The concept and types of personal data. Is it legal to create public databases of personal data? Publicly available personal data what relates to them

08.01.2021

Advice

At the very end of 2015, the author of this article took part in the discussion of an interesting topic, which was devoted to the need to create a unified public database of unscrupulous job seekers. Our company decided to investigate this issue.

The reasoning behind the need to create such databases is simple - there are many inadequate applicants who do not come for interviews, lie in their resume, etc., so why not take care of creating a database of such comrades for the general benefit of all HR.

No not like this. The potential benefits can easily be offset by the negative that will inevitably arise from the misuse of data from the database, unreasonable inclusion / exclusion of people in such databases, and of issues of reputation, honor and dignity of people included in the database.

Since 2006, the federal law "On Personal Data" has been in effect in Russia, which unambiguously defines the conditions under which such databases can exist. So:

2. Article 6 of the Federal Law "On Personal Data" determines that "the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data."

3. Article 7 of the federal law "On personal data" determines that "Operators and other persons who have gained access to personal data are obliged not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law."

4. Article 8 of the Federal Law “On Personal Data” determines that: “1. For the purpose of information support, publicly available sources of personal data (including directories, address books) may be created. With the written consent of the subject of personal data, publicly available sources of personal data may include his last name, first name, patronymic, year and place of birth, address, subscriber number, information about the profession and other personal data reported by the subject of personal data. 2. Information about the subject of personal data must at any time be excluded from publicly available sources of personal data at the request of the subject of personal data or by decision of a court or other authorized state bodies. "

5. Finally, article 13.11. Of the Code of Administrative Offenses of the Russian Federation, determines that “Violation of the procedure for collecting, storing, using or disseminating information about citizens (personal data) established by law - entails a warning or the imposition of an administrative fine on citizens in the amount of three hundred to five hundred rubles; for officials - from five hundred to one thousand rubles; for legal entities - from five thousand to ten thousand rubles. "

In other words and shorter:

1. Any data relating to an individual (including just a phone number) is personal.

2. It is necessary to obtain consent for the processing of personal data, which can be withdrawn at any time.

3. If someone has legal access to personal data, then it is prohibited to disclose it to anyone or share with someone without the consent of the subject of personal data, unless otherwise provided by applicable law.

5. For violation of the established procedure for collecting and storing personal data, liability is provided.

Conclusion

The conclusion is very simple and straightforward - the creation of a single public database of negligent job seekers is possible only with the written consent of these most negligent workers, which, naturally, nullifies the likelihood of the legal creation of such a base. For those who nevertheless decide to create such bases and share them with their comrades, our company recommends that they familiarize themselves with the punishments in force at the moment.

Commentary on the Federal Law of July 27, 2006 N 152-FZ "On personal data" Petrov Mikhail Igorevich

Article 8. Publicly available sources of personal data

Public sources of personal data

Commentary on Article 8

1. Within the meaning of the commented Law, sources of personal data are recognized as publicly available, access to which is not limited and does not require the prior consent of the subjects of personal data. Publicly available sources of personal data can be used by any person at their discretion, subject to the restrictions established by federal laws with respect to the dissemination of such information.

The creation of publicly available sources of personal data is due to the need for information support. An analysis of the current legislation allows us to note that the number of publicly available sources of personal data currently includes: reference books, address books, encyclopedias, documents accumulated in open collections of libraries and archives, information systems of state authorities, local governments, public associations, organizations, of public interest or necessary for the realization of the rights, freedoms and duties of citizens. At the same time, modern science and practice have not yet been able to develop effective criteria with the help of which it would be possible to clearly distinguish between public and confidential segments of information.

The creation of publicly available sources of personal data, which must include the last name, first name, patronymic, year and place of birth, address, subscriber number, information about the profession and other personal data provided by the subject of personal data, is carried out with the obligatory consent of the latter. In addition, the subject of personal data has the right to require persons disseminating such information to indicate themselves as a source of such information.

The use of personal data from publicly available sources implies, in turn, the exclusion of the possibility of making a profit.

