A personal data processing policy is needed not only by the persons who provide personal information, but also by the employees who work with it. All citizens who interact with the company in one way or another can familiarize themselves with the governing document. Processing rules, the extent of liability, rights and obligations, prohibitions and much more are set out in the relevant legal documents.
The most important stage of functioning: regulatory framework
The primary document is the Constitution of the state, which speaks of the need to protect personal and family secrets. This document, which defines the policy for processing personal data, is the most important of its kind, as it formulates the basic principles and foundations for work.
A more detailed basis is provided by the Labor Code, which is of no less significance. A distinctive feature of this act is that it establishes specific legal liability for the disclosure of classified information. The Civil and Tax Codes can be cited in a sample personal data processing policy as clarifying standards.
Decisive in this area are the federal laws, which are not only dedicated to the protection of personal information and personal data, but also relate to electronic signatures, licensed activities, communications and individual insurance. Regulatory documents of this kind make it possible to organize a personal data processing policy properly and to rule out a number of violations in this area.
As a final clause in the legal documents, the names of the local acts issued by the organization are listed. As a rule, such documents on the personal data processing policy define the complaint process in case of violations and the responsibility of employees.
Field of activity
Any constituent act on the personal data processing policy opens with a first chapter titled “scope”, “general provisions” or the like. It explains provisions that may be unclear, and sets out goals, principles and the measures aimed at protecting the data of citizens and workers. This chapter also defines the status of the parties: the company receiving the information is the operator, and the client is the subscriber. The special status of company employees may also be indicated here.
It is worth noting that the personal data processing policy itself is publicly available, whereas the information provided directly by users is classified as secret. As a rule, the policy does not state a term of validity. By an unspoken rule, the document is valid until it is replaced by an updated version.
Many managers use the terms of the legislation to prevent violations; for example, the Law on Personal Data presents the necessary information very clearly.
Closed bases
The next chapter of the personal data processing policy is devoted to the process of obtaining, storing and using information. As a rule, companies define two ways of maintaining documentation:
- using automated computer systems;
- personally, on paper.
You may be surprised, but in the age of advanced technologies many organizations use an exclusively manual method of document management. Such a measure is used to store classified information, since it is much easier to break into a computer system than to get into a strictly guarded institution.
A sample policy for processing personal data may include the following actions: collection or recording of information, systematization, storage and accumulation. As additional actions, the employer may provide for updating information, the procedure for changing it, the process of extraction and, without fail, destruction. A separate chapter focuses on the possibility of depersonalizing and deleting information in order to ensure security.
The personal data processing policy of an educational organization, private company or unitary enterprise should define the circle of entities covered, which includes:
- Persons who have entered into an employment contract and are in social relations of the corresponding kind.
- Candidates for the position.
- Other persons whose data processing is necessary in order to carry out the core business of the company.
A policy for the protection and processing of personal data is necessary to collect and store the following information:
- Full Name.
- Place of birth and actual residence.
- Social and property status.
- Documents: TIN, passport, others.
- Education, marital status, place of work, income.
- Contact information (phone, email).
The receipt of this data already implies the need to ensure complete confidentiality. Moreover, under the law, the list of information obtained about a person can be expanded. In some respects, the provisions of the policy apply to state organizations, where the personal files of employees are classified as “Secret”.
Grounds for Data Elimination
The primary and main condition for the destruction of personal information is the termination of cooperation with the organization. Operators are required to ensure that sensitive information is removed from all archive systems. In addition, the legislative semantic model of the 2017 personal data processing policy indicates additional grounds for liquidation:
- The goal of obtaining data has been reached.
- The maximum monthly storage period has expired (in the absence of cooperation).
- The company is obliged to destroy the person's personal data within 7 days if the citizen or his representative has provided evidence that the information was obtained illegally.
- Lack of legitimate activities to implement a personal data processing policy.
- Revocation of consent to the collection and storage of information by the entity.
- Expiration of the limitation period for labor and civil legal relations.
- Liquidation or reorganization of a legal entity that is engaged in obtaining personal information.
Content of the agreement with employees and customers
Without your consent, no one has the right to demand personal data from you. If you want to cooperate with a particular company, you must give official consent to the provision and processing of data. Contracts and agreements are the most common documents confirming that you have no objections. Of course, the storage and processing of information is carried out in accordance with all the conditions of the contract, which may also include:
- The goals and timing of the implementation of information in the database.
- Obligations of the company, legal status of the client, employee.
