Personal data of employees: ensuring safety

To fulfill its obligations under labor, tax and accounting laws, the employer must collect and use the employee’s personal data. However, the personal data law requires the employer, who in this case is the “personal data operator” and performs the “processing of personal data,” to ensure the security of this information.

The rules established by Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter referred to as the Law on Personal Data) apply not only to those organizations that deal with client databases. All organizations that have at least one employee must comply with the requirements of this law. This is due to the fact that legislators also include as personal data the information that an enterprise receives from its employees when hiring them. This means that the organization is obliged to protect them in full accordance with the law.


What data is personal?

According to the Labor Code of the Russian Federation, personal data of employees means information necessary for the employer in connection with labor relations and relating to a specific employee.

The Personal Data Law expands and clarifies the concept.

Personal data – any information relating to an individual identified or identifiable on the basis of such information (the personal data subject), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income, and other information.

Thus, each employer, when concluding an employment contract, receives information related to personal data.

This information is contained in the following documents provided by the employee upon hiring:

  • passport;
  • military ID (for those liable for military service);
  • certificate of assignment of TIN;
  • pension insurance certificate;
  • documents on education (including additional education, if the employee provides them when hiring or is required when performing certain job functions);
  • driver's license and car documents, if required in connection with the employee's job function;
  • a medical certificate confirming the completion of a medical examination (medical record), if required in connection with the performance of the employee’s labor function.


The use of the above data by an enterprise in its activities (collection, systematization, accumulation, storage, clarification, destruction, use, distribution and transfer) is interpreted by law as “processing of personal data.” All these operations are performed to one degree or another in any organization and in any enterprise.

Particular attention must be paid to the concept of transfer of personal data, since a number of restrictions are imposed on the employer in connection with it.

Thus, the employer does not have the right:

  • disclose personal data to a third party without the written consent of the employee, except in cases where this is necessary in order to prevent a threat to the life and health of the latter, as well as other cases provided for by the legislation of the Russian Federation;
  • disclose the employee’s personal data for commercial purposes without his written consent;
  • request information about the state of health, with the exception of information that relates to the issue of the employee’s ability to perform a job function.

In addition, the employer must comply with the following requirements:

  • warn persons receiving the employee’s personal data that such data can only be used for the purposes for which they were communicated, and require confirmation from these persons that this rule is observed. Persons receiving personal data are required to maintain confidentiality;
  • allow access to personal data of employees only to specially authorized persons, and they should receive only those personal data that are necessary to perform specific functions;
  • transfer personal data to employee representatives in the manner established by the legislation of the Russian Federation, and limit this information only to those personal data that are necessary for the said representatives to perform their functions.

How to transfer?

There are several types of processing. The information can be transferred within the enterprise or outside it. Article 88 of the Labor Code sets out the rules to be observed during transfer. It is prohibited to disclose data to third parties without the employee's written consent, or to disclose it for commercial purposes.

The exception is a threat to the life or health of the employee. Such cases may be provided for in labor or other laws. Persons who receive information about the employee must be warned that it may be used only for the purposes for which it was communicated; the purpose is stated when the information is communicated.

The management of the organization has the authority to ensure that this requirement is met. Persons to whom the information is transferred undertake an obligation to maintain confidentiality. These rules do not apply to situations where law enforcement agencies are the recipient of the data.

Local regulations establish the rules for the transfer of information within the enterprise. Employees are familiarized with this act against signature. The legislator has established a new rule: persons registered as individual entrepreneurs are now also required to issue local regulations that stipulate how data transfer occurs.

Only specially authorized persons have access to the information, and they may receive from the employee only the information that is necessary for their work. Therefore, some of the documentation may be submitted by other persons. It is prohibited to send requests for information regarding a person’s health status.

This does not apply to situations where it is necessary to determine whether the employee is able to continue his activities. Similar rules apply to women who are pregnant. This is done to understand whether a transfer to another job is necessary or not. The expectant mother is transferred to a place where there is no exposure to harmful factors.

Information can be transferred to the extent required to perform functions.

Documents for working with personal data

To be prepared for an inspection of personal data security, the company must have the following documents, which can be presented at the request of the inspectors:

  • provisions on personal data;
  • order on the appointment of those responsible for working with personal data;
  • order on the appointment of those responsible for ensuring the security of personal data;
  • statements from employees regarding consent to the processing of personal data.

Statement on personal data

In pursuance of the legislation of the Russian Federation, in order to ensure the protection of the rights and freedoms of employees, each organization is obliged to develop and adopt a regulation on personal data of employees (hereinafter referred to as the Regulation). This document determines exactly what information is subject to processing and storage at this enterprise.