In the case of processing publicly available personal data, the operator is responsible for proving that the processed personal data is publicly available.

2. In order to protect the rights and legitimate interests of the subject of personal data, the legislator provides for the possibility of revoking personal data used in publicly available sources. Their exclusion can be carried out both at the request of the subject of personal data himself, and by a court decision or by a specially authorized state body.

Article 74-1. Processing of personal data in violation of the legislation on the protection of personal data (1) Failure to comply with the requirements for ensuring the security of personal data when processing them in personal data information systems shall result in a fine

Article 85. The concept of employee personal data. Processing of personal data of an employee Personal data of an employee is information required by an employer in connection with labor relations and concerning a specific employee.

Article 88. Transfer of personal data of an employee When transferring personal data of an employee, the employer must comply with the following requirements: do not disclose the personal data of an employee to a third party without the written consent of the employee, except in cases where

Article 5. Principles of personal data processing Commentary to article 51. With the commented article, the legislator establishes the fundamental principles in working with personal data, the collection and processing of which is carried out on legal grounds. The last

Article 6. Conditions for the processing of personal data Commentary on article 61. Compliance with the principles of processing personal data presented in the previous article is not the only condition that guarantees the protection of the rights and legitimate interests of citizens whose

Article 7. Confidentiality of personal data Commentary to article 71. Ensuring the confidentiality of personal data in the process of their processing, along with the established principles of working with them and obtaining consent to processing is a prerequisite,

Article 9. Consent of the subject of personal data to the processing of his personal data Commentary to article 91. The commented article defines the procedure, conditions and grounds for obtaining the consent of the subject of personal data to their processing. The legislator emphasizes that

Article 10. Special categories of personal data Commentary on article 101. The commented article identifies special categories of personal data and establishes a general prohibition on their processing. A special category of personal data includes information that discloses

Article 12. Cross-border transfer of personal data Commentary to article 121. The draft law defines the principles of cross-border transfer of personal data. These principles are harmonized with the main international legal acts in the field of personal data, which

Article 15. Rights of subjects of personal data when processing their personal data for the purpose of promoting goods, works, services on the market, as well as for the purpose of political campaigning Commentary to article 151. The commented article by its content appeals to the provisions of article 150 of the Civil Code

Article 16. Rights of subjects of personal data when making decisions on the basis of exclusively automated processing of their personal data Commentary to Article 161. The commented article defines the rights of subjects of personal data in relation to making

Article 20. Obligations of the operator when contacting or receiving a request from the subject of personal data or his legal representative, as well as the authorized body for the protection of the rights of subjects of personal data Commentary to Article 201. The norms of the commented article in

Article 21. Obligations of the operator to eliminate violations of the law committed during the processing of personal data, as well as to clarify, block and destroy personal data Commentary to Article 211. The provisions of the commented article determine the procedure

Article 22. Notification of the processing of personal data Commentary to Article 221. The procedure for notification of the processing of personal data within the meaning of the commented Law is one of the guarantees of compliance with the rights and legitimate interests of subjects of personal data in

Is it legal to create public databases of personal data?

At the very end of 2015, I took part in the discussion of an interesting article in LiveJournal, which was devoted to the need to create a unified public database of unscrupulous job seekers.

I must say that the idea is not new and, for sure, a number of companies have internal databases of applicants. With the help of such databases, personnel officers filter out unsuitable candidates with the most minimal investment of time. If we theoretically assume that such a base can appear at the disposal of all HRs in the country, then how much better it would be for everyone. Well, right? Thank God no, not like that. As the commentators of this article correctly noted, the potential benefits can easily be overridden by the negative that will inevitably arise from the misuse of data from the database, the unreasonable inclusion / exclusion of people in such databases, and of issues of reputation, honor and dignity of people included in the database.

Fortunately, since 2006, the federal law "On Personal Data" has been in effect in Russia, which unambiguously defines the conditions under which such databases can exist:

In other words and shorter:

1. Any data relating to an individual (including just a phone number) is personal.

2. It is necessary to obtain consent for the processing of personal data, which can be withdrawn at any time.

4. A written consent form is provided especially for those wishing to create publicly available sources of personal data.

