In the modern world, when signing service or interaction agreements, they often come across such a concept as “personal data”. What do they mean by them? What data is personal and should not be made public? How are they protected from unauthorized persons?
Development issue
Initially, in 1976, the Committee of Ministers of the Council of Europe spoke about personal data and its security. Then he decided to develop an appropriate convention. In 1981, it was entitled “On the protection of individuals in the processing of personal data carried out at the international level” was open for signature. The Russian Federation acceded to this convention and ratified it only at the beginning of the zero years. After that, the process of forming the necessary regulatory framework on the use and protection of personal data was launched. The base for it was adopted by the State Duma in 2006. So, what about the personal data of an individual?
About legislation
Before considering what relates to the personal data of an individual, let's pay attention to the legal basis of this aspect of interactions. As the basic law, No. 152-ФЗ adopted in 2006 is used. It regulates all issues related to the receipt, use, transfer, as well as other actions that may be carried out with personal data. Their protection was also considered there. What is meant by personal data? This means any information related to a specific individual, and also helps to directly or indirectly establish his identity. The most common are the last name, first name, patronymic, date of birth, address of registration (and place of residence, if they differ), marital, social, property status and the like. If you are interested in a complete list of what relates to the personal data of an individual, then you must contact the law directly. Due to its large size (enough for a book), the article will list only the most important and frequently encountered points.
Division into categories
Depending on the degree of informational content, there are:
- First view. This personal data includes information about health, intimate life, philosophical beliefs.
- Second view. This is information by which a person can be identified and further information about him can be obtained. As an example, you can give the full name, address of residence, information about wages.
- Third view. This is information that only allows you to identify the subject. For example - first name, last name, date of birth.
- Fourth view. This is public and anonymous personal data. An example for the first case is the declaration of income of government officials. Anonymized information is one by which a specific person cannot be identified.
This is what relates to the personal data of an individual.
The need to keep track of innovations
The legislation is so arranged that it acts when a person knows about it. This applies solely to the protection of one’s rights. Some categories of people should constantly monitor their personal data, because what yesterday was quite normal and permissible already today is beyond the scope of the law. An example is the situation with the business.So, if the company has at least one employee or client who is an individual, then the law imposes serious obligations. So, it is necessary that in the processing of information confidentiality is respected. The employee’s personal data should not fall into the hands of third parties or organizations. In order to identify a person, it is enough to know his full name and any other personal information, such as address of residence, date of birth, phone number. Therefore, so that the employee’s personal data does not fall into the wrong hands and fines and other things follow, security should be thoroughly addressed.
How to be
So, you need to think over who can have access and to what extent. For example, a phone number and date of birth is a combination that is not recognized by personal data. Why? Yes, if only because identifying them as a specific person is not possible. Of course, if it is necessary for certain reasons to gain access, then special authorities can ignore the law “On the protection of personal data”, get a phone, take the data on the transfer from the operator and find out where some person was. But this is an unlikely scenario that occurs as an exception. And so, of course, the phone refers to the personal data of an individual, only if something significant is known about the person, the same
About data operators
In almost any organization, personal information is accumulated, stored and used in a certain way. Therefore, they want it or not, but from the point of view of the law, they are operators of personal data. What should be done in this case? Do you need personal data protection? How to comply with the requirements of the law? And you need:
- Get consent from the individual to the processing of personal data.
- Provide security when working with personal information.
- Establish liability for violation of the law.
In this case, it is necessary to take care of the personal data bases and the people who have access to them. Let's take a closer look at each item.
Consent
It must be remembered that the subject of personal data is an individual. And without his permission (or from the court at certain points) they should not fall into the hands of third parties, even if it is an ordinary staff member of the enterprise. Any operations with information are allowed only with the consent. Especially a lot of problems in this regard arose with recruitment agencies. After all, they are now formally forbidden to use accessible open databases, which can be found on the World Wide Web, because they did not receive consent from the potential employee to use their information. Although, formally, you do not need to receive written consent for processing. But there is a likelihood of a legal dispute, so it is highly desirable that this fact be in physical form in the form of paper.
Processing safety
The legislation provides that any personal data operator is required to take the necessary technical and organizational measures that will protect information from accidental or unlawful access to it by unauthorized persons. Particular attention is paid to the fact that they can be changed, destroyed, blocked, copied, distributed, or other illegal actions will be committed with them. This is stated in the first paragraph of article nineteen of the basic law. It is quite difficult to organize from a financial and organizational point of view. So, the structure should provide protection based on the identified threats, and also depending on the class of the information system where the data is stored. It is also necessary to develop work regulations and provisions to protect processing. In addition to the documentation work, it is necessary to work on improving the qualifications of employees who deal with data.We should not forget about the requirements for engineering and technical safety of the premises where information will be stored. In general, it must be recognized that this system is extremely cumbersome and very complicated. There are even complaints that some requirements are not even needed by the state.
What are you complaining about?
As a first example, we can recall the requirement to notify the authorized body in writing about the desire to process personal information. However, liability for violations is not established by law. You can also recall the requirement according to which each business entity that meets the conditions of the personal data operator was entered into the corresponding register. And this, as already noted above, almost every organization. There are doubts even that such a cumbersome norm will work in full even at large state enterprises. But the subjects of economic activity not only pay taxes and meet with administrative barriers, but are also obliged to pay for the implementation of this system at home. Which, of course, does not detract from the fact that personal data must be protected. But excesses must be avoided.
About liability
The right to control the implementation of the law belongs to Roskomnadzor. The same service is engaged in checks in this area. What awaits violators? The legislation provides for disciplinary, administrative, civil and criminal liability. In fact, there is only one practice. This is an administrative responsibility. Thus, the law provides that the official who committed the violation may receive either a warning or a fine of up to a thousand rubles. There is more demand from organizations - amounts from 5,000 to 10,000 are provided for them. The complexity of organizing data storage and at the same time a minor responsibility will probably lead to a known situation - the severity of laws is compensated by the non-enforcement. And this is a very bad state of affairs that needs to be fixed.
Conclusion
So it was examined what information relates to personal data, how it is protected and what is the responsibility for violations. Of course, this is an extremely important issue. But, alas, as often happens, the implementation is unsatisfactory. Legislation and requirements must be substantially modified. Of course, if we are talking about a bank, then it is necessary to ensure a high level of security. But if we talk about an enterprise that manufactures furniture, is this necessary here? A protected building or part of it, access for exclusively responsible employees? No, in this case, there is more than enough personnel officer, a safe with personal data (if he works in a common room with other people), a developed scheme of relationships and information transfer, as well as a certain level of access. That is why it is necessary to finalize existing legislation. Although, of course, it’s already good that the work is ongoing - you just need to direct the energy in the right direction. Well, let's hope that over time this process will become more perfect.