Regulation on the personal data of employees: 2020 sample. Sample order on the personal data of employees

The regulation on the protection of employees' personal data is the organization's core document on this subject: it forms the legal basis for all work with this kind of data. This article describes what the regulation contains and how to work with it.

Regulation on the processing of personal data - legal requirements

Part 1 of Article 18.1 of the Law "On Personal Data" dated July 27, 2006 No. 152-FZ states that organizations and other entities (individual entrepreneurs, state or municipal authorities) that work with citizens' personal data are required to take the measures necessary and sufficient to ensure compliance both with Federal Law No. 152 itself and with the by-laws adopted for its implementation. The organization chooses the specific list of measures for fulfilling these duties independently.

The same Part 1 of Article 18.1 of Federal Law No. 152 contains an indicative (non-exhaustive) list of measures an organization can apply when working with personal data. Paragraph 2 of Part 1 of Article 18.1 names, as one such measure, the issuing of internal documents that define the organization's policy on personal data, together with other local acts that set out the specific procedure by which the organization's employees handle such information.

Note that the organization's policy is largely a declarative document: it outlines only the general features of the measures the organization will take to comply with the law. The legal basis for processing personal data within the organization is the regulation on the personal data of employees.

A reading of Article 18.1 of Federal Law No. 152 shows that adopting such a regulation is not a mandatory requirement. However, during an audit of compliance with the security measures for personal data processing, the organization must, under Part 4 of Article 18.1 of Federal Law No. 152, present such a document to the inspectors or otherwise prove that it complies with the norms of Federal Law No. 152. The existence of the regulation therefore serves as documentary evidence of compliance with the personal data requirements, so it is still advisable for an organization to develop one. In pursuance of Part 2 of Article 18.1 of Federal Law No. 152, the document must also be made freely available for review, for example by posting it on the organization's website.


Contents of the regulation: 2017 sample

The list of issues that the regulation must address is contained in Article 18.1 of Federal Law No. 152. As a rule, they are set out in the following order:

  1. General provisions. This section states:
    • the goals and objectives of the regulation;
    • references to the organization's other regulatory acts (orders, instructions, regulations);
    • the situations in which the regulation applies;
    • the persons responsible for its implementation;
    • definitions of the terms used in the document, etc.
  2. The list of technical, legal and other measures aimed at protecting personal data, and the procedure for applying them. This section covers:
    • access to personal data carriers;
    • how to work with them;
    • requirements for the computer equipment used to work with the information, etc.
  3. The procedure for informing (instructing) the organization's employees who will be allowed to work with personal data.
  4. The frequency and list of activities carried out as part of internal or external control over compliance with the regulation.
  5. The scope of employees' liability for violating the requirements of the regulation.
  6. An assessment of possible harm and a list of measures that can minimize it or eliminate the likelihood of it being caused.

When developing the organization's regulation, the following rules should also be taken into account:

  • the provisions put into effect by Decree of the Government of the Russian Federation "On Approval ..." dated September 15, 2008 No. 687 (if the organization processes data manually, on paper or other media, without the use of automation tools);
  • the requirements for working with automation tools established by Decree of the Government of the Russian Federation "On Approval ..." dated November 1, 2012 No. 1119 (when computer equipment is used or data is transmitted over the Internet).


Working with the regulation in practice

When working directly with the regulation on the protection of employees' personal data, remember that the list of persons responsible for this work (or who have access to the data) is approved by a separate order. In addition, if the organization uses standard paper forms of record keeping (books, registers, card files, etc.), paragraph 7 of Regulation No. 687 additionally requires that instructions for working with them be issued. Bear in mind, too, that besides processing employee data an organization often has to collect and store the data of customers and other citizens, so the regulation can be extended to cover their personal data as well.

To sum up, the regulation is a kind of insurance during inspections of the organization by Roskomnadzor and other supervisory authorities. It also streamlines the work of employees with personal information, which improves the level of protection as well as the efficiency and accuracy of processing.

Since July 1, 2017, liability for violations in handling the personal data of individuals has been significantly tightened. This follows from Federal Law No. 13-FZ of February 7, 2017. The changes affect all employers without exception that process the personal data of employees and individual contractors. Indeed, the amendments apply to almost the entire business community that handles individuals' personal data (for example, owners of websites that collect visitors' personal data). How should you prepare for the changes? Will fines increase? Who will detect violations in the processing of personal data? Let's figure it out.

Personal data: special information

Employees' personal data is any information the employer needs in connection with the employment relationship and that relates to a specific employee (clause 1 of article 3 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data").

