The right to protection of personal information. Protection of personal data in the Russian Federation: Problems and prospects

Information that specifically identifies a person must be protected from anyone who could use it for personal gain. The term “privacy” itself appeared in the USA at the end of the 19th-20th centuries; it is impossible to decipher it into Russian, but approximate essence expressions “a person’s right to be left alone.” In Europe and America, personal data is now vigorously protected and treated with respect and understanding. In the Russian legal structure, information protection is only just being introduced, it is constantly being adjusted, amendments are being made to documents that narrow or expand the range of human rights relating to his identification as a citizen. Anyone can expect non-disclosure of their data, except as required by law.

Basic documents regulating civil rights regarding personal data:

1) Constitution of the Russian Federation

2) Labor Code

3) Federal Law No. 152

4) Decree of the President of the Russian Federation No. 188

Personal data in the Constitution of the Russian Federation

Article 23 of the Constitution regulates the right of a citizen:

• on personal secrets (affecting one individual)
• family secret (meaning a circle of people who are relatives)
• professional secret (related to a certain range of professions)
• confidential communication, including correspondence and all types of conversations carried out through technical devices, incl. telephone, telegraph, mail, internet
• control of disseminated information about yourself
• defense of honor
• protection good name(this means protecting your reputation from falsifications associated with it, slander and slander)
• protection of personal data (collection, storage and use of personal data without the consent of the persons to whom this data relates is prohibited)
• inviolability of home

All this can be attributed to privacy person protected by the state.

Personal data in the Labor Code of the Russian Federation

The Labor Code of the Russian Federation states that the volume of data, its storage and distribution is carried out only with the consent of the employee. No information can be transferred to third parties without specifying the reason and obtaining written confirmation of consent. Any data can be used by the manager and HR department only for:

• control over the implementation of legislation and legal acts
• ensuring employee advancement up the career ladder
• assistance in mastering educational programs
• control over the safety of property and performance of labor duties

Specific data related to special categories(race and nationality, views, including political, philosophical, intimate, health) can only be obtained if the company’s activities come into contact with these areas of human life. When carrying out activities affecting the interests of an employee (hiring, transfer to another position, dismissal), the employer does not have the right to use only those personal data that appeared as a result of electronic receipt and computer automated processing. An employee has the right to know:

1) within what time frame information about him will be processed,

2) for what purposes the data will be used,

3) which data area will be affected by the employer

4) to which persons information about him can be transferred

5) reasons for transferring data to third parties

6) data storage period

The employer should not influence an employee in order to waive his right to preserve and protect secrets provided for by the Constitution of the Russian Federation.

Confidentiality of personal data in Presidential Decree No. 188

Decree No. 188 published a list of data that can be classified as confidential. According to it, all information about personal and private life (facts, events, relationships and circumstances), as well as information about professional and commercial activities, details of legal proceedings and investigative procedures, official secrets and information about discoveries and inventions must remain confidential, i.e. not subject to disclosure, subject to compliance with the legislation and the Constitution of the Russian Federation.

Personal data in Federal legislation

152 The Federal Law “On the Protection of Personal Data” is based on the Constitution of the Russian Federation on human rights, as well as external treaties of the Russian Federation with other states. According to it, all personal data must be stored and processed by certified systems and methods to protect their safety and confidentiality. PD operators can be considered any bodies and representative offices, individuals and legal entities whose activities are directly or indirectly related to the processing and storage of data about citizens.

The rules for processing personal data do not apply to relationships where the information is used for family and personal needs, archival and court documents, to work with the register of individual entrepreneurs, or if the information is related to state secrets. In all these cases, the storage and use of data may take place in accordance with the procedure established by other regulatory enactments.

According to Federal Law No. 152, data must be provided and processed to the extent required to achieve the purpose of collecting this data. Merging two information bases is not possible if they are processed for unrelated purposes. Basically, all issues of data processing relate to automated systems, but there is a clause of the law that regulates specific conditions for the storage and use of information without automation, according to which data can be processed when regulated by special regulations.

The federal law provides for open sources of information in which personal information about a person will be posted, determined by the purpose of creating open source(for example, a directory). A citizen has the right to refuse the dissemination of any data about him, may not provide some part of the total amount of requested information, and may also request exclusion of his personal data from the general list.

Personal data according to Federal Law 152 is divided into 4 categories, according to which the data is classified according to the degree of openness regarding the views and private life of a person

There is also another type of information about a person - biometric data, i.e. information about the physiological structure of a particular citizen. Biometric data is used during investigative and search work, international travel of citizens, as well as in cases provided for by the Criminal Code of the Russian Federation.

Databases are also divided into groups according to the volume of data processed in the system

1 group - up to 1000 people

Group 2 - 1000-100000 people

Group 3 - from 100,000 people

The federal law also regulates the activities of PD operators, the rights and obligations of citizens in relation to personal data, life cycles identification information, levels of security and confidentiality of personal data.

