About publicly available sources of personal data: public personal data and the processing of publicly available data


Every day, individuals provide personal information to various authorities. Personal data operators are responsible for processing information. These are banks, employers, medical organizations, Internet sites and other structures. Operators are required by law to protect personal information. They create sources that contain publicly available personal data (PD).

What is public PD?

Public information includes information about a person that he or she independently provides to the authorities. In order to open free access to information, written permission from the person who is the subject of personal data is required. A subject is an individual whose PD is collected, stored and processed by the operator. An operator is a legal or natural person, a municipal or state authority.

Public PD includes information about the subject by which he can be identified:

  • Date and place of birth;
  • home address;
  • phone number;
  • profession;
  • individual tax number;
  • place of work or study and other information.

Public data may include any information that is not confidential under the law. The subject's personal data can be classified according to the volume and degree of importance of personal information.

Public data also includes personal information that is provided:

  • during employment, concluding a contract or employment contract;
  • during the population census;
  • when formalizing contractual relations during trade operations and other similar situations.

The subject’s personal data, which is disseminated through the media, is not confidential, as it is publicly available in accordance with the “List of Confidential Information”.

The written consent of the subject to receive, transfer, process and other actions with PD is not always required. In some cases, for example, when participating in a survey or subscribing to a newsletter, it is enough to check the box that allows the use of PD.

General data can be placed in sources that are publicly available. This means that the sources are viewed and used by a huge number of stakeholders. An example of such a source is telephone directories.

Processing of publicly available data

The processing of publicly available data is carried out by departments and divisions whose responsibilities include the collection, systematization, storage, modification, use and destruction of personal data. Individuals have the right to request information about the data operator and find out what purpose the operator pursues during the processing of personal data.

Monitoring compliance with laws during processing is entrusted to Roskomnadzor. The FSB and FSTEC have certain auditing and monitoring powers. Operators create personal data protection systems for their own needs, therefore, in this regard, license such activities.

PD is processed by organizations that, in order to carry out their activities, need to collect, accumulate, process and store information about employees, suppliers and clients. In certain cases, such data is included in the public data.

Rights of public data subjects

Subjects of personal data may submit an application requesting to block, destroy, clarify or change publicly available data if the information is no longer relevant, is incomplete or is not required for the purposes of processing. Subjects also have the right to request access to their personal data and find out what tools the operator uses to process them.

Information must be used in accordance with legal requirements and be protected, regardless of whether it is confidential or public. It is the responsibility of operators to ensure complete protection of the subject’s personal data and limit access to data by unauthorized persons.

The operator begins to process personal data only after receiving written permission from the subject for processing. Consent includes information about the individual and operator data: company name, last name, first name and patronymic of the operator, position. The consent also requires indicating the purpose of processing and a list of data describing the operations that will be performed with the information. An individual has the right to withdraw his personal data and cancel his consent to processing.

In case of incapacity or death of the subject, consent to the processing and use of PD is requested from the heirs or legal representatives. In this case, you must be guided by the Federal Law on Personal Data.

In case of violation of legal requirements, the perpetrators bear administrative, criminal and other types of liability. It does not matter whether PD is confidential or publicly available. In accordance with Article 8 of Federal Law No. 152 on personal data, publicly available PD can be posted in publicly available sources only with the consent of the data subject. Personal data must be excluded from sources if required by the subject or authorized bodies: Roskomnadzor, court or other government agencies.

Is it legal to create public databases of personal data?

At the very end of 2015, I took part in a discussion of an interesting article in LiveJournal, which was devoted to the need to create a single publicly accessible database of unscrupulous job applicants.

It must be said that the idea is not new and, for sure, a number of companies have internal databases of applicants. With the help of such databases, personnel officers weed out unsuitable candidates with minimal time costs. If we theoretically assume that all HR in the country could have such a base at their disposal, then how much better it would be for everyone. Well, right? Thank God, no, not like that. As the commentators of this article correctly noted, potential benefits can easily be offset by the negativity that will inevitably arise from the misuse of data from the database, the unreasonable inclusion/exclusion of people in such databases, and issues of reputation, honor and dignity of people included in the databases.

