What is it?
An order in the field of ensuring the security of personal information is a document approving the procedure for processing, as well as working with information about employees of an organization that requires non-disclosure.
In addition, this document establishes the obligation of responsible persons to maintain the secrecy of the information received. The order on personal data also contains a list of officials authorized to work with personal data.
Reference! According to Article 3 of the Federal Law of the Russian Federation dated June 27, 2006 No. 152-FZ “On Personal Data,” personal information means any information directly or indirectly related to a specific individual.
Is an order to approve the provisions on personal data required?
The regulation on the protection of personal information and the order for its approval are mandatory local documents that must be located at the enterprise. This order approves the developed Regulations and establishes the procedure for processing, storing and using personal details of employees in the enterprise. According to the order, persons involved in the processing of personal information undertake in writing not to disclose such information to third parties.
In the absence of these documents at the enterprise, the manager may be subject to administrative liability from supervised departments, including a labor inspector.
Kinds
It should be noted that to ensure confidentiality at an enterprise, a multi-level information security system must be implemented. Its main component is the creation of internal documentation that regulates the procedure for working with personal data.
So, in order to ensure the security of personal information about employees, the organization must issue the following types of documents.
On approval of the regulations on the processing and protection of personal information
It is fundamental and is intended to regulate the general procedure for working with personal information of employees of the organization, as well as its processing.
As a rule, the Regulations reflect the following information:
- goals, objectives and concept of data protection;
- a list of documents containing personal information;
- procedure for obtaining confidential information about employees;
- operating procedure;
- rules for processing, storage and transfer, etc.
On the appointment of a responsible person
Within the framework of this document, a specific specialist is assigned who is responsible for the correct processing of confidential information, as well as ensuring its secrecy.
It should be noted that according to Article 9 of the Federal Law of the Russian Federation “On Personal Data”, the processing of personal information about an employee is permitted only if he has given his consent to this. Only in this case can personal data be entered into the database and processed by an authorized person.
On establishing a list of persons with access to confidential information
This indicates specific people who have the right to work with confidential information about the organization’s employees.
Important! In accordance with Article 7 of the Federal Law of the Russian Federation “On Personal Data,” persons who have access to work with personal information must respect its confidentiality. Otherwise, you may find yourself held accountable, even criminally.
About protection
As a rule, this document contains key points of the organization’s management policy regarding working with confidential information, and includes all the issues listed above (protection provisions, responsible persons, list of specialists authorized to work with personal information).
Legal basis
By concluding an employment contract with an employee, the company’s management receives personal data from him, including:
- Full name.
- Registration address and actual location.
- Passport details.
- INN and SNILS number.
- Availability of children, with their dates of birth.
- Family status.
- Data on previous work, with deadlines and reasons for dismissal.
In accordance with Art. 86-90 of the Labor Code of the Russian Federation, the enterprise is obliged to comply with the rules:
- Processing personal data of your personnel.
- Storage and use of received information.
- Transfer of personal information of employees.
Based on Law No. 152-FZ of July 27, 2006 “On Personal Data,” employees have the right to demand protection of their personal data. To ensure the non-distribution of this data, enterprise management is developing a Regulation that states:
- What data is considered personal.
- Who has the right to access them and the grounds.
- How the security of the received data is ensured.
- Information processing procedure.
- Where employee data is stored.
- Data access protection.
The developed regulations may display sample employee statements:
- On consent to the processing of your personal data.
- Consent to receive additional information about the employee.
By order of the head of the company, this standard Regulation can be developed by:
- Personnel officer.
- Enterprise lawyer.
- Deputy Director.
The order approving this Regulation refers to an internal departmental administrative document, the structure of which must comply with the current legislative norms of the Russian Federation. All personnel of the enterprise must be familiar with the contents of the order.
(Video: “Mistakes that can be costly for the personal data operator”)
Who needs an order on personal data and why?
An order on the protection of personal data is needed by the management of the enterprise, as this is required by Law No. 152-FZ of July 27, 2006 “On Personal Data”. This order determines the obligation of officials to ensure the confidentiality of personal information about employees and the level of their security clearance.
There is no approved standard template for such an order, therefore, the document is drawn up in a free style. However, according to the legislation of the Russian Federation, this order must contain certain points to ensure the protection of personal information, including:
- Approval of the provisions on the protection and processing of personal information.
- Assigning a responsible employee to ensure the processing of personal information.
- Identification of persons who are authorized to collect, store and process data.
By whom and when are they issued?
Typically, these types of orders are issued by the human resources department at the direction of senior management. After preparing the document, it is approved by the signature of the head of the organization.