11:00 04/06/2014

Most of us regularly share our address, full name, email and number mobile phone. This personal data is required when issuing discount cards, purchasing SIM cards for smartphones, registering on online store sites, etc. Often we are also asked to take a copy of the passport pages; they find out our marital status and source of income.

How legitimate is such curiosity from outsiders? How to protect your personal data from unnecessary distribution and associated risks? About this in the next issue of our column.

Do you want to get a job? Tell me everything about yourself

“I recently went for an interview at a large company, and the first thing they did was ask me for my passport in order to make a copy of the pages with personal data, registration, marital status- despite the fact that they haven’t even talked about hiring me yet!” - Muscovite Irina is indignant on one of the forums on the Internet. How frank should we be with an employer, especially a potential one, and what data are we obliged to provide him? This question arises often, and this is what the law says.

First of all, in order to cool the ardor of overly curious individuals and organizations, it is provided: the amount of personal data that is “extorted” from a citizen must correspond to the purposes of obtaining this data and should not be excessive (see Part 5 of Article 5 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data", current edition- dated July 23, 2013).

If we are talking about labor relations, then we look at Article 65 of the Labor Code (LC) of the Russian Federation. The employer has the right to require a strictly specified list of documents: passport, work book(except for cases when an employment contract is concluded for the first time), an insurance certificate of state pension insurance, military registration documents (for those liable for military service and persons subject to conscription military service), document on education (when applying for a job that requires special knowledge or special training). Other documents can be added to this list only in cases expressly provided for by law, and not at the will of a particular employer.

Article 86 of the Labor Code of the Russian Federation additionally emphasizes that the employer does not have the right to receive and process the employee’s personal data about his membership in public associations. And also the boss does not have the right to find out from his employees information that relates to special categories of personal data. This is information about racial, nationality, political views, religious or philosophical beliefs, health status, intimate life(Part 1 of Article 10 of the Law “On Personal Data”).

Trade and services: curiosity knows no bounds

Trade and service organizations are especially actively hunting for our personal data. It is difficult to find a person who has never received an SMS message or phone call with good news about another profitable promotion, sale, etc. Do we always consciously subscribe to such mailings? Most likely no.

Meanwhile, the Law “On Personal Data” provides: the processing of personal data for the purpose of promoting goods, works, services on the market by making direct contacts with potential consumers using means of communication is permitted only with the prior consent of the citizen. Moreover, the use of such data is considered not consented to unless the operator proves that consent has been obtained. And part 2 of Article 15 emphasizes: the operator is obliged to immediately stop using personal data if a citizen requests it.

Such norms can be used to combat annoying traders and representatives of other organizations imposing their invaluable services. And if slow-witted operators continue to annoy us, we file a complaint with Roskomnadzor (see above).

Anna Dobryukha, lawyer

At present it is safe to say that Russian state On this path, it was faced with a number of problems that needed to be solved, among which the most prominent was ensuring the protection of the private life of a citizen.

Shkilev Nikolay Alexandrovich

INTRODUCTION

Provisions of the Constitution Russian Federation indicate a decisive transition of the state to the path of building a democratic society, where main value is a person. At present, we can say with confidence that the Russian state on this path has encountered a number of problems that require solutions, among which the protection of the private life of a citizen stands out.

Part one of Article 24 of the Constitution of the Russian Federation contains a rule according to which “the collection, storage and dissemination of information about the private life of a person without his consent is not permitted.” This provision of the Constitution of the Russian Federation has a fundamental, system-forming character and should determine the meaning and content of a significant number of regulatory legal acts different levels, highlighting the category “private life” and its derivative “personal data”.

The separation of the category “personal data” from the more general category “private life” is primarily associated with the spread of automated systems for processing and storing information, primarily computer databases, which can be accessed remotely through technical communication channels. It was these systems, which essentially revolutionized the structuring, storage and retrieval of necessary data, that created the preconditions for the problem of protecting confidential personal information.

The development of this problem raises a natural need to ensure reliable protection of information resources and processes, and streamline social relations in this area. Our state is just beginning to develop and implement an integrated approach to ensuring the protection of personal data in the legislative and executive fields. In this regard, it is especially important that the approach being developed covers the entire range of problems, and is not reduced to considering only their technical component.

It should be noted that the legislator is in favor of last decade did not ignore the emerging information environment under consideration, having adopted a number of system-forming legislative acts, among which we can highlight the Federal Law “On Information, Informatization and Information Protection”, as well as the Federal Law “On Participation in International Information Exchange” - Art. 11 “Information about citizens (personal data)” of the Law “On Information, Informatization and Information Protection”. Chapter 14 of the Labor Code of the Russian Federation is devoted to the protection of personal data of workers. International standards: - ISO 17799 - according to information security;- ISO 15489 - on document management.