5. For violation of the established procedure for collecting and storing personal data, liability is provided.

"Person" - data that relate to a person, personality, biological organism.

What is, how to collect, where to store, how to protect?

Is a fingerprint card personal data or not?

There is no personal information in it.

personal data - any information relating to a specific or determined on the basis of such information an individual (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status , education, profession, income, other information;

Address is registration at the place of residence or place of stay.

Conditional classification of personal data.

1) by the degree of openness:

publicly available personal data - personal data, access to an unlimited number of persons to which is provided with the consent of the subject of personal data or to which, in accordance with federal laws, the requirement of confidentiality does not apply.

Publicly available personal data is data for which voluntary consent is given and posted in the public domain.

Often, some site owners ask for registration information that they don't want to provide.

Confidential information - information is provided strictly for specific purposes. Sometimes it can be collected without the knowledge of the person.

The Ministry of Internal Affairs stores information in information centers

2) by accessory

- personal - belong from birth

- service - in the course of work, service - class rank, etc.

3) by the method of providing

- voluntarily provided information

- provided in a general manner in accordance with the law (compulsory)

- collected without the consent of the citizen in accordance with the law

4) data by nature

- biometric (fingerprint information)

Basic concepts used when working with personal data.

- processing of personal data- actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (update, change), use, distribution (including transfer), depersonalization, blocking, destruction of personal data;

- dissemination of personal data - actions aimed at transferring personal data to a certain circle of persons (transfer of personal data) or at acquaintance with the personal data of an unlimited number of persons, including the disclosure of personal data in the media, posting in information and telecommunication networks or providing access to personal data which - in any other way;

- use of personal data - actions (operations) with personal data performed by the operator in order to make decisions or perform other actions that generate legal consequences in relation to the subject of personal data or other persons or otherwise affect the rights and freedoms of the subject of personal data or other persons;

- blocking of personal data - temporary suspension of the collection, systematization, accumulation, use, distribution of personal data, including their transfer;

Information posted on the Internet often cannot be blocked.

Most personal data:

- stored on a computer

- posted on the Internet

It's hard to control placement

- destruction of personal data - actions as a result of which it is impossible to restore the content of personal data in the personal data information system or as a result of which tangible carriers of personal data are destroyed; - situations when archives were burning

anonymization of personal data

- depersonalization of personal data - actions as a result of which it is impossible to determine the belonging of personal data to a specific subject of personal data;

— personal data information system - an information system, which is a collection of personal data contained in a database, as well as information technologies and technical means that allow the processing of such personal data using automation tools or without using such tools;

— confidentiality of personal data- a mandatory requirement for the operator or other person who has gained access to personal data to prevent their dissemination without the consent of the subject of personal data or other legal basis;

— cross-border transfer of personal data - the transfer of personal data by the operator across the State Border of the Russian Federation to the authority of a foreign state, an individual or legal entity of a foreign state;

- publicly available personal data - personal data, access to an unlimited number of persons to which is provided with the consent of the subject of personal data or to which, in accordance with federal laws, the requirement of confidentiality does not apply.

Processing of personal data.

1) the legality of the purposes and methods of processing personal data and good faith;

2) compliance of the purposes of processing personal data with the purposes predetermined and declared in the collection of personal data, as well as the powers of the operator;

3) the correspondence of the volume and nature of the processed personal data, methods of processing personal data to the purposes of processing personal data;

4) the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that are redundant in relation to the purposes stated when collecting personal data;

5) the inadmissibility of combining databases of personal data information systems created for incompatible purposes.

If once someone filled out a fingerprint card, then it is in the information center in their databases. We cannot, for example, combine databases on ordinary citizens and persons who have committed crimes.

1) with the consent of the owner of personal data

2) without the consent of the owner of personal data.

This applies to persons occupying a certain position and position: military personnel, corpses

Confidentiality of personal data:

When not required:

1) in the case of anonymization of personal data;

2) in relation to publicly available personal data.

- the operator who collects and processes personal data.

