Current laws in the field of labor law and the protection of confidential information require regulation of work with PnD at the enterprise - the creation of a policy for the processing of personal data. Art. 86 TC and 18.1 No152-FZ oblige the employer to develop and approve documentation - Regulations on the protection of personal data, regulations and others.
| Valentina Mitrofanova will tell you what's new in labor legislation this week. Watch the new episode of Personnel Review. |
There may be several local acts, taking into account the separation of mechanisms and purposes for processing confidential information at the enterprise.
Example
|
| Experts Valentina Mitrofanova and Maria Finatova will talk about what measures to protect confidentiality in an organization the personal data policy contains, how to develop and approve Regulations and Regulations in an online course as part of distance training. |
Requirements for internal documents on personal data
Documentation on confidentiality and means of ensuring the security of personal data is developed based on the specific conditions of the enterprise. Its compilation is subject to the law:
- The LNA is signed by an authorized person. The Charter states who approves internal regulatory documentation. Usually this is the Director, Board of Directors, etc.
- Local confidentiality acts do not require collective consideration and consideration of the opinions of trade unions. There is no need to coordinate their content with employee representatives.
Employees must know the company's policy regarding the processing of personal data. The regulations are communicated to all workers against signature, regardless of whether they are processing PnD or not.
Legal basis
When hiring an employee, the employer receives the following personal data from him:
- FULL NAME.;
- registration address and place of residence;
- passport series and number;
- TIN certificate number;
- SNILS;
- about the number of children, their dates of birth;
- about marital status;
- about previous work, terms, reasons for dismissal.
According to Art. 86-90 of the Labor Code of the Russian Federation, the employing organization must adhere to the rules:
- processing personal information of employees;
- storage and use of data;
- transfer of personal data of employees.
Based on the Federal Law “On Personal Data,” employees are given the right to demand protection of information provided to the employer. To ensure proper handling of personal data of employees, each organization develops a Regulation on personal data of employees. This document establishes:
- what information is classified as “personal”;
- who has access to personal information of employees;
- How is personal data stored (on what media);
- in what order the information is processed;
- where information about employees is recorded (are personal files, cards, are lists maintained, etc.);
- on what grounds and to whom employee data can be transferred;
- how is access to data protected (is electronic information encrypted, is a safe installed for physical media);
- the procedure for its approval and amendment.
The application may include sample employee statements:
- consent to the processing of your personal data;
- on consent to receive additional information regarding the employee.
A standard version of such a document, as directed by management, can be developed:
- HR specialist;
- company lawyer;
- assistant manager.
The provision on personal data belongs to the category of local acts of the enterprise. Its structure should not contradict the current legislation of the Russian Federation.
The employer is obliged not only to develop a document regulating the procedure for storing and using information about employees, he must put it into effect. It is for this purpose that the employer draws up an order approving the developed provision.
General provisions of the local act on the protection of personal data in organizations
The terminology used in the text, the purposes of personal data processing are explained, and the general meaning of the corporate document is described.
It is permissible to describe the rights and responsibilities in a local act:
- employer - HDD operator;
- employee - subject of personal data.
According to the law, the processing of personal data ends with the fulfillment of goals. They are determined in advance and regulated by federal acts. The Regulations on the processing of personal data of a specific company prescribe the goals specific to its activities.
Example
|
Do not indicate goals that are not specific to your company. To identify them correctly:
- analyze the actual activities of the enterprise;
- study the charter - the main directions of work are indicated there;
- track business processes in the IS of divisions and procedures in relation to certain categories of PD subjects.
Excessive storage of data in employee files
Often, personnel officers keep copies of passports, certificates, TIN, etc. in personal files or employee folders. This is considered illegal as it violates the requirements for storing personal data. Storing copies of an identity card and other documents containing personal data is qualified as a violation during inspections regarding the presence of excess personal data by the Operator.
Part 5 of Article 5 No. 152-FZ regulates the amount of personal data processed and its volume. They must correlate with the purposes of processing that you stated in the Policy or other LNA. The laws and regulations of the Russian Federation regarding the processing of personal data at an enterprise establish the volume and nature of personal data that is requested from an employee. The main regulatory document is the Labor Code:
- Art. 86 contains a list of standards that should be followed when calculating the volume and content of PnD. These are the Constitution of the Russian Federation, the Labor Code of the Russian Federation, etc.
- Art. 65 of the Labor Code provides a complete list of documents with personal information that an employer may require from an employee to conclude an employment contract.