At the employer (an organization or individual entrepreneur), employees' personal data is most often consolidated in their personal cards and personal files. Almost every HR manager or HR specialist knows that personal data may only be obtained from the employees themselves. If personal information can only be obtained from a third party, Russian law requires the employer to notify the employee of this and obtain his written consent (clause 3 of part 1 of article 86 of the Labor Code of the Russian Federation).

Employers are not entitled to obtain or process personal data that is not directly related to a person's work. It is therefore impossible to collect information about, for example, employees' religion: such information is a personal or family secret and cannot be connected with the performance of job duties (clause 4 of part 1 of article 86 of the Labor Code of the Russian Federation).

Having obtained personal data, the employer is required by law not to distribute or disclose it to third parties without the employee's consent (Article 7 of the Federal Law of July 27, 2006 No. 152-FZ).

More generally, personal data is any information that relates directly or indirectly to a specific individual (the personal data subject) (paragraph 1 of Article 3 of the Federal Law of July 27, 2006 No. 152-FZ). Examples include surname, first name, patronymic, date and place of birth, place of residence, etc.

How employers are required to protect personal data

To protect personal data and restrict access to it, the employer must put in place a robust, up-to-date protection system. How exactly to do this is for each employer to decide. At the same time, the procedure for obtaining, processing, transferring and storing personal data must be fixed in a local act of the organization, for example in the Regulation on the processing of employees' personal data (Articles 8 and 87 of the Labor Code of the Russian Federation; clause 2 of Part 1 of Article 18.1 of the Federal Law of July 27, 2006 No. 152-FZ).

The employer must also formally appoint an employee responsible for working with personal data (part 5 of article 88 of the Labor Code of the Russian Federation). This may be, for example, a personnel department employee who handles personal files, obtains employees' consent to processing, maintains employee cards, etc.

Inspections of employers' processing of personal data are carried out by divisions of Roskomnadzor. Order of the Ministry of Telecom and Mass Communications of Russia dated November 14, 2011 No. 312 approved the Administrative Regulation for Roskomnadzor's performance of its state control (supervision) functions.

What liability applies to employers

For violating the procedure for obtaining, processing, storing and protecting employees' personal data, disciplinary, material, administrative and criminal liability is provided (Article 90 of the Labor Code of the Russian Federation; Part 1 of Article 24 of the Federal Law of July 27, 2006 No. 152-FZ). Let's look at each type of liability.

Disciplinary liability

Employees who, by virtue of their employment relationship, are obliged to follow the rules for working with personal data but have violated them may be held to disciplinary liability (Article 192 of the Labor Code of the Russian Federation). For example, the head of the personnel department to whom this work is assigned may be held accountable. For a disciplinary offense in collecting, processing or storing personal data, the employer may apply one of the following penalties to the employee (part 1 of article 192 of the Labor Code of the Russian Federation):

  • a remark;
  • a reprimand;
  • dismissal.

Material liability

An employee's material liability may arise if the employee's violation of the rules for working with personal data caused the organization direct actual damage (Article 238 of the Labor Code of the Russian Federation). Suppose the responsible personnel department employee committed a gross violation and published employees' personal data on the Internet. The employees, having learned of this, sued the employer, and the court ordered it to pay the injured employees monetary compensation of 50,000 rubles each. In such a situation the employer may impose limited material liability on the guilty personnel department employee, within the limits of his average monthly earnings (Article 241 of the Labor Code of the Russian Federation). The damage may be recovered by order of the head of the organization no later than one month from the date the amount of damage caused by the employee was finally determined. If that month has expired, the damage will have to be recovered through the courts. This procedure is set out in Article 248 of the Labor Code of the Russian Federation.

Violation 1: processing of personal data for “other” purposes

From July 1, 2017, processing personal data in cases not provided for by law, or processing personal data in a way incompatible with the purposes of its collection, is a separate administrative offense (part 1 of article 13.11 of the Code of Administrative Offenses of the Russian Federation). For example: an employer collects employees' personal data and transfers it to third-party companies for advertising purposes (names, telephone numbers, regions of residence and income level are transferred), and the advertising firms then start sending spam and promotional offers. If the employer's actions do not amount to a criminal offense, administrative liability can be applied. From July 1, 2017, the administrative penalty may be:

  • a warning; or
  • a fine.

