The content of the article
- What information is considered personal data
- Company employees
- State or municipal employees
- Legal entities
- Regulatory framework
- To whom the requirements of Federal Law 152 apply
- Responsibility for the use of personal data without consent
- PD categories
- General personal data about a person
- Special data
- Big data
- PD storage and protection mechanism
- Who has the right to request
Citizens today are often asked to consent to the processing of their private information, for example, when visiting a doctor. In many cases, the form is signed mechanically. When it comes to access to information about yourself, it is important to know and abide by the rules.
What information is considered personal data
Common personal data:
- Surname, name, patronymic of an individual. In this context, the individual acts as the subject.
- Date and place of birth.
- Registration and residence address.
The employee’s personal data is concentrated in the information system (IS). It can be digital or analog (a computer database or a personal file in a paper folder). Legal requirements apply to PD regardless of the technical implementation of the information system. There are various ways of processing the personal information of individuals: collection, classification, clarification, etc.
The concept of PD refers not only to citizens, but also to legal entities, regardless of their legal form (firms, companies, organizations, commercial enterprises, etc.). Its distinguishing feature is that it identifies a specific company rather than a specific person. Official information about the company is needed when concluding contracts, etc.
Personal information for this category of entities includes:
- full name;
- date and place of birth;
- registration and residence address;
- decision on full or partial incapacity;
- marital status + information about family members;
- place of work;
- salary, insurance and tax deductions;
- military duty.
There are features of classifying different data as personal in the category of individuals:
- Phone number. Refers to PD if the information about the owner is in a public source (for example, contacts for direct contact are indicated on the deputy’s website).
- Verification parameters for authorization on various Internet services are personal data by definition and are not subject to disclosure to third parties.
- Photo and video recordings. They count as PD only where an individual can be identified from them. The exception is photo or video shooting at mass events. If a recording defames a person’s honor, dignity or business reputation, he may, in accordance with part 1 of Article 152 of the Civil Code of the Russian Federation, demand a refutation.
Company employees
Personal information in this case includes the information that an employee must provide when applying for a job. For the most part, it coincides with the PD of an individual and is intended to be entered in the employee’s personal file. Due to the fact that an employee fills out a standard form, information that is not related to his work.
In addition to the personal information of an individual, the personal dossier of an employee of an enterprise must include:
- application for a job;
- length of service (including at this enterprise);
- certificates of rewards and penalties from the administration;
- information about the used vacation;
- medical certificates and / or medical examination documents (if required by the working conditions).
By law, the employer has no right to:
- Transfer personal data to third parties without the consent of the employee (data protection).
- Request employee health information without consent. The exception is situations where it is directly related to the employee performing his functions.
The employer is obliged to:
- Protect the PD at its disposal from third-party access and allow only specially authorized employees to see it, providing them with data within their competence.
- Warn third parties to whom information about the employee is transmitted that it can be used only for the specific requested purposes. Legislation prohibits the unauthorized distribution of personal data, and those responsible can be held accountable.
- Secure (for example, by a signature on a special form) the obligation to maintain confidentiality on the part of persons to whom the PD is transferred.
State or municipal employees
In addition to the information required for an employee of an enterprise, the personal data for this category of workers includes:
- experience + length of service;
- class rank (if any);
- grade on the tariff scale;
- academic degree, awards, rewards;
- clearance for working with classified materials;
- certificates of certification and advanced training;
- criminal record;
- medical certificates, copies of sick leave.
Legal entities
This category of information includes:
- name of company;
- legal and actual address;
- license numbers;
- bank account number and other bank details.
Regulatory framework
The main legal documents establishing the principles for the use of PD:
- Constitution of the Russian Federation. Articles 23 and 24 guarantee citizens privacy, personal and family secrets, and confidentiality of correspondence, telephone conversations, and other messages. According to these provisions, PD belongs only to its holder and should not be controlled by third parties without his consent. The state guarantees the protection of this right of citizens.
- Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006 determines who and under what conditions can use the personal data of a citizen.
For employees of various industries, there are separate regulations governing the processing of personal information:
- For workers in organizations of the energy sector – Order of the Ministry of Energy of Russia No. 166 “On Work on the Processing of Personal Data” dated 11.11.2008.
- For civil servants – Federal Law No. 79-FZ “On the State Civil Service of the Russian Federation” dated July 27, 2004.
To whom the requirements of Federal Law 152 apply
Access to the personal data of a particular person is allowed to special operators. These are representatives of structures or organizations that produce and process the PD of a specific individual. Without the subject’s permission, any operation with his personal data is a violation of the law. Personal information about a person must be destroyed once the need for its use has disappeared.
The legislation does not determine the validity period of consent to the processing of personal data, so it can be indicated directly in the form signed by the subject. Such a period can be determined directly or indirectly, for example, “for 3 years” or “for the time specified in the employment contract”. When signing such papers, check the stated periods and make sure that they are realistic.
Responsibility for the use of personal data without consent
A list of penalties applies to violators. It covers the following cases:
- PD processing in situations not prescribed by law. This violation entails a warning or a fine: for citizens – 1,000-3,000, for officials – 5,000-10,000, for legal entities – 30,000-50,000 rubles.
- Processing personal data without the written consent of the subject. For this, penalties are provided: for citizens – 3,000–5,000, for officials – 10,000–20,000, for legal entities – 15,000–75,000 rubles.
The use of PD without the consent of the subject may form part of an offense punishable under Article 137 of the Criminal Code of the Russian Federation. Such offenses include:
- Illegal collection of information about the private life of a person that constitutes his personal or family secret. This implies a fine of up to 200,000 rubles, compulsory work of up to 360 hours, or arrest for up to 4 months, etc. For officials, disqualification for up to 3 years is possible.
- Collection of various information about a person committed by someone using his official position. It entails a fine of up to 300,000 rubles, forced labor for a term of up to 4 years or arrest for up to 6 months, etc. In most cases, after this sanction is applied, a citizen is deprived of the right to hold certain posts for up to 5 years.
PD categories
Law No. 152-FZ classifies information by content, complexity of use and level of disclosure. Categories of personal data that cannot be used without consent: depersonalized, general, special and biometric data.
General personal data about a person
These include basic information materials about a specific individual:
- full name;
- date and place of birth;
- registration and residence address;
- phone number;
- passport data – series, date of issue, etc.;
- place of work.
Personal information of the general type is recorded in the basic documents of a citizen (a passport, work book, etc.). In many cases, indirect processing is sufficient for this data. Such simplified cases are typical of online questionnaires that ask for a minimum of information, where a checkmark in the corresponding field is enough from the subject instead of a written confirmation. Here the data is transferred over open communication channels.
Some of this information is not personal if used independently of the rest. The current position of Roskomnadzor is that a telephone number alone (not correlated with the name of the owner) cannot identify an individual. For this reason, non-personalized SMS mailing is not a violation of the law.
Biometric data includes the physiological and biological parameters of an individual:
- fingerprints;
- blood type;
- eye color;
- special signs associated with appearance (for example, acquired injuries).
Any audiovisual files (photographs of a specific individual, recordings from a voice recorder, video recorder, etc.) belong to the same category. As technology develops, biometric parameters are widely used: in medicine, when hiring for government agencies, and when applying for passports. Often such data is harmful to the subject in professional activity or personal life.
Special data
This category includes:
- political preferences;
- criminal record;
- medical diagnosis;
- sexual orientation;
- intimate life.
Such information is contained in special documents. It can be used to discriminate against a specific individual. For this reason, according to Article 10 of Law No. 152-FZ, access to this type of information is not allowed in the general case. The exceptions are situations where:
- The subject has given written consent to PD processing.
- The dossier of a particular person is studied to preserve the life or health of this person or of third parties when obtaining permission is not possible (for example, a victim of a car accident is in a coma and an operation is urgently needed). This case can be extended to all situations of diagnosis and the provision of medical services, provided that the processing is carried out by an authorized employee who maintains professional secrecy.
- The PD became public on the initiative of the person to whom it belongs (for example, a pop artist gives an interview to a TV channel about his sexual orientation). This also includes the processing of information in connection with the All-Russian population census or the implementation of social assistance programs, labor or pension legislation.
- The personal data of participants in a public association or religious organization is processed (for example, this personal information can be collected in the municipality or state statistics bodies). The determining factor here is that such information is not disseminated without the written consent of the PD subjects.
- The extraction of the necessary personal information is connected with the exercise of the constitutional rights of this individual or the administration of justice (by law, this is permitted, for example, for the police or prosecutors). This also includes situations of enforcement of legislation on defense, counter-terrorism, transport security, anti-corruption activities, etc.
- Processing is necessary to implement legislative requirements on compulsory types of insurance or on citizenship of the Russian Federation, or when checking parents who take in orphans.
In accordance with Law No. 152-FZ, depersonalized data is information that cannot be correlated with a particular person without additional information. This can be any of the components of the PD, stripped of other information, for example:
- The surname, name, patronymic of a person, his date, month, year of birth, street, house and apartment numbers in the aggregate are personal data.
- Each of these items taken separately (for example, only a name, without a surname and other information) cannot be PD.
Depersonalization is an additional method of protection. Government bodies authorized to process personal information about citizens often resort to it when transferring a body of information for outside study. For example:
- As a result of the census, the Federal State Statistics Service (Goskomstat) accumulates a large number of profiles containing personal data. This may be information about age, nationality, etc.
- When sending such data to other departments for analytical study in their field of work, Goskomstat employees take measures to protect PD. For this, the information is depersonalized. For example, a sample of data on individuals is transmitted to the Ministry of Social Protection of the Russian Federation, indicating their nationality, age and education, but without mentioning the name and surname.
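The depersonalization step described above, as an added Python example (not code from the article or from any agency): it strips the name and address before transfer and, going a step beyond the text, flags combinations of the retained fields that are rare enough to point back at one person. The field names, the ten-year age bands and the threshold `k` are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records (not real data); field names are assumptions.
CENSUS_SAMPLE = [
    {"full_name": "Ivanov Ivan Ivanovich", "address": "Lenina 1-5",
     "nationality": "Russian", "age": 34, "education": "higher"},
    {"full_name": "Petrova Anna Sergeevna", "address": "Mira 7-12",
     "nationality": "Russian", "age": 37, "education": "higher"},
    {"full_name": "Sidorov Pavel Olegovich", "address": "Sadovaya 3-9",
     "nationality": "Tatar", "age": 52, "education": "secondary"},
    {"full_name": "Akhmetova Alsu Rinatovna", "address": "Kirova 10-2",
     "nationality": "Tatar", "age": 58, "education": "secondary"},
    {"full_name": "Kuznetsov Oleg Petrovich", "address": "Pobedy 4-1",
     "nationality": "Russian", "age": 71, "education": "higher"},
]

# Fields that identify a person on their own and are never transferred.
DIRECT_IDENTIFIERS = {"full_name", "address"}
# Fields kept for the analytical study (age is generalized to a band).
RETAINED = ("nationality", "age_band", "education")


def age_band(age, width=10):
    """Generalize an exact age to a band such as '30-39' (assumed width)."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def depersonalize(record):
    """Return a copy without direct identifiers and with a coarse age."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["age_band"] = age_band(out.pop("age"))
    return out


def small_groups(rows, k=2):
    """Combinations of retained fields shared by fewer than k records.

    Such rows can still single out a person once combined with other
    information, so they need further generalization or suppression.
    """
    counts = Counter(tuple(r[f] for f in RETAINED) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}


if __name__ == "__main__":
    rows = [depersonalize(r) for r in CENSUS_SAMPLE]
    for combo, n in small_groups(rows).items():
        print("re-identification risk:", combo, "appears", n, "time(s)")
```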
Big data
This includes information received on the Internet from a specific user or accumulated in his digital devices:
- IP address of the computer;
- pageview history;
- authorization data on sites;
- nicknames and avatars of forums or social networks.
The ambiguity of this category in the legal perspective is associated with the following features:
- This information may directly or indirectly indicate a specific person.
- The owner himself cannot fully control it.
- If desired, they can be falsified (for example, one person can register on social networks under the name of his friend and leave defamatory messages on his behalf).
Given these circumstances, not all information from the Big Data category is personal data. If they do not directly indicate a specific person, then, according to Roskomnadzor, they do not belong to the category of PD. Then they are not subject to the requirements of Law No. 152-FZ. Examples of such information:
- A photo of a person. If it is accompanied by a name and surname, it is personal data, because it indicates a specific person.
- Avatar (userpic) and nickname on the forum. These positions are not PD. They do not directly indicate a specific person. There is an exception: when the picture shows a photo of a person with a name, surname or other information.
- The PD category does not include the search queries of the computer user and information about his location, which are processed to provide him with contextual advertising and geo-targeting (data output depending on the geographical location of the individual).
PD storage and protection mechanism
In accordance with the requirements of the law, operators must themselves apply security measures to the personal data they collect. This is implemented through:
- Admitting to work with the information system only a predetermined circle of people who have received the appropriate instructions and have been warned of their responsibility for unauthorized distribution of information. If a computerized IS contains PD of a special type, then work with it (views, changes, etc.) should be recorded in a special electronic journal. With modern information technology, this process can be made automatic.
- Measures to create a high level of IS protection, block unauthorized access (for example, as a result of a hacker attack), promptly restore the original information from a backup copy in case of damage by a computer virus, etc. If personal information is in analog form (for example, paper profiles with information about the employees of the enterprise), it is necessary to take measures for its digitalization.
- Oversight by Roskomnadzor, which ensures that the current processing of employees’ personal information is carried out in accordance with legislative standards. This agency also verifies that personal data processed as part of labor duties is stored in conditions that exclude its leakage and illegal use.
Who has the right to request
In accordance with the law, PD processing must have legal purposes. There are two options for obtaining the subject’s PD:
- Without obligatory written consent. This is allowed if the collection of PD fulfills legal requirements. For example, the employer has the right to freely receive information about the registration address and education of the employee. A special case is the exceptional situations considered in Article 10 of Law No. 152-FZ (the list is given above), which dispense with the consent of the subject.
- Subject to written permission. Representatives of individual organizations are allowed access to the information that is required to perform their tasks. For example, when applying for a loan, the bank has the right to ask about the salary of the client, but the same interest from the attending physician would be unlawful.