The adoption of the Federal Law “On Personal Data” was the response of the legislative branch of government to one of the most pressing challenges modern Russia- uncontrolled circulation of private information of citizens, disrespect for private data in general, as well as widespread dissemination of personal records of Russians in the form of databases. Thus, the Federal Law has enormous social significance.

According to a study by the ROMIR Monitoring holding, conducted in January 2006 by order of RIO-Center, Russian citizens fully and completely support the legislative initiative of the authorities. For example, only 3.4% of respondents are confident in the security of their personal data, and the opposite point of view - that is, confidence in the complete defenselessness of their private information - is held by 24.4% of citizens. At the same time, 74.1% of respondents supported the uncompromising fight against the distribution of pirated copies of databases of the traffic police, telecom operators, BTI and other organizations, and 63.3% of citizens believe that the state is simply obliged to control the collection of personal data commercial structures. Note that the study is based on a representative sample consisting of 1.6 thousand citizens permanently residing in the country from 43 constituent entities of the Russian Federation. In other words, it is obvious that from a social point of view in the country the need for legislative regulation of the collection and processing of personal information citizens.

All this suggests that the executive and judicial branches of government can and should enthusiastically take over the baton of legislators. and as of January 30, 2007, law enforcement agencies and courts can begin to prosecute and convict persons guilty of the illegal dissemination of personal data. However, the most serious consequences of the new Federal Law will have to be faced by commercial companies, which may lose their license to process private information of citizens if they violate the requirements of the law.

1. Brief legal analysis of the Federal Law “On Personal Data”

1.1. Basic concepts and terms of the law

Before moving on to the examination of the requirements of the Federal Law “On Personal Data,” we will consider the basic concepts of this regulatory act. List of most important terms along with explanations, is presented in the table below (see Table 1). A complete listing of the concepts of the Federal Law can be found in Article 2. full text law.

First of all, you should pay attention to the definition of the term “personal data” (see Table 1). Further in the text, phrases such as private information, personal information, private records of citizens, etc. will be used as a synonym for this concept. In all these cases, we will talk specifically about personal data protected by the Federal Law. It is also important to note that Russian legislators have made the category of personal data as broad as possible. According to InfoWatch experts, the concept of private information protected by law in Russia is much broader than in Europe or the USA.

Table 1.

Basic concepts of the Law “On Personal Data”

Analysis of the main definitions of the Federal Law allows us to draw a number of important conclusions. Firstly, absolutely all organizations are subject to the regulation, since each organization is in the care of personal data of at least its employees, and often also private information of clients, partners, contractors or customers. Secondly, confidentiality of information is a mandatory requirement, and by this the Federal Law understands protection from dissemination (synonymous with the word “leak”). Thus, the Law “On Personal Data” affects the activities of absolutely all commercial companies and government agencies, which must now take care of protecting personal data from unauthorized distribution, that is, from leakage.

1.2. Basic provisions of the law

Let's consider the main provisions of the Federal Law "On Personal Data", which representatives of business and the public sector must now take into account. First of all, it should be noted 5 tbsp. law - “Principles for the processing of personal data”, according to which the purposes of processing private information must correspond to the purposes predetermined and stated when collecting personal data, as well as the powers of the operator. In practice, this means that the organization is obliged to notify citizens directly during the collection of personal information about why it needed this information and what it will do with it. Moreover, having once declared its goals, an organization cannot simply change them without informing citizens.

Part 2 of Article 5 specifies a very important requirement for personal data operators from the point of view of IT security. “Storage [of private information] should be carried out ... no longer than required by the purposes of their processing,” and “once the purposes of processing are achieved or the need to achieve them is no longer necessary,” sensitive information “is subject to destruction.” This means that, for example, an electronic store is obliged to destroy the personal information of its customers that was collected to make payment for a purchase. If the transaction has already been completed, the money has been received by the store, but the buyer's data (for example, credit card number, address, etc.) still remains in the company's database, then this is a violation of the law. The period during which personal data that has already become unnecessary must be destroyed is established by Part 4 of Article 21, three working days in length. Please note that we are talking here about personalized information. If the information is anonymized, that is, it cannot be determined from which citizen it belongs, then it is not necessary to destroy this data. In other words, the Federal Law does not prohibit the accumulation of anonymized samples for statistical research.

The basic concept of the new law is reflected in Article 6 (“Conditions for processing personal data”) and Article 7 (“Confidentiality of personal data”). Let's take a closer look at these articles.