The regulation relates to management documentation and is approved by order of the organization. Its content must be developed in accordance with the Constitution of the Russian Federation, the Civil and Labor Codes of the Russian Federation, Federal Law dated July 27, 2006 No. 149-FZ “On information, information technologies and information protection”, and Federal Law dated July 27, 2006 No. 152-FZ “On personal data”.

The Regulations should contain the following sections:

  1. General information.
  2. Basic concepts and composition of personal data of employees.
  3. Collection, processing and protection of data.
  4. Data transfer and storage.
  5. Access to personal data of employees.
  6. Responsibility for violation of the rules governing the processing and protection of personal data.

All employees included in the list of persons authorized to work with personal data must be familiarized with the Regulations against their signature.

List of processed employee data

Next, you will need to approve a document containing a list of personal data that is actually used in the organization’s activities. When drawing up such a document, do not forget to include in it all the information that the employee provides in writing about himself when applying for a job, as well as that used in the future when preparing personnel documentation.

This list should include:

  • application for a job;
  • employee profile;
  • personal card;
  • personal file;
  • employment contract;
  • orders;
  • employment history;
  • materials of certification commissions.

If the organization has an internal document flow containing information about employees (for example, reports and materials that are prepared for shareholders, founders, the parent organization, etc.), then these reports also need to be included in the list. In addition, the list must contain documents containing information about employees that the organization submits to various government bodies (tax and labor inspectorates, statistical authorities).

Note: fines are assessed per violation, and where there is no system for protecting personal data, the inspection commission most often finds numerous violations, as a result of which the total amount of the fines becomes quite impressive.

The next stage of work is the preparation and approval of a list of persons authorized to work with personal data. This document is approved by order of the manager and delivered for signature to all employees indicated in it. By the way, the manager’s order to appoint someone responsible for working with personal data and ensuring its protection is the first thing inspectors will want to see. This responsibility can be either a specific person or a department. In the latter case, the head of such a unit bears personal responsibility.

The agency authorized to monitor compliance with the personal data regime is the Federal Service for Supervision of Communications, Information Technologies and Mass Communications (abbreviated as Roskomnadzor). The department transfers all materials on those inspections where violations are found to the prosecutor's office.

When to familiarize a new employee with the Personal Data Regulations

Familiarize your future employee with the Regulations on Personal Data before signing an employment contract (Article 68 of the Labor Code of the Russian Federation). You can confirm that the employee has read the Regulations by signing:

  • in the text of the employment contract;
  • in the sheet for familiarizing yourself with the Statement on Personal Data;
  • in the journal of familiarization with local acts.

The regulation on personal data is a local regulatory act that must be present in the organization (Article 87 of the Labor Code of the Russian Federation). Otherwise, the company may be brought to administrative liability (Article 5.27 of the Code of Administrative Offenses of the Russian Federation).

Protection requirements

Chapter 14 of the Labor Code sets out the requirements for data protection. The manager is responsible for observing these requirements when processing information. Processing is carried out to ensure compliance with the law and to assist the employee in obtaining employment. The scope of the information to be processed is determined in accordance with the Constitution of the Russian Federation and the Labor Code.

Information may be obtained only from the employee himself. If it can be obtained only from a third party, the employee must be notified in advance and must give written consent. The employer does not process data classified as special, such as information about intimate life, race, etc.

Protective measures are taken by the company's management at the company's expense, in the manner established by law. Employees are familiarized against signature with the documentation that sets out the data collection procedure.

Employees may not waive their right to preservation and protection of secrecy. Protective measures are developed by employers together with employees. Exceptional situations are provided for in the laws.

Employee consent to the processing of personal data

You need to obtain consent if:

  • the request for information about the employee came from a third party;
  • the employer sends requests to other organizations;
  • the employer processes information about those included in the personnel reserve;
  • the processing of personal data of the employee’s relatives exceeds the established volume (more data is required than indicated in the personal card).

Personal data is confidential information, which means there should not be free access to it, otherwise it ceases to be such. In this regard, the employer has the right to transfer such information about employees to other persons only with their written consent.

An exception to the rule is situations where the life and health of workers are at risk. In addition, the law provides for the processing of an employee’s personal data without the consent of the person being inspected, if he is a law enforcement officer.

The statement of consent is addressed to the employer represented by the general director. However, the latter has the right to entrust the processing of personal data to other employees of the organization (Part 3 of Article 6 of the Law on Personal Data). Most often these are personnel officers and accountants. Consent can be issued both on paper and electronically. However, in this case it must be signed with an electronic signature (Part 4 of Article 9 of the Law on Personal Data). There is no unified consent form. It can be designed in any form.

The heading must indicate that this is consent to the processing of personal data, and not anything else.