Fortunately, since 2006, the federal law “On Personal Data” has been in force in Russia, which clearly defines the conditions under which such databases can exist:

2. Article 6 of the federal law “On Personal Data” determines that “the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data.”

3. Article 7 of the federal law “On Personal Data” determines that “Operators and other persons who have access to personal data are obliged not to disclose to third parties or distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law.”

4. Article 8 of the federal law “On Personal Data” determines that: “1. For the purpose of information support, publicly available sources of personal data may be created (including directories, address books). With the written consent of the subject of personal data, publicly available sources of personal data may include his last name, first name, patronymic, year and place of birth, address, subscriber number, information about profession and other personal data provided by the subject of personal data. 2. Information about the subject of personal data must be excluded at any time from publicly available sources of personal data at the request of the subject of personal data or by decision of a court or other authorized government bodies.”

5. And finally, Article 13.11 of the Code of the Russian Federation on Administrative Offenses determines that “Violation of the procedure established by law for collecting, storing, using or distributing information about citizens (personal data) - entails a warning or the imposition of an administrative fine on citizens in the amount of three hundred to five hundred rubles; for officials - from five hundred to one thousand rubles; for legal entities - from five thousand to ten thousand rubles.”

In other words and in short:

1. Any data relating to an individual (including just a telephone number) is personal.

2. To process personal data, you must obtain consent, which can be withdrawn at any time.

3. If someone has legal access to personal data, then it is prohibited to disclose it to anyone or share it with anyone without the consent of the personal data subject, unless otherwise provided by current legislation.

4. A written consent form is provided especially for those wishing to create publicly available sources of personal data.

5. Liability is provided for violating the established procedure for collecting and storing personal data.

The conclusion is very simple and clear - the creation of a single publicly accessible database of careless job seekers is possible only with the written consent of these same careless workers, which, naturally, reduces to zero the likelihood of the legal creation of such a database. For those who decide to create such databases and share them with friends, our company recommends that you familiarize yourself with the punishments currently in force.

The subject's personal data is classified according to the amount of personal information about the person and the degree of importance. Any transactions with them are carried out strictly within the framework of legislative acts and are subject to protection. However, there is a category of publicly available personal data that carries only superficial and impersonal information about a person.

From this article you will learn:

  • what is publicly available personal data;
  • list of publicly available personal data;
  • features of working with publicly available personal data.

When creating any database, including a list of all employees of the enterprise, it is necessary to categorize personal data at the initial stage. All personal data of employees is divided into two groups - public and confidential.

Concept and classification of personal data

Personal data (PD) is information of various kinds, from full name, date of birth, marital and social status, to registration numbers of documents issued by government agencies and commercial authorities. The operator of personal data is a state, federal, commercial structure, legal entity or individual who has the rights to carry out various activities using personal data.

In labor relations, the owner/subject of personal data is the employee, and the operator is the employer, personnel and accounting departments involved in registering the employee for work and all issues related to personal affairs and legal relations, payroll, benefits, compensation, etc. The subject's personal data is necessary for the employer to connect them with labor relations/agreements (Articles 85, 86 of the Labor Code of the Russian Federation).

The processing of personal data refers to various operations provided for by the legislation of the Russian Federation. Types of PD processing include collection, systematization, accumulation, storage, updating, use, depersonalization, destruction, which are carried out according to the procedures established by regulations. State, federal, municipal bodies and organizations that have such a right by status can carry out transactions with personal data.

All PD are divided into the following sections:

  • Special personal data;
  • Biometric personal data.