According to Article 6, the main condition for the processing of private information is the consent of the owner of the personal data, that is, the citizen himself. There are a number of exceptions to this condition. For example, some private information of senior officials and candidates for elected office is publicly available. Journalists are also allowed to process personal data if it does not violate the rights and freedoms of the subject of sensitive information. For businesses, two important exceptions, in which it is not necessary to ask a citizen’s consent to process his personal information, are clauses 2.2 and 2.5 of Article 6. According to the first of them, “processing [of private data] for the purpose of fulfilling a contract, one of the parties to which is the subject of personal data,” is permitted. According to the second, “processing of personal data is necessary for the delivery of postal items by postal organizations, for telecommunication operators to make payments to users of communication services for the services provided, as well as for the consideration of claims of users of communication services.” However, in all other cases, the business is simply obliged to ask the citizen for permission to process his personal information.

The law also provides for the possibility of outsourcing the processing of personal information. In this regard, Part 6.4 states: “If the operator, on the basis of a contract, entrusts the processing of [private information] to another person, an essential condition of the contract is the obligation of the specified person to ensure confidentiality ... and security of personal data during their processing.” Thus, the requirement for confidentiality comes to the fore personal information citizens, which is guaranteed by Art. 7. law.

Under Article 7, “operators and third parties who gain access to personal data must ensure the confidentiality of such data.” There are only two exceptions to this requirement: if the information is anonymized or publicly available, then it is not necessary to protect it.

It can be summarized that a business must obtain the consent of the owner of private data to process this information and ensure the confidentiality of personal information. Moreover, according to Article 9, the company must obtain the citizen’s written consent to process his personal records, which in the event of conflict situations must be presented in court. Please note that the consent must indicate the purpose of processing personal data, a list of the data itself and actions with it, and the period during which the consent is valid (as well as the procedure for its revocation).

1.3. Personal data security requirements

Business representatives should pay special attention to Article 19, which regulates measures to ensure the security of personal data during their processing. According to Article 19 Part 1, the operator “is obliged to take the necessary organizational and technical measures, including the use of encryption (cryptographic) means, to protect personal data” from a number of threats. Among them, the law identifies “illegal or accidental access, destruction, modification, blocking, copying, distribution, as well as other unlawful actions.” In other words, the business needs to ensure monitoring of all transactions that insiders carry out with the private data of clients and employees. Moreover, it must be active monitoring, that is, one that allows you to block actions that violate security policy.

According to Article 19 Part 2, the Government of the Russian Federation must establish requirements for “ensuring the security of [personal data] during their processing in personal data information systems, requirements for material media of biometric personal data and technologies for storing such data outside personal data information systems.” Control over the implementation of these requirements, according to Article 19 Part 3, will be entrusted to the “federal executive body authorized in the field of countering technical intelligence and technical protection of information.” Finally, Article 19 Part 4 allows “the use and storage of biometric personal data outside of personal data information systems... only on such tangible media and using such storage technology that ensure the protection of this data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution.”

1.4. Responsibility for violations of the law

If the requirements of the Law “On Personal Data” are violated, the perpetrators (according to Article 24) bear civil, criminal, administrative, disciplinary and other liability provided for by the legislation of the Russian Federation. Moreover, Article 17 allows citizens to sue personal data operators and demand compensation for losses and/or compensation for moral damages in cases where the operator violates the requirements of the Federal Law.

In addition, new provisions of the Labor Code of the Russian Federation should be considered. In October 2006, Federal Law No. 90-FZ dated June 30, 2006 “On Amendments to the Labor Code of the Russian Federation...” came into force. This regulatory act introduces the most numerous changes to the Labor Code over the entire period of validity of the Code. Let's consider two changes to the Labor Code concerning private information.

First of all, the new law equates the disclosure of personal data of another employee, which became known in connection with the performance of official duties, to the disclosure of a secret protected by law. As a result, such misconduct may result in dismissal. The corresponding point is stated in the “Termination” section employment contract» TK. In addition, the list of individual labor disputes established by Article 391, subject to consideration directly in the courts, is supplemented by disputes based on statements by employees about unlawful actions (inaction) of the employer in the processing and protection of the employee’s personal data. The corresponding provision is enshrined in the section “Consideration and resolution of individual labor disputes”. Thus, the employer has the right to fire an employee who leaks personal data of other company employees. However, the employee himself can sue his company if it does not take care of the private information of its personnel, as required by law.

1.5. Critical dates

From the examination of the Federal Law “On Personal Data” presented above, it follows that organizations will have to adopt whole line technical and organizational measures to meet new regulatory requirements. The following table (see Table 2.) shows a number of critical dates, by which the business and public sector are obliged to bring their business processes and IT systems into compliance with the Federal Law.

