and especially his right to privacy, in the aspect of automated processing of personal data (Article 1).

According to part 1 of article 3 “The Parties undertake to apply this Convention in relation to automated card files and for automated processing of personal data in the public and private sectors”.

It is worth noting that the opinion of the Council of Europe on personal data was not and is not the only one in the world. For example, China and the United States can be seen a slightly different approach.

For the USSR, at that time, the issue of processing using automation tools was not relevant due to the weak penetration of computer technologies into the economy. Later, for reasons of economic problems, the sphere of protection of confidential information in Russia had a significant lag in the development of the legislative framework and public awareness.

As a necessary step for accession to the WTO, Russia signed the Convention in November 2001. Thus, it was not until 20 years after the publication of the Convention in Russia that the movement towards creating a legal framework for the processing of personal data began. The convention was adopted formally, but in fact it did not operate due to the lack of Russian regulatory acts.

Again, the legislators returned to this issue in 2005, when the Federal Law of December 19, 2005 No. 160- “On ratification of the Council of Europe's Convention on the Protection of Individuals with Automatic Processing of Personal Data” was adopted.

The year 2006 was a landmark year, when in order to restore order in the field of intellectual property and to protect personal data, including the fulfillment of one of the conditions for Russia's accession to the WTO, two Federal laws were adopted.

• Federal Law of July 27, 2006 No. 152- “On Personal Data”
• Federal Law of July 27, 2006 No. 149- “On Information, Information Technologies and Protection of Information”

Download the book in full.