White Paper on Federal Law No. 152 - a book that can be referenced in matters of personal data processing
This document is a guide describing the actions that an organization's responsible persons must take to comply with the legislation governing relations related to the processing of personal data.
In preparing it, facts and logical conclusions were used that are based on the current regulatory legal acts of the Russian Federation, which form the "borders" of the legal field within which any operations must be performed on information about the facts, events and circumstances of a citizen’s private life that allows his identity to be established directly or indirectly.
Each of us is simultaneously a subject of personal data and an operator who, independently or jointly with other persons, processes personal data. For this reason, although this white paper has a business focus, it will also be useful and relevant to government bodies, local authorities, municipal authorities and individuals.
Federal Law No. 152-FZ “On Personal Data”, which regulates the processing (use) of personal data (hereinafter PD), does not apply to relations arising from the processing of personal data by individuals exclusively for personal and family needs, provided that the rights of personal data subjects are not violated.
However, knowledge of this law can help everyone avoid such a violation of other people's rights and ensure the protection of their own rights and freedoms as a person and a citizen during the processing of personal data, including the rights to privacy and to personal and family secrets.
It is the protection of the rights of PD subjects that is the main goal of Law 152-FZ and the function of the authorized body, which is the federal executive body that exercises control and supervision functions in the field of communications and mass communications (Roskomnadzor).
If you were not previously familiar with the legislation governing relations related to the processing of personal data, you may already have questions after reading the first few paragraphs.
One of the main goals of this book is to eliminate confusion and provide an understanding of the legislation in the field of personal data, and to clearly describe the process of bringing a personal data information system into line with the requirements of the law.
I hope that this book will bring you closer to achieving these goals and will help minimize the risks of possible fines on the part of regulatory authorities and avoid other negative consequences associated with the violation of the rights of personal data subjects.
This book will be interesting both to readers who are beginning to study this issue “from scratch” and to those who already have basic knowledge.
It is especially relevant for:
- organization management - for all decision makers;
- managers and employees of IT services - for all those who build and maintain the work of IT infrastructure;
- HR specialists - for those who cannot avoid working with the personal data of employees;
- newcomers to the profession and those who are just preparing to devote themselves to a career in the field of information security.
Chapter 1. A Brief History of the Question
Back in 1981, the Council of Europe published a convention on the protection of the individual in handling personal data. The purpose of the Convention is “to guarantee in the territory of each country to every individual, regardless of his nationality and place of residence, the observance of his rights and fundamental freedoms, and especially his right to privacy in terms of automated processing of personal data” (Article 1).
According to Part 1 of Article 3, “The Parties undertake to apply this Convention in relation to automated filing cabinets and for the automated processing of personal data in the public and private sectors”.
It is worth noting that the opinion of the Council of Europe on personal data was not and is not the only one in the world. For example, a slightly different approach can be seen in China and the United States.
For the USSR at that time, the issue of automated processing was not relevant because of the weak penetration of computer technology into the economy. Later, because of economic problems, the protection of confidential information in Russia lagged significantly in the development of the legislative framework and in public awareness.
As a necessary step for joining the WTO, Russia signed the Convention in November 2001. Thus, only 20 years after the publication of the Convention did a movement begin in Russia towards the creation of a legal framework for the processing of personal data. The Convention was formally adopted, but in fact did not work because of the lack of Russian regulations.
Once again, lawmakers returned to this issue in 2005, when Federal Law No. 160-FZ of December 19, 2005 “On Ratification of the Council of Europe Convention on the Protection of Individuals with Automatic Processing of Personal Data” was adopted.
The year 2006 was significant: in order to restore order in the field of intellectual property and protect personal data, including in fulfillment of one of the conditions for Russia's entry into the WTO, two federal laws were adopted:
- Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”
- Federal Law of July 27, 2006 No. 149-FZ “On Information, Information Technologies and the Protection of Information”