- restrict access within your own organization

The operator is personally responsible for the dissemination of personal data

- establishing access restrictions both in the premises and in the network (access system, card identification system)

For local networks - system login + password

You can restrict access by biometric information: fingerprint, retina.

- about race

- about political views

- about religious or philosophical beliefs

- about the state of health

- about intimate life

Their processing is only possible with the consent of the subjects.

1) the subject's written consent to their processing

2) if the subject of personal data has made them publicly available

3) if this information relates to information necessary to protect the life, health and other vital interests of a person

Such information can be provided for medical and preventive purposes - for example, a viral infection.

The peculiarity of processing personal data in state or municipal information systems for processing personal data.

- applies only to civil servants and municipal employees.

The state body has its own status, there are independent systems for processing information about state or municipal employees.

1) it has been established what information is needed within its competence

2) there is also the Federal Law "On the State Civil Service", that is, it is regulated not only by the legislation on personal data.

Information that characterizes the physiological characteristics of a person and on the basis of which it is possible to establish his identity (biometric personal data) can be processed only with the consent in writing of the subject of personal data, except for the following cases:

1) commission of a crime

The processing of biometric personal data may be carried out without the consent of the subject of personal data in connection with the administration of justice, as well as in cases stipulated by the legislation of the Russian Federation on security, the legislation of the Russian Federation on operational-search activities, the legislation of the Russian Federation on public service, and the penal legislation of the Russian Federation. Federation, the legislation of the Russian Federation on the procedure for leaving the Russian Federation and entering the Russian Federation.

- collecting information from a suspect is illegal

Processing of cross-border information.

It can be required in order to protect the citizens of the country where it is transferred, it is collected only with the written consent of the subject.

Rights of the subject of personal data.

1) The right of the subject of personal data to access his personal data

You cannot call the information center of the Ministry of Internal Affairs (main information center and zonal information center)

2) The rights of personal data subjects to the processing of their personal data in order to promote goods, works, services on the market, as well as for the purpose of political campaigning

The accuracy of the information will be verified by others.

3) making decisions based solely on automated processing of personal data. A person may not trust automated processing. You can demand that fingerprints are stored not only in the computer, but also on paper.

- Labor Code of the Russian Federation - there is a chapter on personal data.

FEDERAL LAW ON STATE DACTYLOSCOPIC REGISTRATION IN THE RUSSIAN FEDERATION of July 25, 1998 N 128-FZ

Publicly available personal data is

Personal Information - any information related to a certain or determined on the basis of such information natural person , including:

His last name, first name, patronymic,

Year, month, date and place of birth,

Address, family, social, property status, education, profession, income,

— the other information (see FZ-152, Article 3).

For example: passport data, financial statements, medical records, year of birth (for women), biometrics, other personal identification information.

IN public sources of personal data (address books, lists and other information support) with written consent an individual may include his last name, first name, patronymic, year and place of birth, address, subscriber number and others personal data (see FZ-152, Article 8).

Personal data refers to information of limited access and must be protected in accordance with the legislation of the Russian Federation. In the formation of requirements for the security of systems, personal data is divided into 4 categories.

What is the operator and the subject of personal data?

Personal data operator - it is, as a rule, an organization, or rather, a state or municipal body, legal entity or individual, organizing and (or) carrying out the processing of personal data, as well as determining the purposes and content of the processing of personal data.

Personal data subject Is an individual.

The operator is responsible for protecting the personal data of the subject in accordance with the current legislation of the Russian Federation.

How to classify the personal data information system?