Critical dates of the Law “On Personal Data”

conclusions

Putting together all the above requirements of the Federal Law “On Personal Data”, a number of conclusions can be drawn. First of all, absolutely every organization must now take care of the security of private information of staff and clients. In other words, Russian companies will now have to deal with a new class of information. If earlier, when classifying data into commercial organization It was enough to take into account three main categories of information (public, confidential, secret), but the new Federal Law practically requires the creation of another class of information - personal data (clients, employees, etc.). However, it is obvious that a change in classification principles entails a modification of the IT security policy. Therefore, a business needs to supplement its set of policies with at least one new one - a policy for the use of personal data. This policy should describe all cases when private information may be provided to third parties (strictly in accordance with the provisions of the Federal Law), and prohibit the dissemination of this information in all other situations. In addition, the policy should specify procedures for the destruction of personal data that is no longer needed.

2. Brief analysis of the Federal Law “On Personal Data” in matters of information technology.

2.1 IT security requirements

According to the requirements of regulatory documents, work to ensure the security of personal data is an integral part of the work when creating information systems for their processing. Those. information systems in which personal data are processed, which must necessarily contain a subsystem for protecting this data

Heads of organizations, specialists in the field of IT and information security should familiarize themselves with the main provisions of the new Federal Law in the field of personal data protection. According to Part 2 of Article 5, “storage [of private information] should be carried out... no longer than required by the purposes of their processing,” and “once the purposes of processing are achieved or the need to achieve them is no longer necessary,” sensitive information “is subject to destruction.” This means that, for example, an electronic store is obliged to destroy the personal information of its customers that was collected to make payment for a purchase. If the transaction has already been completed, the money has been received by the store, but the buyer's data (for example, credit card number, address, etc.) still remains in the company's database, this is a violation of the law. The period during which personal data that has become unnecessary must be destroyed is established by Part 4 of Article 21, three working days in length. Please note that we are talking here about personalized information. If the information is anonymized, that is, it cannot be determined from which citizen it belongs, then it is not necessary to destroy this data. In other words, the Federal Law does not prohibit the accumulation of anonymized samples for statistical research.

The law also provides for the possibility of outsourcing the processing of personal information. In this regard, part 6.4 states: “If the operator, on the basis of a contract, entrusts the processing of [private information] to another person, an essential condition of the contract is the obligation of the specified person to ensure confidentiality... and security of personal data during their processing.” Thus, the requirement for confidentiality of citizens’ personal information, which is guaranteed by Article 7, comes to the fore. law. According to this article, “operators and third parties gaining access to personal data must ensure the confidentiality of such data.” There are only two exceptions to this requirement: if the information is anonymized or publicly available, then it is not necessary to protect it.

However Special attention Business representatives should pay attention to Article 19, which regulates measures to ensure the security of personal data during their processing. According to Article 19 Part 1, the operator “is obliged to take the necessary organizational and technical measures, including the use of encryption (cryptographic) means, to protect personal data” from a number of threats. Among them, the law identifies “illegal or accidental access, destruction, modification, blocking, copying, distribution, as well as other unlawful actions.” As Oleg Smoliy points out, Chief Specialist Security Directorate of Vneshtorgbank, it follows that business representatives need to ensure monitoring of all operations that internal violators carry out with the private data of clients and employees. Moreover, it must be active monitoring, that is, one that allows you to block actions that violate security policy.

Meanwhile, according to Article 19 Part 2 of the Federal Law “On Personal Data”, the Government of the Russian Federation must establish requirements for “ensuring the security [of personal data] during their processing in personal data information systems, requirements for material media of biometric personal data and technologies for storing such data outside personal data information systems.” Control over the implementation of these requirements, according to Article 19 Part 3, will be entrusted to the “federal executive body authorized in the field of countering technical intelligence and technical protection of information.” In other words, the adoption of the law (even with the requirements for the security of private information specified in it) is only the first step on a long path towards the civilized handling of personal data. The next step should have been the appointment or creation of an authorized body and clear formalization of requirements for the protection of personal information. Please note that the authorized body itself has already been selected. This is the Federal Service for Technical and Export Control. However, any formalized requirements from the FSTEC of Russia in terms of the protection of personal data have not yet been made public.

We also note that according to Article 24, perpetrators bear civil, criminal, administrative, disciplinary and other liability provided for by the legislation of the Russian Federation. Moreover, Article 17 allows citizens to sue personal data operators and demand compensation for losses and/or compensation for moral damages in cases where the operator violates the requirements of the Federal Law. Those. Leakage of private information of citizens can easily provoke a whole series of lawsuits and litigation, which will lead to serious legal costs, publicity and deterioration of reputation.

2.2. How much will you have to change your IT system in accordance with the Federal Law?

With proper funding and specification of the requirements of the regulatory act, the implementation of protective measures in accordance with the Federal Law should not present great difficulties for Russian organizations. Of course, in some cases it will be necessary to introduce new products and solutions. However, it can already be argued that these security measures need to be implemented without the participation of supervisory authorities, since protecting the confidentiality of personal data and classified information in a company is the key to its successful activities.