Article 65 of the Labor Code of the Russian Federation does not specify what personal data an employer or a personnel service employee can store and process during the employee’s working life. The law lists the documents that are presented when concluding an employment contract.
What documents will an employer require to conclude an employment contract - table
| Document | What is it for? |
| Passport | Identity document |
| Employment history | If the employee is hired for the first time, it is made by the employer. Electronic TDs introduced in 2022 |
| SNILS | From 2022 the ADI-REG form |
| Military ID | If the employee is liable for military service or conscript |
| Diploma, other educational documents | Confirmation of qualifications, availability of special training if the applicant is applying for a position that requires special knowledge |
| Certificate of criminal record/criminal prosecution or its termination | For work to which those who have been convicted or subjected to criminal prosecution are not allowed |
It is prohibited to require other documents!
Municipal or state institutions have the right to collect, process and store personal data on criminal records within the framework of the powers granted to them by the laws of the Russian Federation - paragraph 3 of Art. 10 No. 152-FZ. In other cases, this procedure is determined by other federal regulations.
The Labor Code of the Russian Federation provides for documents and personal data that the employer can use. This is an employment contract (Article 57 of the Labor Code of the Russian Federation), it states:
- Full name of the employee;
- passport information;
- work book (Article 66 of the Labor Code of the Russian Federation);
- employment order (Article 68 of the Labor Code of the Russian Federation), etc.
For identification when applying for a job, the employee will be required to provide his full name and a document confirming his identity. It's enough. Therefore, storing copies of passport pages is regarded by inspectors from Roskomnadzor as exceeding the volume of required personal data.
| Advice The example with copies of passport pages shows that their storage does not ensure the accuracy and relevance of personal information. Only the original is a source of authentic information. This statement is true for duplicate passports and other documents. |
Roskomnadzor pays special attention to the nomenclature of documents contained in personal files and employee folders.
How to obtain access to personal data in a local act
You indicated in the local act all the terms used and defined the goals. Now, in the Regulations on the Protection of Personal Data of Workers, fix the list of positions with access to PnD. This is required by Art. 86 Labor Code of the Russian Federation and 152-FZ.
How to describe internal access to personal data in a local act
This is the admission of officials within the operating company. Access to confidential data is divided into full and limited . When describing full access, indicate a list of positions admitted to PD without restrictions.
When defining restrictions, in addition to listing positions, they describe the properties of confidential data to which employees are allowed, list the operations performed with them and indicate the final goals.
Example of a list of positions and a list of documents with personal data
The process of appointing an authorized person for personal data processing at the enterprise is also recorded here. This requirement for the protection of personal data is voiced in clause 1, part 1, art. 18.1 No152-FZ. This function can be enshrined both in the Regulations on PD and in the order.
| Advice We recommend appointing a person who works with I&D when performing day-to-day job responsibilities - IT manager, HR manager, etc. |
The person responsible for organizing the processing of personal data is subordinate to the executive body of the operator and acts according to his instructions.
External access - transfer of personal data to third parties
The Regulations list the institutions to which personal data is transferred - this is external access to confidential information. The number of employees allowed to access personal information includes control and supervisory agencies, others established by federal regulations:
- Labor Inspectorate;
- Prosecutor's Office of the Russian Federation;
- Law enforcement agencies;
- Tax officers;
- Military commissariats;
- Departments of migration registration of foreign citizens;
- other.
Legal entities included in the regulation on the processing of personal data of employees receive access based on the specifics of their activities in the manner established by the norms of the Russian Federation.
Indicate in the local act the following information about a legal entity with external access to PD:
- name, location;
- the purpose of the transfer and the amount of information transferred;
- operations with PnD;
- processing mechanisms and rules;
- protection requirements.
| Advice We recommend that the PD Regulations indicate the circumstances under which it is possible to provide confidential information to a counterparty. |
| Example Conditions for the transfer of personal data to third parties (including those located outside of Russia - cross-border) to achieve the purposes of PD processing - the presence in the agreement of clauses regulating the processing of PD. |
Example of a register of personal data and actions for their processing
Personal data: legal definition
When a person enters into an employment relationship, he is required to provide a number of information about himself. All this information relating to the future employee, allowing him to be identified in a particular context, is united under the term “ personal data” .
In what order should personal data of individuals be processed ?
The procedure for handling this information is defined in such legislative documents as:
- Constitution of the Russian Federation;
- Art. 85 Labor Code of the Russian Federation;
- Federal Law No. 149 of July 27, 2006 “On information, information technologies and information protection”;
- Federal Law No. 152 of July 27, 2006 “On Personal Data”;
- Decree of the President of Russia dated March 6, 1977 No. 188.
