What should be the policy regarding the processing of personal data in accordance with the law?

On 1.07.2017, amendments to the Code of Administrative Offenses and Federal Law No. 152 came into force. In accordance with them, all organizations, institutions, enterprises need to develop and approve a special document - the Policy regarding the processing of personal data .

Relevance of the issue

New requirements of the law are aimed at protecting citizens from unauthorized access and illegal use of their personal information. The legislator paid special attention to socially significant objects: preschool educational institutions and schools.

The policy regarding the processing of personal data allows the implementation of the principles of legality, confidentiality and security of information.

The legislation provides for periodic inspections of subjects for compliance with the actual level of protection with established requirements. Monitoring is carried out by territorial divisions of Roskomnadzor.

A policy regarding the processing of personal data is a document consisting of several sections. They provide information about the entity that collects and processes the data, and about third parties involved in this process, measures to protect information, links to regulatory documents, and the rights of personal data carriers. The following will describe a sample policy for the processing of personal data .

Title page

At the top right should be the stamp of approval. It contains: the name of the position, full name of the head and his signature, as well as the seal of the organization.

In the center, with a slight indent from the neck, the name of the document is indicated. For example, it could be like this:

"The policy of LLC __" in relation to the processing of personal data and information on measures taken to protect them. "

As a rule, the text of the document begins with the title page.

The General Provisions of the Policy regarding the processing of personal data provides information about the document itself. Its key tasks are:

1. Disclosure of the main categories of personal information, goals, methods, principles of their processing, obligations and rights of the enterprise in the process of using data.
2. Protecting the confidentiality of personal information.

The sample Policy regarding the processing of personal data also contains an indication of the general availability of the document.

Organization Details

As an entity that collects and processes personal information, any enterprise, organization, including providing operator services, can act . The policy regarding the processing of personal data contains information on:

1. The name of the subject. It is given in full and abbreviated form.
2. INN
3. Actual address.
4. Phone, fax.

The Operator’s Policy regarding the processing of personal data also includes information on the number, date and reason for entering them into a single register.

Regulatory framework

This section of the Organization’s Policy regarding the processing of personal data provides guidance on the legal documents that guide the company when working with personal information. The main regulatory acts include:

• Constitution of the Russian Federation.
• Labor Code of the Russian Federation.
• Civil Code of the Russian Federation.
• Federal Law No. 160.
• Federal Law No. 152.
• Federal Law No. 210.
• Federal Law No. 326.
• Federal Law No. 149.

In order to implement the Policy regarding the processing of personal data, the company adopts a number of local acts. Among them are the Lists:

• Personal information being processed.
• Information systems used when working with information.
• Employees with access to personal data.

In addition, the following are approved:

• Rules for processing information.
• Classification acts of information systems.
• Models of possible threats to the security of personal data during their processing.

Information Objectives

The Policy regarding the processing of personal data must contain a closed list of tasks implemented by the organization. Information processing should be carried out for:

1. Ensuring the implementation of the state policy on social support and social services for citizens, including those belonging to the category of those in special need. Among them: the poor, pensioners, people with disabilities of any group, large families, minors, etc.
2. Registration of employment contracts, civil law agreements, contracts with contractors and the fulfillment of their conditions.
3. Organization access control.

Information Categories

The policy regarding the processing of personal data provides for the work with personal information:

• employees
• recipients of services, their relatives, representatives.

The sources of this information are its carriers themselves.

Information Principles

According to the Policy regarding the processing of personal data , the entity working with information is required to comply with the provisions of Article 5 of the Federal Law No. 152.

If the organization does not work with biometric data, this should be indicated in the Policy. Biometric information characterizes the biological and physiological characteristics of a person, according to which his personality is established.

Other fundamental principles for working with personal information include:

1. Non-use of special categories of information related to national / racial affiliation, religious, political views, philosophical beliefs, intimate life, health status.
2. Exclusion of cross-border transmission of information (to another state, to a foreign citizen or legal entity).
3. The transfer of information to third parties is carried out exclusively with the consent of the carrier on the basis of an agreement.
4. Formation of publicly available sources of personal data (directories, address books) communicated by a citizen. Information, in accordance with the Privacy Policy regarding the processing of personal data , is included in them only with his consent.

Third parties involved in working with personal data

To implement the requirements of the law, to achieve the goals of working with personal information, in the interests and with the consent of the media, information is transmitted:

• FTS.
• FIU.
• The subjects of the system of electronic interagency interaction.
• Branches of private pension funds.

Security measures

This section of the Policy regarding the processing of personal data is considered one of the most significant.

An entity working with personal information of citizens is required to take all legal, technical and organizational measures to prevent accidental or unlawful access, alteration, destruction, copying, blocking, distribution and other illegal actions with it.

The organization should appoint employees responsible for organizing the work with information.