When forming personal data information systems (ISPD), it is recommended to be guided by the Order of the FSTEC, the FSB and the Ministry of Information Technologies and Communications of the Russian Federation No. 55/86/20 dated February 13, 2008 “On approval of the Procedure for classifying personal data information systems.” According to this regulatory act, PD is divided into categories:

  1. Category 1 – special data defining race and nationality, religious and political beliefs, facts of personal life and health status.
  2. Category 2 – data that makes it possible to identify the subject and obtain additional information about him, with the exception of factors related to category 1. This section includes full name, home address, passport details, serial numbers of documents (medical policy, pension certificate, SNILS, TIN), information from work and medical records.
  3. Category 3 – data allowing to identify the subject (first name, last name, date of birth).
  4. Category 4 – anonymized or publicly available personal data from which it is impossible to identify the subject.

Publicly available personal data: list

The list of publicly available personal data includes factors that do not contain information that allows a person to be identified in a database. Anonymized data includes:

  • First name, first name and patronymic;
  • Nickname/login of the subject on the Internet;
  • Email address (without reference to full name);
  • Position, place of work (without information about personal data).

Public data includes information about the subject that can be obtained from open sources of information, for example, telephone directory or address book. Data is entered into such publicly accessible databases with the written consent of the subject.

Public personal data: features

The peculiarity of publicly available personal data is that it can be posted in open sources of information. That is, if the organization’s contact directory contains contact information for officials, for example, those involved in training and hiring personnel, then such data is considered publicly available. When a printed publication contains the names and surnames of members of the editorial board, this information is also publicly available.

A feature of publicly available data that allows them to be correctly classified includes the following factor: the first three categories are, to one degree or another, necessary to include a subject in the ISPD, and the fourth category remains outside the requirements of information systems. If only the name and place of work are known about a person, then such information is publicly available.

When systematizing data, more accurate information will be required, which can only be obtained with the written consent of the subject to the processing of personal data. In this case, the operator assumes the responsibility to protect and comply with legally established rules for the processing and storage of personal data.

“Person” - data that relates to a person, personality, biological organism.

What is it, how to collect it, where to store it, how to protect it?

Is a fingerprint card personal data or not?

It contains no personal information.

personal data - any information relating to an individual identified or determined on the basis of such information (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, other information;

Address is registration at the place of residence or place of stay.

Conditional classification of personal data.

1) according to the degree of openness:

publicly available personal data - personal data that is accessible to an unlimited number of persons with the consent of the personal data subject or that, in accordance with federal laws, is not subject to confidentiality requirements.

Public personal data is data to which voluntary consent is given and is posted in the public domain.

Often, some site owners ask for registration information that they don't want to provide.

Confidential information – information is provided strictly for specific purposes. Sometimes it can be collected without the person's knowledge.

The Ministry of Internal Affairs stores information in information centers

2) by affiliation

- personal - belongs from birth

- official - in the course of work, service - class rank, etc.

3) by method of provision

— voluntarily provided information

- provided in a general manner in accordance with the law (compulsory)

— collected without the consent of the citizen in accordance with the law

4) by the nature of the data

— biometric (fingerprint information)

Basic concepts used when working with personal data.

— processing of personal data — actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data;

— distribution of personal data — actions aimed at transferring personal data to a certain circle of persons (transfer of personal data) or at making personal data available to an unlimited number of persons, including the publication of personal data in the media, posting in information and telecommunication networks or providing access to personal data in any other way;

— use of personal data — actions (operations) with personal data performed by the operator for the purpose of making decisions or performing other actions that give rise to legal consequences in relation to the subject of personal data or other persons or otherwise affect the rights and freedoms of the subject of personal data or other persons;

— blocking of personal data — temporary cessation of the collection, systematization, accumulation, use, dissemination of personal data, including their transfer;

Information posted on the Internet often cannot be blocked.

Most personal data:

- stored on a computer

- posted on the Internet

It’s difficult to control placement

— destruction of personal data — actions as a result of which it is impossible to restore the content of personal data in the personal data information system or as a result of which material media of personal data are destroyed; — situations when archives were on fire

depersonalization of personal data

— depersonalization of personal data — actions as a result of which it is impossible to determine the ownership of personal data to a specific subject of personal data;

— personal data information system — an information system, which is a collection of personal data contained in a database, as well as information technologies and technical means that allow the processing of such personal data using automation tools or without the use of such tools;

— confidentiality of personal data — a requirement for the operator or other person who has gained access to personal data to comply with the requirement not to allow their distribution without the consent of the subject of personal data or the presence of another legal basis;

— cross-border transfer of personal data — transfer of personal data by the operator across the State border of the Russian Federation to an authority of a foreign state, an individual or legal entity of a foreign state;

— publicly available personal data — personal data to which access by an unlimited number of persons is provided with the consent of the subject of personal data or that, in accordance with federal laws, is not subject to confidentiality requirements.

