Again on the protection of personal data or preparing for verification by Roskomnadzor
Good day to all! In this article I would like to once again raise the topic of personal data protection (hereinafter PD), as well as the topic of protection against regulators. The peak of the debate on PD protection has long passed. Those peaks usually came as the next "final deadline" for 152-ФЗ coming into full force approached. As a result, the "final deadline" has come, the active debate has subsided, but the law "On Personal Data" lives on, regulators carry out inspections and punish violators. So the topic will stay relevant for a long time.
I must say right away that this article contains mainly organizational rather than technical information. "And why do we need such information?" the reader will ask. Let me explain: it just so happens that the heads of organizations, large and small alike, do not like to build long logical chains and dig into the essence of an issue that lies far from their competence. Therefore, when it becomes necessary to ensure the protection of personal data, the chain of reasoning that seems perfectly logical to them is: "Protection of personal data" -> "Protection of information" -> "Information technology" -> "Dump the personal data protection issue on the IT staff". Never mind that the lion's share of this work could be entrusted to lawyers and HR officers; as the old joke goes, "whoever refuses to load 'luminium' will be loading 'cast iron' instead".
[Figure: a typical example of the disclosure of personal data of a special category (information about intimate life)]
So, why won't I consider the technical protection of personal data here?
There are several reasons:
- There is a lot of information about it on the Internet, and it is more or less unambiguous.
- The topic is quite extensive and deserves a separate article; in this piece I want to deal with organizational issues.
- The organizational aspects are checked by Roskomnadzor, while the technical ones are checked by FSTEC. FSTEC inspects personal data protection far less often, if only because Roskomnadzor has a department in every region, whereas FSTEC has one per Federal District.
- With the cancellation of Government Decree No. 781, which regulated the technical protection of personal data, and its replacement by Decree No. 1119, the regulatory documents of FSTEC of Russia and the FSB of Russia ended up in a "suspended" state. In theory they should no longer be applied, since they were issued in pursuance of the cancelled Decree No. 781; on the other hand, the documents of FSTEC of Russia can only be cancelled by FSTEC of Russia itself. So it is better to look at the technical protection of PD in detail once the regulators release new documentation.
- IT specialists are in any case much closer to the technical protection of PD and find it easier to work out, whereas when management hands them the "paper" work, many may need help and clarification.
A little about myself
I thought it necessary to first say a little about myself, so that the reader understands that everything written below is based on personal experience in organizing the protection of personal data in various organizations, and is not a distillation of assorted forum debates on the Internet (some "experts" there occasionally write things that make your hair stand on end, and not only on your head).
I am the head of a department at one of the Far East companies that provide outsourced information security services to enterprises. Naturally, personal data protection is one of our most requested services. I have been working in this area since 2008. Our clients include both small organizations and fairly large state bodies (departments, government offices, legislative assemblies, etc.) as well as commercial ones (mobile operators, Internet providers, private medical clinics).
Some of our clients have undergone Roskomnadzor inspections regarding compliance with personal data protection legislation, and so far the result is 100% successful inspections. I also have personal experience representing an organization's interests during such an inspection.
So, you have been appointed responsible for organizing PD processing, and on top of that you have learned that you are on Roskomnadzor's inspection plan for the coming year. Where do you begin?
So it happened: the head, without giving it much thought, signed an order saying "I.I. Ivanov, system administrator of LLC Horns and Hooves, is to ensure that personal data protection in our organization is in perfect feng shui." What do you do first?
First of all, you need to find out whether your organization is in the register of personal data operators. To do this, it is enough to enter the company's TIN (INN) in the search. If there is no such notification, you need to file one (but bear in mind that if the notification has not been submitted earlier, that alone is already grounds for the regulator to fine your organization).
If the notification is present, you need to check its content. It often happens that the notification was filled in haphazardly by some Vasya Pupkin from the HR department back in 2007, and he was fired long ago. In that case it is only natural that the content of many fields no longer matches reality. Meanwhile, the practice of enforcement shows that most of Roskomnadzor's orders are issued precisely because the notification does not match what is actually going on in the organization. For example, the column "Categories of personal data processed" says "Full name, passport data, residential address, phone number", while you also process health information.
To amend the notification, there is also a special form on the personal data portal. Remember that the changes will not be taken into account unless you afterwards send a paper letter to your territorial office of Roskomnadzor. The same applies to the initial notification.
Well, the notification is sorted out; what next?
