Working with personal data documents. Introduction of the Regulations into force. Personal data: special information

Since the end of summer, the Personal Data Law has been in effect in a new edition. The rules for obtaining and protecting information have changed. For the employer, this means only one thing: additional paperwork. In this article we will talk about how to draw up regulations on working with personal data of employees and how to appoint someone responsible for organizing work with personal data.

What is personal data

Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter referred to as Law No. 152-FZ) defines personal data as any information directly or indirectly related to an individual (the subject of personal data). This is stated in paragraph 1 of Art. 3 of Law No. 152-FZ.

According to Part 1 of Art. 85 of the Labor Code, personal data of an employee means information relating to a specific employee that the employer needs in connection with labor relations. This covers data such as:

  • Full Name;
  • Date and place of birth;
  • address;
  • Family status;
  • position (profession);
  • salary, other income;
  • ownership of real estate, cash deposits, etc.;
  • education, qualifications, professional training, information on advanced training;
  • habits and hobbies, including harmful ones (alcohol, drugs, etc.);
  • biography facts and previous work activity (place of work, amount of earnings, criminal record, military service, work in elected positions, public service, etc.);
  • physiological characteristics, health;
  • business and other personal qualities;
  • other information.

The list of personnel documents that contain personal data of employees is given in Table 1 on p. 76.

Table 1. Documents containing personal data of employees

N | Document | Information
1 | Questionnaire, autobiography, personal personnel records sheet (to be completed upon admission to | Personal and biographical information
2 | Copy of the identification document | Full name, date of birth, registration address, marital status, family composition
3 | Personal card (form N T-2, approved by the Resolution of Goskomstat of Russia dated 01/05/2004 N 1) | Full name of the employee, place of birth, family composition, education, and identification document details
4 | Employment history | Information about work experience, previous places of work
5 | Copies of certificates of marriage, birth of children | Family composition, changes in family
6 | Military registration documents | Information about the employee's military service status that the employer needs to maintain military registration of employees
7 | Certificate of income from previous places of work | Full name, information about the amount of income and withheld personal income tax
8 | Education documents | Confirm the qualifications of the employee, justify the occupation of a certain
9 | Mandatory pension insurance documents | Full name, personal data
10 | Employment contract | Information about the employee's position, salary, place of work, workplace, as well as other employee personal data
11 | Orders for personnel | Information about admission, transfer, dismissal and other events related to work activities

Personal data processing operator

According to Law N 152-FZ, the person (legal entity or individual) who organizes and (or) carries out the processing of personal data and determines its composition, the purposes of processing, and the actions performed with personal data is called the operator (Clause 2 of Article 3 of Law No. 152-FZ). In our case, this is the employer.

Processing of personal data is any action performed with them. Operations for processing personal data:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (update, change);
  • extraction;
  • usage;
  • transmission (distribution, provision, access);
  • depersonalization;
  • blocking;
  • deletion;
  • destruction of personal data.

Regulations on working with personal data

The procedure for processing personal data by the operator may be established in the Regulations on working with personal data of employees (hereinafter referred to as the Regulations). There is no unified form of the document. Let's consider how to draw up this document taking into account the requirements of Law N 152-FZ. The Regulations consist of several sections. They are presented in Table 2, which also briefly indicates the information that the sections should contain. Detailed information is presented in a fragment of the Regulations on personal data of employees, which is given on p. 80.

Table 2. Structure of the Regulations on personal data of employees

N | Section | Contents
1 | General provisions | Purpose of adoption of the Regulations. Issues governed by the Regulations. References to regulations: indicate the documents on the basis of which the Regulations are compiled. In organizations where state civil servants work, reference is given to: - Federal Law of July 27, 2004 N 79-FZ "On the state civil service of the Russian; - Decree of the President of the Russian Federation dated May 30, 2005 N 609 “On approval of the Personal Data Regulations state civil servant Russian Federation and maintaining his personal; - regulatory acts of a constituent entity of the Russian Federation
2 | Basic concepts. Composition of employees' personal data | Basic concepts. Definitions of the concepts "personal data", "processing of personal data", "use of personal data" are given; the storage period for documents, etc. is indicated. It must be stated separately what counts as personal data in a specific company, taking into account its features (data used in work, for example, information about working at sensitive facilities, on obtaining access to state secrets, about health compliance for professions associated with heavy and harmful conditions, etc.). List of documents of the organization that contain personal data
3 | Receipt of personal data | Procedure for obtaining personal data. Indicates that the data is received and processed based on the written consent of the employee. Indicates cases where consent is not required
4 | Use of personal data | Purposes of using employees' personal information
5 | Processing of personal data | Conditions observed when processing employees' personal data
6 | Transfer of personal data (access to personal data) | The procedure for transferring personal data within the organization (internal access) and to third parties and government agencies (external access)
7 | Responsibility for violating the rules for processing and protecting personal data | Identifies those who are responsible for violating the rules for storing and using personal data