- Responsibility of the parties in case of violation of the provisions of the agreement.
At the same time, it is impossible to provide for every real-life situation in regulatory documents. Cases that are not directly regulated by law arise often. Legal advice suggests that the relationship can continue once the person gives a second consent, which is also executed in writing.
The 2017 personal data processing policy implies the need to record the registration data by which the company can be identified. Such a provision is mandatory in order to ensure the safety and security of citizens who provide personal information. Each subject of the relationship is assigned a registration number, which gives access to the specific information.
Information Security Measures
Any example of a personal data processing policy contains a section regarding information security. The operator, represented by the head and officer, takes all necessary measures to create a reliable information security barrier. Such measures also include:
- the appointment of employees who are responsible for the proper technical support;
- a mandatory clause in contracts or agreements on ensuring data confidentiality;
- issuing detailed regulations at the local level;
- organization of access control, installation of security systems, physical protection of premises;
- restriction of access to confidential information;
- forecasting potential security threats;
- the active use of information security tools, including anti-spyware, stubs, and so on;
- the use of backup drives with a high level of security;
- providing backup in case of code breaking;
- organization and conduct of regular internal control.
Legal status of employees and customers
The personal data processing policy of a preschool educational institution, municipal educational institution or other public or private organization must include, in one of its sections, a chapter on the rights of residents. This status belongs to persons who provide personal data for use.
The priority right of the client is the ability to withdraw consent to the processing of information. A person can contact a representative or manager either in writing (by email) or in person. Residents can also get advice on:
- Confirmation of the legal fact of the transfer of information.
- Legal grounds.
- The goals and activities that gave rise to the need to provide information.
- Details and addresses of the legal entity in whose information system the information was received.
- Terms of processing, storage, destruction.
- The procedure for the exercise of their rights.
- Information about the possibility or impossibility of transmission.
- Fulfillment of the clauses of a contract or agreement.
Clarification of subject authority
The operator's personal data processing policy may provide legal clarification of questions that residents are likely to raise. In exercising their legal status, the subject of the legal relationship may demand that their data be destroyed or blocked if it has lost its relevance, is outdated or has changed. In addition, the illegality of the way the information was received is an important reason for making a request for the seizure of information. In this case, the victim may use all legal means to protect their rights.
Situations often arise in which companies collect personal data without good reason. That is, the actions are legally carried out correctly, but are not necessary to achieve the goal of the activity. In this case, persons who have mistakenly provided personal information must contact the law enforcement authorities, the prosecutor's office, the Federal Service for Supervision of the relevant area or the court. When administrative or criminal proceedings are initiated, the subject has the right to reimbursement and to compensation for non-pecuniary damage.
Organizational Aspects
The policy for processing personal data is identical whether the organization is educational, private, municipal, state or otherwise, but some differences in organizational form are still present.
Management activities are based on general and special documents. For example, in preschool and school institutions, in addition to the Federal Law "On Personal Data", the regulatory legal act "On Education" plays a significant role. Control over the proper performance of duties relating to the legitimate receipt and processing of information lies with both the head of the unit and the supervisory authorities.
An important role in the field of confidentiality is played by the information security department, which is created primarily in government bodies.
In the case of unlawful use of the provided data for personal purposes, responsibility lies with both the employee and the head of the unit who failed to exercise proper control. As practice shows, the directly guilty persons are subject not only to disciplinary liability (dismissal), but also to administrative liability. As additional measures, persons who directly process personal information are subject to material and civil liability.
Equally important is the person responsible for developing the policy. Complete and reliable material, literate language and an accessible level of presentation of the legal content make for an understandable regulatory document. Once the policy has been drawn up, it is approved and put into effect by the head of the branch, organization or other unit.
As a final clause, the document gives the contact details through which customers, employees and other residents can report violations committed by operators. Updating the policy annually in line with legislative changes and with the objectives of the legal organization keeps the document relevant.
The need for the publication of the Policy
Managers act in accordance with this document in order to organize compliance with legal standards by all operators. The need to interact with confidential information entails an increased risk of liability. Admittedly, conducting regular consultations with employees is a very laborious process that requires not only physical and mental effort but also time. Having a regulatory document allows you to streamline your activities within the framework of mandatory requirements.
Residents who have no experience in legal matters can also gain a general idea of how personal data is processed. That is why it is important to draw up the policy in simple and understandable language. Thus, the document makes it possible to optimize the work of staff and to dot all the i's for the data subjects.