On final stage The study respondents were asked to talk about their plans to implement technological solutions to protect personal data. It turned out that 71% of organizations have already planned the purchase and implementation of this type of product. At the same time, only 16% of companies have all necessary solutions already now, and 13% do not burden themselves with worries, because they do not believe that the Federal Law will work in practice. However, if the government continues to tighten the screws, then these 13% will automatically turn into guilty companies that are feverishly searching for and implementing remedies.

2.3.Plans for the introduction of new IT products to comply with Federal Law

Summing up, it can be noted that the overwhelming majority of experts (94%) are convinced that Russia simply needed a law “On Personal Data”. At the same time, 40% of surveyed professionals do not believe that the law will work in practice. What is the problem? It turns out that the requirements of the law are insufficiently specific (49%) and there is a lack of money to implement adequate protection systems (20%). Thus, the authorized body (FSTEC of Russia) needs to develop formal requirements for the security of personal data as quickly as possible and publish an official standard that will consolidate the provisions of the Federal Law “On Personal Data”. The current requirements of this law were considered by a majority (79%) to be quite feasible for implementation. Moreover, 71% of organizations have already planned to introduce new IT products to achieve compliance with the provisions of the law.

However, this is only one side of the coin - with its help, the state is trying to prevent leaks at the level of those sources from which information leaks. Meanwhile, there is one more important aspect: illegal circulation of personal data. After all, you don’t even have to go far to buy a private database on CD for a fairly modest price. Obviously, in this regard, responsibility falls on the executive authorities, who now have the legal opportunity to open a case against illegal sellers. True, it is precisely at this stage that we so need law enforcement practice, which Russia, apparently, will have to develop for years.

So, a necessary condition processing of personal data is the consent of the subject of personal data, except in special cases.

Federal law obliges operators to comply with requirements for the confidentiality of personal data (with the exception of publicly available and anonymized personal data), including using cryptographic means.

In general, requirements for ensuring the security of personal data are established by Federal legislation, Decrees of the Government of the Russian Federation and other by-laws. Monitoring compliance with requirements for ensuring the security of personal data is carried out by the Federal Security Service and the Federal Service for Technical and Expert Control.

At the stage of designing an information system or during its operation, it is necessary to categorize personal data. Based on the category of personal data, as well as the characteristics of the information system associated with threats to the security of personal data, the information system is assigned a certain class, which determines the requirements for the protection of the data processed in it.

The classification of personal data information systems is carried out on the basis of regulatory documents of the FSTEC.

Measures to protect personal data, in particular, should include:

• Identification of threats to the security of personal data during their processing, development of a threat model;
• Development of a protection system based on a threat model using methods corresponding to the class of the information system;
• Checking the readiness of protective equipment for use with drawing up conclusions on the possibility of operation;
• Installation and commissioning of protective equipment, as well as training of employees in their use;

It is important to note that, in accordance with the requirements of regulatory documents, security measures used in personal data information systems (including means of protection against unauthorized access, cryptographic means of protection, means of protection against leaks through technical channels) must in the prescribed manner be assessed for compliance with the requirements of the FSB and FSTEC.

And according to the requirements, the exchange of personal data during their processing must be carried out through communication channels, the protection of which is implemented using organizational or technical measures.

In accordance with Law No. 152-FZ, the range of legal entities whose automated systems must contain information security subsystems is significantly expanding. These include medical institutions, investment and trust companies, other structures that attract funds from the public, as well as all legal entities whose automated systems in one form or another manage the personal affairs of employees.

From the day the Federal Law “On Personal Data” came into force (January 30, 2007), the requirements for processing, including the protection of personal data, described in the law are mandatory for personal data operators.

It should be noted that the Federal Law concerns not only newly created personal data processing systems. Personal data information systems created before the law came into force must be brought into compliance with the requirements of the Federal Law “On Personal Data” no later than January 1, 2010.

Federal Law of the Russian Federation dated July 27, 2006 N 152-FZ “On Personal Data” states: “When processing personal data, the operator is obliged to take the necessary organizational and technical measures, including the use of encryption (cryptographic) means, to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution of personal data, as well as from other unlawful actions.” Let's consider how, in accordance with current legislative and regulatory acts, to competently approach the issue of introducing new data protection tools.

To do this, you must first determine the requirements for implementing a data protection system.