Fragment of the Regulations on personal data of employees

Introduction of the Regulations into force

The regulation on personal data is approved by the head of the company and put into effect by order of the organization (a sample is given on p. 90). A record of approval of the Regulations must be made in the register of local regulations.

If there is a trade union

If the company has a trade union, the Regulations must be agreed upon with it. To do this, the draft Regulations are sent to the elected body of the trade union (Article 372 of the Labor Code of the Russian Federation). The trade union body must express its opinion in writing no later than five working days from the date of receipt of the draft. If the union does not agree with the draft or has proposals for its improvement, the administration has two options. The first is to agree. The second is to conduct additional consultations with the trade union within three days after receiving its reasoned opinion in order to reach a mutually acceptable solution. If this does not help, a protocol of disagreement should be drawn up. After this, the administration has the right to adopt the Regulations without taking into account the demands of the trade union. However, the trade union will be able to appeal the Regulations or begin the procedure for a collective labor dispute in the manner prescribed by Chapter 61 of the Labor Code.

Familiarization of employees with the Regulations

Employees must be familiarized with the Regulations against signature (clause 8 of Article 86 of the Labor Code of the Russian Federation). This fact can be recorded:

  • in the text of each employee's employment contract (a list of the local regulations with which the employee was familiarized before signing the contract);
  • in a sheet for familiarization with the Regulations (sample on p. 91);
  • in a logbook for familiarizing employees with local regulations (sample on p. 91).

Sample sheet for familiarization with local regulations

N | Name of local regulatory act | Date | Signature
1 | Internal labor regulations of LLC "Black Forest" | 03.10.2011 | Evstakhov
2 | Regulations on remuneration, bonuses and social security of employees of Cherny LLC | |
3 | Information security instructions, approved by Order dated June 15, 2008 N 1 | 03.10.2011 | Evstakhov
4 | Regulations on personal data | 03.10.2011 | Evstakhov
5 | Regulation on the liability of workers for damage caused to Black Forest LLC | 03.10.2011 | Evstakhov

Fragment of the log of familiarization with the Regulations on personal data

Note. Personal data storage period

Local regulations (regulations, instructions) on personal data must be stored permanently. As for employee statements of consent to data processing (they will be discussed in future issues), and other employee documents, they are stored for 75 years. This is stated in the List approved by Order of the Ministry of Culture of Russia dated August 25, 2010 N 558.

Administrative responsibility

Administrative measures (mainly fines; disqualification is not applicable in this case) for the enterprise and its officials for violation of the procedure for obtaining, processing, storing and protecting personal data of employees are given in Table 3.

Table 3. Responsibility for violating the procedure for obtaining, processing, storing and protecting personal data of employees

Responsible for organizing work with personal data of employees

The person responsible for collecting, processing, and storing personal data of employees is appointed by the head of the organization. To do this, an order should be issued (a sample of which is given on p. 92).

The same order may establish a list of persons who have access to personal data. This list may also be approved by a separate order of the manager.

As a rule, the following employees are appointed responsible for organizing work with personal data of employees (their receipt, processing, storage, protection, etc.):

  • head of the HR department;
  • (senior) HR inspector;
  • HR Director;
  • Deputy Head of Department (HR Director);
  • HR specialist.

A new position may also be introduced.

To fulfill its obligations under labor, tax and accounting laws, the employer must use and operate with the employee’s personal data. However, the personal data law requires the employer, who in this case is the “personal data operator” and performs the “processing of personal data,” to ensure the security of this information.