Processing of personal data.

1) the legality of the purposes and methods of processing personal data and integrity;

2) compliance of the purposes of processing personal data with the goals predetermined and stated when collecting personal data, as well as with the powers of the operator;

3) compliance with the volume and nature of the personal data processed, methods of processing personal data for the purposes of processing personal data;

4) the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is excessive in relation to the purposes stated when collecting personal data;

5) the inadmissibility of combining databases of personal data information systems created for incompatible purposes.

If at some time someone filled out a fingerprint card, then it is in the information center in their databases. We cannot, for example, combine databases of ordinary citizens and those who have committed a crime.

1) with the consent of the owner of personal data

2) without the consent of the owner of the personal data.

This applies to persons occupying a certain position and position: military personnel, corpses

Confidentiality of personal data:

When not required:

1) in case of depersonalization of personal data;

2) in relation to publicly available personal data.

- the operator who collects and processes personal data.

— limit access within your own organization

The operator is personally responsible for the dissemination of personal data

— establishing access restrictions both indoors and online (pass system, card identification system)

For local networks – system login + password

You can restrict access using biometric information: fingerprint, retina.

- about race

- about political views

- about religious or philosophical beliefs

- about the state of health

- about intimate life

Their processing is possible only with the consent of the subjects.

1) the presence of written consent of the subject for their processing

2) if the subject of personal data has made them publicly available

3) if this information refers to information necessary to protect the life, health and other vital interests of a person

Such information may be provided for medical and preventive purposes - for example, a viral infection.

Features of the processing of personal data in state or municipal information systems for processing personal data.

- applies only to civil servants and municipal employees.

A government agency has its own status; there are independent systems for processing information about state or municipal employees.

1) it is established what information is needed within its competence

2) there is also the Federal Law “On the State Civil Service”, that is, it is regulated not only by the legislation on personal data.

Information that characterizes the physiological characteristics of a person and on the basis of which his identity can be established (biometric personal data) can only be processed with written consent of the subject of personal data, except for the following cases:

1) committing a crime

Processing of biometric personal data can be carried out without the consent of the subject of personal data in connection with the administration of justice, as well as in cases provided for by the legislation of the Russian Federation on security, the legislation of the Russian Federation on operational investigative activities, the legislation of the Russian Federation on civil service, the criminal executive legislation of the Russian Federation, the legislation of the Russian Federation on the procedure for leaving the Russian Federation and entering the Russian Federation.

- collecting information from a suspect is illegal

Processing of cross-border information.

It can be demanded, in order to protect the citizens of the country to which it is transferred, that it is collected only with the written consent of the subject.

Rights of the subject of personal data.

1) The right of the subject of personal data to access his personal data

You cannot call the information center of the Ministry of Internal Affairs (main information center and zonal information center)

2) The rights of personal data subjects to the processing of their personal data in order to promote goods, works, services on the market, as well as for the purposes of political propaganda

The accuracy of the information will be verified by others.

3) making decisions based solely on automated processing of personal data. A person may not trust automated processing. You can require that fingerprints be stored not only in the computer, but also on paper.

— Labor Code of the Russian Federation - there is a chapter devoted to personal data.

FEDERAL LAW ON STATE FINGERPRINT REGISTRATION IN THE RUSSIAN FEDERATION dated July 25, 1998 N 128-FZ

Public personal data is

Personal information - any information relating to an individual who is identified or determined on the basis of such information, including:

His last name, first name, patronymic,

Year, month, date and place of birth,

Address, family, social, property status, education, profession, income,

other information (see Federal Law-152, Article 3).