To be attributed typical personal data information system (ISPDN) to a particular class is necessary:

II. Define volume personal data processed in the information system:

volume 3 - the information system simultaneously processes data less than 1000 subjects personal data or personal data of subjects of personal data within a particular organization;

volume 2 from 1,000 to 100,000 subjects personal data or personal data of personal data subjects working in the industry of the economy of the Russian Federation, in a public authority residing within the municipality;

volume 1 - the information system simultaneously processes personal data more than 100,000 subjects personal data or personal data of subjects of personal data within a constituent entity of the Russian Federation or the Russian Federation as a whole;

III. Based on the results of the analysis of the initial data typical ISPD is assigned one of the following classes (see table):

Class 4 (K4) - information systems for which a violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data;

Class 3 (K3) - information systems for which a violation of the specified security characteristics of personal data processed in them can lead to minor negative consequences for subjects of personal data;

Class 2 (K2) - information systems for which a violation of the specified security characteristics of personal data processed in them can lead to negative consequences for subjects of personal data;

Class 1 (K1) - information systems for which a violation of the specified security characteristics of personal data processed in them can lead to significant negative consequences for subjects of personal data.

Doomsday postponed until January 1, 2011

Personal data information systems created before the entry into force of the Federal Law of the Russian Federation No. 152 "On Personal Data" must be brought into compliance with the requirements of this Federal Law no later than January 1, 2010 (see FZ-152, Article 25).

This means that personal data operators who failed to comply with the very strict requirements of FZ-152, from January 1, 2010, will incur the corresponding civil, administrative, disciplinary, and maybe (God forbid) and criminal a responsibility .

All information systems that have already been put into operation after February-April 2008 (since the dispatch of methodological documents by the FSTEC of Russia and the FSB of Russia), but do not meet the requirements of Russian legislation in the field of personal data, may incur this responsibility earlier, for example, tomorrow morning ...

Note. Amendments to the Criminal Code of the Russian Federation, significantly toughening liability for violations affecting privacy, will also come into force on January 1, 2010.

But as always happens, the operators of personal data did not move much, and few managed to do everything that was required. On December 16, 2009, the State Duma adopted in the third reading amendments to Articles 19 and 25 of the Law "On Personal Data" (152-FZ). The deadline for bringing personal data information systems (ISPDN) in accordance with this law has been postponed for a year - until January 1, 2011. In addition, the law has removed the rule obliging the operator to use encryption (cryptographic) means to protect data when processing personal data.

Mandatory requirements for the protection of personal data information systems

The main mandatory requirements for the organization of an information security system depending on the class of a typical ISPD:

For ISPD class 4:

The list of measures to protect personal data is determined by the operator (depending on the possible damage)

For ISPD class 3:

Declaration of Conformity or

Obtaining a license from the FSTEC of Russia for technical protection of confidential information (for distributed systems ISPDN K3)

For ISPD class 2:

Mandatory certification for information security requirements

Obtaining a license from FSTEC of Russia for technical protection of confidential information for distributed systems

For ISPD class 1:

Mandatory certification for information security requirements

Measures must be taken to protect personal data from PEMIN

Obtaining a license from FSTEC of Russia for technical protection of confidential information

Procedure for protecting the personal data information system

The sequence of actions when fulfilling the requirements of the legislation on the processing of personal data:

1) Notification to the authorized body for the protection of the rights of personal data subjects about their intention to process personal data using automation tools;

2) Pre-design survey of the information system - collection of initial data;

3) Classification of the personal data processing system;

4) Building a private model of threats in order to determine their relevance for the information system;

5) Development of a private technical specification for a personal data protection system;

6) Designing a personal data protection system;

Responsibility for violations of personal data processing

Persons guilty of violating the requirements of Federal Law 152-FZ "On Personal Data" bear:

- criminal (see the Criminal Code of the Russian Federation, Articles 137, 140, 155, 183, 272, 273, 274, 292, 293),

Administrative (see the Code of Administrative Offenses of the Russian Federation, Articles 5.27, 5.39, 13.11-13.14, 13.19, 19.4-19.7, 19.20, 20.25, 32.2),

Disciplinary (see Labor Code of the Russian Federation, Article 81; Article 90; Article 195; Article 237; Article 391)

and other liability stipulated by the legislation of the Russian Federation (see bylaws on working with personal data that are published in the constituent entities of the Russian Federation, departments and organizations).

FSTEC - Federal Service for Technical and Export Control.