The rules established by Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter referred to as the Law on Personal Data) apply not only to organizations that deal with client databases. All organizations that have at least one employee must comply with the requirements of this law. This is because legislators also treat as personal data the information that an enterprise receives from its employees when hiring them. This means that the organization is obliged to protect this information in full accordance with the law.

What data is personal?

According to the Labor Code of the Russian Federation, personal data of employees means information necessary for the employer in connection with labor relations and relating to a specific employee.

The Personal Data Law expands and clarifies the concept.

Personal data – any information relating to an individual identified or determined on the basis of such information (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, other information.

Thus, each employer, when concluding an employment contract, receives information related to personal data.

This information is contained in the following documents presented by the employee upon hiring:

  • passport;
  • military ID (for those liable for military service);
  • certificate of assignment of TIN;
  • pension insurance certificate;
  • educational documents (including additional education, if the employee provides them upon hiring or is required when performing certain job functions);
  • driver's license and car documents, if required in connection with the employee's job function;
  • a medical certificate confirming the completion of a medical examination (medical record), if required in connection with the performance of the employee’s labor function.

The use of the above data by an enterprise in its activities (collection, systematization, accumulation, storage, clarification, destruction, use, distribution and transfer) is interpreted by law as “processing of personal data.” All these operations are performed to one degree or another in any organization and in any enterprise.

Particular attention must be paid to the concept of transfer of personal data, since a number of restrictions are imposed on the employer in connection with it.

Thus, the employer does not have the right:

  • disclose personal data to a third party without the written consent of the employee, except in cases where this is necessary in order to prevent a threat to the life and health of the latter, as well as other cases provided for by the legislation of the Russian Federation;
  • disclose the employee’s personal data for commercial purposes without his written consent;
  • request information about the state of health, with the exception of information that relates to the issue of the employee’s ability to perform a job function.

In addition, the employer must comply with the following requirements:

  • warn persons receiving the employee’s personal data that such data can only be used for the purposes for which they were communicated, and require confirmation from these persons that this rule is observed. Persons receiving personal data are required to maintain confidentiality;
  • allow access to personal data of employees only to specially authorized persons, and they should receive only those personal data that are necessary to perform specific functions;
  • transfer personal data to employee representatives in the manner established by the legislation of the Russian Federation, and limit this information only to those personal data that are necessary for the said representatives to perform their functions.

Documents for working with personal data

To protect itself during an inspection of personal data security, the company must have the following documents, which can be presented at the inspectors' request:

  • regulations on personal data;
  • order on the appointment of those responsible for working with personal data;
  • order on the appointment of those responsible for ensuring the security of personal data;
  • statements from employees regarding consent to the processing of personal data.

Regulations on personal data

In pursuance of the legislation of the Russian Federation, in order to ensure the protection of the rights and freedoms of employees, each organization is obliged to develop and adopt a regulation on personal data of employees (hereinafter referred to as the Regulation). This document determines exactly what information is subject to processing and storage at this enterprise.

The Regulation is a management document and is approved by order of the organization. Its content must be developed in accordance with the Constitution of the Russian Federation, the Civil and Labor Codes of the Russian Federation, Federal Law dated July 27, 2006 No. 149-FZ “On information, information technologies and information protection”, and Federal Law dated July 27, 2006 No. 152-FZ “On personal data”.

The Regulations should contain the following sections:

  1. General information.
  2. Basic concepts and composition of personal data of employees.
  3. Collection, processing and protection of data.
  4. Data transfer and storage.
  5. Access to personal data of employees.
  6. Responsibility for violation of the rules governing the processing and protection of personal data.

All employees included in the list of persons authorized to work with personal data must be familiarized with the Regulations against their signature.

List of processed employee data

Next, you will need to approve a document containing a list of personal data that is actually used in the organization’s activities. When drawing up such a document, do not forget to include in it all the information that the employee provides in writing about himself when applying for a job, as well as that used in the future when preparing personnel documentation.

This list should include:

  • application for a job;
  • employee profile;
  • personal card;
  • personal file;
  • employment contract;
  • orders;
  • employment history;
  • materials of certification commissions.