These laws establish information that falls within the definition of personal data in order to protect the privacy of law-abiding citizens from unlawful interference and ensure that confidential information obtained from them is used for the intended purpose.
Are telephone numbers and email addresses personal information?
List of data considered personal:
- Full name of the individual;
- Date of Birth;
- place of residence and/or registration;
- the education received by the person;
- family composition;
- social status;
- information relating to ownership of property;
- positions previously held by him;
- level of income received and their sources;
- other information related to the job function specified in the contract concluded with the employee.
BY THE WAY! Information about an employee’s political, religious or other beliefs, his participation in various organizations other than work, as well as details of his private life are not considered personal data and are not subject to collection, processing, storage and use. They can only be obtained with the consent of the employee himself. The exception is when information of this kind directly relates to work activity.
Employee health issues cannot come to the attention of human resources employees, except for their direct impact on the work function.
Who bears what responsibility for violating the laws on personal data ?
Content and scope of personal data protection in organizations: documentation
Art. 5, clause 5 No152-FZ is devoted to:
- proportionality of the volume and nature of the data obtained to the declared purposes;
- prohibition of PD redundancy.
This will be discussed in the next section of the local act.
| Example If the declared purpose of PD processing is the signing of an agreement with the individual Ivanov I.I. for the supply of goods, then personal information corresponding to this purpose - full name, bank details, passport, TIN, telephone numbers, address. Information about family and property status will be redundant. |
| Important! It is the goal that determines the volume of PD. If your organization offers Ivanov I.I. additional social support (VHI policy) is a different goal, it will require a different amount of PD. |
The Regulations on the Protection of Personal Data of Workers list all categories of persons whose personal information is necessary in the activities of the enterprise. These are current and former employees, relatives, applicants for vacancies, counterparties of the operator (individuals, legal entities) or their representatives.
| Advice In parallel with listing the purposes, we recommend providing a list of processed personal data in relation to the specified categories of subjects. |
The processing of special information (race, nationality, political views, religion, health) and biometrics, if any, is separately explained.
Why do you need a regulation on working with personal data?
By hiring a person, the company takes on the functions of a data processing operator. In other words, the employer collects, stores, systematizes, accumulates and updates information relating to employees. Work with personal data is carried out both with the use of automation tools and without their use. The processing of confidential information is carried out not only during the period of cooperation, but also after its completion, at the archiving stage. Art. 22.1 of the Federal Law of October 22, 2004 No. 125-FZ “On Archival Affairs in the Russian Federation” obliges organizations to store personal files of employees for 75 years. At all stages of processing personal information, the employer is obliged to prevent its transfer to third parties in the absence of legal grounds. A set of appropriate measures must be documented as a regulation on working with personal data of employees.
Security measures when processing personal data
This describes the applicable security and confidentiality measures for IPD. These activities are described in Art. 18.1 No152-FZ. From those listed, the operator himself selects the duties that are important and sufficient to perform. Art. 19 Federal Law regulates a specific list of steps to ensure the security of personal data during processing. Among others:
- modeling threats to the security of personal data in information systems;
- identifying unauthorized access to confidential information and promptly responding to incidents.
Levels of protection of personal data have been established - Resolution No. 1119. One of the measures to protect personal data in an organization for the safety of personal data during their processing in ISPD is organizational and technical procedures. Their presence maintains the levels in the state designated by the government - clause 3/1 of article 19 of the Federal Law and clauses 8-16 of Decree No. 1119. Basic protective measures:
- establishing the authenticity of subjects and objects of access;
- monitoring tolerances;
- protection of media storing/processing personal data;
- monitoring events;
- PD security survey;
- ensuring the integrity of IP and information;
- PD availability;
- protection of technical resources, etc.
The full composition of these measures is given by FSTEC Order No. 21.
Other organizational and technical measures aimed at protecting personal data
Care should also be taken to ensure organizational and technical measures designed to protect personal data. Here's what their list might look like:
- approval of requirements for the premises where personal data is stored.
It should be borne in mind that they are not established by law. However, if we proceed from existing similar laws and take into account the provisions of the Labor Code of the Russian Federation, then in order to avoid unauthorized access to personal data on paper, it is necessary to equip the room where they are stored with locked cabinets.
The local regulatory act should establish requirements for the premises where personal data is stored, as well as issue an order to determine the premises where personal data is processed and approve the list of persons authorized there;
- ensuring software protection of the organization's information system.
