The Law on the Protection of Personal Data refers to information that can be used to identify an individual. It applies to business entities working with these citizens. It is established here that he must protect information systems and have documents that would confirm the compliance of the latter with regulatory requirements.
Reason for adoption
They served as the need to remove trade barriers in the implementation of trade with EU countries. The confidentiality of personal data during the exchange is guaranteed by states that are able to ensure it. A similar law was passed in Norway and France over a century ago. At the end of 2005, the State Duma of Russia ratified the CE Convention "On the Protection of the Person ...", which is associated with the automatic processing of the data in question.
Classification of information storage and processing systems (ISHO)
According to the Law on the Protection of Personal Data, any system that stores and processes such data must have a class that will determine the protection to be implemented. ISHO classified into:
The latter need licensing in order to operate them. An example of such systems are those that store data on the health of a particular citizen, as well as those based on which decisions can be made that have some legal consequences. The class of such systems is determined on the basis of the security threat model of the data type in question according to the regulatory and methodological documents of certain regulators.
Adoption of law
The Federal Law "On Personal Data" dated July 27, 2006 No. 152- was adopted in 2006, and entered into force on January of the following year. Several times were postponed to bring the information systems created in the past to the information considered in the article to the requirements of this law. Ultimately, it was determined that they, created before the beginning of 2011, should have been brought to the legal requirements of this document no later than 1.07.2011.
Changes since the end of 2015
Since September this year, the operator’s duties in collecting personal data have been charged with their processing and storage in relation to Russian citizens using databases located within our country. Later, clarifications were issued by the Ministry of Communications on the controversial interpretations and definitions of this provision.
Changes adopted in 2017
At the beginning of last year, the State Duma adopted a regulatory act on toughening penalties for violating the law "On Personal Data" in the form of an increase in fines. If data is collected in cases not provided for by law or if the processing is carried out for purposes incompatible with the legislative ones, the fine for individuals is 1-3 thousand rubles, for legal entities - 30-50, for their officials - 5-10 thousand rubles.
Before accepting the information in question, it is necessary that the subject of personal data gives consent to the processing of his personal data. If it was not received, then a fine of 3000-5000 rubles is imposed on citizens, 15,000-75,000 rubles on legal entities, while only 10-20 thousand rubles are imposed on their officials.
If the operator, working in municipal or state bodies, does not comply with the requirements for anonymization of data, then the official is punished with a payment in the amount of 10-15 thousand rubles. If he refuses to provide information to a particular citizen about the processing of the information considered by him, a warning is imposed or a fine of 1-2 thousand rubles for individuals, 10-15 for entrepreneurs, 20-40 thousand rubles for legal entities, 4000-6000 rubles . upon imposing a fine on officials. The latter are highlighted separately in this article, since economic entities in most cases try to avoid paying fines by shifting them to mitigate the blow on these individuals.
Principles for the processing of personal data
- The latter should be carried out on a legislative basis using the principle of justice.
- Those data that are subject to processing must be specific.
- They should also be concise.
- If incomplete and inaccurate information is received, the operator must clarify or delete it.
Security Entities
They can be almost any person. In the event that the personnel department inspector or secretary collects information identifying employees, including their full name, phone numbers, addresses, birth dates, this is personal information that should be protected. The value of this information is increasing every day. It can be used to obtain loans, blackmail certain individuals, and other illegal activities.
Personal data account for a large share of all possible sources of information leakage. In connection with this law "On the protection of personal data", the following obligations are assigned to the operator in collecting personal data:
- records;
- accumulation;
- systematization;
- storage;
- extraction;
- clarification (if necessary) of the identifying information in question for individuals who are citizens of the Russian Federation when using databases located in the spaces of our state.
Special categories of data under consideration
There is an Order of the FSTEC, the Federal Security Service and the Ministry of Communications of the Russian Federation from 2008, according to which the investigated information is divided into several categories. The first of these includes special categories of personal data.
These include the provision of the following information:
- about the health of a citizen;
- about his intimate life;
- about national and racial affiliation;
- criminal record;
- political views;
- about philosophical and religious beliefs.
The 86th article of the Labor Code provides special requirements for receiving and processing the information in question regarding the political and other beliefs of the employee, information about his private life, membership in trade unions and public organizations. However, the law under consideration does not imply classifying the last two categories as special.
Responsibility for non-compliance
Business entities working with personal data have risks due to the receipt of civil lawsuits in the courts from subjects of similar information, which is especially true when the latter is leaked. Fines may be imposed on them, uncertified remedies may be confiscated. In addition, they may be prohibited from processing information under investigation.
In Art. CAO 13.11 amended the violation of the law in this area. The consent of the subject to the processing of personal data in some cases should be written. If this condition is violated, then a fine of 3,000-5,000 rubles is imposed on citizens, 15,000-75,000 rubles on legal entities, and 10-20 thousand rubles on their representatives in the form of officials. The same penalty in the form of compulsory payment is applied in the event of a change in the composition of information for the processing of which consent has been obtained from a particular subject.
Protocols on violation of this article of the Code of Administrative Offenses are compiled by Roskomnadzor or its territorial branches. Earlier, when applying to the court, the prosecutor’s bodies were built into the chain, which are currently excluded from the process, which should accelerate its passage. This is a negative point for business entities and positive for the state, since the limitation period for cases related to the protection of the information in question is only 3 months, and when the prosecutor's office was in the chain, many economic entities managed to evade responsibility.
Finally
The law "On the protection of personal data" was adopted by the legislative body in 2006. However, to date, there are no effective and inexpensive ways to protect personal information from leaks and other threats. Most of the business entities engaged in outsourcing in this area are not involved in protection, but in collecting documents to obtain the appropriate licenses. The requirements of this law are designed to remove barriers to international trade with EU countries. The amendments adopted in 2017 indicate that, most likely, it will be used to replenish the budget.