What should be the policy regarding the processing of personal data in accordance with the law?

Since July 1, 2017, amendments to the Code of Administrative Offenses and Federal Law No. 152 have been in effect. In accordance with them, all organizations, institutions and enterprises need to develop and approve a special document: the Policy regarding the processing of personal data.

Relevance of the issue

The new requirements of legislation are aimed at the protection of citizens against unauthorized access to and illegal use of their personal information. The legislator paid special attention to socially significant institutions: preschool educational institutions (DOU) and schools.

The Policy regarding the processing of personal data makes it possible to ensure the implementation of the principles of legality, confidentiality and security of information.

Legislation provides for periodic inspections of subjects to ensure that the actual level of protection meets the established requirements. Monitoring is carried out by the territorial units of Roskomnadzor.

The Policy regarding the processing of personal data is a document consisting of several sections. They provide information on the entity collecting and processing data, on third parties involved in the process, on information protection measures, references to regulatory documents, and the rights of bearers of personal information. A sample policy for the processing of personal data is described below.

Title page

The approval stamp should be in the upper right corner. It contains: the title of the position, the manager's full name and signature, as well as the organization's stamp.

In the center, with a small indent from the approval stamp, the name of the document is indicated. For example, it can be this:

"The policy of LLC "__" regarding the processing of personal data and information about the measures being implemented to protect them."

As a rule, the text of the document begins with the title page.

The General provisions section of the Policy regarding the processing of personal data contains information on the document itself. Its key tasks are:

  1. Disclosure of the main categories of personal information, goals, methods, principles of their processing, duties and rights of the enterprise in the process of using the data.
  2. Ensuring the protection of the confidentiality of personal information.

A sample of the Policy regarding the processing of personal data also contains an indication of the public availability of the document.

Organization Details

Any enterprise or organization, including a service provider (operator), can act as an entity that collects and processes personal information. The Policy regarding the processing of personal data contains information about:

  1. The name of the subject. It is given in full and short form.
  2. INN.
  3. The actual address.
  4. Phone, fax.

The operator's Policy regarding the processing of personal data also includes information on the number, date and basis of entry into the single register.

Normative grounds

This section of the organization's Policy regarding the processing of personal data lists the legal documents that guide the company when working with personal information. The main regulatory acts include:

  • Constitution of the Russian Federation.
  • Labor Code of the Russian Federation (TC RF).
  • Civil Code of the Russian Federation.
  • Federal Law No. 160.
  • Federal Law No. 152.
  • Federal Law No. 210.
  • Federal Law No. 326.
  • Federal Law No. 149.

In order to implement the Policy regarding the processing of personal data, the company adopts a number of local acts. Among them are:

  • Personal information being processed.
  • Information systems used when working with information.
  • Employees who have access to personal data.

In addition, the following are approved:

  • Rules of information processing.
  • Acts of classification of information systems.
  • Models of possible threats to the security of personal data during processing.

Objectives of working with information

The Policy regarding the processing of personal data should contain a closed list of tasks implemented by the organization. Data processing should be carried out for:

  1. Ensuring implementation of state policy for social support and social services for citizens, including those belonging to the category of especially needy. Among them: the poor, pensioners, the disabled of any group, large families, minors, etc.
  2. Registration of labor contracts, civil-law agreements, contracts with contractors and fulfillment of their terms.
  3. Organization of the admission regime.

Information categories

The Policy regarding the processing of personal data provides for work with the personal information of:

  • employees;
  • recipients of services, their relatives, representatives.

The sources of this information are the carriers themselves.

Principles of working with information

According to the Policy regarding the processing of personal data, the entity working with the information is required to comply with the provisions of Article 5 of Federal Law No. 152.

If the organization does not work with biometric data, the Policy should specify this. Biometric information characterizes the biological and physiological characteristics of a person, by which his identity is established.

Other fundamental principles of working with personal information include:

  1. Non-use of special categories of information relating to nationality / race, religious and political views, philosophical beliefs, intimate life, health.
  2. Elimination of cross-border transfer of information (to another state, to a foreign citizen or legal entity).
  3. The transfer of information to third parties is carried out exclusively with the consent of the carrier on the basis of an agreement.
  4. Formation of publicly available sources of personal data (directories, address books) from information communicated by a citizen. In accordance with the Policy regarding the processing of personal data, information is included in them only with his consent.

Third parties involved in working with personal data

To implement the requirements of legislation and achieve the objectives of work with personal information, in the interests and with the consent of the carriers, the information is transmitted to:

  • FTS.
  • FIU.
  • Subjects of the system of electronic interdepartmental interaction.
  • Offices of non-state pension funds.

Security measures

This section of the Policy regarding the processing of personal data is considered one of the most significant.

The subject working with personal information of citizens must take all legal, technical and organizational measures to prevent accidental or unlawful access to it, its alteration, destruction, copying, blocking or dissemination, and the commission of other unlawful actions with it.