According to Article 1 of the Federal Law of the Russian Federation “On Personal Data”, the need to develop orders for working with personal data arises in the following cases:
- when processing personal information by government agencies;
- when processing confidential information by legal entities or individuals.
How to fill out a form
There are no special requirements for the design of the form or its format. That is, the document can be drawn up on a letterhead with the company logo and details or on a plain sheet of paper. The text can be either typed or handwritten, although in the first case it must be printed out (so that the necessary signatures can be placed on it). The order is produced in one original copy, but if additional copies are required, the document can be duplicated (for example, for transmission to interested structural units).
Step-by-step instructions for compiling
The procedure for drawing up an order on personal information can be presented in the form of the following step-by-step instructions:
- Document header. The name of the organization and its details are indicated here. If the document is drawn up on company letterhead, then, as a rule, it already contains the name of the organization and all its details.
- Next, indicate the name of the document (“ORDER”), the topic (for example, “On the appointment of persons responsible for the processing of personal data”), as well as the date and registration number. All orders issued by the organization must undergo the registration procedure. As a rule, a separate journal is kept for this, where the name of the document, its number and date of issue are recorded.
- Drawing up the “body” of the order. In general, the content of the text should include the following:
  - a reference to the legal act in accordance with which the document is issued;
  - specific instructions (for example, “Approve the list of officials authorized to process personal data”);
  - the name of the employee who is responsible for familiarizing all employees of the organization with the order;
  - the person responsible for execution.
- The document must contain the following signatures:
  - head of the organization;
  - the official who is instructed to familiarize all employees of the enterprise with the order;
  - the official responsible for execution.
- Finally, the order must be stamped with the seal of the legal entity.
What applies to personal data
Information of personal significance is any information about an employee of an organization included in his personal documents. In particular, these are: date and place of birth, residential address, education and work experience, health status. Personal data also includes religion, nationality, external characteristics, financial and marital status, relations with the law (presence or absence of a criminal record), as well as some facts from the biography.
Shelf life
In accordance with the Order of the Ministry of Culture of Russia dated August 25, 2010 No. 558 “On approval of the “List of standard management archival documents generated in the process of activities of state bodies, local governments and organizations, indicating storage periods” for orders issued in the field of protection of personal information about employees, a permanent storage period is provided (until the liquidation of the company).
Thus, the management of the organization must take care of creating internal documentation that would regulate the work with confidential information of employees. Otherwise, if information leaks occur, the affected employees will easily be able to prove the employer’s guilt in court, which will entail unpleasant consequences.
How to enter a position in an organization?
To implement the Regulations on the protection of employee details, the director of the enterprise is obliged to:
- Develop Regulations.
- Publish an order for its approval.
- Familiarize all personnel of the enterprise with these documents.
Only after this procedure will the Regulations receive legal status within the enterprise. In the absence of a Regulation approved by order, the head of the enterprise may be brought to administrative liability in accordance with Art. 5.27 Code of Administrative Offenses of the Russian Federation.
Document retention periods
According to Law No. 152-FZ of July 27, 2006 “On Personal Data,” the management of an enterprise is obliged to organize the storage of all local acts on the processing of personal information of its employees throughout the entire period of operation of the enterprise. Consequently, both the Information Protection Regulation and the order for its implementation must be kept at the enterprise for the same period.
Sources of personal information are stored in the data protection department in an office with limited access, for example, in a metal safe equipped with class H0 for tamper resistance.
If the enterprise ceases to operate, then all documents are transferred according to the act to the local archive, where such documents are stored for 75 years, on the basis of Order of the Ministry of Culture of the Russian Federation No. 558 dated August 25, 2010.
Structure of the personal data act
The employer processes the employee’s personal data exclusively within the framework of the employment contract, that is, only for the purposes of work activity in connection with the employment relationship. The employee, by virtue of Art. 86, 68 of the Labor Code of the Russian Federation, must be familiarized with the Regulations on Personal Data. The employer draws it up on the basis of the Labor Code and the Law on Personal Data.
The structure of the document might look like this:
- General provisions: the purpose and legal basis of the document (everything discussed above) and the general principles (Article 86 of the Labor Code of the Russian Federation).
- Basic concepts and the composition of employees’ personal data. Here you can indicate which documents of the organization contain personal data, along with the general concepts (Personal Data Law).
- Processing of and access to personal data. Here the conditions of access are set out and access to the data is limited. It is better to list the persons and their level of access separately, in the order approving the Regulations or in a separate order.
- Transfer of personal data. Both within the organization and to third parties and government agencies.
- Liability for violation of the Regulations.
All general rules that are included in the structure of the Regulations are reviewed on the website from the point of view of current legislation, including labor legislation.