Next you need to issue and approve a whole set of documents in your organization (instructions, regulations, orders, logs, etc.). Remember that the documents must regulate not only automated processing but "analog" processing as well.
There is no fixed list of documents as such; there is only a list of aspects that you should cover in them.
The first step is to appoint a person responsible for organizing the processing of personal data (this person now has to be indicated in the operator's notification). In our scheme, this person will mainly be responsible for the "paper" questions. You are also required to appoint a personal data security administrator, who will be responsible for the technical side. Both can be appointed by a single order. I want to note right away that it is strongly recommended to align all wording with the text of the law, since inspectors very often find fault with it. For example, if you call the person responsible for organizing the processing of personal data simply "responsible for the processing of personal data", then with 99.9% probability the regulator will ask you to amend the document during the inspection.
Further, many people forget this, but Roskomnadzor requires that for every office in which PD is processed on paper, the storage locations (safe, cabinet, shelving) and the persons responsible for maintaining PD confidentiality in that office be defined. Put simply, we issue an order saying "In office No. 1, approve the safe as the storage location and appoint so-and-so as the responsible person."
Next, you must appoint a commission for classification and a commission for the destruction of PD. Each commission should consist of a chairman and at least two members. The two commissions may have 100% identical membership.
Further, it is necessary to determine the persons authorized to process personal data. These are the employees who work with PD, whether of the organization's own staff or of clients, subscribers and other categories of data subjects. Moreover, the document should indicate which employee has access to which data, whether he processes that data using automation tools or not, and, in the case of automated processing, his role in the system (user, administrator, etc.). Note that every employee allowed to process personal data must sign a personal data non-disclosure agreement.
The next step is to determine the categories of personal data that are subject to protection in our organization. This is also done by a separate order. There is another point here that many forget but Roskomnadzor asks about during inspections: personal data is a special case of information of a confidential nature, so such a list must also be approved by a separate order. What may be classed as confidential information is determined by Decree of the President of the Russian Federation No. 188 of March 6, 1997. Simply copy the items relevant to your organization into your order and you are done.
Finally, you must approve the organization's main document governing PD protection. Such a document is usually called the "Regulation on the processing and protection of personal data." In it you describe the basic concepts from the legislation, the purposes and legal grounds for processing personal data, the rights and obligations of the operator, and the rights and obligations of the personal data subject.
You will also have to develop a number of logs: you must show Roskomnadzor that you carry out regular (not just one-off) activities to protect PD. Examples are the "Information security briefing log" and the "Log of measures to monitor the protection of personal data". There must also be (Roskomnadzor will definitely ask) a register of requests from citizens, the personal data subjects, on the exercise of their legal rights. And do not forget, before the inspection, to obtain the log book for recording inspections of legal entities by regulatory authorities.
Summing up the implementation of organizational documentation for personal data protection in your organization, I repeat once again: there is no strict list of documents. You can create one large document called "Policy regarding the protection of personal data" that describes everything I listed above, or you can break it up into many small documents. You can issue several different orders, or you can appoint all the responsible persons, determine the persons allowed to process PD, etc. in one single order.
Nevertheless, as an example, here is the standard list of documents we usually implement with our clients:
- a list of confidential information;
- information security administrator instructions;
- an order to appoint persons responsible for organizing the processing of personal data and a list of measures to protect personal data;
- a list of personal data to be protected;
- an order on the approval of places of storage of personal data;
- instruction of users of the personal data information system;
- an order to appoint a commission for the destruction of personal data;
- the procedure for backing up and restoring the operability of hardware and software, databases and information security tools;
- plan for internal audits of the personal data protection regime;
- an order to commission the personal data information system;
- a journal for recording media of an information system of personal data;
- a logbook of measures to control the protection of personal data;
- a register of applications of citizens-subjects of personal data on the exercise of their legal rights;
- rules for processing personal data without the use of automation;
- provision on the delimitation of access rights to processed personal data;
- act of classification of information system of personal data;
- instructions for anti-virus control in the personal data information system;
- instructions for organizing password protection;
- journal of periodic testing of information security tools;
- form of the act of destruction of documents containing personal data;
- personal data non-disclosure agreement;
- information security logbook;
- information security briefing journal;
- instruction for the user to ensure safety in case of emergency;
- an order on the list of persons allowed to process personal data;
- Regulation on the processing and protection of personal data;
- action plan to ensure the security of personal data;
- model of security threats in the personal data information system.
