On complying with Federal Law #152 “On personal data” when performing turnkey design work
When performing turnkey design work, both the developers of the design documentation and the customers have to handle personal data.
It is known that on July 27, 2006, Federal Law #152 “On personal data” was adopted to protect the rights and freedoms of individuals and citizens when their personal data is processed, including the rights to privacy and to personal and family secrecy. One of the reasons for adopting the law was the numerous thefts of personal data databases from state and commercial organizations, and their widespread sale.
It should be noted that the deadline for meeting the requirements of Federal Law #152 has been extended until January 2011.
Let us consider the term “personal data”.
A definition of personal data (PD) existed before the law was adopted, for example in the “List of information of a confidential nature” approved by Decree of the President of the Russian Federation #188 of March 6, 1997:
Confidential information includes: information on the facts, events and circumstances of a citizen's private life that allows the person to be identified (personal data), except for information that is subject to dissemination in the mass media in cases established by federal laws.
The law, however, has broadened this. Personal data is now any information relating to an individual who is identified or identifiable on the basis of such information (the personal data subject), including surname, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income, and other information.
Thus personal data is, first of all, identity (biographical) data, data on marital status, data on education, the INN (taxpayer number), the number of the state pension insurance certificate and of the medical insurance policy, data on employment history, social and property status, and data on income. Such data exists in practically every organization.
When a person is hired, it is the data held by the employer's HR department that the employee provides in the personal card, the autobiography and the other documents filled in when the employment contract is concluded.
When a child enters a kindergarten, school, institute or other educational institution, a set of questionnaires and forms is filled in that records data both on the child (for example, birth certificate details) and on the parents (up to their place of work and position).
When receiving treatment at a medical institution, one must provide not only identity data but also data on benefits and medical insurance, previous treatments and test results. In many medical institutions outpatient and inpatient records are duplicated in electronic form.
And under current legislation all of this data is subject to protection.
Let us consider where protection should begin and whether it is required at all.
Confidentiality of personal data is a requirement, binding on the operator and on any other person who has obtained access to personal data, not to allow its dissemination without the consent of the personal data subject or another lawful basis.
Operator: a state body, municipal body, legal entity or individual that organizes and (or) carries out the processing of personal data and also determines the purposes and content of that processing.
Personal data information system (ISPD): an information system consisting of the personal data contained in a database together with the information technologies and technical means that allow such personal data to be processed with or without the use of automation.
Processing of personal data: actions (operations) with PD, including collection, systematization, accumulation, storage, updating (refinement, modification), use, dissemination (including transfer), depersonalization, blocking and destruction of personal data.
When processing PD, the operator must take all necessary organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying or dissemination, and from other unlawful actions.
What needs to be done to protect personal data?
First of all, it is necessary to determine which information systems are personal data information systems and what type of PD is processed in them.
Let us consider the classification of personal data information systems.
To understand how significant the problem of PD protection is, and to choose the necessary methods and means of PD protection, the operator must classify the ISPD. The classification procedure is defined by Order #55/86/20 of FSTEC of Russia (the Federal Service for Technical and Export Control), the FSB of Russia and Mininformsvyazi of Russia dated February 13, 2008.
The operator forms a commission (by order of the head of the organization) which, after analyzing the initial data, decides which class to assign to the ISPD. During classification the following are determined:
- the category of the personal data processed;
- the volume of the personal data processed;
- the type of information system;
- the structure of the information system and the location of its components;
- the modes of personal data processing;
- the modes of differentiating users' access rights;
- the presence of connections to public networks and (or) to networks of international information exchange.
According to Order #55/86/20, all information systems (IS) are divided into typical and special.
Typical information systems are information systems in which only the confidentiality of personal data needs to be ensured.
Special information systems are information systems in which, regardless of whether confidentiality of personal data must be ensured, at least one security characteristic other than confidentiality must be ensured (protection from destruction, modification, blocking and other unauthorized actions).
In practice it turns out that there are almost no typical IS, since in most cases integrity and availability of the information must be ensured in addition to confidentiality. Moreover, the following must be classed as special systems without exception:
- information systems in which personal data concerning the health of personal data subjects is processed;
- information systems in which decisions that give rise to legal consequences for the personal data subject, or otherwise affect his rights and legitimate interests, are made solely on the basis of automated processing of personal data.
Based on the analysis of the initial data, the commission assigns the personal data system the corresponding class:
- class 1 (C1): information systems in which a breach of the specified security characteristic of the personal data processed can lead to significant negative consequences for the personal data subjects;
- class 2 (C2): information systems in which a breach of the specified security characteristic of the personal data processed can lead to negative consequences for the personal data subjects;
- class 3 (C3): information systems in which a breach of the specified security characteristic of the personal data processed can lead to minor negative consequences for the personal data subjects;
- class 4 (C4): information systems in which a breach of the specified security characteristic of the personal data processed does not lead to negative consequences for the personal data subjects.
The classification results are documented in the ISPD Classification Act, which specifies the type of ISPD (typical or special), the class assigned to it and the conditions on which the decision was based.
As already mentioned, classification is needed for the subsequent choice of methods and means of protecting the PD processed in the ISPD, since FSTEC and FSB documents establish ISPD protection requirements for each class; we will discuss these a little later.
Let us consider lowering the class of a personal data IS.
Whether it makes sense to involve IT lawyers separately, when one could instead hold a tender for services to bring one's activities into conformity with the legislation and have those services provided by FSTEC licensees for technical protection of confidential information or by certification centers accredited for security requirements, is quite debatable. The key point is that by carrying out a scrupulous legal analysis and justification of the handling of each personal data attribute, and by correctly describing the technology of automated PD processing in the regulatory, design and organizational-administrative documentation, you can substantially lower the class of your PD IS.
Let us consider some ways of lowering the class of your PD IS in order to reduce most of the associated costs.
Way 1
Operators primarily process personal data that identifies a person (for example, a citizen of the Russian Federation) or a participant in one or another register maintained under the current legislation of the Russian Federation. If you read the legislation carefully, for example on the documents that identify a citizen of the Russian Federation or a foreign citizen on the territory of the Russian Federation, you can reach a rather interesting conclusion: we have to show our Russian citizen's passport (at least its first page) to a very large number of people (police officers, cashiers in shops when paying by bank card, bank tellers, airport staff, security guards and many others). At the same time, very few of these people are responsible under the law or under any instructions for the security of this data, and few process it in any way beyond visual identification of the person. So can one really speak of this data being closed? Further study of some federal acts shows that part of the data must simply be open to everyone when certain actions are performed.
Besides determining the openness of the data, it is necessary to understand what specifically, in your PD processing operations, allows a PD subject to be uniquely identified. For example, if your client may potentially have several contracts (receive several services), then knowing the identifier of the person alone is not sufficient as an identifier; to identify the subject one must also know the service identifier. Account numbers, phone numbers, contract numbers and so on can serve as such service identifiers; the decision and its justification rest with the PD operator.
Way 2
Companies have become accustomed to collecting a large amount of information from certain categories of PD subjects (for example, their own employees, university students and others). The reason for collecting the data may simply be the reflexive need to fill in the standard employee personal card (form Т-2). However, if one thinks about the sense and validity of including information about an employee's parents in his data, how is this necessity to be justified? Have many companies ever used such information? If so, can they find a basis for using it in federal laws? In our opinion, in a very large number of situations an excessive amount of personal data is collected simply because it can be collected, whereas in the exceptional cases where it is needed it could be received on paper and not entered into the information system at all. Legally justify each attribute of the personal data you collect and process, and you will see that many of them are superfluous. Properly ceasing to process them will substantially simplify your company's threat model.
Way 3
Divide the personal data of the subjects that you store and process in the PD IS into separate parts. For example, work separately with the subject's identifying data and separately with the subject's additional data, linking them to each other by some internal identifier. In many cases there is simply no logical or legal need to have both the identifying and the additional data in one place, so why complicate the task for yourself? By dividing this data at the stages of its processing you can lower the class of each node of the IS and thereby lower the overall class of the PD IS as a whole.
Way 4
Any action should be justified by something. For example, the cost of measures to create information protection should be justified by the possible damage that a security incident involving personal data could cause to the operator or to the PD subject. The justification stage is included in most regulatory documents as a mandatory stage when setting the tasks for creating a protection system. As it turns out, a rather effective way of reducing certain PD protection costs is the absence of commensurate damage from an incident with this data. So, for example, what sense is there in spending hundreds of thousands of roubles on protection and workplace certification when at any given moment only the identifying data of a single subject is displayed there? The principle of economic justification is a basic principle and is reflected even in state standards. In this connection, the key advice for IT lawyers is to identify the portions of personal data processed in the various nodes of the PD IS and to estimate the damage in the event of an incident on the basis of the current civil, administrative and criminal legislation of the Russian Federation. The possible damage should be weighed against the probability of one or another incident occurring.
Way 5
An important stage in bringing your activities into conformity with the legal requirements on personal data is building a threat model. The threat model must be built according to the requirements of FSTEC of Russia and, where cryptographic information protection means are used, the requirements of the FSB of Russia. What can a thoroughly worked-out threat model give us? The finding that there is no need to apply a number of information protection means if the realization of a threat is practically improbable. Of course, you can protect yourself from a possible meteorite falling on the building in which you process personal data, or from a server being pulled out through a hole in a metre-thick wall. But is it necessary, and how probable is it for you? Answering these questions with an assessment justified from various points of view (physical, logical, probabilistic, legal, economic and others) can considerably simplify your task.
Way 6
A frequent error is poor design of the user interface of an information system and its mismatch with the real task the user solves. For example, if under the law a bank operator must first identify the client and only then perform banking operations, why give every operator the ability to display the list of clients found by a query? In an emergency such a capability may be needed by only one user in a bank branch. The function in this example can be blocked at the DBMS level, which removes the need for special means of protecting information on many subjects at once, since that information can then no longer leave the data store. A similar example is the creation of complex screen forms that display “everything at once”. Yes, in some cases this is more convenient, but it is possible to restructure the part of the user interface connected with personal data and not allow simultaneous processing of category 1 and category 2 personal data on one workplace. Similar rules of separation should also apply to the transmission of data from user workplaces to a server. It is important to note that implementing the above recommendations often does not require rewriting the entire information system; a few small modifications may suffice.
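The following is an added example, not code from the article or from any real bank system. It shows how the “identify first, then operate” rule of way 6 can be enforced inside the database engine rather than in the screen form: a teller connection can fetch one client by a complete passport number, but any statement that lists clients by a partial match, or that reads a column the teller has no business seeing, is refused by the engine before it runs. The engine-side hook used here is SQLite's authorizer callback (sqlite3.Connection.set_authorizer); in a server DBMS the equivalent is revoking direct table access and granting only an exact-match lookup procedure. Table, column and role names and the sample clients are constructed.

```python
"""Added example (not from the article): enforcing way 6 at the DBMS level with
SQLite's authorizer, so a teller workplace cannot pull a list of clients whatever
the screen form offers. Names and sample data are constructed."""
import sqlite3

# Constructed sample clients (fictitious).
SAMPLE_CLIENTS = [
    ("4500 111111", "Ivanov", "Ivan", "none"),
    ("4500 222222", "Ivanova", "Anna", "hypertension"),
    ("4500 333333", "Petrov", "Pyotr", "diabetes"),
]

# SQL functions that turn an exact lookup into a listing (wildcard/prefix search).
LISTING_FUNCTIONS = {"like", "glob", "match"}
# Columns the teller role must not read at all (health data).
TELLER_HIDDEN_COLUMNS = {("clients", "diagnosis")}


def _teller_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Invoked by SQLite while compiling every statement on a teller connection.
    Returning SQLITE_DENY makes the statement fail before it executes."""
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in LISTING_FUNCTIONS:
        return sqlite3.SQLITE_DENY          # arg2 is the function name for this action
    if action == sqlite3.SQLITE_READ and (arg1, arg2) in TELLER_HIDDEN_COLUMNS:
        return sqlite3.SQLITE_DENY          # arg1 = table, arg2 = column
    return sqlite3.SQLITE_OK


def open_db(role):
    """Fresh in-memory database loaded with the sample data, then locked to a role."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (passport TEXT PRIMARY KEY, surname TEXT, "
        "name TEXT, diagnosis TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    if role == "teller":
        conn.set_authorizer(_teller_authorizer)   # restrictions apply from here on
    elif role != "branch_admin":
        raise ValueError(f"unknown role: {role}")
    return conn


def lookup_client(conn, passport):
    """Exact identification: a complete passport number yields at most one client."""
    return conn.execute(
        "SELECT passport, surname, name FROM clients WHERE passport = ?", (passport,)
    ).fetchone()


def search_clients(conn, surname_prefix):
    """Listing by partial surname: works for the single privileged user,
    refused by the engine on a teller connection."""
    return conn.execute(
        "SELECT passport, surname FROM clients WHERE surname LIKE ?",
        (surname_prefix + "%",),
    ).fetchall()


def try_statement(conn, sql, params=()):
    """Run a statement and report ('ok', rows) or ('denied', message)."""
    try:
        return "ok", conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    teller = open_db("teller")
    print(lookup_client(teller, "4500 111111"))
    print(try_statement(teller, "SELECT surname FROM clients WHERE surname LIKE ?", ("Iva%",)))
    print(try_statement(teller, "SELECT diagnosis FROM clients WHERE passport = ?", ("4500 111111",)))
    print(search_clients(open_db("branch_admin"), "Iva"))
```

Because the refusal happens in the engine at statement compilation, it holds even if a screen form is later changed to issue a broader query; that is what makes the control a DBMS-level one rather than an interface convention.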
Way 7
A computer network is, on the one hand, the basis for building distributed multi-tier information systems that substantially simplify the work of the company's employees and clients, and, on the other hand, is often the stumbling block when the security of their use is examined. But do we really need to transfer a set of category 1 or category 2 personal data over the network in one step? Perhaps we can split it up, reducing the class of the transferred data to category 3 or even category 4? Then the overall class of the IS will be substantially lowered.
It should also be noted that encryption based on GOST algorithms, which FSTEC often regards only as a last resort, is sometimes simpler to implement and operate. Moreover, you do not need any licences to call the methods of an FSB-certified cryptographic information protection tool (SKZI) with respect to the functions described in its documentation. In the frequently expressed opinion of FSB representatives, such work does not constitute licensed activity, since you are simply using a certified tool and its publicly agreed documentation in the documented way that they have verified and know.
Way 8
Carefully study the technical characteristics and nameplate data of the equipment, cables and other structural elements that are in any way connected with the operation of your PD IS. Most of them have a certificate of conformity confirming their passport characteristics. The task of your specialists is merely to collect all the documents together and formally compare them with the legislative requirements on data leakage via technical channels. As a result you will see that it is often easier to meet the operational requirements for the computer than to apply specialized means of protection against data leakage via technical channels.
Way 9
Very many modern information systems are built on a multi-tier architecture. That is, information undergoes multi-stage processing, moving from the place of input to the place of storage, from one subsystem to another. Of course, if your subsystems or tiers interact with each other synchronously in real time (i.e. performing a function in one subsystem synchronously causes a function to be performed in another), then, under the current understanding of the standards and legislation, such a combination of subsystems will be considered a single IS. But in very many cases it is possible to abandon real synchronous interaction and perform data transmission asynchronously, in a pseudo-real-time mode. Such a variant will not worsen the business characteristics of the solution, but, given an appropriate level of detail in the design documentation, it allows one to speak of two different IS: from one the data is unloaded and work with it there ends, and another IS loads this data and works with it. This makes it possible to move away from the “distributed” characteristic for your PD IS and to substantially simplify the required protection of the transfer of the unloaded and subsequently loaded data.
Way 10
It may sound old-fashioned, but sometimes taking some part of the whole set of personal data out of automated processing can substantially ease the life of a PD operator. The advice, promoted by both the FSB of Russia and FSTEC of Russia, to process part of the PD on paper can in some cases reduce the class of the PD IS in use, substantially lower the cost of organizing the protection system and sometimes even simplify the work of the specialists handling this data in accordance with the legislation. We suggest not rejecting this advice, since in our practice it has in certain cases proved rather effective.
Together with moving information to paper, it is worth analyzing the rather interesting exception specified in subparagraph 2 of paragraph 2 of the key law #152: the law does not apply to the organization of storage, acquisition, registration and use of documents of the Archival Fund of the Russian Federation containing personal data, or of other archival documents, in accordance with the legislation on archival affairs in the Russian Federation. Building and effectively using an archive in an organization performing design work, in accordance with archival legislation, makes it possible to simplify compliance with the PD legislation for part of the operations on part of the personal data.
Author: Челябэнергопроект