PEMIN - Spurious Electromagnetic Emissions and Inductions

Protection of personal information

In December 2014, the State Duma in the third reading adopted a bill on the storage of personal data of citizens processed on the Internet on servers in Russia. According to Roman Chuichenko, a member of the Committee on Information Policy, the main goal of the bill is to strengthen the information security of the country and its citizens. This measure was taken due to the complication of the international situation. This bill will enter into force on September 1, 2015.

The entry into force of the new regulation on the protection of personal data involves the provision of personal data operators by:

timely detection of unauthorized access to personal data;
prevention of impact on technical means that carry out automated processing of PD;
the ability to promptly respond to the fact of unauthorized access and immediate restoration of PD in cases of their destruction or change;
constant monitoring of the level of protection of personal data.

Categories of personal data

ISPD processing can also be carried out according to the parameter "volume of processed personal data", which assumes the number of subjects processed in the information system, and can take the following values:

simultaneous processing of more than 100 thousand personal data subjects (performed both within the constituent entity of the Russian Federation and in the Russian Federation as a whole);
simultaneous processing of personal data from 1 to 100 thousand subjects (performed by the state authority working in the field of the economy of the Russian Federation);
simultaneous processing of personal data of less than 1 thousand subjects (performed within a specific organization).

Division into categories allows not only to determine the class of ISPD, but also to establish a set of measures to ensure the security and protection of personal data on the Internet, when processed in information systems.

Personal data of the employee

Each employee has the right to protect his personal data (clause 9 of article 86 of the Labor Code of the Russian Federation).

In accordance with Art. 89 of the Labor Code of the Russian Federation, each employee can exercise his right to the protection and protection of personal data through the following actions:

free free access to your personal data, including obtaining a copy of any record that contains the employee's personal data;
determination of a personal representative to protect their personal data;
obtaining complete information about PD and their processing;
submission of requirements for the exclusion or correction of personal data containing incorrect information or if they were processed in violation of legal requirements;
appeal in court of the employer's illegal actions, as well as his inaction in the processing and protection of personal data.

The composition of the employee's personal data

On the basis of clause 2 of article 86 of the Labor Code of the Russian Federation, the volume and content of the employee's personal data are determined by the employer in accordance with the Constitution of the Russian Federation, the Labor Code and other federal laws. As a rule, the activity of any organization involves the use of two main types of documents by the employer in the workflow:

Documents that are provided by the employee when concluding an employment contract (Article 65 of the Labor Code of the Russian Federation). This category includes documents containing a photograph of an employee, full name, information about the place and date of birth, citizenship, marital status, place of registration, education, specialty (passport, insurance certificate of state pension insurance, military ID, etc.).
Documents that are generated by the employer independently (primary accounting documentation for labor accounting and payment). This category includes orders or orders for the admission of an employee, termination of an employment contract, incentives for an employee, personal card, documents on remuneration.

Personal data protection, liability for violation of the law

Note that some sanctions for violation of certain offenses apply both to individuals and officials, and to legal entities.

In accordance with Article 150 of the Civil Code of the Russian Federation, the inviolability of private life, personal and family secrets is one of the inalienable intangible rights protected by applicable laws.

Note that the rights and obligations of an employee that are directly related to the personal data of other employees are determined by the terms of the employment contract and the composition of local regulatory legal acts that establish the employee's labor functions and the list of his job duties.

Administrative responsibility violation of the procedure for collecting, storing and distributing personal data entails a warning or a fine in the amount of: from 300 to 500 rubles - for individuals; from 500 to 1000 rubles - for officials, from 5 to 10 thousand rubles - for legal entities (Article 13.11 of the Administrative Code of the Russian Federation). Administrative liability for the dissemination of information protected by law, in the performance of official and professional duties, entails a fine in the amount of: from 500 to 1000 rubles - for individuals, from 4 to 5 thousand rubles - for officials (Article 13.14 of the Administrative Code of the Russian Federation) ...

Violation of the inviolability of private life, in particular personal data, by a person using his official position provides for punishment in the form of:

a fine in the amount of 100 to 300 thousand rubles, wages or other income of the offender within 1-2 years;
deprivation of the right to hold certain positions for a period of 2 to 5 years;
arrest for a period of 4 to 6 months.