Inspections and plans of Roskomnadzor for 2018



    "Grandfather" Roskomnadzor spends the whole year looking for personal data operators who, from the law's point of view, "behave badly", and issues them orders. In this article we want to describe how this happens and reveal a little more about the "grandfather's" plans for 2018. It would be wonderful if this helps someone prepare in advance and avoid problems.

    Article 23 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" identifies two areas of Roskomnadzor's activity: protection of the rights of personal data subjects, and control and supervision of the compliance of personal data processing with the requirements of the law. To perform these functions, this article of the law gives Roskomnadzor certain powers. Let us consider the most important of them, in our opinion.

    Roskomnadzor:

    • checks the information an organization has specified in its Notification;
    • may demand that the operator destroy unreliable or illegally obtained personal data;
    • may restrict access to information processed in violation of the law;
    • has the right to apply to court in defense of the rights of personal data subjects and to represent their interests in court;
    • is empowered to bring persons guilty of violating this Federal Law to administrative liability;
    • is obliged to consider complaints and appeals on issues related to the processing of personal data and to decide on them within the limits of its authority.

    In practice, the main activities of Roskomnadzor under the Federal Law "On Personal Data" are as follows:

    • work with appeals and complaints of citizens;
    • carrying out control and supervisory measures;
    • maintaining the Register of personal data operators.

    Roskomnadzor considers complaints under Federal Law No. 59-FZ of 02.05.2006 "On the Procedure for Considering Appeals of Citizens of the Russian Federation". Complaints can be submitted both in writing and through a special form on the Roskomnadzor website or the State Services (Gosuslugi) portal.



    The period for considering an appeal is 30 calendar days, except in cases established by law. A draft of a new Administrative Regulation is currently awaiting Government approval, but for now Roskomnadzor conducts its inspections on the basis of the Administrative Regulation approved by Order No. 312 of the Ministry of Telecom and Mass Communications of the Russian Federation of 14.11.2011. As part of its control and supervision of personal data processing, Roskomnadzor carries out scheduled and unscheduled inspections.

    Scheduled inspections


    Scheduled inspections are carried out on the basis of an annual plan, which can be found at rkn.gov.ru/plan-and-reports and in the annual plans of the territorial offices for the coming year.

    The inspection plan for the coming year is usually posted on the websites of the territorial offices in mid-December of the current year. Since September 1, 2015 Roskomnadzor has not coordinated its personal data inspection plans with the Prosecutor's Office, so the consolidated inspection plans on the Prosecutor's Office website contain no inspections on this topic. The current Administrative Regulation states that the territorial office of Roskomnadzor must notify you of a scheduled inspection no later than three business days before it begins.

    We analyzed the data already posted and available on the Roskomnadzor website. Here are some interesting results:

    In total, control (supervision) measures are planned for about 900 PD operators. Geographically these are the most varied organizations, "from Kaliningrad to Vladivostok". To identify the most frequently inspected industries, we used the companies' main activity codes (OKVED).


    The plans are led by the sectors "traditional" for Roskomnadzor inspections: education, medicine, tourism, financial services and management companies.

    About 38% of the operators in the inspection plans are state organizations; accordingly, commercial organizations account for more than 62% of the planned inspections. Almost all (99.8%) are legal entities rather than individual entrepreneurs.

    To give some idea of the size of the companies to be inspected in 2018, we used their registered (charter) capital as an indirect indicator.


    Roskomnadzor plans inspections of companies of all sizes

    The subjects of a Roskomnadzor inspection are:

    • personal data processing activities;
    • documents whose nature implies or allows the inclusion of personal data in them;
    • personal data information systems.

    Accordingly, Roskomnadzor does not check the presence or condition of technical protection of personal data information systems. Its main task is to verify the legal grounds for processing personal data. Contrary to popular belief, regulations, instructions, orders and other documents are not the most important subject of an inspection. The authorized body is more interested in the personal data itself and in whether the volume of that data corresponds to the purposes of processing.

    A notice of a scheduled inspection usually states that the inspected entity must submit:

    • a copy of the document appointing the official or authorized representative who will represent the interests of the legal entity during the inspection;
    • documents whose nature implies or allows the inclusion of personal data in them. Roskomnadzor usually counts statements, questionnaires, logbooks and the like among such documents;
    • documents confirming the destruction of personal data once the purpose of processing has been achieved. Unfortunately, not all personal data operators understand that every case of personal data processing has (or should have) a purpose, upon achieving which the data must be destroyed;
    • written consents of personal data subjects to the processing of their personal data;
    • documents confirming compliance with the requirements of the legislation of the Russian Federation when processing personal data, including special categories and biometric personal data;
    • documents confirming the location of the personal data databases (information systems). This requirement appeared when the legislation was amended to localize the personal data of Russian citizens;
    • documents confirming that employees directly involved in processing personal data have been familiarized with the legislation and the operator's local acts on personal data processing;
    • the operator's local acts governing the procedure and conditions for processing personal data.

    In total, approximately 31 documents are requested; among the main and significant ones the following can be distinguished (the items concern both automated and non-automated processing):

    • PD Processing Notification
    • Document defining the person responsible for organizing PD processing
    • The list of employees allowed to process PD
    • The document defining places of storage of PD
    • Information about the processing of special and biometric PD categories
    • Information on the implementation of cross-border transfer of PD
    • Standard forms of documents with PD
    • PD destruction procedure
    • Procedure for transferring PD to third parties
    • Typical consent form for PD processing
    • The order of accounting of appeals of PD subjects
    • The list of personal data information systems (ISPDn)
    • Documents governing data backup in ISPD
    • List of used information protection tools
    • Access matrix
    • Threat Model
    • A document defining the security level of each ISPDn in accordance with Government Decree No. 1119 of 01.11.2012 "On approval of requirements for the protection of personal data during their processing in personal data information systems"
    • Log of PD machine-readable media

    The inspection plan includes both legal entities that have submitted a Notification on the processing of personal data to the register of operators and those that have not. In other words, anyone can be inspected. The duration of both scheduled and unscheduled inspections may not exceed 20 business days.

    Unscheduled inspections of Roskomnadzor


    Unscheduled inspections are either documentary or on-site. A documentary inspection takes the form of a request by Roskomnadzor for the necessary documents and your submission of those documents by the deadline specified in the request. The operator is notified of an unscheduled inspection no later than 24 hours before it begins, by any available means; this is usually done by telephone or fax.

    In most cases such inspections are carried out for the following reasons:
    • the deadline for the operator to comply with a previously issued order to eliminate an identified violation has expired. Usually, after a scheduled inspection, Roskomnadzor conducts an unscheduled one to find out whether the violation has been eliminated. Such an inspection is rarely on-site; it is carried out in documentary form, that is, Roskomnadzor requests information on the elimination of the violations and you must provide the necessary documents;
    • the service or its territorial bodies have received an appeal from citizens, legal entities or individual entrepreneurs, or information from state authorities, local authorities or the media. In 2011 the service received approximately 1,500 complaints; in 2016, approximately 33,000;
    • by order of the head of Roskomnadzor or the head of a territorial office;
    • violations of mandatory requirements have been detected as a result of systematic observation.

    Systematic observation measures


    Another type of control is systematic observation measures. Their main difference is that they are carried out without any interaction with the entities being checked. In recent years this has been the most popular form of control over personal data processing. Its popularity is explained by the fact that the labor costs for territorial offices are much lower than for scheduled inspections, while the efficiency is much higher: in a short period of time each territorial office of Roskomnadzor can check dozens or even hundreds of organizations, as a rule starting with their websites.

    The concept of "systematic observation measures" was introduced in 2015. Systematic observation is dangerous because nobody is obliged to notify the company about it. If violations are found, an unscheduled inspection is carried out in accordance with the Administrative Regulation. Systematic observation measures are carried out on the basis of an order of the head of the territorial body and are recorded in the territorial office's annual plan for the coming year.

    The most common violation detected during systematic observation is the absence on the website of a document defining the operator's policy on personal data processing where the website collects personal data (for example, an application, registration or feedback form with a specific set of requested fields).
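    A quick self-check for exactly this finding can be run against your own pages before the territorial office does it for you. The script below is an added example and not code from the original article or from Roskomnadzor: it parses a page, flags every form whose fields look like they collect personal data, and reports when such a page links no personal data processing policy. It goes one step beyond the paragraph by also reporting a PD-collecting form that has no consent checkbox, which matters for the "written consent" item in the document list above. The hint lists (field names, anchor texts, checkbox names) and the two sample pages are assumptions constructed for the example.

```python
from html.parser import HTMLParser

# Heuristic hint lists (assumptions for this example, not from Roskomnadzor guidance):
# field identifiers that usually mean a form collects personal data,
PD_FIELD_HINTS = ("name", "fio", "email", "phone", "tel", "passport", "birth", "address")
# anchor texts that usually point to the operator's PD processing policy,
POLICY_HINTS = ("personal data", "privacy", "персональн", "политик")
# and checkbox identifiers that usually mark the subject's consent.
CONSENT_HINTS = ("consent", "agree", "соглас")


class PDFormScanner(HTMLParser):
    """Collects forms with PD-looking fields, their consent checkboxes, and policy links."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each: {"action": str, "pd_fields": [str], "consent": bool}
        self.policy_links = []   # hrefs whose anchor text looks like a PD policy link
        self._form = None        # form currently being parsed, if any
        self._href = None        # href of the <a> currently being parsed, if any
        self._a_text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "pd_fields": [], "consent": False}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            ident = " ".join((a.get("name", ""), a.get("id", ""), a.get("placeholder", ""))).lower()
            ftype = a.get("type", "text").lower()
            if ftype == "checkbox":
                if any(h in ident for h in CONSENT_HINTS):
                    self._form["consent"] = True
            elif ftype not in ("submit", "hidden", "button", "reset"):
                # type="email"/"tel" is PD by definition; otherwise rely on the identifier hints
                if ftype in ("email", "tel") or any(h in ident for h in PD_FIELD_HINTS):
                    self._form["pd_fields"].append(a.get("name") or a.get("id") or ident.strip())
        elif tag == "a":
            self._href = a.get("href", "")
            self._a_text = []

    def handle_data(self, data):
        if self._href is not None:
            self._a_text.append(data)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "a" and self._href is not None:
            text = "".join(self._a_text).lower()
            if any(h in text for h in POLICY_HINTS):
                self.policy_links.append(self._href)
            self._href = None


def audit_page(html):
    """Return the findings a systematic-observation style check would raise for one page."""
    scanner = PDFormScanner()
    scanner.feed(html)
    pd_forms = [f for f in scanner.forms if f["pd_fields"]]
    findings = []
    if pd_forms and not scanner.policy_links:
        findings.append("page collects personal data but links no PD processing policy")
    for f in pd_forms:
        if not f["consent"]:
            findings.append("form %r collects %s without a consent checkbox"
                            % (f["action"], ", ".join(f["pd_fields"])))
    return {"pd_forms": pd_forms, "policy_links": scanner.policy_links, "findings": findings}


# Constructed sample pages: a feedback form with no policy link or consent, and a compliant one.
PAGE_WITHOUT_POLICY = """<html><body><h1>Feedback</h1>
<form action="/feedback" method="post">
  <input name="fio" placeholder="Your name">
  <input type="email" name="email">
  <input type="tel" name="phone">
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
<a href="/about">About us</a></body></html>"""

PAGE_WITH_POLICY = """<html><body>
<form action="/feedback" method="post">
  <input name="fio" placeholder="Your name">
  <input type="email" name="email">
  <input type="checkbox" name="pd_consent"> I consent to the processing of my personal data
  <input type="submit" value="Send">
</form>
<a href="/docs/pd-policy.pdf">Personal data processing policy</a></body></html>"""

if __name__ == "__main__":
    for label, page in (("without policy", PAGE_WITHOUT_POLICY), ("with policy", PAGE_WITH_POLICY)):
        print(label, audit_page(page)["findings"])
```

    The hints are deliberately crude: the point is to list every page on the site that takes PD in a form and to make a human confirm that the policy document and the consent text are present and actually describe that processing, not to certify compliance automatically.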

    Roskomnadzor may also request the legal grounds for publishing someone's personal data. Educational organizations, for example, have already received such requests after posting personal data about students and their achievements in olympiads on their websites. So if you post personal data of your employees or other persons on your site, make sure you comply with the requirements of the law.

    What to look for


    The processing of personal data is a daily activity of any legal entity. We constantly work with the data of our employees and clients (patients, students, buyers, applicants, website users, borrowers, policyholders, visitors, viewers, etc.). We process the same data of the same person in different situations, and a consent obtained in one situation may not extend to another.

    Accordingly, to avoid negative consequences we must pay attention to the legal grounds for processing personal data in each specific case, that is, understand whether we have the contracts, consents or even regulatory acts that Roskomnadzor will recognize during an inspection as a legal basis for processing. An inspection can happen at any time. For example, you have a website on which you collect data through various forms. You can therefore be checked during systematic observation, or after any visitor to your site files a complaint against you. A client or employee (including a former one) may also be dissatisfied with you; they have the opportunity to complain to Roskomnadzor, which in turn is obliged to respond to such complaints.

    Administrative liability for violating personal data legislation is established by Article 13.11 of the Code of Administrative Offenses of the Russian Federation. Fines for legal entities for each violation under Article 13.11 range from 15,000 to 75,000 rubles.

    Inspections by the State Labor Inspectorate


    Chapter 14 of the Labor Code of the Russian Federation is titled "Protection of the employee's personal data". The State Labor Inspectorate carries out control and supervision of compliance with the entire Labor Code and therefore cannot bypass Chapter 14. Inspections pay attention to the requirement of paragraph 8 of Article 86:
    "Employees and their representatives must be familiarized, against signature, with the employer's documents establishing the procedure for processing employees' personal data, as well as their rights and obligations in this area."
    Thus, they check that such a document exists and that all employees have been familiarized with it.

    Administrative liability for violating these requirements is provided for in Article 5.27 of the Code of Administrative Offenses: a fine of 30,000 to 50,000 rubles.

    Inspections of the FSTEC and the FSB


    Article 19 of the federal law “On Personal Data” establishes measures to ensure the security of personal data during its processing.

    Part 3 of Article 19 states that the Government of the Russian Federation establishes the levels of protection of personal data processed in personal data information systems (hereinafter ISPDn) and the requirements for protecting personal data in ISPDn. This is how Government Decree No. 1119 of November 1, 2012, which defines these requirements, came about.

    Part 4 of Article 19 establishes that the composition and content of the organizational and technical measures needed to fulfill the Government's requirements for ensuring the security of personal data processed in ISPDn are set by the FSTEC and the FSB within their powers. In fulfillment of this requirement the following appeared:

    • Order of the FSTEC of Russia dated February 18, 2013 No. 21 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems”;
    • Order of the Federal Security Service of the Russian Federation of 10.07.2014 No. 378 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data when they are processed in personal data information systems using the cryptographic protection of information necessary to fulfill the protection requirements established by the Government of the Russian Federation."

    In effect, the FSB and the FSTEC have divided their powers in this area: the FSB defines the measures for protecting ISPDn that use cryptographic means, and the FSTEC defines the measures for all other security issues.

    Part 8 of Article 19 of the Federal Law "On Personal Data" fixes an important point:
    "Control and supervision of the implementation of the organizational and technical measures for ensuring the security of personal data established in accordance with this article, when personal data are processed in state personal data information systems, is carried out by the federal executive body authorized in the field of security and the federal executive body authorized in the field of countering technical intelligence and technical protection of information, within their powers and without the right to familiarize themselves with the personal data processed in personal data information systems."

    It follows that the FSB and the FSTEC can only inspect organizations that operate state information systems. For other information systems, such control is not fixed in the law. It is only stated that the FSTEC and the FSB

    "by decision of the Government of the Russian Federation, taking into account the significance and content of the processed personal data, may be empowered to monitor the implementation of organizational and technical measures ..., when they are processed in personal data information systems operated in the course of certain types of activity and which are not state personal data information systems ..."

    Inspections by the FSTEC and the FSB can be both scheduled and unscheduled.

    During its inspections, the FSB pays attention to:
    • the presence of an intruder model and a threat model developed with regard to the FSB's requirements;
    • the organizational measures established in accordance with FSB Order No. 378 (appointment of responsible persons, local acts, the procedure for admitting employees to the ISPDn, physical protection of premises, etc.);
    • the presence of cryptographic information protection means and the procedure for their accounting and operation;
    • the documentation for the cryptographic information protection means (licenses, certificates, data sheets, etc.).

    During its inspections, the FSTEC pays attention to:
    • the presence of an intruder model and a threat model, and the acts establishing the security level of each ISPDn;
    • the presence of information protection means and the procedure for their accounting and operation;
    • the documentation for the information protection means (licenses, certificates, data sheets, etc.);
    • the organizational measures established in accordance with FSTEC Order No. 21 (appointment of responsible persons, local acts, the procedure for admitting employees to the ISPDn, physical protection of premises, etc.);
    • attestation test materials (for state information systems).

    Liability for violating these requirements is established by Article 13.12 of the Code of Administrative Offenses of the Russian Federation:
    • for the use of non-certified information systems, databases and data banks, as well as non-certified information protection means, where they are subject to mandatory certification: a fine of up to 25,000 rubles for legal entities;
    • for violating information protection requirements (other than for information constituting a state secret) established by federal laws and the regulatory legal acts adopted in accordance with them: a fine of up to 15,000 rubles for legal entities.

    Conclusion


    After the amendments to Article 13.11 of the Code of Administrative Offenses came into force, control and supervision will not change dramatically, but because of the significant increase in fines, organizations' approach to fulfilling the requirements of the law and preparing for inspections will change. Where earlier organizations believed it was easier to do nothing, wait for a possible inspection and pay a small fine (up to 10,000 rubles), now companies will fight for their rights, which should have a positive effect on the rather contradictory court practice on these issues.

    Worst off are the organizations whose inspections fall at the very beginning of the year: they have the least time to prepare for an inspection or observation. Remember, however, that PD processing can also be carried out by another person on behalf of the operator. For automated processing you can contact us and save yourself at least part of the compliance headache while reducing your costs. We offer several solutions that bring you closer to the image of the "ideal operator", the main one being "Cloud ФЗ 152".

    Sources:
    rkn.gov.ru
    fstec.ru
    www.fsb.ru
    www.anti-malware.ru