To formulate the basic basic requirements for the implementation of a data protection system, it is necessary to determine the answers to the following questions:

• What should serve as the entity “access object”, in other words, what should be an object (in general, a set of objects), when stored in which, the data should be encrypted and/or guaranteed to be deleted (naturally, we're talking about about automatic “transparent” for the user encryption of data “on the fly” when saving it to an object (and decrypting it accordingly), implemented by the system driver (similarly, guaranteed deletion). We will not consider approaches to the construction of SDS that involve the implementation of encryption and/or guaranteed manual deletion by the user, and even more so, the issues of implementing these functions at the application level - from specific applications; probably, we should not even explain why, if we are talking about effective means protection for corporate applications aimed at protecting personal data;
• What should serve as the entity “access subject”, in other words, whether when deciding on encryption (decryption) and/or guaranteed deletion of data when requesting access to an object, it should in principle be taken into account, and if so, how to take into account which user and which process accesses the object. In other words, you should control which users save data in encrypted form (respectively, their information is guaranteed to be deleted), or which data objects are saved in encrypted form (respectively, in which objects data is guaranteed to be deleted);
• What should serve as the essence of “encryption right”. The fact is that when constructing an information security system from NSD, two approaches to implementing a delimitation policy for access to resources are possible: by assigning attributes assigned to objects (here we can talk about the “encryption” and “guaranteed deletion” attributes), or by assigning access rights to objects for users. This question is closely related to the previous one;
• How to ensure collective access of users to encrypted data (this is one of the key tasks for corporate applications when protecting personal data, consisting in the fact that the data should be located on shared resource(as a rule, file objects separated on the network), and in encrypted form, and access rights to this data must be granted to several users, for example, remotely to a file server from workstations on a corporate network). Accordingly, we should talk about guaranteed deletion of data in collectively used resources. The important question here is whether (if so, how) any user identification is taken into account when generating the encryption key.

Let's consider these questions in order, and we will take into account, firstly, that both procedures, encryption and guaranteed deletion, are very resource-intensive and have an impact on the load of the computing resource (even when they are implemented at the system driver level, but if they are implemented on at the application level, the load on the computing resource increases significantly), secondly, on one computing device in corporate applications, as a rule, both open and confidential information is processed (and, sometimes, confidential information can also be categorized), i.e. Not all data should be additionally protected by encryption and guaranteed deletion.

Data of different confidentiality categories should be stored in different file objects (only in this case can different processing modes be implemented), both on the hard drive and on external drives, both on local and on shared networks ( at the same time, it is not possible to provide collective access to data - without the ability to separate file objects on the network). The main object for implementing the restrictive policy of access to resources is the “folder”. As for external drives (for example, Flash devices), sometimes it is allowed to write information to them only in encrypted form, i.e. in this case, the object of encryption should be the disk (however, depending on the type of information, it may be allowed to save data on one external drive, both in open and encrypted form, then the object of encryption again becomes a “folder”, for example, a directory on the drive) . The folder is also a required encryption object when using a shared resource (for example, hard drive on the server) when implementing collective access to data in a corporate network. In some specific cases, encryption of a separate file may be required; in particular, the entire database may be located in a separate file. Despite the particularity of these cases, their possibility - the object of encryption is a file - must also be implemented in the security tool.

Implementation requirement. Objects of cryptographic protection and guaranteed removal of residual information for corporate applications should be objects of any hierarchy level (disk, folder (directory, subdirectory), file) on the hard drive and on external drives, both local and shared on the network. In this case, the security tool should provide the ability to set any set of objects (for example, several directories to choose from, including those separated on the network) as objects of cryptographic protection and guaranteed removal of residual information

Despite the apparent obviousness of these requirements, in practice, means with very disabilities specifying protection objects, for example, only a local disk (the so-called “file safe”), or only local file objects can be assigned for data encryption, or, for example, a very strange solution is implemented in some protection tools in terms of guaranteed removal of residual information - if this mode is activated, then data in all file objects is guaranteed to be deleted (but what about the completely unjustified additional impact on the load of a computing resource in this case?). It is natural that similar means easier to use practical implementation However, a consequence of the implementation of such solutions is their low consumer cost in corporate applications.

Let's move on to consider the following two very important interrelated issues. Should the “user” entity be taken into account in any way when constructing a protection scheme, therefore, additional protection should be a privilege of the user (considered as his right) or an object (considered as an additional attribute of the file object). Note that access rights to objects in corporate applications should be considered as a user property, and not as an attribute of a file object. In this case, the opposite is true. A feature of corporate applications is that the same user must process both open and confidential information on one computer (if only open, then there is no need for additional data protection, but only confidential - in practice, as a rule, this does not happen ). Therefore, if additional data protection is considered as a user privilege (i.e., setting the appropriate mode for saving and deleting (modifying) data for an account), then in corporate applications this will mean that all data (both open and confidential) user should be encrypted and guaranteed to be deleted. It is pointless! Therefore, encryption and guaranteed deletion should be considered not as a privilege of the user (account), but as a property of the object, which is determined by the corresponding additional attributes: “encryption” and “guaranteed deletion” assigned to objects - when data is saved to this object, it is automatically encrypted, When deleting (modifying) an object, the data is guaranteed to be deleted.