Next, the full name of the person being checked is written in by hand, followed by the series and number of the passport and the issuing authority. After that, the name of the organization to which the person being checked grants permission to perform the check is indicated. The grounds for the check must then be stated.

Be sure to describe in detail exactly what the person is consenting to. The document must end with the signature of the person giving consent.

An employee who has given consent to the processing of his personal data has the right to withdraw such consent at any time (Part 2 of Article 9 of the Law on Personal Data).

If the employee does not agree

If the employee does not agree to the processing of personal data, explain the consequences.

Explain to the employee that without his consent it is impossible to issue a VHI policy, congratulate him on his birthday, give gifts to children on holidays, use his full name when creating an email address, on business cards, or post information on the company portal. As a rule, given such arguments, employees change their position and consent to data processing.

An employer has the right to process an employee’s personal data without his consent, provided that the volume does not exceed that established by law. For example, to fulfill the terms of an employment contract. Without the consent of an employee, it is possible to process his personal data in cases that provide for a collective agreement, local acts of the employer adopted in the manner established by Article 372 of the Labor Code of the Russian Federation.

Dismissal for disclosure

It is possible to terminate an employment relationship with a person due to the disclosure of information, provided that the information came to him while performing his duties at work. This rule is reflected in Article 81 of the Labor Code. Such employees include the management of the organization, representatives of human resources departments, and financial departments. The work of these citizens is directly related to the processing of information about employees. When information comes to a person by chance, dismissal on this basis is considered not to comply with the law.

Storing personal data of employees

Federal Law No. 242 of July 21, 2014 “On amendments to certain legislative acts of the Russian Federation in terms of clarifying the procedure for processing personal data in information and telecommunication networks” provides for storage exclusively on Russian servers. Employees' personal information contained in their personnel files must be retained by the organization for 75 years.


What is personal data?

The concept of a person’s personal data and the basic rules for working with it are set out in the Law of the Russian Federation “On Personal Data” dated July 27, 2006 No. 152-FZ. Any information relating to a specific person is his personal data, and receiving and using it requires the consent of this person.

Most often, personal data is needed by the employer, and the information is usually obtained from the employee at the time of hiring and confirmed by:

  • passport or other identification document;
  • work book;
  • Pension Fund certificate;
  • documents on training;
  • military registration documents;
  • additional certificates certifying any circumstances necessary for employment.

The employer who has received personal information not only collects and processes it within its own division (personnel service), but also transfers it to other divisions (accounting, legal service), as well as to third parties (PFR, Social Insurance Fund, Federal Tax Service, banks, internal affairs bodies, courts).

Obligation of non-disclosure of personal data

Such an obligation must be signed by every employee who has access to the personal data of other employees. The law prohibits such employees from disclosing information that became known to them in connection with the performance of their job duties.

First of all, we are talking about personnel and accounting department employees. If they allowed personal data to be made public, they can be brought to disciplinary liability up to and including dismissal (subparagraph “c”, paragraph 6, part 1, article 81 of the Labor Code of the Russian Federation, paragraph 43 of the resolution of the Plenum of the Supreme Court of the Russian Federation dated March 17, 2004 No. 2).

Workers' rights

Labor law provides that, in order to protect personal information stored in the organization, employees have the right to receive information about its processing. For example, the rules approved by Government Resolution No. 225 oblige the management of an enterprise to familiarize all employees with the entries made in their work books; employees confirm familiarization with their signature and must be aware of all entries made in the work book.

Employees may obtain copies of their data free of charge; exceptions are set out in the current law. The employer cannot refuse to provide such information; otherwise, liability is provided.

Liability is established in the Criminal Code and the Code of Administrative Offenses. Penalties include a fine of 200 to 500 minimum wages, or of the offender's income for a period of two to five months, and deprivation of the right to engage in certain activities or hold certain positions for a period of two to five years.

A person has the right to independently choose a representative who will protect his data. Most often, this function is assigned to trade unions. The citizen may also implement protection independently. If the data is medical, access to it is obtained with the help of a doctor, and the person has the right to choose his own doctor.

Requirements have been established for the removal of information that is untrue or was recorded in violation of the law. The management of the enterprise assists the person in finding incorrectly recorded information in the work book. If the actions of the organization’s management are unlawful, the person defends his rights in court.

Notice of receipt of personal data from a third party

If you receive personal data from a third party, notify the employee in advance (clause 3 of article 86 of the Labor Code of the Russian Federation, clause 1 of part 2 of article 10 of Law No. 152-FZ). In the notice, inform the employee about the purposes, intended sources and methods of obtaining or transmitting personal data. Also indicate the nature of the personal data to be collected.