When using electronic systems for processing personal data, it is necessary to take into account the requirements for ensuring the security of such data established in the Regulations on ensuring the security of personal data during their processing in personal data information systems. This includes restricting access to certain information in information systems (for example, setting passwords, etc.).
It is also advisable to limit access to electronic databases containing personal data of shareholders by a two-level password system: at the local computer network level and at the database level. Passwords should be set by the database administrator and network administrator, respectively, and communicated individually to employees with access to personal data, and they should be changed as often as possible (for example, monthly);
- keeping a log of work with personal data.
In order to maintain a confidential regime for working with personal data, it is advisable to keep a log of the issuance of personal data to other persons, organizations and government bodies. It should register incoming requests, as well as record information about the person who sent the request, the date of transfer of personal data or the fact of notification of refusal to provide it, and also note what information was transferred.
Description of the procedure for storing personal data in the local act
If the PnD storage mode allows you to reveal their subject, then the storage of such information ends:
- with the achieved purpose of processing;
- together with the effect of consent to PD processing/its revocation;
- in accordance with archival regulations.
| Advice We recommend indicating the duration and procedure for storing PD in the ISPD or on paper, taking into account the access established to them by officials. The storage location of the used confidential information databases should also be indicated in the Regulations. |
| Important! We remind you that databases of personal information of employees are localized in Russia |
What is personal data
Personal data is usually understood as any information relating to a person - a subject determined directly or indirectly according to the criteria of the Law “On Personal Data” dated July 27, 2006 No. 152-FZ.
Data about a person falls under the jurisdiction of Law No. 152-FZ if it is at the disposal of the personal data operator or is subject to processing with his participation (clause 1 of Article 1 of Law No. 152-FZ). In particular, the characteristics of an operator correspond to companies that have hired employees, since they process a wide range of information about the subjects in the process of building labor relations with them.
You will find a complete list of information about employees that is personal data in ConsultantPlus. This is important to know, since personal information includes not only information about the employee, but also his photo, for example. There are other interesting points. But for violations of working with personal data, quite significant fines have been established. Get free access to K+ and go to the Guide. This will protect you from mistakes and avoid liability.
How to draw up consent to the processing of personal data, see here.
See also: “Photo Pass May Incur a Personal Information Fine.”
Personal data information systems - protection requirements
The local document on the policy for the protection and processing of personal data displays the types of information systems used, threats to confidentiality and the procedure for its protection. All this is in Resolution No. 1119. The law identifies the following information systems:
- for processing special categories of PD;
- working with biometrics;
- containing publicly available data;
- all others (excluding special, biometric, public);
- only personal data of the operator's employees.
In other cases, ISPD is a system that processes personal data of subjects who are not employees of the employer.
You have determined the type of IP you are using and indicated these facts in the LNA. The next step is the types of threats to PnD that are processed in this information system.
There are three types of threats that differ from each other by software capabilities that are not reflected in the technical documentation. May be found in:
- system software - type 1;
- application software - type 2;
- in system and application software - type 3.
Security threats are recorded based on their relevance to a specific IS. They are established taking into account the forecast of potential harm to subjects of personal data if the procedure for processing personal data is violated.
Additionally, the ratio of the damage caused to the operator’s measures specified in Art. 18.1 of the PD Law. The processing of confidential information in information systems requires several levels of protection of personal data. The conditions for determining the level are given in paragraphs 9-12 of PP No. 1119, the requirements for security are in paragraphs 13-16.
Document form
Requirements for the content of consent to disseminate personal data are approved by Roskomnadzor Order No. 18 dated February 24, 2021. It is worth noting that you do not need to notify Roskomnadzor of your intention to distribute personal data if you have the subject’s permission to do so.
Is it possible to obtain one consent from an employee, specifying all possible purposes of processing/distribution?
Often, the “Consent” document contains not one purpose of processing and not one third party to whom the information is distributed, but several at once, which, according to Roskomnadzor, is contrary to current legislation.
According to the department’s position, each target and each third party to whom information about an individual is disclosed must have their consent. This follows from Part 4 of Art. 9, part 5 art. 18 of the Law of July 27, 2006 No. 152-FZ.
In these articles, the “purpose of processing” and the third party are indicated in the singular; therefore, it is unlawful to combine several purposes and several third parties in one document.
This rule applies to all cases where it is necessary to obtain the employee’s written consent.
Judicial practice is currently not on the employer’s side (Resolution of January 15, 2022 in case No. A40-81171/2017). In this regard, companies will have to issue a large number of consents from employees in order to comply with legal norms.