The organization should appoint employees responsible for organizing the work with information.

It is mandatory to provide internal control / audit of the compliance of information processing with the requirements of Federal Law No. 152, as well as regulatory documents adopted on its basis, including local acts. All employees who work with personal information of citizens should be familiar with their provisions.

Prior to the commissioning of the information system, an assessment should be made of the effectiveness of measures taken to ensure the protection of information.

The facts of unauthorized access to personal data should be identified promptly. If they are found, the organization must take measures to restore the information that was changed or destroyed.

Access to personal data must be carried out in accordance with laws and other legal acts, including local acts. The organization must ensure registration and recording of actions performed with personal information of citizens. An obligatory requirement of the legislation is to establish control over the measures taken to protect data and information systems.

The job regulations define the duties of employees working with personal information.

Rights of personal data carriers

Citizens have the right to receive information about the processing of their personal information. The data carrier may demand that the data be clarified, destroyed or blocked if they:

  • are obsolete;
  • are incomplete / inaccurate;
  • were obtained unlawfully;
  • are not necessary for the stated processing objectives.

The information carrier has the right to take measures to protect his interests within the framework of the current legislation.

Restriction of rights

It is allowed only in cases provided for by law. The rights of citizens to access their personal data are limited if:

  • Information processing, including of information obtained in the course of operational-search, intelligence or counterintelligence activity, is carried out to ensure the security and defense capability of the state and the protection of law and order.
  • The personal information is processed by the bodies that detained persons suspected / accused of crimes, or that applied preventive measures to the subjects. The exceptions are the cases fixed by the Criminal Procedure Code.
  • The processing of data is aimed at counteracting the laundering (legalization) of illegally obtained incomes, as well as at suppressing the financing of terrorism.
  • Work with information is carried out to ensure the safe operation of transport infrastructure, protect the rights and interests of the individual, the state and society in the transport sector.

Important points

The Policy on the processing of personal information must set out the measures that a citizen can take to protect his rights. In particular, the subject can apply directly to the persons working with his personal data.

The organization should consider any complaints and appeals and study them carefully. If necessary, an internal investigation of violations is conducted. The organization is obliged to take all measures for immediate elimination of the violations revealed, punishment of guilty parties and settlement of conflicts in a pre-trial procedure.

The carrier of personal information can dispute the actions / inaction of the organization or its employees by applying to the body authorized to protect the rights of subjects of personal information. He can also demand compensation for moral or material harm in the courts.

Contact Information

The Policy should contain information on the persons responsible for the organization of work with personal information. They can be the head of the department for the reception of citizens, organizational and technical work and social support. His name, position and phone number should be indicated. At the discretion of the organization's management, contact information may contain the e-mail address.

In addition, this section of the Policy should indicate information about the supervisory authority:

  1. Mailing address.
  2. Name.
  3. Official site.
  4. Email address.
  5. Phone numbers.

Final provisions

This section provides information on the developers of the Policy and the person controlling its execution in the organization. The first is usually the legal department of the company. Control over the implementation of the provisions rests with the head of the organization or his deputy. The name and surname of the responsible person must be indicated in the document.

Order of approval

The developed draft of the Policy is submitted for coordination. The document is approved by order of the director. This act is drawn up according to the standard model, adopted in accordance with the nomenclature of cases, on the basis of the Instruction on record keeping.

The Order contains the following information:

  1. Name of company.
  2. Document's name.
  3. Date of issue, number.
  4. Preamble.
  5. Text.
  6. Date of entry into force.
  7. Name of the head of the enterprise, signature.
  8. Signatures of persons familiar with the order.

The preamble, as a rule, looks as follows:

"In accordance with clause 2 of Article 18.1 of Federal Law No. 152 "On Personal Data", Government Decision No. 211 of 21.03.2012, and the regulatory enactments adopted on their basis, I order ..."

The text content can be:

"Approve the Policy "___" regarding the processing of personal data."

Operators should place the approved document on the official website of the region in the "Register of Social Service Providers" section. In this regard, the order specifies the following:

"The head of the department for work with citizens (F.I.O.) shall, within 10 days from the date of approval, publish the Policy on the official website (the name of the region) in the section "Register of social service providers"."

Additionally

If the organization has previously approved a Policy, it should be reviewed and, if necessary, amended. The revised document should be approved again. At the same time, the order that approved the Policy in effect before the changes must be canceled. For this purpose, an order is issued. In it, you can simultaneously cancel the previously acting order and approve the corrected policy.

Conclusion

Recently, the issue of protecting personal information has been given increased attention. This is due to the rapid development of computer technology, the emergence of new opportunities for unscrupulous users. Each organization that works with personal data must ensure that its carriers are safe.

The provisions of the Policy should be brought to the attention of all employees. The requirements stipulated by the document are binding for all departments of companies, institutions, enterprises and other persons involved in working with personal information of citizens. Violation of regulations leads to responsibility in accordance with the norms of the current legislation.
