Scientific research work on the protection of personal data. Coursework: Legal protection of personal data in Russia

Hosted at http://www.allbest.ru/

Protection of personal information

Introduction

Why is it necessary to protect personal data?

The need to ensure the security of personal data in our time is an objective reality. Information about a person has always been of great value, but today it has become the most expensive commodity. Information in the hands of a fraudster turns into a weapon of crime, in the hands of a dismissed employee - into a means of revenge, in the hands of an insider - a product for sale to a competitor ... That is why personal data needs the most serious protection.

The need to take measures to protect personal data (hereinafter referred to as PD) is also caused by the increased technical capabilities for copying and disseminating information. The level of information technology has reached the point where the self-protection of information rights is no longer an effective remedy against attacks on privacy. A modern person is no longer physically able to hide from the full variety of technical devices and technologies for collecting and processing data about people that are applied to them, explicitly or implicitly.

With the development of electronic commerce and accessible means of mass communication, the possibilities of abuse associated with the use of collected and accumulated information about a person have also increased. Means of integration and rapid processing of personal data have appeared and are effectively used by attackers, creating a threat to the rights and legitimate interests of a person.

Personal data protection is a business requirement

Today it is hardly possible to imagine the activity of an organization without processing information about a person. In any case, the organization stores and processes data about employees, customers, partners, suppliers and other individuals. Leakage, loss or unauthorized change of personal data leads to irreparable damage, and sometimes to a complete stop of the organization. Imagine the work of a financial or telecommunications company that has lost at least part of the information about its customers. How long will such a company exist on the market?

Personal data protection is a legal requirement

Understanding the importance and value of information about a person, as well as taking care of the observance of the rights of its citizens, the state requires organizations and individuals to ensure reliable protection of personal data. The legislation of the Russian Federation in the field of personal data is based on the Constitution of the Russian Federation and international treaties of the Russian Federation and consists of the Federal Law of the Russian Federation of July 27, 2006 N 152-FZ "On Personal Data", other federal laws that determine the cases and features of the processing of personal data, industry-specific normative acts, instructions and requirements of regulators.

Legislation

In 1981, the Council of Europe adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. On November 25, 2005, the State Duma ratified this Convention (FZ of December 19, 2005 No. 160-FZ “On Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”), imposing on the Russian Federation the obligation to bring its activities in the field of protecting the rights of PD subjects into line with the norms of European legislation. The first step in the implementation of the undertaken obligations was the adoption of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data". The law came into force in January 2007.

Law No. 152-FZ defined high-level requirements, which were then specified in by-laws of the Government of the Russian Federation and the Ministry of Communications, and in the regulatory and methodological documents of the regulators: the Federal Service for Technical and Export Control (FSTEC of Russia), the Federal Security Service of the Russian Federation (FSB of Russia) and the Federal Service for Supervision in the Field of Communications and Mass Communications (Roskomnadzor).

Each of these acts and documents is devoted to certain areas and topics of legislation and will be covered below as the material is presented. The purpose of Russian legislation in the field of PD is to ensure the protection of the rights and freedoms of a citizen in the processing of his personal data, including the protection of the rights to privacy, personal and family secrets. The legislation regulates relations related to the processing of PD carried out by state authorities, local governments, legal entities and individuals.

Personal data

In accordance with Law No. 152-FZ, personal data is any information that can be used to uniquely identify an individual (PD subject). In this regard, personal data may include last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, other information belonging to the PD subject.

The composition and content of personal data is determined by PD operators depending on the purposes of their processing. For example, the list of personal data for the recently popular customer loyalty systems of a company, as a rule, includes contact information necessary to contact customers and information about the services provided. The composition of this information should not be redundant, while remaining sufficient to “understand” the client’s preferences, his financial capabilities, “track” his purchasing history, etc.

Differences between Russian and international legislation

The United States, Great Britain and Canada, like Russia, have developed technical regulations that translate the provisions of upper-level legislation into specific tips and recommendations for the protection of personal data. In the UK, the Data Protection Act 1998 was adopted in 1998. Its technical implementation, the draft standard "Specification for the management of personal information in compliance with the Data Protection Act 1998" (BS 10012), should receive the status of an official document in June 2009. In parallel with the British, the USA released its own version of a PD security standard. The US Government draft Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (SP 800-122) governs the implementation of the Privacy Act of 1974 and the Privacy Protection Act of 1980. Canada has released the "Privacy Code", a set of documents for the implementation of legislation on the protection of information about individuals (The Privacy Act and PIPEDA).

Canadian, English and American standards, in contrast to the documents of Russian regulators, give more general recommendations for ensuring the security of personal data and do not prescribe how exactly personal data should be protected. Moreover, the same American standard recommends depersonalizing personal data whenever possible in order to get away from various protective measures that reduce the usability of information.

There are cases when the purposes, composition and content of PD are clearly defined by legislative and regulatory legal acts. This applies to areas where the relationship between PD subjects and operators needs strict regulation. At the same time, in some cases the subject of personal data is obliged to provide the operator with information about himself.

For example, the functioning of certain sectors of the economy is associated with the need to ensure security. Thus, FZ-16 "On transport security" determines the need to create a unified state information system for ensuring transport security. Such a system should consist of centralized databases of personal data on passengers, including the following data:

· full name;

· date and place of birth;

· type and number of the identity document by which the travel document (ticket) is purchased;

· point of departure, point of destination, type of route (non-stop, transit);

· the date of the trip.

The composition and content of PD is also regulated in relations connected with a person's labor activity. If we are talking about the personnel system, the composition of personal data includes information provided for by the unified form of accounting for personnel T-2, approved by Decree No. 1 of the State Statistics Committee of Russia dated 01/05/2004. Such information includes:

· full name;

· date of birth;

· citizenship;

· the number of the insurance certificate;

· knowledge of foreign languages;

· data on education (number, series of diplomas, year of graduation);

· data on acquired specialties;

· marital status;

· information about family members (degree of relationship, full name, year of birth, passport data, including registration and place of birth);

· the actual place of residence;

· contact information;

· data on military duty;

· data on current labor activity (date of commencement of labor activity, personnel transfers, salaries and their changes, information on incentives, data on advanced training, etc.).

Other regulations governing relations in the field of human activity and determining the purposes of processing, the composition and content of PD include FZ-179 "Labor Code of the Russian Federation", FZ-27 "On Individual (Personalized) Accounting in the System of Compulsory Pension Insurance", FZ-129 "On State Registration of Legal Entities and Individual Entrepreneurs", etc.

What information about employees of state organizations to collect and how to process it is determined by Decree of the President of the Russian Federation of May 30, 2005 N 609 “On Approval of the Regulation on Personal Data of a State Civil Servant of the Russian Federation and Maintaining His Personal File”. Various sectors of the economy have their own specifics.

Certain frameworks for the processing of personal data are established for financial institutions by Federal Law-218 “On Credit Histories”, for air transport by the Air Code, for trade organizations (online stores, etc.) by Decree of the Government of the Russian Federation of September 27, 2007 N 612 "On approval of the Rules for the sale of goods by remote means", for the tourism business by Decree of the Government of the Russian Federation of July 18, 2007 N 452 "On approval of the Rules for the provision of services for the sale of a tourist product", etc.

It is impossible not to mention the Federal Law-143 "On acts of civil status", in which the state clearly defines what information about the individual should be collected, stored and processed throughout his life.

Legislation defines various categories of personal data. These may include publicly available PD, special PD categories, PD categories processed in personal data information systems (hereinafter ISPD), biometric PD and others.

Public PD

Publicly available data is data to which access is granted to an unlimited number of persons with the consent of the PD subject or which, in accordance with federal laws, are not subject to confidentiality requirements. Such data may include last name, first name, patronymic, year and place of birth, address, subscriber number, information about the profession and other personal data. The sources of such information are, for example, directories, address books, etc. Information about a PD subject may be excluded from public sources at any time at the request of the subject or by decision of a court or authorized state bodies.

Special categories include personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life. Their processing is only allowed in the following cases:

· the PD subject has given his consent in writing to the processing of his personal data;

· personal data is publicly available;

· personal data relate to the state of health of the PD subject and obtaining his consent is impossible, or the processing of personal data is carried out by a person professionally engaged in medical activities and is obliged, in accordance with the legislation of the Russian Federation, to maintain medical secrecy;

· processing of personal data of members (participants) of a public association or religious organization, provided that personal data will not be disseminated without the written consent of the PD subjects;

· the processing of personal data is carried out in accordance with the legislation of the Russian Federation on security, on operational-search activities, as well as in accordance with the penitentiary legislation of the Russian Federation, or is necessary in connection with the administration of justice.

The joint order of the FSTEC, the FSB and the Ministry of Information Technologies and Communications of the Russian Federation dated February 13, 2008 N 55/86/20 "On Approval of the Procedure for Classifying Personal Data Information Systems" defines the following categories of personal data that are processed in ISPD:

Categorization of personal data during processing in ISPD can also be carried out according to the parameter "volume of processed personal data". This refers to the number of subjects whose data is processed in the information system. This parameter can take the following values:

1. The information system simultaneously processes personal data of more than 100,000 PD subjects or personal data of PD subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole.

2. The information system simultaneously processes personal data from 1,000 to 100,000 PD subjects or personal data of PD subjects working in a sector of the economy of the Russian Federation, in a public authority, or residing within a municipality.

3. The information system simultaneously processes data of fewer than 1,000 PD subjects or personal data of PD subjects within a specific organization.

Biometric personal data

Biometric personal data is information that characterizes the physiological characteristics of a person and on the basis of which his identity can be established. Biometric personal data is processed in accordance with Article 11 of the Federal Law of the Russian Federation of July 27, 2006 N 152-FZ "On Personal Data". It can only be processed with the written consent of the PD subject. The processing of biometric personal data without the consent of the PD subject may be carried out in connection with the administration of justice, as well as in cases provided for by the legislation of the Russian Federation on security, on operational-search activities, on public service, on the procedure for leaving the Russian Federation and entering the Russian Federation, and by penitentiary legislation.

Based on the definition of biometric PD, these include photographs and video images of PD subjects. This is confirmed by representatives of regulators, in particular the Federal Service for Technical and Export Control. Photos of PD subjects can be processed in access control and access management systems, video images in video surveillance systems, etc.

Personal data operator

According to Law No. 152-FZ, a personal data operator is a state body, a municipal body, a legal entity or an individual organizing and (or) carrying out the processing of personal data, as well as determining the purposes and content of the processing of personal data.

PD processing means actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of PD.

Based on the definition, we can conclude that all organizations and companies without exception, regardless of their form of ownership, are personal data operators, since they at least collect, systematize, store and clarify information about their employees in accordance with Russian law (the Labor Code of the Russian Federation). In addition, many companies, in the course of their activities, process information about their customers, partners, suppliers and subcontractors that they need to perform the functions in accordance with their purpose.

In what cases the PD operator has the right not to notify Roskomnadzor

The operator has the right to process the following personal data without notifying the authorized body for the protection of the rights of PD subjects (Roskomnadzor):

· relating to PD subjects who are connected with the operator by labor relations;

· received by the operator in connection with the conclusion of an agreement to which the PD subject is a party, if personal data is not distributed, and is also not provided to third parties without the consent of the PD subject and is used by the operator solely for the execution of the specified contract and the conclusion of contracts with the PD subject;

· relating to members (participants) of a public association or religious organization and processed by the relevant public association or religious organization, acting in accordance with the legislation of the Russian Federation, to achieve the legitimate goals provided for by their constituent documents, provided that personal data will not be disseminated without the written consent of PD subjects;

· that are publicly available personal data;

· including only last names, first names and patronymics of personal data subjects;

· necessary for the purpose of a single pass of the PD subject to the territory where the operator is located, or for other similar purposes;

· included in information systems that, in accordance with federal laws, have the status of federal automated information systems (hereinafter referred to as IS), as well as in state ISPDs created in order to protect state security and public order;

· processed without the use of automation tools in accordance with federal laws or other regulatory legal acts of the Russian Federation that establish requirements for ensuring the security of personal data during their processing and for observing the rights of PD subjects.

At the same time, there is an erroneous opinion that if there is no need to register as a PD operator with Roskomnadzor (and such cases are provided for by law), then the company is not a PD operator and the obligations provided for by law do not apply to it. Moreover, in this way companies try to justify their inaction in the field of personal data security. If the company does not make any efforts to protect personal data, this is clearly regarded as “failure to comply with the requirements of Russian law”.

Obligations of the PD Operator

Russian legislation imposes certain obligations on PD operators, the main of which are:

1. Ensuring the security of personal data processing, which means the obligation to "take the necessary organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution of personal data, as well as from other illegal actions."

2. The notification-based nature of personal data processing. In accordance with Article 22 of the Law, the operator, prior to the processing of personal data, is obliged to notify the authorized body for the protection of the rights of PD subjects (Roskomnadzor) of his intention to process personal data.

3. Roskomnadzor enters information about the operator into the register of operators. The information contained in the register, with the exception of information about the means of ensuring the security of personal data during their processing, is publicly available.

4. Upon receipt of personal data (including from third parties), the PD operator, prior to the start of processing, must obtain written permission from the subject of these PD for their processing (except in cases where personal data was provided to the operator on the basis of federal law or if they are publicly available).

5. The operator is obliged to provide the PD subject, upon request, with all available information about him, the purposes and conditions of processing, and the methods for protecting his personal data. The operator must also destroy or block the relevant personal data, or make the necessary changes to them, when the PD subject or his legal representative provides information confirming that the personal data that relate to the relevant subject and are processed by the operator are incomplete, outdated, unreliable, illegally obtained or not necessary for the stated purpose of the processing.

Moreover, the PD operator is obliged to provide evidence of obtaining the consent of the PD subject to the processing of his personal data, and in the case of processing public personal data, he is obliged to prove that the processed PD is public.

6. Control and supervision of the activities of personal data operators by state bodies. This means the obligation of the operator to report to the authorized body for the protection of the rights of PD subjects, at its request, the information necessary for the implementation of the activities of this body. The state has endowed Roskomnadzor, FSTEC and FSB with the functions of control and supervision.

Failure to comply with the requirements of the law: what are the consequences?

The law provides for civil, criminal, administrative, disciplinary and other liability for violation of its requirements. Thus, the Code of Administrative Offenses provides for a maximum fine of 500,000 rubles for failure to comply with a legal order of Roskomnadzor (Article 19.5 of the Code of Administrative Offenses). The same Code provides for the suspension of the organization's activities for up to 90 days when carrying out activities to protect personal data without a license (Article 19.20 of the Code of Administrative Offenses).

The Criminal Code provides for a fine of 300,000 rubles, compulsory work for up to 1 year, arrest for up to 6 months and deprivation of the right to hold a position for up to 5 years in case of protection of personal data without a license where this act caused major damage to citizens (Article 171 of the Criminal Code).

In case of systematic and gross violations, Roskomnadzor has the right to apply for the revocation of licenses for the main type of activity.

Processing of personal data

Russian legislation defines the basic principles for the processing of personal data. These include, in particular:

· The operator of personal data determines the purposes of their processing in accordance with their powers.

· The volume and nature of the processed personal data must correspond to the purposes of their processing.

· It is unacceptable to combine personal data created for different purposes (for example, into one database).

· Personal data is subject to destruction upon achievement of the goals (loss of the need for) their processing.

Great importance in the Law is given to the conditions for processing personal data. Thus, the processing of personal data can be carried out by the operator only with the written consent of the PD subjects.

In what cases is the consent of the PD subject not required for the processing of information about him?

The consent of the PD subject is not required in the following cases:

· the processing of personal data is carried out on the basis of other federal laws, for example, some federal laws provide for cases of mandatory provision by the subject of personal data of their personal data in order to protect the foundations of the constitutional order, morality, health, rights and legitimate interests of others, to ensure the defense of the country and the security of the state;

· the operator and the subject of PD are bound by an agreement to perform actions that require the processing of personal data of this subject, for example, an agreement under which a travel company (operator) has the right to use the personal data of the subject to book a hotel;

· the processing of personal data is necessary to protect the life, health or other vital interests of the PD subject, if obtaining his consent is impossible, for example, hospitalization of a person in case of an accident;

· the processing of personal data is necessary for the delivery of postal items by postal service organizations, for the implementation by telecommunication operators of settlements with users of communication services for the rendered communication services, as well as for consideration of claims of users of communication services;

· the processing of personal data is carried out for the purposes of the professional activities of a journalist or for the purposes of scientific, literary or other creative activities, provided that the rights and freedoms of the PD subject are not violated;

· processing of personal data subject to publication in accordance with federal laws, including personal data of persons holding public office, public civil service positions, personal data of candidates for elected state or municipal positions.

There are two types of personal data processing: automated and non-automated. These types of PD processing will be discussed in the following sections of the article.

Life cycle of personal data

The processing of personal data requires the creation of a special regime in which the technology for their processing, the procedure and conditions for the existence of PD at each stage of their life cycle are clearly defined. This provides for the development and implementation of procedures for their collection, acceptance, accounting, registration, storage, use, destruction, etc. Of great importance in this case is the storage period of PD, as well as the availability of a system for monitoring the processing of PD at all stages of their life cycle.

PD processing time

Determining the timing of PD processing is extremely important because the Federal Law determines that “if the purpose of processing personal data is achieved, the operator is obliged to immediately stop processing personal data and destroy the relevant personal data within a period not exceeding three business days from the date the purpose of processing is achieved.”

Analysis of technological processes for processing PD

In their personal data protection projects, Jet Infosystems specialists pay great attention to taking into account technological processes for processing personal data (personal data life cycle) and obtaining information about existing procedures for processing personal data. To this end, they carry out the following activities:

· analysis of documents defining technological processes for processing PD;

· conducting interviews with the customer's employees implementing PD processing procedures;

· determination of the owner of the technological process of processing PD (correlation of the technological process with the structural subdivision of the customer and the ISPD used);

· determination of procedures for collecting, receiving, recording and registering PD in information systems of personal data, storing, processing, issuing, copying and transferring PD, their destruction and control over these procedures.

Processing times are also determined on the basis of other regulatory legal acts. Thus, the requirements of labor, civil, pension legislation, industry regulations establish certain terms for the processing of personal data. For example, for T-2 cards, this is 75 years (Goskomstat Decree No. 1), and for information about the communication services provided to the subscriber, it is 3 years (Government Decree No. 538).

Non-automated processing of PD

Non-automated processing of personal data is carried out in accordance with the Decree of the Government of the Russian Federation of September 15, 2008 N 687 "On approval of the Regulations on the features of the processing of personal data carried out without the use of automation tools."

According to this Decree, the processing of personal data is considered carried out without the use of automation tools (non-automated), if such actions are carried out with the direct participation of a person.

The issue of separating human and automated processing is a problem for many organizations.

RF Decrees:

1. The processing of personal data contained in the personal data information system or extracted from such a system (hereinafter referred to as personal data) is considered carried out without the use of automation tools (non-automated), if such actions with personal data as the use, clarification, distribution, destruction of personal data in relation to each of the subjects of personal data are carried out with the direct participation of a person.

2. The processing of personal data cannot be recognized as being carried out using automation tools only on the grounds that personal data is contained in the personal data information system or has been extracted from it.

Based on this, some organizations believe that all PD processing can be classified as non-automated, since in all cases there is a fact of "PD processing with the direct participation of a person." This is a mistake: it is incorrect to consider such processing only as manual. For example, if the user entered data into a personal computer only to print it out and did not store the data on the computer, then this processing can be considered non-automated. If the user has saved this data in the form of a file and stores it on a computer, then this processing of PD should be considered as automated as well.

Personal data processed without the use of automation tools should be separated from other information, in particular, by recording them on separate tangible media, in special sections or in the fields of forms. At the same time, it is not allowed to record on one tangible medium personal data whose processing purposes are obviously incompatible. To process different categories of PD, a separate tangible medium must be used for each of them.

The Decree determines what information should be included in the standard forms of documents containing personal data, the conditions for maintaining journals (registers, books) containing PD (for example, necessary for a single pass of a PD subject to the territory of the operator), describes the most important stages of the life cycle of personal data, fixed on a material carrier.

Automated processing of personal data

In order to define what is “automated PD processing”, it is necessary to introduce the concept of “automated PD file”, which means any set of data about PD subjects that is subject to automated processing (“Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”, ETS No. 108, January 28, 1981).

"Automated processing of PD" means actions with "automated PD files", which include the following operations carried out in whole or in part with the help of automation tools: storing data, performing logical and/or arithmetic operations with these data, modifying, destroying, searching or distributing them.

Ensuring the security of personal data

In accordance with Article 19 of the Federal Law "On Personal Data", the operator, when processing personal data, is obliged to take the necessary organizational and technical measures to protect them from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution, as well as from other illegal actions.

Ensuring the security of PD processed in personal data information systems

This section describes the requirements for ensuring the security of personal data during their processing in personal data information systems (ISPD). These requirements are contained in Decree of the Government of the Russian Federation of November 17, 2007 N 781 "On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems" and are further specified in the regulatory and methodological documents of the FSTEC and the FSB.

In what cases is PD security not required?

Ensuring security (in this case, confidentiality) in accordance with Russian law is not required only for anonymized and publicly available personal data.

Personal data may be anonymized if actions have been performed on them, as a result of which it is impossible to determine their belonging to a specific PD subject.

Personal data can be publicly available only with the written consent of the PD subject. They may include the last name, first name, patronymic, year and place of birth, address, subscriber number, information about the profession and other personal data provided by the PD subject.

Ensuring the security of personal data during their processing in ISPD is achieved by excluding unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying and distribution of personal data. The obligation to ensure the security of PD during their processing in ISPD rests entirely with the operator of personal data. In this regard, the operator must:

· take measures aimed at preventing unauthorized access (hereinafter referred to as UA) to PD and (or) their transfer to persons who do not have the right to access such information;

· detect facts of unauthorized access to personal data in a timely manner;

· prevent impacts on the technical means of automated processing of PD that may disrupt their functioning;

· immediately restore PD modified or destroyed due to unauthorized access to them;

· constantly monitor the level of PD security.

Who should ensure the security of PD?

The security of PD during their processing in ISPD is ensured by the operator or the person to whom, on the basis of an agreement, the operator entrusts the processing of personal data (authorized person). In this case, the operator must conclude an agreement with an authorized person. An essential condition of this agreement is the obligation of the authorized person to ensure the confidentiality and security of PD during their processing in ISPD.

To develop and implement measures to ensure the security of personal data during their processing in information systems, the operator may appoint a structural unit or an official (employee) responsible for ensuring the security of personal data.

What is ISPD?

Personal data information systems are a set of information, software and hardware elements, the main of which are:

· information technologies as a set of techniques, methods and ways of using computer technology in the processing of personal data;

· technical means that process PD, which means computer equipment, information and computing systems and networks, means and systems for transmitting, receiving and processing PD (means and systems for sound recording, sound amplification, sound reproduction, intercom and television devices, means of producing and replicating documents, and other technical means of processing speech, graphics, video and alphanumeric information);

· software (operating systems, database management systems, application software, etc.);

· means of information protection;

· auxiliary technical means and systems, which include communication means and systems not intended for processing PD but located in the premises in which ISPD is located (various telephone means and systems, computer equipment, means and systems for data transmission in a radio communication system, security and fire alarm means and systems, warning and alarm systems, control and measuring equipment, air conditioning means and systems, wired radio broadcasting networks and means of receiving radio and television broadcasts, electric clocks, electronic office equipment).

Terms and conditions for bringing ISPD in line with the law

Russian legislation defines the terms and conditions for bringing ISPD into compliance with the requirements for ensuring the security of PD.

Personal data information systems that were in operation before the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” came into force must be revised to ensure the security of personal data in accordance with the requirements of the legislation before January 1, 2010.

For functioning ISPDs, the revision (modernization) of personal data protection systems (hereinafter referred to as PDPS) should be carried out if:

· the composition or structure of the information system itself or the technical features of its construction have changed (the composition or structure of software, technical means of processing PD, topology of ISPD);

· the composition of PD security threats in the information system has changed;

· the ISPD class has changed.

For newly created or modernized information systems, activities to ensure the security of PD are an integral part of the work on their creation or modernization. Manufacturers of applications that process information about individuals are required to implement in their developments the PD security requirements stipulated by Russian legislation.

Jet Infosystems, being a system integrator, develops and implements various computing systems and business applications in its projects. Such work is carried out taking into account the requirements of Russian legislation to ensure information security, including the protection of personal data.

What ISPDs exist?

Personal data is processed in a variety of applications. As the experience of Jet Infosystems in implementing PD protection projects has shown, their number can vary from 3 to 5 in small and medium-sized companies and from 30 to 50 in large companies. Information systems of personal data may include:

· CRM systems (data on clients who are individuals and on representatives of clients that are legal entities);

· billing systems (data on customers paying for services);

· automated banking systems (data on bank employees, clients, partners, etc.);

· automated medical systems (patient data, etc.);

· call centers (data about clients and employees, depending on the purpose of the call center);

· personnel systems (data on employees of the organization);

· accounting systems (data on employees and clients of the organization);

· document management systems (data on employees of the organization, clients, partners);

· mail systems (data about employees of the organization, clients, partners, completed cards in address books of mail systems, etc.);

· automated systems of pass offices (visitor data).

From the point of view of ownership, information systems can be of the following types: ISPD of state and municipal bodies, legal entities and individuals organizing or carrying out the processing of personal data, as well as determining the purposes and content of the processing of personal data (except when the latter use these systems exclusively for personal and family needs).

ISPD classification

Classification of ISPD is carried out by the operator in accordance with the "Procedure for classifying information systems of personal data", approved by order of the FSTEC of Russia, the Federal Security Service of Russia and the Ministry of Information and Communications of Russia dated February 13, 2008 No. 55/86/20, as well as on the basis of regulatory and methodological documents of the FSTEC and FSB regulators.

The classification of information systems is carried out at the stage of creation or during their operation (for previously put into operation and modernized information systems) in order to establish the methods and ways of protecting information necessary to ensure the security of personal data.

The classification of information systems includes the following steps:

collection and analysis of initial data on the information system;

Assignment of the appropriate class to it;

· its documentation (drawing up and approval by the management of the organization of Classification Acts for specific ISPDs).

When classifying an information system, the following initial data are taken into account:

· the volume of personal data being processed (the number of PD subjects whose personal data is processed in the information system - 1, 2, 3);

· the security characteristics of personal data processed in the information system specified by the operator;

· the structure of the information system;

· availability of information system connections to public communication networks and (or) international information exchange networks;

· mode of processing personal data;

· the mode of differentiation of access rights of users of the information system;

· location of technical means of the information system.

Tab. 1. Definition of a class of a typical information system

ISPD classification

Practice has shown that there are certain difficulties in classifying ISPDs by operators, since the competence of their own specialists is not always enough to perform this task.

Having experience in carrying out personal data protection projects, Jet Infosystems has formed its own approach to this type of work. At the same time, a distinctive feature is the “correct” classification of ISPD, which makes it possible to significantly minimize the costs of our customers for creating a personal data protection system.

In particular, this becomes possible by minimizing the storage and processing of personal data, separating/segmenting IS, reducing requirements for some segments, reducing the number of employees with access to personal data, depersonalizing some personal data, removing some of the data from ISPD.

In the course of analyzing the technological processes of processing PD, Jet Infosystems specialists develop recommendations for reducing the expected ISPD classes, which may include the following:

· Abstraction of PD - to make them less precise, for example, by grouping common characteristics;

· Hiding PD - delete all or part of the PD record;

· PD replacement - swap the fields of one PD record with the same fields of another similar record;

· Replacing data with an average value - replace the selected data with an average value for the PD group;

· Separation of PD into parts - use of cross-reference tables;

· PD masking - replacement of some characters in PD by others.
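The six techniques listed above, applied to a small data set, as an added Python example that is not part of the original text and not Jet Infosystems code. The records are constructed, and every field and function name is an assumption made for illustration.

```python
import random
import secrets
from statistics import mean

# Constructed sample records (not real people); every field name is an assumption.
RECORDS = [
    {"name": "Ivanov I.I.", "birth_year": 1974, "phone": "+74951234567",
     "dept": "sales", "salary": 90000},
    {"name": "Petrova A.S.", "birth_year": 1988, "phone": "+74957654321",
     "dept": "sales", "salary": 110000},
    {"name": "Sidorov P.N.", "birth_year": 1981, "phone": "+78432223344",
     "dept": "it", "salary": 150000},
    {"name": "Orlova E.V.", "birth_year": 1990, "phone": "+78435556677",
     "dept": "it", "salary": 130000},
]
IDENTIFYING = {"name", "phone"}


def abstract(record):
    """Abstraction: make a value less precise (birth year -> decade)."""
    decade = record["birth_year"] // 10 * 10
    return {**record, "birth_year": f"{decade}-{decade + 9}"}


def hide(record, fields):
    """Hiding: delete part of the PD record."""
    return {k: v for k, v in record.items() if k not in fields}


def swap(records, field, rng=None):
    """Replacement: exchange one field's values between similar records."""
    if rng is None:
        rng = random.SystemRandom()
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [{**r, field: v} for r, v in zip(records, values)]


def average(records, field, group_by):
    """Replace each value with the average over the record's group."""
    groups = {}
    for r in records:
        groups.setdefault(r[group_by], []).append(r[field])
    return [{**r, field: mean(groups[r[group_by]])} for r in records]


def split(records, identifying):
    """Separation into parts: identifiers move to a cross-reference table
    keyed by a random token; the working table keeps only the token."""
    xref, working = {}, []
    for r in records:
        token = secrets.token_hex(8)
        xref[token] = {k: r[k] for k in identifying}
        working.append({"token": token, **hide(r, identifying)})
    return xref, working


def mask(value, keep_last=4, fill="*"):
    """Masking: replace characters, leaving only the last keep_last visible.
    Values no longer than keep_last are masked completely."""
    visible = value[-keep_last:] if 0 < keep_last < len(value) else ""
    return fill * (len(value) - len(visible)) + visible


def depersonalize(records):
    """One possible combination: split off identifiers, then abstract the
    birth year and average the salary per department in the working table."""
    xref, working = split(records, IDENTIFYING)
    working = average([abstract(w) for w in working], "salary", "dept")
    return xref, working


if __name__ == "__main__":
    xref, working = depersonalize(RECORDS)
    for row in working:
        print(row)
    print(mask(RECORDS[0]["phone"]))
```

Separation into parts stays reversible for anyone who holds the cross-reference table, so that table has to be stored under its own access control, apart from the working table.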

According to the security characteristics of personal data processed in the information system specified by the operator, ISPDs are divided into standard and special:

· standard information systems - information systems that require only the confidentiality of personal data;

· special information systems - information systems in which, regardless of the need to ensure the confidentiality of personal data, it is required to provide at least one of their security characteristics other than confidentiality (protection from destruction, modification, blocking, as well as other unauthorized actions).

According to the structure, information systems are divided into:

· stand-alone (not connected to other information systems) complexes of hardware and software (automated workstations);

· complexes of automated workstations combined into a single information system by means of communication without the use of remote access technology (local information systems);

· complexes of automated workstations and local information systems united into a single information system by means of communication using remote access technology (distributed information systems).

According to the availability of connections to public communication networks and international information exchange networks, information systems are divided into those with and without connections to such networks.

According to the mode of processing personal data in the information system, ISPDs are divided into single-user and multi-user.

According to the delimitation of user access rights, information systems are divided into systems without delimitation of access rights and with delimitation of access rights.

Information systems, depending on the location of their technical means, are divided into systems, all the technical means of which are located within the Russian Federation, and systems, the technical means of which are partially or wholly located outside the Russian Federation.

Classification of typical ISPDs

Based on the results of the analysis of the initial data, a typical information system is assigned one of the following classes:

class 1 (K1) - information systems for which a violation of a given security characteristic of personal data processed in them can lead to significant negative consequences for personal data subjects;

class 2 (K2) - information systems for which violation of the specified security characteristics of personal data processed in them can lead to negative consequences for personal data subjects;

class 3 (K3) - information systems for which violation of the specified security characteristics of personal data processed in them can lead to minor negative consequences for personal data subjects;

class 4 (K4) - information systems for which the violation of a given security characteristic of personal data processed in them does not lead to negative consequences for personal data subjects.

The class of a typical information system is determined in accordance with table No. 1.

Classification of special ISPDs

The class of a special information system is determined on the basis of a personal data security threat model in accordance with the regulatory and methodological documents of the FSTEC and FSB regulators.

Special ISPDs automatically include:

· information systems in which personal data relating to the state of health of PD subjects are processed;

· information systems in which, on the basis of exclusively automated processing of personal data, decisions are made that give rise to legal consequences in relation to the PD subject or otherwise affect his rights and legitimate interests.

Creation of threat models for special ISPDs

With regard to the main types of information systems, standard models of personal data security threats have been developed that characterize the onset of various types of consequences as a result of unauthorized or accidental access and the implementation of a threat to personal data. There are six such models in total and they are described in the FSTEC document “Basic model of personal data security threats during their processing in personal data information systems”, approved on February 15, 2008:

· a typical model of PD security threats processed in automated workstations that do not have a connection to public networks and (or) international information exchange networks;

· a typical model of threats to the security of personal data processed in automated workstations that have connections to public networks and (or) international information exchange networks;

· a typical model of PD security threats processed in local ISPDs that are not connected to public networks and (or) international information exchange networks;

· a typical model of security threats to personal data processed in local ISPDs that have connections to public networks and (or) international information exchange networks;

· a typical model of PD security threats processed in distributed ISPDs that do not have a connection to public networks and (or) international information exchange networks;

· a typical model of PD security threats processed in distributed ISPDs that have connections to public networks and (or) international information exchange networks.

Based on the basic threat model and in accordance with the FSTEC regulatory document "Methodology for determining actual threats to the security of personal data during their processing in personal data information systems", approved on February 14, 2008, private threat models are developed in relation to specific ISPDs. In the course of such development, a list of current threats to specific information systems is compiled.

Using data on the class of ISPD and the list of current threats, and based on the "Recommendations for ensuring the security of PD when they are processed in ISPD" and "Basic measures for the organization and technical security of PD processed in ISPD", approved by the FSTEC, specific organizational and technical requirements are formulated for protecting information systems from data leakage through technical channels and from unauthorized access. Software and hardware means of information protection that can be used in the creation and further operation of ISPD are also selected.

What is subject to protection in ISPD?

To ensure the security of personal data during their processing in ISPD, the following are subject to protection: speech information and information processed by technical means, as well as information presented in the form of informative electrical signals, physical fields, paper, magnetic, optical and other media, and in the form of information arrays and databases in ISPD.

To ensure protection against threats to data, the concept of “personal data carrier (source)” is used. This concept means an individual or a material object, including a physical field, in which PD is reflected in the form of symbols, images, signals, technical solutions and processes, or quantitative characteristics of physical quantities.

...


National Research Institute for Continuing Professional Education

Test

Protection of personal data of employees

Discipline: Law on the protection of personal data

Done by: listener

Avakyan Raisa Yurievna

Teacher:

Lavrentieva Elena Yurievna

Moscow - 2017

INTRODUCTION

2.3 Ensuring the protection of personal data held by the employer

2.4 Responsibility for disclosure of personal data of an employee

CHAPTER 3

INTRODUCTION

In modern society, almost all people, perhaps with rare exceptions, carry out labor activities in various forms. When applying for a job, almost every citizen, at the request of the employer, provides numerous documents and fills out questionnaires that contain sections related not only to professional activities, but also affecting aspects of a person's private life.

Already at the first acquaintance in absentia with a potential employee, the employer seeks to obtain as much information about him as possible. However, the absence of a clear criterion for distinguishing personal information that affects aspects of a person's private life from information that characterizes a person directly as an employee, i.e. in terms of his business and professional qualities, level of education or qualifications, is a “stumbling block” that makes it difficult for the employer to determine the degree of permissible interference and the limits of intrusion into the privacy of the employee.

This circumstance gives rise to situations in which the lack of a clear understanding of what information must be recognized as the object of protection or in general the personal data of an employee leads to the impossibility of implementing the rules that determine the procedure and conditions for the collection, storage, use and dissemination of relevant information in the labor sphere.

For a long period, from 1993, when the Constitution of the Russian Federation was adopted, until the Labor Code of the Russian Federation entered into force in 2002, Russian legal science and, accordingly, legislation traditionally treated personal data as a special institution for protecting the right to privacy, and all individuals (citizens) located on the territory of Russia were considered carriers of personal data. However, the legal design of Chapter 14 of the Labor Code, "Protection of personal data of an employee", as well as the recognition of the legal independence of the category "personal data of an employee", allowed the legislator not only to declare the emergence of a qualitatively new category in labor legislation, but also to designate a fundamentally new plane for research. The adoption by the State Duma of the Russian Federation in 2006 of two new federal laws, “On Information, Informatization and Information Protection” and “On Personal Data”, became a kind of evidence of the need to regulate the circulation of personal information, which is practically uncontrolled by the state in modern conditions of the development of society. All of the above suggests that the study is relevant.

To achieve this goal, it is necessary to solve the following tasks:

To study the regulatory and legal support for the protection of personal data of employees;

Consider the legal nature of personal data of employees;

Research the legal regulation of the processing of personal data of employees;

To study the legal framework for the storage, use and transfer of personal data of employees;

Analyze the protection of personal data stored by the employer;

Investigate liability for disclosure of personal data of an employee;

Conduct an analysis of law enforcement practice in the field of protection of personal data of employees;

Determine ways to improve legislation on the protection of personal data of employees.

The object of the thesis research is the totality of social relations that develop in the field of personal data protection within the framework of service and labor relations.

The subject of the study is the norms of labor, administrative and information law, as well as the doctrinal provisions of the relevant branch of legal sciences, which together form the institution for the protection of personal data in service and labor relations.

CHAPTER 1. THEORETICAL ASPECTS OF PROTECTION OF PERSONAL DATA OF EMPLOYEES IN LABOR LAW

1.1 Legal and regulatory support for the protection of personal data of employees

International acts, the Constitution of the Russian Federation, other federal laws provide for the protection of information about the personality and personal life of citizens from unreasonable familiarization with them or dissemination of this information without the knowledge (consent) of the person to whom this information relates.

Among the international acts protecting human rights and freedoms and the secrecy of private and family life, we should first of all name the Universal Declaration of Human Rights of 1948, the Convention for the Protection of Human Rights and Fundamental Freedoms of 1950, the International Covenant on Civil and Political Rights of 1976, and the 1995 Commonwealth of Independent States Convention on Human Rights and Fundamental Freedoms.

Russia ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of January 28, 1981, as amended on June 15, 1999 (Federal Law of December 19, 2005 N 160-FZ // SZ RF. 2005. N 52 (part I). Art. 5573), with a number of reservations:

1) Russia will not apply the Convention to personal data:

a) processed by a natural person solely for personal and family needs;

b) classified as a state secret in accordance with the procedure established by the legislation of the Russian Federation on state secrets;

2) will apply the Convention to personal data that are not subject to automated processing, if the application of the Convention is consistent with the nature of the actions performed with personal data without the use of automation tools;

3) reserves the right to establish restrictions on the right of the subject of personal data to access personal data about himself in order to protect the security of the state and public order.

On February 10, 2006, the President of the Russian Federation signed Decree N 54-RP "On the signing of an additional protocol to the Council of Europe Convention for the Protection of Individuals with regard to automated processing of personal data, concerning supervisory authorities and cross-border data transfer" (SZ RF. 2006. N 7. Art. 769).

By Order of the Government of the Russian Federation No. 748-r dated June 9, 2005, the Concept for creating a system of personal registration of the population of the Russian Federation was approved (Bulletin of labor and social legislation of the Russian Federation. 2005. N 7. P. 35).

The Constitution of the Russian Federation establishes that the rights and freedoms of man and citizen are recognized and guaranteed in the Russian Federation in accordance with the generally recognized principles and norms of international law and in accordance with this Constitution (Article 17). Basic human rights and freedoms are inalienable and belong to everyone from birth (Part 2, Article 17).

The exercise of human and civil rights and freedoms must not violate the rights and freedoms of other persons (Part 3, Article 17).

The main current act regulating relations that are to a certain extent related to the personal data of an employee and their protection is the Federal Law of February 20, 1995 N 24-FZ “On Information, Informatization and Information Protection” (SZ RF. 1995. N 8. Art. 609) (hereinafter referred to as the Information Law).

Article 85 of the Labor Code formulates two basic concepts for this chapter:

1) personal data of the employee;

2) processing of the employee's personal data.

The personal data of an employee contain a number of features that distinguish them from other information about the employee (citizen, person). They contain information that is necessary specifically for the employer and precisely in connection with the labor relationship with a particular employee.

The personal data of an employee, primarily related to his labor activity, serve as the basis for determining his labor legal status, his position as a party to an employment contract with this employer.

Information about the identity of the employee, his work path, marital status are purely personal in nature, refer only to him, his life and work.

Giving a legal character to the specified information, the Labor Code formulates the concept of the employee's personal data (part 1 of article 85) and the concept of processing this data (part 2 of article 85).

The processing of the employee's personal data includes operations (actions) performed by the employer in the person of his authorized representatives (as a rule, personnel officers) for:

a) receiving

b) storage

c) combination

d) the transfer of personal data of the employee or their other use.

In the 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (whose parties are the member states of the Council of Europe), the concept of "personal data" includes any information relating to a natural person who is identified or can be identified (Art. 2).

In accordance with Art. 2 of the Federal Law of February 20, 1995 No. 24-FZ "On Information, Informatization and Information Protection", information about citizens (personal data) means information about the facts, events and circumstances of a citizen's life that makes it possible to identify him. Personal identification is facilitated by the passport and the information contained in it.

Regulations on the passport of a citizen of the Russian Federation, a sample form and a description of the passport of a citizen of the Russian Federation were approved by Decree of the Government of the Russian Federation of July 8, 1997 N 828 with subsequent amendments (SZ RF. 1997. N 28. Art. 3444; 1999. N 41. Art. 4918; 2001. N 3. Art. 242; 2002. N 4. Art. 330; 2003. N 27. Art. 2813; 2004. N 5. Art. 374).

Fingerprint data can also be used to identify a person. For employees of bodies designed to combat crime, these data are of direct importance. In this regard, on July 25, 1998, the Federal Law "On State Fingerprint Registration in the Russian Federation" was adopted, as amended (SZ RF. 1998. N 31. Art. 3806; 2000. N 46. Art. 4537). For certain categories of persons in the civil public service, instructions have been adopted that provide for the obligatory nature and procedure for conducting fingerprint registration. For example, the Order of the State Committee of the Russian Federation for Control over the Circulation of Narcotic Drugs and Psychotropic Substances dated January 28, 2004 No. 18 approved the Instruction on the Procedure for Mandatory State Fingerprint Registration of Employees of Bodies Controlling the Circulation of Narcotic Drugs and Psychotropic Substances (Bulletin of Normative Acts. 2004. N 11. P. 125).

1.2 Legal nature of employees' personal data

At present, modern technical means make it possible to collect and process significant amounts of socially significant information necessary for the life of a person, society and the state. The rapid development of computer technology makes it possible to access and use various data banks for almost any subject of information relations, while the speed of obtaining and disseminating information has increased significantly. Whoever owns the information owns the world, philosophers rightly believe. Information, being an indispensable condition for the life and social activity of people, the subject of their constant attention, exists as long as society exists. It accompanies any social relations, determines the decisions and actions of the individual. Currently, it is customary to talk about the existence of the so-called human information environment.

Now that information technologies have become universally available, they have spread to almost all areas of public activity related to information (Bachilo I.L. Information law. Fundamentals of Practical Informatics: Textbook. M., 2001. S. 16 - 20; Gorodov O.A. Fundamentals of Russian Information Law: Textbook. SPb., 2003. S. 12).

Bodies of power and administration, guided in the course of their activities by the interests of society and the state, collect the necessary information about each of us, form various electronic databases of personal data of citizens, and as a result, they have comprehensive information about our social and property status. Moreover, acting on the basis of legislative regulations, they have the right to demand and receive the necessary personal data from individuals, which often affects the sphere of private interests of a person. Officials generally know: where, with whom and in what conditions we live; where we work; what property we have; what income we receive, what expenses we bear, etc.

However, any systematized socially significant information can be used both for the benefit and to the detriment of people. The state has always sought to know as much as possible about the private life of its citizens and manage them on the basis of this knowledge. Even Plato, in his treatise on the state (Plato. State // Collected works: In 4 vols. T. 3. M., 1994. S. 79 - 420), wrote about the need to put people's behavior under the total control of the "all-seeing eye" of the state.

History shows that such attempts to use the personal data of citizens and information about their private lives have already been made repeatedly in the practice of various political regimes. Nevertheless, it should be recognized that the formation and use of electronic databases of personal data of citizens is an objective process that is now being carried out in many developed countries of the world, where various universal personal identifiers are also being created in parallel.

It is no coincidence that already in the 80s of the last century, in some countries of Western Europe, a special term, "glass people", came into use to characterize the transparency of information about citizens' personal lives to authorities and administration and to large public and private corporations (Kozlova N. Glass people // RG. 2001. June 28). In order to improve the existing system of citizen identification, many foreign and domestic specialists are already proposing to use fingerprint and genetic passports everywhere (Zhukov I. Information sucked from the finger is the most accurate // AiF. Petersburg. 2003. February. No. 9; Severov M. Is humanity doomed to a genetic census? // AiF. Petersburg. 2003. April. No. 17). At the same time, they do not deny the potential danger posed by the functioning of such institutions of control, especially in terms of ensuring the confidentiality of the data to be recorded and used.

With the adoption of the new Labor Code of the Russian Federation, law enforcers are faced with the need to put into practice Chapter 14 "Protection of personal data of an employee." According to Art. 85 of the Labor Code of the Russian Federation, personal data of an employee - information necessary for the employer in connection with labor relations and relating to a particular employee. The Code establishes the basic requirements that must be observed when processing, that is, when receiving, storing, combining, transferring or any other use of an employee's personal data. At the same time, an obligatory condition for the legality of the emerging legal relations to obtain significant information is the participation of the employee himself in them.

In general, such a legislative definition of the employee's personal data seems to be unsuccessful, since the concept formulated in this way does not highlight the essential features of this type of information, does not define the limits of its possible demand and receipt.

In order to determine the essential characteristics of the legal regulation of the named institution, it is necessary to dwell on the issue of the legal nature of the employee's personal data: to establish what place the designated information resource occupies in the system of existing legal entities. In the legal literature, public relations that develop regarding the processing of personal data of employees and are regulated by the rules of law are called information labor relations, which constitute a separate institution of labor law (Dvoretsky A.V. Protection of personal data under the legislation of the Russian Federation: Abstract of the thesis. dis. ... cand. legal Sciences. Tomsk, 2005. S. 7). This emphasizes their special nature: they arise in connection with a special type of information.

Currently, the "profile" act of legislative regulation of relations in connection with the use of information resources is the Federal Law of February 20, 1995 N 24-FZ "On Information, Informatization and Information Protection" (SZ RF. 1995. N 8. Art. 609; hereinafter referred to as the Law on Information), which, on the basis of Art. 23 and 55 of the Constitution of the Russian Federation, in Part 2 of Art. 10 divides information with restricted access into information classified as state secrets and confidential information.

Issues of the protection and safeguarding of state secrets are regulated by law (RF Law of July 21, 1993 N 5485-1 "On State Secrets"; Decree of the President of the Russian Federation of February 11, 2006 N 90 "On the List of information classified as state secrets"). According to the Information Law, information about citizens (personal data), that is, information about the facts, events and circumstances of a citizen's life that makes it possible to identify him, is classified as confidential (Article 2, Part 5, Article 10, Part 1, Art. 11). There is an officially approved List of confidential information (Decree of the President of the Russian Federation of March 6, 1997 N 188 "On approval of the List of confidential information"). They are divided into: personal data (personal secret); official information (official secret) (Article 139 of the Civil Code of the Russian Federation); information related to commercial activities (commercial secret) (Federal Law of July 29, 2004 N 98-FZ "On Commercial Secrets" // SZ RF. 2004. N 32. Art. 3283); professional information related to medical, notarial, lawyer, banking secrecy and other types of secrets; information constituting the secret of the investigation and legal proceedings; information constituting the secrecy of correspondence, telephone conversations, postal items, telegraphic and other messages; information about the essence of the invention, utility model, industrial design before the official publication of information about them. Thus, the Decree of the President of the Russian Federation emphasizes the special nature of the personal data of citizens by singling them out as a separate type of confidential information.

The main arrays of confidential information are studied in detail in the work of V.N. Lopatin, who revealed the existence of more than 30 types of restricted information (Lopatin V.N. Legal foundations of information security: a course of lectures. M., 2000).

At the same time, it is impossible not to take into account that the personal data of individual employees may constitute a state secret and, accordingly, belong to a different kind of information. So, according to part 5 of Art. 14 of the Federal Law of May 27, 2003 N 58-FZ "On the system of public service of the Russian Federation" (SZ RF. 2003. N 22. Art. 2063), "personal data entered into the personal files and records of civil servants are personalized and, in cases established by federal laws and other regulatory legal acts of the Russian Federation, are classified as information constituting a state secret, and in other cases, information of a confidential nature".

For example, in accordance with Art. 17 of the Federal Law of April 3, 1995 N 40-FZ "On the Federal Security Service" (SZ RF. 1995. N 15. Art. 1269), "Information about employees of the federal security service who performed (performed) special tasks in special services and organizations of foreign states, in criminal groups, constitutes a state secret and can be made public only with the written consent of these employees and in cases provided for by federal laws".

This circumstance in no way detracts from the legal significance of the employee's personal data, does not encroach on their isolation, but, on the contrary, contributes to more effective protection by the state. Thus, the same information can constitute both a state secret and confidential information related to the personal data of an employee. At the same time, personal data, in our opinion, may constitute an official or professional secret. Let us turn to the legal nature of these types of confidential information.

V.N. Lopatin includes among the information constituting an official secret the data of the preliminary investigation, as well as judicial secrecy (Lopatin V.N. Legal protection and protection of the right to a secret // Legal world. 1999. No. 7. S. 40). On the contrary, Yu.V. Francifirov points out the need to single out professional secrecy and divide it into state, official, medical, investigative, banking, lawyer, as well as the secret of the meeting of judges (Francifirov Yu.V. Contradictions between publicity and secrecy in criminal proceedings // Investigator. 2004. No. 3. S. 40). In turn, I.L. Petrukhin (Petrukhin I.L. Personal secrets (person and power). M.: Institute of State and Law of the Russian Academy of Sciences, 1998. S. 15) classifies medical, judicial protection and representation, confession, preliminary investigation, notarial acts as professional secrets.

The aforementioned Decree of the President of the Russian Federation, establishing the List of confidential information, does not define the criterion in connection with which it is possible to separate professional and official secrets. In addition, firstly, the list of confidential information is established only by federal law; secondly, when determining an official secret, a reference to civil law is not entirely appropriate, due to the fact that not in all cases an official secret represents commercial information.

E.L. Nikitin and A.A. Timoshenko propose to separate professional secrets and official secrets depending on the subjects that hold them.

The etymology of the word "official" implies an appeal to the concept of "service" (state or municipal) (Nikitin E.L., Timoshenko A.A. To the question of the legal nature of the employee's personal data // Journal of Russian Law. - 2006. - No. 7). They believe that it is appropriate to refer to the Federal Law of May 27, 2003 N 58-FZ "On the system of public service of the Russian Federation" (SZ RF. 2003. N 22. Art. 2063), where Art. 1 defines the public service of the Russian Federation as the professional activity of citizens of the Russian Federation to ensure the execution of the powers of state authorities of the Russian Federation and their officials.

Professional secrecy involves the receipt of confidential information by a person in connection with his activities to fulfill the obligations of an employment contract and a civil law contract, but precisely within the framework of professional activities. In this sense, official activity is already professional, as it is also aimed at the implementation of professional skills, however, due to the specifics of the legal status of employees, which implies the empowerment of certain powers, it can be distinguished separately.

Neither professional secrets nor official secrets cover information that becomes known to citizens when applying for judicial and other state protection. Therefore, it is appropriate to single out the secrecy of justice separately, and in its composition to state the existence of the secrecy of criminal, civil, administrative types of legal proceedings.

The secrecy of criminal proceedings includes investigative secrecy (data from the preliminary investigation (Article 161 of the Code of Criminal Procedure of the Russian Federation)) and judicial secrecy (Articles 241, 298 of the Code of Criminal Procedure of the Russian Federation). At the same time, it must be borne in mind that secrecy in criminal proceedings can have an internal and external character. At the same time, internal secrecy in the criminal process exists due to the established restriction on familiarization with the materials of the criminal case for individual participants in the criminal process, as well as data on the identity of witnesses and victims, classified in the manner prescribed by law (the same personal data).

The secret, in particular in criminal proceedings, acquires an external character due to the regulatory restriction on the coverage of preliminary investigation data in the media or the restriction established by an official of the investigating authorities on the disclosure of information to unauthorized persons (not participants in the criminal process) during the preliminary investigation, as well as during a closed court session.

Thus, it can be concluded that the Decree of the President of the Russian Federation under consideration does not clearly distinguish the types of confidential information, since the individual personal data of a person, including the personal data of an employee, designated separately, may be part of other confidential information.

At the same time, in the process of inclusion in the structure of another type of information of limited access, the personal data of the employee, firstly, continue to be protected by labor legislation, and secondly, they acquire the remedies inherent in other types of confidential information.

Personal data of a person in general and personal data of an employee in particular, along with other secrets protected by law (except for state secrets) are phenomena of the same order - information of a confidential nature.

In the provisions of some federal laws, the concept of confidential information is given more broadly, but at the same time, there is an unjustified separation of the concepts of other secrets protected by law and confidential information. In particular, Part 2 of Art. 10 of the Customs Code of the Russian Federation (SZ RF. 2003. N 22. Art. 2066) already highlights state, commercial, banking, tax or other legally protected secrets and other confidential information.

According to V.N. Lopatin (Lopatin V.N. Legal protection and protection of the right to a secret // Legal world. 1999. N 4. S. 32), a similar situation is also observed when considering the provisions of Art. 8 of the Federal Law of July 4, 1996 N 85-FZ "On Participation in International Information Exchange" (SZ RF. 1996. N 28. Art. 3347).

However, the literal interpretation of Part 2 of Art. 8 of the Law on Information (highlighting state secrets and other confidential information) does not lead to such a conclusion, since this legal source repeats the norm of the named Federal Law.

In order to achieve the unity of legal mechanisms for the protection of personal data, it is necessary to adopt a special federal law that would regulate the legal regime of personal data as a whole and establish a unified system for the protection of these data, organically including the personal data of employees (Chapter 14 of the Labor Code of the Russian Federation).

Currently, such a bill is being considered in the State Duma of the Russian Federation (Shkel T. Russians will be coded // RG. Nov 22, 2005; Shkel T. Person under protection // RG. 2005. 25 Nov.). In addition, our state has ratified (Federal Law of December 19, 2005 N 160-FZ "On Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" // SZ RF. 2005. N 52. Part I. Art. 5573) the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Collection of Council of Europe documents in the field of human rights protection and the fight against crime. M., 1998. S. 106 - 114), which was joined by 33 European states.

The Directives of the European Parliament and the Council of the European Union of October 24, 1995 N 95/46/EC on the protection of the rights of individuals with regard to the processing of personal data and on the free movement of such data, as well as of July 12, 2002 N 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, deserve special attention.

They proclaimed legality as the fundamental principle of the processing of personal data and the need to harmonize the norms of the participating states to ensure an adequate level of protection of fundamental rights and freedoms and, in particular, the right to privacy in relation to the processing of personal data in the electronic communications sector (Morozov A.V., Semizarova E.V. Problems of implementation of international law in the field of legal protection of individuals in the automated processing of personal data // Problems of legal informatization. 2005. N 5. S. 18). Within the framework of the Council of Europe, the protection of personal data processed manually is also recognized (Directive CE 96/9 / CE "On the legal protection of databases" // Citizens' access to legal information (materials of international round tables). SPb., 1999).

Similarly, the protection of personal data is carried out in the USA, Japan, Australia (Sokolova O.S. Personal data as information of limited access: problems of legal regulation // Modern law. 2004. N 2. S. 21).

In Germany, in 1977, a constitutional act was adopted - the Law "On the Protection of Personal Data", in the UK since July 1998 the Law "On the Protection of Information" has been in force, in Sweden - the Law "On the Protection of Information" (1973), in France - Law of January 6, 1978 "On Computer Science, Card Files and Freedoms", in Hungary - Law of 1992 "On Personal Data and on the Publication of Data of Public Interest", in Spain in 1999 the Organic Law "On the protection of personal data" came into force (Protection of personal data: Experience in legal regulation / Author-comp. E.K. Volchinskaya. M.: Galeria, 2001). The structure of special acts regulating public relations in the labor sphere also contains separate provisions regulating the protection of personal data. Thus, the Statute of Workers of 1970, adopted in Italy, establishes a rule according to which the employer is prohibited, both when hiring and in the course of labor relations, from collecting information, including through third parties, about the political and religious views and trade union orientation of employees, as well as about circumstances that are not essential for assessing the professional suitability of employees (Tikhomirova L.V. Protection of personal data of an employee: Educational and practical guide. M., 2002. S. 12). Finally, within the framework of the CIS, at the fourteenth plenary meeting of the Interparliamentary Assembly of the CIS Member States (Resolution of October 16, 1999), the Model Law "On Personal Data" was adopted (Information Bulletin of the Interparliamentary Assembly of the CIS Member States. 2000. N 23. S. 315 - 326).

So, in general, personal data of an employee can include any information about facts, events and other circumstances of the life and work of an employee through which it is possible to identify him (Anisimov A.N. Legal protection of personal data of an employee // Labor Law. 2003. N 9. S. 31). The right to protect the personal data of an employee, in our opinion, is a manifestation of the constitutional right to privacy (Belyaeva N.G. The right to privacy and access to personal data // Jurisprudence. 2001. N 1. S. 102) and constitutes the following set of rights: 1) the right to possess personal data; 2) the right to their protection; 3) the right to enjoy other related rights established by law (for example, the right to family secrets, to the protection of a good name).

It is typical for labor relations that personal data includes information that allows the employer to involve the employee in order to effectively perform the labor function. It may be contained in the documents provided by the employee upon employment:

In the document proving the identity of the employee;

In the employee's work book;

In the insurance certificate of the state pension insurance;

In documents of military registration (if any);

In documents on education, qualifications or the availability of special knowledge or training;

In medical documents;

In other documents containing information necessary to determine labor relations, including those provided additionally by the employee on his own initiative (CVs, certificates, certificates, diplomas of laureates of various competitions, etc.); in various orders on personnel, materials of internal audits and investigations, reports and analytical notes.

Most of these materials are contained in the main document of personalized accounting - a personal file, which consists of various kinds of documentation.

The legal regime of the named documentation is subject to legal regulation on a general basis and cannot be of a local nature, as E.M. Berkutova (Berkutova E.M. Protection of personal data of an employee // Labor disputes. 2005. No. 2. pp. 3-5). The reviewed list is open. As already noted, additional information can be presented by the employee on his own initiative during an oral conversation with a representative of the employer, as well as when filling out various kinds of questionnaires. When a citizen undergoes psychological testing when applying for a job in an organization, a personal data protection regime should also be established in terms of their results and information reported during such events.

The Regulations on the personal data of a state civil servant of the Russian Federation and the conduct of his personal file (approved by Decree of the President of the Russian Federation of May 30, 2005 N 609 // SZ RF. 2005. N 23. Art. 2242) indicate that the personal data of a civil servant is understood as information about the facts, events and circumstances of the life of a civil servant that makes it possible to identify him and that is contained in the personal file of a civil servant or subject to inclusion in his personal file in accordance with the specified Regulation (for example, information from the decision on awarding state awards, conferring honorary, military and special ranks, awarding state prizes (if any)).

Summarizing the above, we can conclude that the employee's personal data are organically included in the person's personal data system, constitute a separate legal entity - the institution of labor law, are informational in nature, are subject to comprehensive legal protection by all methods and means established to protect state secrets and confidential information.

CHAPTER 2. FEATURES OF THE PROTECTION OF PERSONAL DATA OF EMPLOYEES IN LABOR LAW

2.1 Legal regulation of the processing of personal data of employees

Law No. 152-FZ "On Personal Data" quite broadly interprets such a concept as the processing of personal data, including the collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data.

In accordance with part 2 of article 85 of the Labor Code of the Russian Federation, the processing of an employee's personal data is the receipt, storage, combination, transfer or any other use of the employee's personal data (for example, the formation of a list of employees compiled according to certain criteria, a report on employees, etc.).

In order to ensure the rights and freedoms of man and citizen, in accordance with Article 86 of the Labor Code of the Russian Federation, the employer and his representatives, when processing the personal data of an employee, must comply with the following general requirements:

1) the processing of personal data of an employee may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts, assisting employees in employment, training and promotion, ensuring the personal safety of employees, controlling the quantity and quality of work performed and ensuring the safety of property. Thus, for any other purposes of the organization, the processing of personal data is prohibited;

2) when determining the scope and content of the processed personal data of an employee, the employer must be guided by the Constitution of the Russian Federation, the Labor Code and other federal laws;

3) all personal data of the employee should be obtained from him. In the event that the employee's personal data can only be obtained from a third party, the employee must be notified of this in advance, as well as obtaining written consent from him. In the notice, the employer must inform the employee of the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee's refusal to give written consent to receive them. Thus, the collection of information about the employee without his knowledge is not allowed;

4) the employer does not have the right to receive and process the personal data of the employee about his political, religious and other beliefs and private life. It should be noted that in cases directly related to issues of labor relations, the employer has the right to receive and process data on the private life of the employee, but only with his written consent;

5) the employer is prohibited from receiving and processing the employee's personal data on his membership in public associations or his trade union activities. The exception is cases provided for by the Labor Code of the Russian Federation or other federal laws. An example is membership in extremist public organizations;

6) when making decisions affecting the interests of the employee, the employer does not have the right to rely on the employee's personal data obtained solely as a result of their automated processing or electronic receipt. This ban is based on the fact that the data obtained can be used in the wrong context. In each situation, it is necessary to be guided by the information obtained by studying the entire volume of available documents and information;

7) the protection of the employee's personal data from their unlawful use or loss must be ensured by the employer at his expense in the manner established by the Labor Code and other federal laws;

8) employees and their representatives must be familiarized against signature with the documents of the employer establishing the procedure for processing the personal data of employees, as well as their rights and obligations in this area. Such documents may be the Regulations on personal data, Instructions for working with personal data, etc.;

9) employees should not waive their rights to maintain and protect secrets. If the local regulations of the employer on personal data or the employment contract contain a provision that the employee waives the said rights, then in this part the document will be considered invalid;

10) employers, employees and their representatives must jointly develop measures to protect the personal data of employees. One of the main tasks in this case is the adoption of local regulations on personal data.

Article 86 of the Labor Code is aimed at ensuring that personal data is used primarily in the interests of the employee: to determine his legal status in relation to the employer, the scope and content of the rights and obligations of the employee arising from the employment contract, and, accordingly, the counter rights and obligations of the employer.

Art. 86 of the Labor Code of the Russian Federation, which establishes a list of general requirements that an employer must comply with when processing personal data, should be supplemented with a prohibition on the employer receiving the following information from a person applying for a job or from an employee:

Information constituting a state secret or other confidential information protected by law, which became known to the employee before the emergence of labor relations with the employer;

Information about the past political or social activities of the employee or person applying for a job;

Information about previous cases of bringing to criminal responsibility (with the exception of restrictions established for persons who get a job in the law enforcement bodies of the Russian Federation and justice, for work related to the upbringing, education of children, other socially significant work, as well as those related to the imposition of punishment in the form of deprivation of the right to hold certain positions or engage in certain activities);

Data on property status (exception for persons applying for elective positions);

Information about the nationality of the employee himself, his close relatives, relatives, close persons, other persons;

other similar data.

When determining the scope and content of the processed personal data of an employee, the employer must be guided by the Constitution of the Russian Federation, the Labor Code of the Russian Federation and other federal laws. This requirement directs the employer to comply with the restrictions established to protect the privacy of citizens. However, the line between the information required by the employer in connection with labor relations and information relating to the private life of a citizen is not clearly marked in any of the regulations. In fact, this question is left to the discretion of the employer.

Obtaining personal data must be carried out in accordance with the procedure established by law. As a general rule, all personal data should be obtained from the employee himself.

However, the law does not regulate the actions of the employer in case of refusal of the employee to provide the necessary data. The vagueness of the wording of the requirements of the Labor Code of the Russian Federation regarding the processing of personal data and the very definition of personal data, on the one hand, allows the employee to object to almost every request on the grounds that it is illegal to ask about it. The exception is information that can be obtained from a work book, passport, education document, military ID and insurance certificate. Everything related to family, kindred, friendly, domestic, intimate and other personal relationships easily fits into the concept of "private life". On the other hand, it is quite difficult to reproach the employer for being interested, for example, in the marital status of an employee out of idle curiosity, and not in connection with labor relations.

In addition to circumstances of a family and domestic nature (the presence of a family, children, registered or actual marriage), the employer has the right to request information about the state of health, the presence of a disability, the age of the employee, the actual place of residence, about certain personal qualities that manifested themselves at the previous place of work and other public areas. Such data may include information about a criminal record or military service, which are information closely related to the public sphere.

If personal data can only be obtained from a third party, then the following conditions must be met:

1) notification of the employee by the employer of the intention to obtain personal data from a third party (indicating the purpose, alleged sources and methods of obtaining data, their nature, the consequences of the employee's refusal to give written consent to receive them);

2) obtaining the written consent of the employee to receive his personal data from a third party.

Unfortunately, the legislator does not explain what is meant by written consent. In this regard, obtaining written consent can be carried out in any form. For example, an employee can write the requested data in his own hand and submit it to the employer, who sometimes needs to make sure that the data submitted is correct. The norms of the new Labor Code of the Russian Federation need to detail the process of requesting personal data from an employee.

Thus, in world practice, it is considered commonplace to request an educational institution to confirm the education received by an employee, to award him a qualification category, his state of health, etc.

The absence in the law of a list of cases when an employer has the right to request personal data from third parties upon notification of an employee gives rise in practice to situations in which an employer, reporting on the consequences of an employee’s refusal to give written consent to receive personal data from third parties, can always “intimidate” the employee and obtain such consent, since the law does not guarantee the non-use of "repressive" measures on the part of the employer in case of refusal.

The Labor Code of the Russian Federation establishes a number of restrictions on the processing of personal data of a certain kind. Thus, the employer does not have the right to receive and process the employee's personal data about his membership in public associations or his trade union activities, except as provided by federal law (clause 4 of article 86 of the Labor Code of the Russian Federation), and also to report the employee's personal data for commercial purposes without his written consent (paragraph 2 of article 88 of the Labor Code of the Russian Federation). It should also be emphasized that the employer can independently assess the serious and imminent threat to the life and health of the employee, its degree, and in order to prevent such a threat, provide personal information to any third parties (Article 88 of the Labor Code of the Russian Federation).

Currently, in organizations, the following forms of collecting personal data of an employee can be distinguished:

interview;

questioning;

testing.

The interview consists in programming questions to the candidate for the relevant position in such a way that they sufficiently fully reveal the pre-designated range of criteria necessary for occupying a particular position with a probable degree of reliability. It is advisable for the organization to develop a special form with a list of key issues. It should be remembered that there are questions that it is forbidden by law to ask an employee. Thus, Article 64 of the Labor Code of the Russian Federation establishes that an unreasonable refusal to conclude an employment contract is prohibited. Any direct or indirect restriction of rights or the establishment of direct or indirect advantages when concluding an employment contract depending on gender, race, skin color, nationality, language, origin, property, social and official position, place of residence (including the presence or absence of registration at the place of residence or stay), as well as other circumstances not related to the business qualities of employees, is not allowed, except as otherwise provided by federal law. It is forbidden to refuse to conclude an employment contract for women for reasons related to pregnancy or the presence of children.

Therefore, personnel officers should avoid incorrect questions related to discriminatory grounds. It is possible during the interview to clarify how many jobs the employee has changed; duration of work in a particular place; the name of the position held earlier; previous salary, etc.

Questioning is the use of a questionnaire containing a list of questions to which the applicant answers in writing. The most important points for which personnel workers usually look for answers: address, major discipline at a university, technical school, purpose of employment; time spent at previous places of work, positions; completed educational institutions; health restrictions; military service; awarded titles, etc. In questionnaires, questions about nationality, origin, social and property status should also be avoided. Questions should be aimed at identifying the business qualities of the future employee. It is undesirable for the applicant to remain convinced that his business qualities are fully consistent with the required ones, but that he was refused an employment contract because of his property status, for example, the lack of his own apartment or low wages at the previous place of work.

According to parts 5 and 6 of article 64 of the Labor Code of the Russian Federation, the employer is obliged to report the reason for the refusal to conclude an employment contract in writing. At the same time, the refusal can be appealed in court, and it is possible that the questionnaire will be the subject of judicial research and study, and it is quite possible that the representative of the employer in court will have to explain for what purpose certain questions were asked.

According to paragraph 11 of Article 81 of the Labor Code of the Russian Federation, an employment contract can be terminated by the employer in cases where the employee submits false documents or knowingly false information when concluding an employment contract. Therefore, it is advisable to provide in the questionnaire the employee’s mark opposite the clause: “I confirm the accuracy of the information set out above” or: “I am aware that the submission of deliberately false information may subsequently serve as a basis for terminating the employment contract.” However, here one should take into account the time gap between the applicant filling out the questionnaire and the direct conclusion of the employment contract.

And finally, let's touch on testing, which can also become a source of information about a future employee. Depending on the purpose, the following types of tests are usually distinguished, which are used when concluding an employment contract: for checking the level achieved (knowledge or skills), for learning ability, for interests, characterological tests. The test can have a dual use: to select applicants with the greatest chance of success, and to weed out applicants. In most cases, tests are more reliable in predicting negative results. Therefore, in modern management practice, they are used as a tool for initial screening and limiting the circle of applicants, while the final choice is made using less formal methods.

2.2 Storage, use and transfer of personal data of employees

The employer must establish a procedure for the storage and use of personal data of employees in compliance with the requirements of the Labor Code and other federal laws. This provision is contained in Article 87 of the Labor Code of the Russian Federation.

The storage of information about the private life of a person should be carried out in such a way that it excludes the possibility of its loss or of access to it by unauthorized (third) persons. The use of personal data by bodies and persons who have legally received them should be carried out only in accordance with the tasks for which they were collected. As indicated in Part 2 of Art. 11 of the Law on Information, personal data cannot be used for the purpose of causing property and moral damage to citizens, making it difficult to exercise the rights and freedoms of Russian citizens. Restriction of the rights of citizens based on the use of information about their social origin, racial, national, linguistic, religious and party affiliation is prohibited and punishable in accordance with the legislation of the Russian Federation. The use of information about the private life of a person for mercenary or other illegal purposes, according to the logic and meaning of the legislative approach, should inevitably entail the application of measures of disciplinary, material, civil law, administrative or even criminal (in the event of significant harm to the rights and legitimate interests of citizens) liability to the culprit. In practice, this theoretical position causes the greatest difficulties in implementation.

...

work has a significant potential.

The survey revealed that 73% of respondents consider outreach work with drug addicts to be effective, which is a very good result.

Of course, the prospects for outreach work in Russia are also determined by the willingness of the population to participate as outreach workers. However, according to the results of the survey, 54% of respondents did not show such a desire, 33% would like to take part, 13% found it difficult to answer. This can be explained by the lack of sufficient information about the activities of outreach workers.

Based on the results of the study, it can be concluded that the population has a positive attitude towards outreach work. The majority of respondents consider it necessary to develop this professional activity in Russia, including with drug addicted young people.

Outreach work, in our opinion, can be used in the work of non-profit organizations whose mission is aimed at the rehabilitation of drug addicts, the prevention of drug addiction and the promotion of a healthy lifestyle. But for the effective and full-fledged development of outreach work, public organizations will need to work closely with state narcological and infectious diseases services, and law enforcement agencies.

Thus, outreach work in Russia, although used only in some regions of Russia, has shown good results as a method of preventing drug addiction among young people, HIV infections among injecting drug users. From the current state of affairs with drug-addicted youth, because of the acute problem, it is obvious that there is a need to develop such work that would focus specifically on the specifics of this target group, on their problems.

© Bolshakova N.L., 2016

UDC: 004.738.5:004.056

Germanova Valeria Alexandrovna

Assistant at the Department of Sociology and Management, MADI

Moscow, Russian Federation

E-mail: [email protected]

Atabekyan Anait Sargisovna

Student of the Department of Sociology and Management, MADI

Moscow, Russian Federation

E-mail: [email protected]

PROBLEMS OF PROTECTION OF PERSONAL DATA ON THE INTERNET

INTERNATIONAL SCIENTIFIC JOURNAL "SYMBOL OF SCIENCE" №12-3/2016 ISSN 2410-700Х

Abstract

Information has always given an advantage in the struggle for wealth and power, but in modern conditions, in the information age, it has become the main weapon. With the development of information technologies and available means of mass communication, the possibilities of abuse associated with the use of collected and accumulated information about a person have increased. Means of rapid processing of personal data have appeared and are effectively used by attackers, creating a threat to the rights and legitimate interests of a person. The article deals with the problems of personal data protection on the Internet and offers recommendations for its provision.

Keywords: personal data, Internet, confidentiality.

In the context of globalization, human activity is becoming more and more connected with the global Internet; over the past decades, the number of its users has increased many times over. Working on the network, a person receives a lot of useful information, but sometimes does not notice that his personal data is under great threat. The protection of personal data is a relevant issue, and the protection and information security of personal data that ends up on the Internet is especially so. Personal data is any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data).

Obviously, widely using computers and networks for processing and transmitting information, these industries must be reliably protected from the possibility of access to it by unauthorized persons, and from its loss or distortion. According to statistics, more than 80% of companies suffer financial losses due to violation of the integrity and confidentiality of the data used.

The most common source of threats to personal data is the Internet. In today's world, almost everyone has email, sometimes several accounts (personal and work email), and profiles in various social networks, including professional ones. In any case, account hacking can lead to the loss of personal data published on the profile page or ever sent using the service, and in fact even passport data and other particularly important information are often sent via mail and social networks. Any illegal actions that led to the loss of personal data violate the main law of the country - the Constitution (Article 24). A separate issue of protecting personal data on the Internet arises if you pay attention to e-commerce, because online shopping has become a natural phenomenon for most people.

When performing these operations, it is worth carefully checking that the site on which the goods are bought strictly complies with the law, and it is undesirable to link your bank card to the site's payment system, as this carries an additional risk. Another source of danger for personal data on the Internet can be job search sites and portals of personalized (i.e., designed for a particular citizen and containing his personal data) services to the population.

There is a real problem in the modern world - the Internet. In everyday life, people leave behind so-called virtual “breadcrumbs”: digital information about who they call, where they go, what food they prefer, what and where they buy, where they live and other data about personal life. You can learn more from these elements of people's lives than they themselves would like to tell about themselves. Digital technology makes it possible to explore billions of individual interactions in which people exchange ideas, money, goods and rumors.

In the new digital age, society will need to be managed in a new way. We will have to start testing connections in the real world much earlier and much more often than before. We need to create so-called “living laboratories” where ideas can be worked out for building a society driven by personal data. An increase in the creative flow of ideas would be possible for all people, anonymously, without fear to exchange personal data.

In a post-industrial society, confidentiality has come to mean that some information is available to some and not available to others. Confidentiality involves the need to prevent disclosure of personal information, and privacy is the arbiter of who gets more control. It is very important to maintain a delicate balance between privacy and openness; users themselves can take care of this through browser or social network settings.

Information has always given an advantage in the struggle for wealth and power, but in the information age it has become the main weapon. The possibility of exchanging information on the Internet today is practically limitless and continues to evolve. The Internet today is a dynamic social environment that brings together a huge number of people. For example, Facebook and its competitors encourage openness and transparency among their users, but they keep the predictive patterns of these users a deep secret.

In conclusion, there are several rules for Internet users that you should follow in order to secure your personal data:

1. Keep track of what is sent in the message and to whom.

2. Carefully study the agreements on the processing of personal data on various sites; if there are none, do not entrust important information to the site.

3. When using e-commerce services, do not link a bank card to the site's payment system.

4. If violations of the legislation in the field of personal data protection are detected, contact the relevant regulatory authorities.

Thus, ensuring the security of personal data is one of the most important problems in the information sphere and in relations between the state, legal entities and individuals, requiring certain approaches and solutions. New technologies, on the one hand, have greatly simplified the collection, processing, storage, and transfer of data, and, on the other hand, have created obvious threats of their illegal circulation, which leads to violations of individual rights.

List of used literature:

1. Time.PB. Personal data: Volgin I. - Moscow, Vremya, 2014 - 185 p.

2. Economic informatics / ed. V.P. Kosareva and L.V. Eremina. - M.: "Finance and statistics", 2013 - 592 p.

3. The Constitution of the Russian Federation - Reference and legal base "Consultant Plus".

© Germanova V.A., Atabekyan A.S., 2016

Kilsenbaev E.R.

4th year student, Faculty of Philosophy and Sociology, Bashkir State University

Ufa, Russian Federation

SITUATION OF DISABLED PEOPLE IN THE LABOR MARKET

Abstract

The article deals with the situation of disabled people in the labor market. The mechanisms of employment of disabled people are listed. Statistical data are given, violations faced by employed disabled people.

Keywords

Disabled person, employed disabled person, violations of the rights of disabled people in the workplace

Thesis on the topic: “Protection of personal data in the information system of the organization of the MCU “Youth Center” MO Korenovskiy district”

The topic of this work is extremely relevant in our time, because in the XXI century there are more and more innovations and computer skills, and more and more opportunities for hacking systems. As you know, the creation of information systems (IS) increases the productivity of any organization (enterprise), with any form of ownership. Users of such a system can quickly obtain the data they need to perform their duties.

But despite the many advantages of the production of computers, there are many disadvantages. The most common problem today is that attackers can easily get access to your personal data. Having access to various databases (DB), attackers can use them to extort money, other valuable information, material assets and other things.

The protection of personal data is a hot topic in our country, since there is not so much legislation. But not all specialists who work at the enterprise know how to protect their computer system; therefore, information security specialists are responsible not only for the security of the information system, but also for the personnel training system. The purpose of the work is the protection of personal data, which at present comes first. Most often, attackers are interested in information stored in the databases of state structures, such as the Ministry of Internal Affairs, the FSB and others, as well as organizations controlled by them, such as healthcare and education institutions. Increasingly, articles appear in the media on the topic of popular SMS fraud. But after gaining access to the database of some medical organization, an attacker can blackmail the patient, or his relatives, or ruin his reputation.

Therefore, the task of this thesis is to develop an integrated system for the security of personal data in the Department of Youth Affairs of the city of Korenovsk, whose task is not only to develop, but also to implement a system for protecting personal data, as well as draw up in detail solutions for the protection of information systems of personal data and calculate the funds spent on the installation and protection of personal data from intruders.

The subject of the study of my work was the protection of personal data in the MKU "Youth Center". The research method was the development and implementation of measures to protect personal data in the MKU "Youth Center".

The institution MKU "Youth Center" is engaged in the development and organization of youth projects, creates conditions and forms of support for youth ideas and initiatives, and provides assistance to veterans of the Great Patriotic War and the poor. It collaborates with educational institutions of the Korenovsky district, etc.

In the course of studying this organization, it was found that the insecurity of personal data in it is a rather large problem: antivirus programs and cryptographic methods of information protection are not installed on any of the personal computers, and databases are freely available to all committee members without access levels.

It was decided to install VPN software, which combines local networks and individual computers over an open external information transfer medium into a single virtual corporate network, ensuring the security of the data circulating in it.

In the course of the work, a Cisco ASA firewall was purchased, along with web + Kaspersky antivirus, the DeviceLock program, which is designed to protect against and eliminate information leakage, and the XSpider program, which scans for vulnerabilities.

Since the task of the work was not only to create, but also to implement a secure personal data system, a secure local network for the organization MKU "Youth Center" of the Korenovsky District was developed in the course of the work, through which information related to personal data circulates in secure channels; software and hardware protection tools are also proposed. In particular, a basic security policy was proposed to protect against unauthorized access to critical resources. During implementation, all information remains protected, and each specialist of the Youth Center has access to it only under a personal password and control, as does the head of the department, who can view data from his own computer without using the specialists' computers, which is much safer and more convenient.