Definition

The legislator means by this any information that relates to the employee, directly or indirectly, and concerns a specific person. The law does not set out an exhaustive list of what is included in personal data; it states general principles relating to the concept.

Lawyers note that the definition is evaluative. The information is provided at the time the employment agreement is concluded. The employee can sign a consent so that the information is received from a third party. Anonymized information does not fall into this category.

The list of data includes:

  • surname and initials;
  • date of birth;
  • place of registration;
  • family and financial status;
  • education;
  • profession;
  • income level.

Federal Law No. 152-FZ names other data as well, including information about race and nationality; beliefs and health status also fall into this group. The information is recorded in documents such as:

  1. An identity document.
  2. A work book (employment history).
  3. Certificates from previous places of work.
  4. A personal card, etc.

The employer stores the listed acts in copies. The exceptions are questionnaires, employee cards and work books.

Fines for violations will soon increase

So far, fines for violations in the field of personal data protection are not that high. According to Article 13.11 of the Code of Administrative Offenses of the Russian Federation, they range from 5,000 to 10,000 rubles for an organization and from 500 to 1,000 rubles for its leader, if the violation is his fault.

However, it must be borne in mind that this fine may be imposed for each violation committed. So a 10 thousand ruble fine can easily turn into 50 or 100 thousand rubles even within the framework of one inspection. And over the course of a year, these amounts may turn out to be even more impressive. In addition, the State Duma of the Russian Federation has already adopted a bill tightening administrative liability for violations in the processing of personal data.

Under the bill, in cases of processing of personal data not provided for by law, or incompatible with the purposes of collecting such information, the fines will be: from 1,000 to 3,000 rubles for citizens, from 5,000 to 10,000 rubles for officials and from 30,000 to 50,000 rubles for legal entities.

If the “processor” fails to obtain the citizen’s consent to process information about him, the fines will be: from 3,000 to 5,000 rubles for citizens; from 10,000 to 20,000 rubles for officials; from 15,000 to 75,000 rubles for legal entities.

The bill also provides for punishing an operator’s refusal to provide a person with information about the processing of his data. Fines: from 1,000 to 2,000 rubles for citizens; from 4,000 to 6,000 rubles for officials; from 10,000 to 15,000 rubles for individual entrepreneurs; from 20,000 to 40,000 rubles for legal entities.

Appointment of those responsible for organizing data protection

The operator must appoint a person responsible for operations with confidential data.

The responsible person is obliged:

  • monitor compliance with legislation in the field of personal data protection by the operator and employees;
  • inform employees about the rules for processing confidential data;
  • receive and process requests from personal data subjects.

In Russian organizations that operate in EU countries, a data protection officer (DPO) must be appointed.

The responsible person can be an employee (the head of the company, of the legal department or of another department) or a third party (an independent expert or firm).

Does everyone need to register with Roskomnadzor?

One may get the impression that all employers have long been required to run to Roskomnadzor and register as a personal data operator. However, this is not the case. Here are the exceptions:

  • the collection of personal data of a citizen by the operator is carried out in connection with the establishment of labor relations;
  • personal data is collected for the purpose of concluding an agreement, without subsequent transfer and distribution to third parties, it is also provided for the use of personal data only for the execution of an agreement with a citizen;
  • processing of personal data that is in the public domain;
  • collecting the last name, first name and patronymic of citizens without indicating a telephone number or e-mail;
  • personal data is collected for the purpose of allowing a citizen to enter the territory of the operator collecting the data once, or in similar cases;
  • collection, processing and storage of personal data is carried out on paper without the use of automation tools. By the way, you can store your paper archive, including personnel documents and personal data, outside the office. This way you can avoid their loss and unauthorized access to information.

In all other cases, registration is required!


What should you consider when developing a document?

When developing regulations, it is necessary to rely on the following principles established by Federal Law No. 152:

  • the collection of personal data and their subsequent processing can be carried out only for purposes related to the employment of workers, their promotion, the organization of training, ensuring safety, and monitoring the quality of the work they perform;
  • personal data can be received only from the employee himself; if the source of the data is a third party, it is necessary to obtain additional consent for data processing from the employee himself;
  • the employer must independently and at his own expense organize a system for collecting and storing data;
  • all employees must be familiarized with the procedure for processing their personal data against signature.

How to develop and implement a regulation?

Employees of the human resources and legal services, as well as heads of departments whose activities involve working with personal data, should take part in developing the document. Developing the appendices is a separate area of work on the regulation and should be entrusted to lawyers: they will prepare sample documents that take into account all the features of the current legislation.

To approve the finished document, an order is issued and signed by the head of the enterprise. The regulation takes effect from the day the order is signed, unless the order sets another date for the document to enter into force.