For example: passport data, financial statements, medical records, year of birth (for women), biometrics, other personal identification information.

With the written consent of an individual, public sources of personal data (address books, lists and other information support) may include his last name, first name, patronymic, year and place of birth, address, subscriber number and other personal data (see Federal Law-152, Article 8).

Personal data is classified as restricted information and must be protected in accordance with the legislation of the Russian Federation. When developing system security requirements, personal data is divided into 4 categories.

What is the operator and subject of personal data?

Personal data operator - this is, as a rule, an organization, or more precisely, a state or municipal body, a legal entity or an individual that organizes and (or) carries out the processing of personal data, as well as determining the purposes and content of the processing of personal data.

Subject of personal data - an individual.

The operator is responsible for the protection of the subject’s personal data in accordance with the current legislation of the Russian Federation.

How to classify a personal data information system?

To assign a typical personal data information system (PDIS) to a particular class, the following is required:

II. Define the volume of personal data processed in the information system:

volume 3 — the information system simultaneously processes the personal data of fewer than 1000 subjects, or personal data of subjects within a specific organization;

volume 2 — the information system simultaneously processes the personal data of 1000 to 100,000 subjects, or personal data of subjects working in an economic sector of the Russian Federation, in a government body, or living within a municipality;

volume 1 — the information system simultaneously processes the personal data of more than 100,000 subjects, or personal data of subjects within a subject of the Russian Federation or the Russian Federation as a whole;

III. Based on the results of the analysis of the initial data, a typical ISPD is assigned one of the following classes (see table):

Class 4 (K4) - information systems for which violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data;

Class 3 (K3) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to minor negative consequences for the subjects of personal data;

Class 2 (K2) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to negative consequences for the subjects of personal data;

Class 1 (K1) - information systems for which a violation of the specified security characteristics of personal data processed in them can lead to significant negative consequences for the subjects of personal data.

Judgment Day delayed until January 1, 2011

Personal data information systems created before the entry into force of Federal Law of the Russian Federation No. 152 “On Personal Data” must be brought into compliance with the requirements of this Federal Law no later than January 1, 2010 (see Federal Law No. 152, Article 25).

This means that personal data operators who fail to comply with the very stringent requirements of Federal Law No. 152 will, from January 1, 2010, face appropriate civil, administrative, disciplinary, and perhaps (God forbid) criminal liability.

All information systems that have already been put into operation after February-April 2008 (from the moment of distribution of methodological documents by the FSTEC of Russia and the FSB of Russia), but do not comply with the requirements of Russian legislation in the field of personal data, may incur the specified liability earlier, for example, tomorrow morning.

Note. Changes to the Criminal Code of the Russian Federation, significantly tightening liability for violations affecting privacy, will also come into force on January 1, 2010.

But as always happens, personal data operators did not move much, and few managed to do everything that was required. On December 16, 2009, the State Duma adopted in the third reading amendments to Articles 19 and 25 of the Law “On Personal Data” (152-FZ). The deadline for bringing personal data information systems (PDIS) into compliance with this law was postponed by a year - until January 1, 2011. In addition, the provision obliging the operator to use encryption (cryptographic) means to protect data when processing personal data was excluded from the law.

Mandatory requirements for the protection of personal data information systems

Basic mandatory requirements for organizing an information security system depending on the class of a typical ISPD:

For class 4 ISPD:

The list of measures to protect personal data is determined by the operator (depending on the possible damage)

For class 3 ISPD:

Declaration of conformity or

Obtaining a license from FSTEC of Russia for activities related to technical protection of confidential information (for distributed ISPDn K3 systems)

For class 2 ISPD:

Mandatory certification for information security requirements

Obtaining a license from FSTEC of Russia for activities related to technical protection of confidential information for distributed systems

For class 1 ISPD:

Mandatory certification for information security requirements

Measures must be implemented to protect personal data from PEMIN

Obtaining a license from FSTEC of Russia for activities related to technical protection of confidential information