Violation 2: processing personal data without consent

As a general rule, the employer may process personal data only with the employees' written consent. Such consent must contain the following information (Part 4 of Article 9 of the Law of July 27, 2006 No. 152-FZ):

  • the employee's full name and address, and the details of his passport (or other identity document), including the date of issue and the issuing authority;
  • the name (or full name) and address of the employer (operator) receiving the employee's consent;
  • the purpose of the personal data processing;
  • the list of personal data for whose processing consent is given;
  • the name (or full name) and address of the person processing the personal data on the employer's behalf, if the processing is entrusted to such a person;
  • the list of actions with the personal data for which consent is given, and a general description of the processing methods the employer uses;
  • the period for which the employee's consent is valid and the method of withdrawing it, unless otherwise established by federal law;
  • the employee's signature.

From July 1, 2017, processing personal data without the employee's written consent, or with written consent that does not contain the information listed above, is a separate administrative offense under Part 2 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation. Fines are provided for it.

Violation 3: access to the privacy policy

A personal data operator (for example, an employer or a website) is obliged to publish or otherwise provide unrestricted access to a document defining its policy on personal data processing and to information about the personal data protection requirements it has implemented. An operator that collects personal data on the Internet (for example, through a website) must publish such a document and such information on the Internet and provide access to them. This is provided for by Part 2 of Article 18.1 of the Law of July 27, 2006 No. 152-FZ.

Many Internet users encounter this obligation in practice. For example, when you submit a request on a website and enter your full name and e-mail, you may notice a link to documents such as the "Personal Data Processing Policy" or "Personal Data Processing Regulation". Admittedly, some sites neglect this and provide no link at all, so a person leaving a request does not know for what purposes the site collects personal data.

Some employers also post vacancies on their websites and invite candidates to fill out an "About Me" form. In such cases the website must likewise provide access to the "Personal Data Processing Policy".

Since July 1, 2017, part 3 of article 13.11 of the Code of Administrative Offenses of the Russian Federation has singled out a separate offense: the operator's failure to publish or provide unrestricted access to the document setting out its personal data processing policy or to information on personal data protection. Liability under this part takes the form of a warning or an administrative fine.

Violation 4: withholding information

The personal data subject (the individual to whom the data relates) has the right to receive the following information about the processing of his personal data (part 7 of article 14 of the Law of July 27, 2006 No. 152-FZ):

  1. confirmation that the operator is processing his personal data;
  2. the legal grounds and purposes of the personal data processing;
  3. the purposes and methods the operator uses for processing personal data;
  4. the name and location of the operator, and information about persons (other than the operator's employees) who have access to the personal data or to whom it may be disclosed on the basis of an agreement with the operator or on the basis of federal law;
  5. the processed personal data relating to the subject and the source from which it was obtained, unless a different procedure for providing such data is provided by federal law;
  6. the periods of personal data processing, including storage periods;
  7. the procedure by which the subject exercises the rights provided for by Federal Law No. 152-FZ;
  8. information about completed or intended cross-border data transfers;
  9. the name, or surname, first name and patronymic, and address of the person processing personal data on the operator's behalf, if the processing is or will be entrusted to such a person;
  10. other information provided for by Federal Law No. 152-FZ or other federal laws.

I APPROVE
____________________________________ (position of the head of the enterprise)
____________________________________ (full name, signature)
"__" ___________ ____

REGULATION on the processing and protection of employees' personal data

1. GENERAL PROVISIONS

1.1. This Regulation establishes the procedure for obtaining, recording, processing, accumulating and storing documents containing information relating to the personal data of the enterprise's employees. Employees are persons who have concluded an employment contract with the enterprise.

1.2. The purpose of this Regulation is to protect the personal data of the enterprise's employees from unauthorized access and disclosure. Personal data is always confidential, strictly protected information.

1.3. This Regulation is developed on the basis of the Constitution of the Russian Federation, the Labor Code of the Russian Federation and other current regulatory legal acts of the Russian Federation.

1.4. This Regulation and amendments to it are approved by the head of the enterprise and put into effect by an order for the enterprise. All employees of the enterprise must be familiarized with this Regulation and amendments to it against signature.

2. CONCEPT AND COMPOSITION OF PERSONAL DATA

2.1. An employee's personal data is information the employer needs in connection with the employment relationship and that relates to a particular employee, as well as information about the facts, events and circumstances of the employee's life that makes it possible to identify him.

