Personal data security levels: requirements and features

Personal data is information whose disclosure may harm the person it concerns. In addition, disclosing such data, whether intentionally or accidentally, entails a certain measure of liability for the person who disclosed it.

Therefore personal data needs a certain kind of protection. Which one? That is determined by the personal data security level. In this article we look at what these levels are, which classifications they rest on, and what the most important requirements for each level are.

Legislative regulation

Personal data security levels were established by Government Decree No. 1119 (2012). They replaced the former classes of personal data information systems.

Thus, four levels of personal data security were introduced for processing in information systems. The decree also established the requirements for each of them.

On what basis is an information system assigned to a particular security level? First of all, one must consider the type of personal data the system processes, the type of actual threats, and the number of personal data subjects whose data is processed in the system. It also matters which category of subjects the personal data belongs to.

Levels

How to deal with the levels of personal data security? Refer to paragraph 5 of Decree No. 1119, which distinguishes four categories:

  • Level 1 of personal data security. These are special ISPDn (the abbreviation stands for personal data information systems). What is processed here? Information on a person's national or racial affiliation, political views, philosophical convictions, religious views, state of health, and intimate life.
  • Level 2 of personal data security. These are biometric ISPDn. Such systems process information characterizing the biological and physiological characteristics of a citizen, from which that person's identity can be established, and the operator uses it to identify a particular personal data subject. Data belonging to the special category (i.e., to the first level of security) must not be processed in such systems.
  • Level 3 of personal data security. These are publicly available ISPDn. What does this mean? The system processes only personal data obtained from publicly available sources, which must be created in strict accordance with Art. 8 of the Federal Law "On Personal Data".
  • Level 4 of personal data security. These are other ISPDn, i.e. information systems not covered by the previous three levels.

Form of relationship

Again, to determine the personal data security level, refer to the classification presented above.

In addition, the processing of personal data also differs in the form of relationship between the organization using the ISPDn and the personal data subject. There are two types of such relationships:

  • Processing of personal data of employees (subjects linked to the organization by employment or official relations).
  • Processing of personal data of persons who are not employees of the organization.

Number of subjects

The personal data security level is determined on the basis of the first classification given in this article. In addition, Government Decree No. 1119 distinguishes two categories of ISPDn by the number of subjects whose personal data is processed in the system.

There are only two groups here:

  • Fewer than 100 thousand subjects.
  • Over 100 thousand subjects.

Classification by type of actual threats

Only four levels of security of personal data information systems are distinguished. In addition, Decree No. 1119 divides ISPDn by the type of actual threats that may arise when processing subjects' personal data:

  • The first type of threat. Threats related to the presence of undocumented (undeclared) capabilities in the system software used in the information system.
  • The second type of threat. Threats related to the presence of undeclared capabilities in the application software used in the ISPDn.
  • The third type of threat. Threats not related to the presence of undocumented capabilities in the software used in the ISPDn.

Classification Application Issues

We have looked at the act of determining the personal data security level. But this document leaves many issues unresolved. Its most glaring gaps are:

  • The document does not regulate how the type of actual threats is established. Nor do the requirements of Decree No. 1119 offer any methods or techniques for neutralizing them.
  • Previously, operators could choose to classify an ISPDn as special or typical based on the threat model description. Today, this option no longer exists.
  • Since the security level is now determined by the relevance of existing threats, a system operator cannot always carry out this procedure alone and will need help from a consultant, a higher authority, and so on.

How many levels of personal data protection are there in Russia today? Four. Given all the difficulties indicated, in practice operators tend to follow the path of least resistance: they assign the 3rd threat type to any threat, since it does not require studying the undeclared capabilities of the system and application software used in the information system.

Mandatory Requirements

We have examined how to determine the personal data security level. Each level must meet the requirements set out for it in Government Decree No. 1119. We list them:

  • Establishing a security regime for the premises housing the information system that prevents uncontrolled presence in, or entry into, these premises by persons without the right of access. Mandatory for all levels.
  • Ensuring the safekeeping of personal data carriers. Mandatory for all levels.
  • Approval by the operator's management of a document defining the list of persons who need access to the personal data processed in the information system to perform their work or official duties. Mandatory for all levels.
  • Use of information protection tools and methods that have passed conformity assessment against the requirements of Russian legislation on personal data security, where such tools are needed to neutralize actual threats. Mandatory for all levels.
  • Appointment of an official responsible for ensuring the security of personal data in the ISPDn. Mandatory for levels 1, 2 and 3.
  • Restricting access to the contents of the electronic message log. Mandatory for levels 1 and 2.
  • Automatic recording in the electronic security log of changes to the access rights of the operator's employees to the personal data held in the system. Mandatory for level 1.
  • Creation of a dedicated structural unit responsible for ensuring personal data security in the information system, or assignment of these functions to one of the organization's existing departments. Mandatory for level 1.

Protecting Typical Systems

Take the most common example: medical organizations. Most of them run typical ISPDn, used in particular for personnel records and payroll.

The personal data subjects here are the employees of medical institutions. The purpose of processing is to comply with labour legislation and other legal relations with each employee.

Accordingly, neither special nor biometric personal data is processed in such information systems. This means the security level here is determined only by the type of actual security threats identified for the information system.

In most cases, threats related to the presence of undeclared (undocumented) capabilities in system and application software are not relevant for such systems. It follows that the operator needs to provide only the fourth level of personal data security, i.e. implement the minimum set of technical and organizational measures.

Federal Information Systems

Now let us turn to a larger example from the same Russian medical field: the FRMR (Federal Register of Health Workers), a system whose purpose is to collect, store and process records of medical personnel in the constituent entities of the Russian Federation. The Federal Register is also used to track the placement and transfer of paramedical staff.

Similarities and differences

But, as in the less complex information system described above, no special or biometric personal data is processed here. Accordingly, the FRMR and the information systems of ordinary medical organizations have similar characteristics in this respect, and the Federal Register must provide the same level of security: the fourth.

Although the categories of subjects and the processed data in the two systems are almost the same, experts do not recommend merging them into one. Why? Because they serve different purposes: the first system is created to meet the requirements of the Labour Code, the second to meet the requirements of the Ministry of Health.

Tasks of medical ISPDn

Such ISPDn are designed to solve a number of tasks:

  • Running an electronic registry and maintaining electronic outpatient records.
  • Digital processing of medical research data.
  • Collection and storage of patient-monitoring readings taken from medical devices.
  • Serving as one of the means of communication between medical professionals.
  • Analysis of both financial and administrative information.

Of course, for these tasks to be carried out successfully, the security of the ISPDn must be properly organized.

Important factors

Thus, to maintain an appropriate security level for a medical ISPDn, the system operator needs to pay attention to two important factors:

  1. The information system may process special personal data: diagnoses, current health status, medical device readings, etc.
  2. The subjects of the ISPDn may be not only employees of the medical institution but also its patients.

If the number of subjects of such an information system is large and a certain type of actual threat is identified, then the 1st or 2nd level of personal data security must be chosen.

We have looked at the personal data security levels and their key characteristics, and examined with examples how to choose the right level and which legislative acts to rely on.

Source: https://habr.com/ru/post/B18295/