Procedure for protecting the personal data information system

Sequence of actions when fulfilling legal requirements for the processing of personal data:

1) Notification to the authorized body for the protection of the rights of personal data subjects about your intention to process personal data using automation tools;

2) Pre-project survey of the information system - collection of initial data;

3) Classification of the personal data processing system;

4) Construction of a private threat model in order to determine their relevance to the information system;

5) Development of a private technical specification for a personal data protection system;

6) Design of a personal data protection system;

Responsibility for violations of personal data processing

Persons guilty of violating the requirements of Federal Law 152-FZ “On Personal Data” bear:

- criminal (see Criminal Code of the Russian Federation, Art. 137, 140, 155, 183, 272, 273, 274, 292, 293),

- administrative (see Code of the Russian Federation on Administrative Offenses, Articles 5.27, 5.39, 11.13-13.14, 13.19, 19.4-19.7, 19.20, 20.25, 32.2),

- disciplinary (see Labor Code of the Russian Federation, Art. 81; Art. 90; Art. 195; Art. 237; Art. 391)

and other responsibility provided for by the legislation of the Russian Federation (see by-laws on working with personal data, which are published in the constituent entities of the Russian Federation, departments and organizations).

FSTEC - Federal Service for Technical and Export Control.

PEMIN - spurious (side) electromagnetic emissions and interference.

Protection of personal information

In December 2014, the State Duma adopted in the third reading a bill on storing personal data of citizens processed on the Internet on servers in Russia. According to Roman Chuichenko, a member of the information policy committee, the main goal of the bill is to strengthen the information security of the country and its citizens. This measure was taken due to the complication of the international situation. This bill will come into force on September 1, 2015.

The entry into force of the new regulation on the protection of personal data requires that personal data operators provide:

  • timely detection of unauthorized access to personal data;
  • prevention of interference with the technical means that carry out automated processing of personal data;
  • the ability to promptly respond to the fact of unauthorized access and immediately restore personal data in cases of their destruction or modification;
  • constant monitoring of the level of security of personal data.

Categories of personal data

ISPD (personal data information systems) can also be divided into categories according to the parameter “volume of personal data processed”, which reflects the number of subjects whose data is processed in the information system and can take the following values:

  • simultaneous processing of more than 100 thousand subjects of personal data (performed both within the subject of the Russian Federation and in the Russian Federation as a whole);
  • simultaneous processing of personal data from 1 to 100 thousand subjects (performed in a government agency working in the field of the Russian economy);
  • simultaneous processing of personal data of less than 1 thousand subjects (performed within a specific organization).

Division into categories makes it possible not only to determine the class of ISPD, but also to establish a set of measures to ensure the security and protection of personal data on the Internet when it is processed in information systems.

Employee personal data

Every employee has the right to protect their personal data (clause 9 of Article 86 of the Labor Code of the Russian Federation).

In accordance with Art. 89 of the Labor Code of the Russian Federation, each employee can exercise his right to the protection of personal data through the following actions:

  • free access to your personal data, including obtaining a copy of any record containing the employee’s personal data;
  • determining a personal representative to protect your personal data;
  • obtaining complete information about personal data and their processing;
  • issuing demands for the exclusion or correction of personal data containing incorrect information or if it was processed in violation of legal requirements;
  • appealing in court against the employer’s unlawful actions, as well as his inaction in processing and protecting personal data.

Composition of the employee’s personal data

Based on clause 2 of Article 86 of the Labor Code of the Russian Federation, the volume and content of the employee’s personal data are determined by the employer in accordance with the Constitution of the Russian Federation, the Labor Code and other federal laws. As a rule, the activities of any organization require the employer to use two main types of documents in document flow:

  1. Documents that are provided by the employee when concluding an employment contract (Article 65 of the Labor Code of the Russian Federation). This category includes documents containing a photograph of the employee, full name, information about the place and date of birth, citizenship, marital status, place of registration, education, specialty (passport, insurance certificate of state pension insurance, military ID, etc.).
  2. Documents that are generated by the employer independently (primary accounting documentation for recording labor and its payment). This category includes orders or instructions on hiring an employee, terminating an employment contract, rewarding an employee, a personal card, and documents on remuneration.