2.2. The composition of the employee's personal data:

  • autobiography;
  • education;
  • information about work experience and total length of service;
  • information about the previous place of work;
  • information about family composition;
  • passport data;
  • information about military registration;
  • information about the employee's salary;
  • information about social benefits;
  • speciality;
  • position held;
  • amount of wages;
  • existence of a criminal record;
  • residential address;
  • home telephone;
  • originals and copies of personnel orders;
  • personal files and work books of employees;
  • grounds for personnel orders;
  • copies of reports submitted to the statistical authorities;
  • copies of education documents;
  • results of a medical examination for fitness for work;
  • photographs and other information relating to the employee's personal data;
  • a person's belonging to a particular nationality, ethnic group or race;
  • habits and hobbies, including harmful ones (alcohol, drugs, etc.);
  • marital status, presence of children, family ties;
  • religious and political beliefs (membership of a religious denomination, membership of a political party, participation in public associations, including a trade union, etc.);
  • financial situation (income, debts, ownership of real estate, cash deposits, etc.);
  • business and other personal qualities of an evaluative nature;
  • other information that can identify a person.

Of this list, the employer has the right to obtain and use only the information that characterizes the citizen as a party to the employment contract.

2.3. These documents are confidential. The confidentiality regime for personal data is lifted in cases of depersonalization or after ____ years of storage, unless otherwise provided by law.

3. OBLIGATIONS OF THE EMPLOYER

3.1. In order to ensure human and civil rights and freedoms, the employer and its representatives, when processing an employee's personal data, must comply with the following general requirements:

3.1.1. An employee's personal data may be processed solely for the purposes of ensuring compliance with laws and other regulatory legal acts, assisting employees in finding employment, training and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of the work performed, and ensuring the safety of property.

3.1.2. When determining the scope and content of the employee's personal data to be processed, the employer must be guided by the Constitution of the Russian Federation, the Labor Code of the Russian Federation and other federal laws.

3.1.3. All of an employee's personal data should be obtained from the employee himself. If the employee's personal data can only be obtained from a third party, the employee must be notified of this in advance and his written consent must be obtained. The employer must inform the employee of the purposes, intended sources and methods of obtaining the personal data, the nature of the personal data to be obtained, and the consequences of the employee's refusal to give written consent to obtaining it.

3.1.4. The employer does not have the right to obtain or process an employee's personal data about his political, religious and other beliefs or his private life. In cases directly related to employment matters, in accordance with Art. 24 of the Constitution of the Russian Federation, the employer may obtain and process data about an employee's private life only with his written consent.

3.1.5. The employer does not have the right to obtain or process an employee's personal data about his membership of public associations or his trade union activities, except as provided by federal law.

3.1.6. When making decisions affecting the employee's interests, the employer may not rely on personal data of the employee obtained solely as a result of its automated processing or electronic receipt.

3.1.7. Protection of an employee's personal data from unlawful use or loss must be ensured by the employer at its own expense in the manner prescribed by federal law.

3.1.8. Employees and their representatives must be familiarized against signature with the enterprise's documents establishing the procedure for processing employees' personal data, as well as with their rights and obligations in this area.

3.1.9. Employees may not waive their rights to the preservation and protection of secrecy.

4. EMPLOYEE RESPONSIBILITIES

The employee is obliged:

4.1. To provide the employer or its representative with a set of reliable, documented personal data, the list of which is established by the Labor Code of the Russian Federation.

4.2. To promptly, within a reasonable period not exceeding 5 days, inform the employer of changes to his personal data.

5. RIGHTS OF THE EMPLOYEE

The employee has the right:

5.1. To full information about his personal data and the processing of that data.

5.2. To free access to his personal data, including the right to receive copies of any record containing his personal data, except as otherwise provided by the legislation of the Russian Federation.

5.3. To access medical data through a medical professional of his choice.

5.4. To require the exclusion or correction of incorrect or incomplete personal data, as well as of data processed in violation of the requirements of labor law. If the employer refuses to delete or correct the employee's personal data, the employee has the right to declare his disagreement to the employer in writing, with appropriate justification. The employee has the right to supplement personal data of an evaluative nature with a statement expressing his own point of view.

5.5. To require the employer to notify all persons previously informed of the employee's incorrect or incomplete personal data of all exclusions, corrections or additions made to it.

5.6. To appeal in court against any unlawful actions or inaction of the employer in processing and protecting his personal data.

5.7. To designate representatives to protect his personal data.

6. COLLECTION, PROCESSING AND STORAGE OF PERSONAL DATA

6.1. Processing of an employee's personal data means obtaining, storing, combining, transferring or any other use of the employee's personal data.

6.2. All of an employee's personal data should be obtained from the employee himself. If the employee's personal data can only be obtained from a third party, the employee must be notified of this in advance and his written consent must be obtained.

6.3. The employer must inform the employee of the purposes, intended sources and methods of obtaining the personal data, the nature of the personal data to be obtained, and the consequences of the employee's refusal to give written consent to obtaining it.