Implementation requirement. The possibility of additional data protection using encryption and guaranteed deletion methods must be considered as a property of the object, which is determined by the corresponding additional attributes: “encryption” and “guaranteed deletion”, set for the additionally protected object.

Now about collective access to resources. This is very important functionality. Without its practical implementation, it is impossible to provide not only common file storage for users, but also to fundamentally organize the exchange of protected data through the file system, not only on the network, but also locally, on one computer. Collective access to resources is a priori possible only if such an entity as the “encryption key” is uniform (the key is the same) for users who have the right to access the collectively used resource.

Taking into account the above, we can draw two very important conclusions: firstly, the security tool must provide the ability to set different encryption keys for various additionally protected objects (including on the same computer) - in the limit, each object has its own encryption key, Secondly, the encryption key should in no way be generated based on the identification data (ID and password) of the users, because otherwise, these data must be the same for accounts that are allowed access to shared objects (which is not allowed). Note that despite this seemingly obvious requirement, similar solutions implemented in practice exist.

Implementation requirement. The security tool must provide the ability to set different encryption keys for various additionally protected objects (including on the same computer) - in the limit, each object has its own encryption key, and the encryption key should in no way be generated based on identification data (identifier and password) users.

By way of comment, we note that in order to reduce the resource intensity of the security tool, taking into account the fact that confidential information of various categories can be processed on one computer, which, as a result, requires various additional security, it is advisable to provide the ability to encrypt data of various categories (various objects) using different encryption algorithms (in particular, using different encryption key lengths), respectively, it is guaranteed to delete data of various categories using different rules (in particular, with the ability to set for different objects various numbers cleaning passes - recording masking information, and in various ways assignments of masking information - masking information is the data that is written over the original data when an object is destroyed or modified, in other words, this is the data that remains on the media as residual information).

Now let us dwell on another important issue of implementing collective access, in in this case, remote access to additionally protected objects separated on the network. Simplified, we have the following system structure. At workstations, users process data that is stored in an object shared between users, located on a separate computer (file server). The question arises, where to carry out the data encryption procedure - on workstations, before saving it on the server, or on the server itself? Probably the answer to this question is obvious - at workstations. This is explained by the fact that with this solution, data is transmitted over the communication channel in encrypted form (otherwise, in open form).

Implementation requirement. When implementing collective access to additionally protected objects separated on the network, data encryption must be carried out on workstations on which users process data.

By way of comment, we note that such a solution is possible only if the security measure meets the implementation requirement, namely that the objects of cryptographic protection and guaranteed removal of residual information for corporate applications must be objects of any hierarchy level (disk, folder (directory) , subdirectory), file) on the hard drive and on external drives, both local and shared on the network (see above).

Conclusion

The operator's obligation, according to Article 19, is also ensuring the security of personal data during their processing. To avoid troubles, it is advisable for the operator organization to develop in advance and formalize in regulatory documents all organizational and technical information security measures that it is ready to take to protect personal data contained in its information systems.

The law stipulates that all operators processing personal data must notify the authorized body in advance (Article 22), which will keep records of operators in a special register. The authorized body, according to Article 23, is the Ministry of Information and Communications of Russia, which currently carries out “functions of control and supervision in the field of information technology and communications.” The notice will need to detail what you plan to do with the personal data. Any changes regarding the processing of personal data must also be reported to the authorized body.

It is allowed to process personal data without notifying the authorized body in the following cases:

• in the presence of labor relations;
• when concluding an agreement to which the subject of personal data is a party;
• if personal data relates to members (participants) of a public association or religious organization and is processed by the relevant public association or religious organization;
• if personal data is publicly available;
• if personal data includes only last names, first names and patronymics of the subjects;
• when issuing passes;
• if personal data is included in information systems that have, in accordance with federal laws the status of federal automated information systems, as well as in state information systems of personal data created to protect state security and public order;
• if personal data is processed without the use of automation tools.

In conclusion, we will give a number of recommendations to operating organizations. Complying with the requirements of the personal data law will not be so difficult if this work start now, without waiting for the first applications and complaints to arrive. You can start with the following obvious measures:

It is advisable to appoint a responsible employee to consider all issues related to the implementation of this law in the organization, and for large companies the creation of a special commission may be justified.

For all information resources of the organization containing personal data, it is necessary:

• determine their status (on the basis of what they were created: in accordance with the law, for the execution of a contract, on their own initiative, etc.);
• clarify and record the composition of personal data and their sources of receipt (from a citizen, from public sources, from third parties, etc.);
• establish storage periods and processing times for data in each information resource;
• determine processing methods;
• identify persons who have access to the data;
• formulate legal consequences;
• determine the procedure for responding to requests, possible options for responses and actions, assess the reality of compliance with the response deadlines established by law.