That is roughly it; again, the list can be much wider or much narrower, it all depends on what is written in each of the documents, and it is the content that matters. Samples of all of these documents are easy to google.
Many will have noticed that the list contains many documents governing the automated processing and protection of PD in information systems. Even though Roskomnadzor pays more attention during an inspection to the documentary side of PD protection than to the technical one, the more documents on PD protection you provide, the more points you earn with the regulator.
To conclude the section on documents, I'll note a few more points that you need to pay attention to. Firstly, every document listed above should have a familiarization sheet attached, and everyone affected by that document (whether it is an instruction or an order) must sign to confirm they have read it. Secondly, the line "When working with personal data, follow the Regulation on the processing and protection of personal data" should be added to the job descriptions of all persons authorized to process personal data. Thirdly, in addition to the internal documents, one public document must be developed. It is usually called the "Policy regarding the processing of personal data." It should be posted on the PD operator's website or, if there is no website, on the information board in the office or in another public place.
Although this point relates more to technical protection (after all, certification is carried out once our information system is fully equipped with information protection tools), I still want to say a few words about it. I very often hear from our regular clients that someone has convinced them that certification of personal data information systems is mandatory. Remember once and for all: this is NONSENSE! The Regulation on the certification of informatization objects states in black and white that only objects containing state secrets and environmentally hazardous objects are subject to mandatory certification. So all this talk about mandatory certification of ISPDn is just the scheming of unscrupulous integrators who want to squeeze more money out of a trusting client.
Certification of ISPDn may be mandatory only if your organization is subordinate to a higher authority and that authority has sent you an instruction to certify all of its ISPDn.
The head of the organization may, however, want certification himself, because the certificate of conformity clearly confirms that your information systems fully comply with the law, both in terms of documentation and in terms of technical protection. In that case, remember that one of the conditions for the certificate's validity is that the ISPDn operating conditions remain unchanged. Roughly speaking, you cannot replace a monitor at a workstation or install additional software without the certification body's consent, and that entails additional costs. Also bear in mind that a certificate of conformity can be issued for a maximum of three years, and then the whole process starts over.
Returning to our main topic, preparation for a Roskomnadzor inspection, I want to say that in all five years of work in this area the inspectors have never once asked for a certificate of conformity.
Instead of a conclusion
This has become quite long, and I think it's time to wrap up, especially since, having completed the measures described above, you can consider yourself almost ready for a Roskomnadzor inspection. Still, I'll try to briefly list the main stages whose completion will very likely help you get a positive conclusion from the inspection, plus a few other points not covered in the article:
- Operator notification. Check that the notification exists and that the information in it is accurate.
- Roskomnadzor will not inspect your personal data information systems; those functions belong to FSTEC of Russia and the FSB of Russia (the latter where encryption tools are used), so focus on documentation and on informing your employees.
- I think it goes without saying that if a Roskomnadzor inspection arrives and someone in the HR department has an unattended stack of photocopies of other people's passports on their desk, it would be an epic fail.
- If, after reading all this and carrying out all the measures, you still have questions, do not be too lazy (and certainly do not be afraid or shy) to call the regional department of Roskomnadzor and ask. As a rule, getting through is easy (compared to many other government agencies), and ILV staff are accommodating and will explain their view of contentious issues. In some cases such a call is even vital, since our legislation can often be read two ways, and it even happens that the same ILV employee holds one view on a problem today and another tomorrow.
- It is better to collect consent to PD processing from all data subjects. Yes, the law lists cases in which consent is not required, for example when the operator and the subject are parties to a contract. BUT remember that the processing of biometric and special categories of personal data, as well as the transfer of personal data to third parties, is carried out ONLY with the subject's consent. In any case, having consent to PD processing spares you many awkward questions, and if it is possible to collect these consents, it is better to do so. Here, by the way, as with the notification, remember that the information specified in the consent must match what you actually process and how.
- At the start of the inspection, show the regulators that you are fully ready to cooperate and to correct the identified deficiencies during the inspection itself. It is impossible to prepare perfectly; there will always be some comments. That is not a problem: they can be fixed during the inspection, which usually lasts 20 days. If the comments are addressed, they will not negatively affect the content of the final report.
That is probably where I will stop. As you can see, ILV inspections are not as scary as they might seem at first glance. If readers have questions or suggestions for further articles on the topic of PD, I will try to answer everything and take everything into account.
UPD: Up-to-date information is in the newer article: habr.com/ru/company/ic-dv/blog/451708