6.4. The employee provides the employer with reliable information about himself. The employer verifies the accuracy of the information by comparing the data provided by the employee with the documents in the employee's possession. Submission by the employee of forged documents or knowingly false information when applying for a job is grounds for terminating the employment contract.

6.5. When applying for a job, the employee fills out a questionnaire and an autobiography.

6.5.1. The questionnaire is a list of questions about the employee's personal data.

6.5.2. The questionnaire is filled out by the employee himself. The employee must fill in all of its fields and give full answers to all questions, in strict accordance with the entries in his personal documents, avoiding corrections, strikethroughs, dashes and blots.

6.5.3. The autobiography is a document describing, in chronological order, the main stages of the life and activities of the hired employee.

6.5.4. The autobiography is written in free form, without blots or corrections.

6.5.5. The employee's questionnaire and autobiography must be kept in the employee's personal file. The personal file also stores other personal records relating to the employee's personal data.

6.5.6. The employee's personal file is opened after the issuance of the employment order.

6.5.7. All documents in the personal file are filed in a cover of the form established at the enterprise. The cover indicates the employee's surname, first name and patronymic and the number of the personal file.

6.5.8. Each file is accompanied by two color photographs of the employee, size ______.

6.5.9. All documents received into the personal file are arranged in chronological order. The sheets of documents filed in the personal file are numbered.

6.5.10. The personal file is maintained throughout the employee's entire period of work. Changes made to the personal file must be confirmed by the relevant documents.

7. TRANSFER OF PERSONAL DATA

7.1. When transferring an employee's personal data, the employer must comply with the following requirements:

  • not disclose the employee's personal data to a third party without the employee's written consent, except where necessary to prevent a threat to the employee's life or health and in cases established by federal law;
  • not disclose the employee's personal data for commercial purposes without his written consent;
  • warn persons receiving an employee's personal data that the data may be used only for the purposes for which it was disclosed, and require those persons to confirm that this rule has been observed; persons receiving an employee's personal data are required to maintain confidentiality; this requirement does not apply to the exchange of employees' personal data in the manner prescribed by federal laws;
  • allow access to employees' personal data only to specially authorized persons, and only to the personal data each such person needs to perform specific functions;
  • not request information about the employee's state of health, except for information relevant to the employee's ability to perform his job function;
  • transfer an employee's personal data to employee representatives in the manner prescribed by the Labor Code of the Russian Federation, and limit it to the personal data those representatives need to perform their functions.

8. ACCESS TO EMPLOYEE'S PERSONAL DATA

8.1. Internal access (access within the enterprise).

The following persons have the right of access to an employee's personal data:

  • the head of the enterprise;
  • the head of the Human Resources Department;
  • heads of structural divisions, within their area of activity (access only to the personal data of employees of their own division), in agreement with the head of the enterprise;
  • when an employee is transferred from one structural division to another, the head of the new division may be given access to the employee's personal data in agreement with the head of the enterprise;
  • accounting staff, for the data needed to perform specific functions;
  • the employee himself, as the subject of the data.

8.2. External access.

Outside the organization, personal data may be provided to the following state and non-state bodies:

  • tax inspectorates;
  • law enforcement agencies;
  • statistical bodies;
  • insurance agencies;
  • military registration and enlistment offices;
  • social insurance bodies;
  • pension funds;
  • divisions of municipal government.

8.3. Other organizations.

Information about an employee (including a dismissed employee) may be provided to another organization only upon a written request on that organization's letterhead, with a copy of the employee's application attached.

8.4. Relatives and family members.

An employee's personal data may be provided to his relatives or family members only with the employee's written permission.

9. PROTECTION OF PERSONAL DATA OF EMPLOYEES

9.1. In order to ensure the safety and confidentiality of personal data of employees of the organization, all operations for the design, formation, maintenance and storage of this information should be performed only by employees of the personnel department who carry out this work in accordance with their official duties set out in their job descriptions.

9.2. Answers to written requests from other organizations and institutions within their competence and powers granted are given in writing on the letterhead of the enterprise and to the extent that allows not disclosing excessive personal information about the employees of the enterprise.

9.3. Transfer of information containing the personal data of employees of the organization by telephone, fax or e-mail without the written consent of the employee is prohibited.

9.4. Personal files and documents containing personal data of employees are stored in lockers (safes) that provide protection against unauthorized access.