Protection of personal data, liability for violation of laws

Let us note that some sanctions for certain offenses apply to individuals, officials and legal entities alike.

In accordance with Article 150 of the Civil Code of the Russian Federation, the inviolability of private life, personal and family secrets is among the inalienable intangible rights that are protected by current laws.

Let us note that the rights and obligations of an employee that are directly related to the personal data of other employees are determined by the terms of the employment contract and the composition of local regulations establishing the employee’s labor functions and the list of his job responsibilities.

Administrative responsibility

Violation of the procedure for collecting, storing and distributing personal data entails a warning or a fine in the amount of: from 300 to 500 rubles - for individuals; from 500 to 1000 rubles - for officials; from 5 to 10 thousand rubles - for legal entities (Article 13.11 of the Code of Administrative Offenses of the Russian Federation). The dissemination of information protected by law in the performance of official and professional duties entails a fine in the amount of: from 500 to 1000 rubles - for individuals; from 4 to 5 thousand rubles - for officials (Article 13.14 of the Code of Administrative Offenses of the Russian Federation).

Violation of privacy, in particular personal data, by a person using his official position is punishable by:

  • a fine in the amount of 100 to 300 thousand rubles, or in the amount of the wages or other income of the offender for 1-2 years;
  • deprivation of the right to hold certain positions for a period of 2 to 5 years;
  • arrest for a period of 4 to 6 months.

Anonymized data includes:

  • Last name, first name and patronymic;
  • Nickname/login of the subject on the Internet;
  • Email address (not linked to full name);
  • Position, place of work (without information about personal data).

Public data includes information about a subject that can be obtained from open sources of information, for example, in a telephone directory or address book. Data is entered into such publicly accessible databases with the written consent of the subject.

A feature of publicly available personal data is that it can be posted in open sources of information. That is, if the organization’s contact directory contains contact information for officials, for example, those involved in training and hiring personnel, then such data is considered publicly available.

Concept and types of personal data

Labor Code of the Russian Federation). The processing of personal data refers to various operations provided for by the legislation of the Russian Federation. Types of PD processing include collection, systematization, accumulation, storage, updating, use, depersonalization, destruction, which are carried out according to the procedures established by regulations.


State, federal and municipal bodies and organizations that have such a right by status can carry out operations with personal data. All PD are divided into the following sections:
  • Publicly available personal data;
  • Special personal data;
  • Biometric personal data.

When creating personal data information systems (PDIS), it is recommended to be guided by Order of the FSTEC, FSB and the Ministry of Information Technologies and Communications of the Russian Federation No. 55/86/20 dated 13.02.

Public personal data

Misuse of such information is punishable by law. The Personal Data Protection Law concerns not only individuals, but also legal entities.

Attention

Few people will like it if information about the financial state of affairs or data of company employees is available to everyone. This would make life much easier for scammers, which neither ordinary citizens nor law enforcement officers want.


What data is considered personal under the law? The law does not provide a clear list of information that is considered personal.

Public personal data is

For example, the law does not precisely define whether a telephone number constitutes personal data. Roskomnadzor, in response to requests from citizens, explained that it is impossible to accurately identify a person by number alone.

By itself, a number is not personal data, but in conjunction with the owner’s full name and city of residence, it constitutes PD. Therefore, non-personalized sending of SMS messages is not considered a violation of Federal Law No. 152.

General PD is contained in a passport, military ID, diploma, personal employee card, work record book, etc. Written permission is not necessary to obtain this data; indirect permission is sufficient, for example, a check mark next to the corresponding item in the online application form.
The relative ease of access often brings problems to the subjects of personal data - ordinary citizens: from intrusive advertising to blackmail and forgery of loan applications.

What personal data is considered public?

For example, the following:

  • the entire database must be backed up and the backups stored;
  • a specialist is needed who will administer the information system;
  • expenses will be required for specially designed equipment and software;
  • the employee who processes personal data must be highly competent.