If the organization has an internal document flow containing information about employees (for example, reports and materials that are prepared for shareholders, founders, the parent organization, etc.), then these reports also need to be included in the list. In addition, the list must contain documents containing information about employees that the organization submits to various government bodies (tax and labor inspectorates, statistical authorities).


Fines are assessed for one violation, and where there is no system for protecting personal data, the inspection commission is most often faced with massive violations, as a result of which the total amount of the fine becomes quite impressive.

The next stage of work is the preparation and approval of a list of persons authorized to work with personal data. This document is approved by order of the manager and delivered for signature to all employees indicated in it. By the way, the manager’s order to appoint someone responsible for working with personal data and ensuring its protection is the first thing inspectors will want to see. The responsible party can be either a specific person or a department. In the latter case, the head of such a unit bears personal responsibility.

The agency authorized to monitor compliance with the personal data regime is the Federal Service for Supervision of Communications, Information Technologies and Mass Communications (abbreviated as Roskomnadzor). The department transfers all materials on those inspections where violations are found to the prosecutor's office.

When to familiarize a new employee with the Personal Data Regulations

Familiarize your future employee with the Regulations on Personal Data before signing an employment contract (Article 68 of the Labor Code of the Russian Federation). You can confirm that the employee has read the Regulations by signing:

  • in the text of the employment contract;
  • in the sheet for familiarization with the Regulations on Personal Data;
  • in the journal of familiarization with local acts.

The regulation on personal data is a local regulatory act that must be present in the organization (Article 87 of the Labor Code of the Russian Federation). Otherwise, the company may be brought to administrative liability (Article 5.27 of the Code of Administrative Offenses of the Russian Federation).

Employee consent to the processing of personal data

You need to obtain consent if:

  • the request for information about the employee came from a third party;
  • the employer sends requests to other organizations;
  • the employer processes information about those included in the personnel reserve;
  • the processing of personal data of the employee’s relatives exceeds the established volume (more data is required than indicated in the personal card).

Personal data is confidential information, which means it must not be freely accessible; otherwise it ceases to be confidential. In this regard, the employer has the right to transfer such information about employees to other persons only with their written consent.

An exception to the rule is situations where the life and health of workers are at risk. In addition, the law provides for the processing of an employee’s personal data without the consent of the person being inspected, if he is a law enforcement officer.

The statement of consent is addressed to the employer, represented by the general director. However, the latter has the right to entrust the processing of personal data to other employees of the organization (Part 3 of Article 6 of the Law on Personal Data). Most often these are personnel officers and accountants. Consent can be issued either on paper or in electronic format. In the latter case it must be signed with an electronic signature (Part 4 of Article 9 of the Law on Personal Data). There is no unified consent form. It can be drawn up in any form.

The heading must indicate that this is consent to the processing of personal data, and not anything else.

Next, the full name of the person being checked is written down by hand, then the series and number of the passport, who issued it. After which the name of the organization to which the person being inspected gives permission to perform the inspection is indicated. Subsequently, it is necessary to indicate the grounds for verification.

Be sure to describe in detail what exactly the person being tested gives his consent to. At the end of the document there must be a signature of the person being verified.

An employee who has given consent to the processing of his personal data has the right to withdraw such consent at any time (Part 2 of Article 9 of the Law on Personal Data).

If the employee does not agree

If the employee does not agree to the processing of personal data, explain the consequences.

Explain to the employee that without his consent it is impossible to issue a VHI policy, congratulate him on his birthday, give gifts to children on holidays, use his full name when creating an email address, on business cards, or post information on the company portal. As a rule, given such arguments, employees change their position and consent to data processing.

An employer has the right to process an employee’s personal data without his consent, provided that the volume does not exceed that established by law, for example, to fulfill the terms of an employment contract. Without the consent of an employee, it is also possible to process his personal data in cases provided for by a collective agreement or by local acts of the employer adopted in the manner established by Article 372 of the Labor Code of the Russian Federation.

Storing personal data of employees

Federal Law No. 242 of July 21, 2014 “On amendments to certain legislative acts of the Russian Federation in terms of clarifying the procedure for processing personal data in information and telecommunication networks” provides for storage exclusively on Russian servers. Employees' personal information contained in their personnel files must be retained by the organization for 75 years.