9.5. Personal computers containing personal data must be protected with access passwords.

10. RESPONSIBILITY FOR DISCLOSURE OF INFORMATION RELATED TO THE PERSONAL DATA OF THE EMPLOYEE

10.1. Persons guilty of violating the rules governing the receipt, processing and protection of personal data of an employee shall bear disciplinary, administrative, civil or criminal liability in accordance with federal laws.

1. General Provisions

1.1. The aim of this Regulation is the protection of personal data of employees from unauthorized access, misuse or loss.

1.2. This Regulation has been developed on the basis of the articles of the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Code of Administrative Offenses of the Russian Federation, the Civil Code of the Russian Federation, the Criminal Code of the Russian Federation, as well as the Federal Law "On Information, Informatization and Information Protection".

1.3. Personal data is classified as confidential information. The confidentiality of personal data is removed in cases of depersonalization or after 75 years of storage, unless otherwise provided by law.

1.4. This Regulation is approved and put into effect by order of the CEO and is mandatory for all employees who have access to personal data of employees.

2. The concept and composition of personal data

2.1. Employee's personal data - information required by the employer in connection with labor relations and relating to a particular employee. Information about employees is understood as information about the facts, events and circumstances of an employee's life, which makes it possible to identify his personality.

2.2. The employee's personal data includes:

Personal and biographical data;

Education;

Information about labor and general experience;

Information about the composition of the family;

Passport data;

Information about military registration;

Information about the employee's salary;

Information about social benefits;

Speciality;

Position held;

Presence of a criminal record;

Residence address;

Home phone;

Place of work or study of family members and relatives;

The nature of relationships in the family;

The composition of the declared information on the presence of material assets;

Originals and copies of orders on personnel;

Personal files and work books of employees;

Grounds for orders on personnel;

Copies of reports sent to the statistical authorities.

2.3. These documents are confidential, although, given their mass character and the single place of their processing and storage, a corresponding access-restriction marking is not placed on them.

3. Processing of personal data

3.1. The processing of personal data of an employee means the receipt, storage, combination, transfer or any other use of personal data of an employee.

3.2. In order to ensure the rights and freedoms of man and citizen, the employer and his representatives, when processing the personal data of the employee, must comply with the following general requirements:

3.2.1. The processing of personal data of an employee may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts, assisting employees in employment, training and promotion, ensuring the personal safety of employees, controlling the quantity and quality of work performed and ensuring the safety of property.

3.2.2. When determining the scope and content of the processed personal data of an employee, the employer must be guided by the Constitution of the Russian Federation, the Labor Code and other federal laws.

3.2.3. Obtaining personal data can be carried out both by submitting them by the employee himself, and by obtaining them from other sources.

3.2.4. Personal data should be obtained from the employee himself. If the employee's personal data can only be obtained from a third party, then the employee must be notified of this in advance and written consent must be obtained from him. The employer must inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee's refusal to give written consent to receive them.

3.2.5. The employer does not have the right to receive and process the personal data of the employee about his political, religious and other beliefs and private life. In cases directly related to issues of labor relations, data on the employee's private life (information about life in the field of family, household, personal relations) can be obtained and processed by the employer only with his written consent.

3.2.6. The employer does not have the right to receive and process the employee's personal data on his membership in public associations or his trade union activities, except as otherwise provided by federal law.

3.3. The following employees may have access to the processing, transfer and storage of an employee's personal data:

Accounting;

Employees of the personnel management service;

Computer department staff.

3.4. The use of personal data is possible only in accordance with the purposes that determined their receipt.

3.4.1. Personal data cannot be used for the purpose of causing property and moral damage to citizens, making it difficult to exercise the rights and freedoms of citizens of the Russian Federation. Restriction of the rights of citizens of the Russian Federation based on the use of information about their social origin, racial, national, linguistic, religious and party affiliation is prohibited and punishable in accordance with the law.

3.5. The transfer of personal data of an employee is possible only with the consent of the employee or in cases expressly provided for by law.

3.5.1. When transferring personal data of an employee, the employer must comply with the following requirements:

Do not disclose the personal data of the employee to a third party without the written consent of the employee, except when it is necessary in order to prevent a threat to the life and health of the employee, as well as in cases established by federal law;

Do not disclose the employee's personal data for commercial purposes without his written consent;

Warn persons receiving employee personal data that the data may only be used for the purposes for which it is disclosed, and require these persons to confirm that this rule has been observed. Persons receiving personal data of an employee are required to maintain secrecy (confidentiality). This provision does not apply to the exchange of personal data of employees in the manner prescribed by federal laws;

Allow access to the personal data of employees only to specially authorized persons specified by the order of the organization, while these persons should have the right to receive only those personal data of the employee that are necessary to perform specific functions;

Do not request information about the health status of the employee, with the exception of information that relates to the issue of the employee's ability to perform a labor function;

Transfer personal data of an employee to employee representatives in the manner prescribed by the Labor Code, and limit this information only to those personal data of an employee that are necessary for the specified representatives to perform their functions.