What methods are used to effectively protect employees’ personal information?

  • Make the premises in which personal data is processed completely closed to access by other employees.
  • To obtain any information, employees must obtain special permission.
  • Data storage must be clearly organized.

Given the presence of both disadvantages and advantages of each method, as a rule, employers combine them.

Article 8. Public sources of personal data

Salaries cannot be a commercial secret due to the fact that they relate to the remuneration system. But this does not exclude it from the list of PD, for the distribution of which an employee can be fired in accordance with the Labor Code.

And if the employee begins to challenge this decision in court, then the employer is obliged to prove that the disclosed information relates to a secret that the employee undertook not to disclose to anyone.

Types

Types of personal data can be classified according to:

  • The content contained in them:
  • The category, which includes the list specified in Article 10: race, nationality, religion, health, personal life, political beliefs. However, according to Federal Law 152, there are restrictions here, namely, access can only be carried out with the written permission of the owner.

Is salary personal data or not?

Important

For the purpose of information support, publicly available sources of personal data (including directories, address books) may be created. Public sources of personal data, with the written consent of the subject of personal data, may include his last name, first name, patronymic, year and place of birth, address, subscriber number, information about profession and other personal data reported by the subject of personal data.


(as amended by Federal Law No. 261-FZ of July 25, 2011)

2. Information about the subject of personal data must be excluded at any time from publicly available sources of personal data at the request of the subject of personal data or by decision of a court or other authorized government bodies. (as amended by Federal Law No. 261-FZ of July 25, 2011)
Content
  • Biometric. Characterize physiology.
  • Not biometric. Data that is not biometric.

Types of personal data

Into what types is personal data divided? What does this mean? It is important to understand that all information that is stored at the enterprise in relation to a particular employee can be viewed from two different points of view.

  • Data on the marital status and family of the employee (individual members), namely: presence of dependents, presence of children, their age and number, state of health.
  • Information about a specific employee, namely: full name (passport), profession, health status, as well as any special circumstances.

The head of the enterprise is obliged to issue a local regulation that sets out the procedure for storing personal data.

Personal data is publicly available and what applies to it

Responsibility for disclosure

It is important to note that Federal Law 152 “On the Protection of Personal Data” provides only for the administrative responsibility of an enterprise for the disclosure of an employee’s personal data. This means that if an organization is unable to guarantee employees absolute protection of their personal information, then it will only face a fine. Moreover, the amounts of monetary punishment for incorrect storage of personal data are absolutely ridiculous. In general, they range from five to ten thousand rubles. Of course, this is true if we are talking only about single payments. As a rule, in enterprises where there are problems of this kind, there are multiple violations, which means that the amount of the fine increases significantly. However, monetary costs are far from the most important consequence of the fact that personal data is used in the wrong way. This greatly damages the company's reputation.
For example, the following:

  • the availability of additional storage resources, such as special premises, equipment, safes, and so on;
  • labor intensity of the process;
  • special skills are required to maintain paper records.

Sometimes HR departments prefer to store information about one employee separately (in different thematic folders). Thus, all employment contracts, questionnaires and other documents for all employees are stored separately. They are numbered for easier searching. This method is less labor-intensive than the one described above, and does not require any special skills from the HR department employee. However, it is not without its shortcomings.
Notification about the processing of personal data

It is a very common mistake for operators to notify about the processing of personal data when they were not required to do so. And if you still decide to notify Roskomnadzor, here are some recommendations:

  • Read very carefully Part 2 of Article 22 of the Federal Law of the Russian Federation dated July 27, 2006 N 152-FZ “On personal data”.

  • Look at the data that is processed for you. Some cases will require you to make adjustments with PD carriers.

One of the reasons why you may not notify about the processing of personal data is indicated in clause 2, part 2, article 22 of the Federal Law and is as follows: Let’s take as an example the establishment of a business relationship with an individual to perform a service.

To make it clear that everything is ready and you didn’t have to just drive several tens of kilometers, the foreman prudently took your phone number to announce the good news.