The internal control / audit of compliance of the processing of information with the requirements of the Federal Law No. 152, as well as the regulatory documents adopted on its basis, including local acts, is mandatory. All employees working with personal information of citizens should be familiar with their provisions.

Before the commissioning of the information system, an assessment of the effectiveness of measures taken to ensure the protection of information should be carried out.

Facts of unauthorized access to personal data should be detected promptly. If they are detected, the organization is obliged to take measures to restore the changed or destroyed information.

Access to personal data should be carried out in accordance with legislation and other acts , including local ones. The organization must ensure registration and accounting of actions performed with personal information of citizens. A mandatory legal requirement is to establish control over measures taken to protect data and information systems.

Job descriptions define the responsibilities of employees working with personal information.

Rights of personal data carriers

Citizens have the right to receive information about the processing of their personal information. A storage medium may require clarification, destruction or blocking, if they:

• outdated
• are incomplete / inaccurate;
• obtained in a wrong way;
• are not necessary for the stated processing purposes.

The information carrier has the right to take measures to protect its interests within the framework of the current legislation.

Restriction of rights

It is allowed only in cases provided by law. The rights of citizens to access their personal data are limited if:

• The processing of information, including that obtained during operational investigative, intelligence or counterintelligence activities, is carried out to ensure security, state defense and order.
• The bodies that detained persons suspected / accused of crimes and applied preventive measures to the subjects work with personal information. The exception is the cases enshrined in the CPC.
• Data processing is aimed at countering the laundering (legalization) of illegally obtained income, as well as at suppressing the financing of terrorism.
• Work with information is carried out to ensure the safe functioning of the transport infrastructure, protect the rights and interests of the individual, state and society in the transport sector.

Important points

The Policy on the processing of personal information should fix the measures that a citizen can take to protect his rights. In particular, the entity may apply directly to persons working with his personal data.

The organization should consider any complaints and appeals, carefully study them. If necessary, an internal investigation of violations is conducted. The organization is obliged to take all measures to immediately eliminate identified violations, punish those responsible and resolve conflicts in pre-trial procedure.

The carrier of personal information may challenge the actions / inaction of the organization, its employees by contacting the body authorized to exercise the functions of protecting the rights of subjects of personal information. He may also demand compensation for moral or material damage in a judicial proceeding.

Contact Details

The Policy should contain information about the persons responsible for organizing work with personal information. It may be the head of the department for the reception of citizens, organizational and technical work and social support. His F.I.O., position, phone number must be indicated. At the discretion of the organization’s management, the contact information may contain an email address. mail.

In addition, information on the supervisory authority should be indicated in this section of the Policy:

1. Mailing address.
2. Name.
3. Official site.
4. Email Address mail.
5. Phone numbers.

Final provisions

This section provides information about the developers of the Policy and the person who controls its implementation in the organization. The first is usually the legal department of the company. Monitoring the implementation of the provisions is assigned to the head of the organization or his deputy. F. I. O. and the position of the responsible person must be indicated in the document.

Approval Order

The developed draft Policy is submitted to the head for approval. Approval of the document is carried out by order of the director. This act is drawn up according to the standard model adopted in accordance with the nomenclature of cases, on the basis of the Instructions for record keeping.

The Order contains the following information:

1. Name of company.
2. Document's name.
3. Date of compilation, number.
4. Preamble.
5. Text.
6. Effective Date
7. F. I. O. Head of the enterprise, signature.
8. Signatures of persons familiar with the order.

The preamble, as a rule, usually looks as follows:

"In accordance with clause 2 of Article 18.1 of the Federal Law No. 152" On Personal Data ", Government Decision No. 211 of 03/21/2012, normative acts adopted on their basis, I order ..."

The content of the text may be as follows:

"Approve the Policy" ___ "regarding the processing of personal data."

Operators must post the approved document on the region’s official website in the "Register of Social Service Providers" section. In this regard, the order indicates the following:

“To the head of the department for work with citizens (F. I. O.), within 10 days from the date of approval, publish the Policy on the official website (name of the region) in the section“ Register of social services providers ”.

Additionally

If an organization has previously approved a policy, it should be reviewed and amended if necessary. The revised document must be approved again. At the same time, the order on the basis of which the Policy in force before the changes was adopted must be canceled. An order is issued for this. In it, you can simultaneously cancel the previously existing order and approve the adjusted policy.

Conclusion

Recently, the issue of ensuring the protection of personal information has been given increased attention. This is due to the rapid development of computer technology, the emergence of new opportunities for dishonest users. Each organization working with personal data must guarantee its security to the media.

The provisions of the Policy should be brought to the attention of all employees. The requirements stipulated by the document are binding on all departments of companies, institutions, enterprises and other persons involved in working with personal information of citizens. Violation of regulations entails liability in accordance with applicable law.