3.5.2. The transfer of personal data from the holder or his representatives to an external consumer may be allowed to a minimum extent and only for the purpose of performing tasks corresponding to the objective reason for collecting this data.

3.5.3. When transferring personal data of an employee to consumers (including for commercial purposes) outside the organization, the employer must not disclose this data to a third party without the written consent of the employee, except when it is necessary to prevent a threat to the life and health of the employee or in cases established by federal law.

3.6. All confidentiality measures during the collection, processing and storage of an employee's personal data apply to both paper and electronic (automated) media.

3.7. It is not allowed to answer questions related to the transfer of personal information by telephone or fax.

3.8. The storage of personal data must take place in a manner that excludes their loss or their misuse.

3.9. When making decisions affecting the interests of the employee, the employer does not have the right to rely on the employee's personal data obtained solely as a result of their automated processing or electronic receipt. The employer takes into account the personal qualities of the employee, his conscientious and efficient work.

4. Access to personal data

4.1. Internal access (access within the organization).

4.1.1. The following persons have the right to access personal data of an employee:

CEO of the organization;

Heads of structural divisions in the direction of activity (access to personal data only for employees of their division);

When transferring from one structural unit to another, the head of the new unit may have access to the employee's personal data;

The employee himself, as the subject of the data;

Other employees of the organization in the performance of their official duties.

4.1.2. The list of persons having access to the personal data of employees is determined by the order of the General Director of the organization.

4.2. External access.

4.2.1. The mass consumers of personal data outside the organization include state and non-state functional structures:

Tax inspections;

Law enforcement agencies;

Bodies of statistics;

Insurance agencies;

Military registration and enlistment offices;

Social insurance bodies;

Pension funds;

Subdivisions of municipal governments.

4.2.2. Supervisory and control bodies have access to information only in the area of their competence.

4.2.3. Organizations to which an employee may transfer money (insurance companies, non-state pension funds, charitable organizations, credit institutions) can access the personal data of the employee only with his written permission.

4.2.4. Other organizations.

Information about a current or already dismissed employee can be provided to another organization only upon a written request on that organization's letterhead, with a copy of the employee's notarized application attached.

Personal data of an employee may be provided to relatives or members of his family only with the written permission of the employee himself.

In the event of a divorce, the former spouse (husband or wife) has the right to apply to the organization with a written request for the amount of the employee's salary without the employee's consent (Criminal Code of the Russian Federation).

5. Protection of personal data

5.1. A threat or danger of loss of personal data is understood as a single or complex, real or potential, active or passive manifestation of the capabilities of external or internal threat sources to create adverse events and to have a destabilizing effect on protected information.

5.2. The risk of a threat to any information resource is created by natural disasters, extreme situations, terrorist acts, failures of technical means and communication lines, other objective circumstances, as well as by persons interested and not interested in the emergence of a threat.

5.3. The protection of personal data is a strictly regulated and dynamic technological process which prevents violation of the availability, integrity, reliability and confidentiality of personal data and, ultimately, ensures sufficiently reliable information security in the course of the company's management and production activities.

5.4. The protection of the employee's personal data from their unlawful use or loss must be ensured by the employer at his expense in the manner prescribed by federal law.

5.5. Internal protection.

5.5.1. The main culprit of unauthorized access to personal data is, as a rule, the personnel working with documents and databases. The regulation of personnel access to confidential information, documents and databases is one of the main areas of organizational information protection and is intended to delimit powers between managers and specialists of the organization.

5.5.2. To ensure the internal protection of personal data of employees, a number of measures must be observed:

Restriction and regulation of the composition of employees whose functional responsibilities require knowledge of confidential information;

Strict selective and reasonable distribution of documents and information among employees;

Rational placement of employees' workplaces, which would exclude the uncontrolled use of protected information;

Knowledge by the employee of the requirements of regulatory and methodological documents on the protection of information and the preservation of secrecy;

Availability of the necessary conditions in the premises for working with confidential documents and databases;

Determination and regulation of the composition of employees who have the right of access (entry) to the premises in which computer equipment is located;

Organization of information destruction procedure;

Timely detection of violations of the requirements of the permissive access system by the employees of the unit;

Educational and explanatory work with employees of the division to prevent the loss of valuable information when working with confidential documents;

Issuance of employees' personal files to the workplaces of managers is not allowed. Personal files can be issued to the workplace only of the General Director and employees of the personnel department and, in exceptional cases, with the written permission of the General Director, of the head of a structural unit (for example, when preparing materials for employee certification).

5.5.3. Protection of personal data of an employee on electronic media.

All folders containing personal data of an employee must be protected with a password, which is reported to the head of the personnel management service and the head of the information technology service.

5.6. External protection.

5.6.1. To protect confidential information, purposeful unfavorable conditions and insurmountable obstacles are created for a person trying to make unauthorized access and mastery of information. The purpose and result of unauthorized access to information resources can be not only the acquisition of valuable information and its use, but also their modification, destruction, introduction of a virus, substitution, falsification of the content of document details, etc.

5.6.2. An outsider is any person who is not directly related to the activities of the company, visitors, employees of other organizational structures. Unauthorized persons should not know the distribution of functions, work processes, the technology for compiling, processing, maintaining and storing documents, cases and working materials in the personnel department.

5.6.3. To ensure external protection of personal data of employees, a number of measures must be observed:

The procedure for receiving, recording and monitoring the activities of visitors;

The access control regime of the organization;

Accounting for and the procedure for issuing identification certificates;

Technical means of protection, signaling;

The order of protection of the territory, buildings, premises, vehicles;

Requirements for the protection of information during interviews and conversations.

5.7. All persons involved in the receipt, processing and protection of personal data are required to sign an obligation not to disclose the personal data of employees.

5.8. Where possible, personal data is anonymised.

5.9. In addition to the personal data protection measures established by law, employers, employees and their representatives may develop joint measures to protect the personal data of employees.

6. Rights and obligations of an employee

6.1. The consolidation of the rights of the employee, regulating the protection of his personal data, ensures the safety of complete and accurate information about him.

6.2. Employees and their representatives must be familiarized against receipt with the documents of the organization that establish the procedure for processing personal data of employees, as well as their rights and obligations in this area.

6.3. In order to protect personal data stored by the employer, the employee has the right to:

Request the deletion or correction of incorrect or incomplete personal data;

Free access to his personal data, without charge, including the right to receive copies of any record containing personal data;

Supplement personal data of an evaluative nature with a statement expressing his own point of view;

Designate his representatives to protect his personal data;

To preserve and protect their personal and family secrets.

6.4. The employee is obliged:

Transfer to the employer or his representative a set of reliable, documented personal data, the composition of which is established by the Labor Code of the Russian Federation;

Inform the employer in a timely manner about changes in his personal data.

6.5. Employees inform the employer about a change of last name, first name, patronymic or date of birth, which is reflected in the work book on the basis of the submitted documents. If necessary, data on education, profession, specialty, assignment of a new category, etc. are also changed.

6.6. In order to protect privacy, personal and family secrets, employees should not waive their right to process personal data only with their consent, as this may result in moral, material harm.

7. Responsibility for disclosure of confidential information, related to personal data

7.1. Personal responsibility is one of the main requirements for organizing the functioning of a personal information protection system and a prerequisite for ensuring the effectiveness of this system.

7.2. Legal entities and individuals who, in accordance with their powers, possess, receive and use information about citizens are liable in accordance with the legislation of the Russian Federation for violation of the protection regime, the processing and the procedure for using this information.

7.3. A manager who allows an employee to access a confidential document is personally responsible for this permission.

7.4. Each employee of the organization who receives a confidential document for work is solely responsible for the safety of the medium and the confidentiality of information.

7.5. Persons guilty of violating the rules governing the receipt, processing and protection of personal data of an employee shall bear disciplinary, administrative, civil or criminal liability in accordance with federal laws.

7.5.1. For non-fulfillment or improper fulfillment by the employee through his fault of the duties assigned to him to comply with the established procedure for working with confidential information, the employer has the right to apply disciplinary sanctions provided for by the Labor Code.

7.5.2. Officials responsible for maintaining the personal data of an employee are obliged to provide everyone with the opportunity to familiarize themselves with documents and materials that directly affect their rights and freedoms, unless otherwise provided by law. Unlawful refusal to provide duly collected documents, untimely provision of such documents or other information in cases provided for by law, or provision of incomplete or deliberately false information entails the imposition of an administrative fine on officials in the amount determined by the Code of Administrative Offenses.

7.5.3. In accordance with the Civil Code, persons who illegally obtained information constituting an official secret are obliged to compensate for the losses caused, and the same obligation is imposed on employees.

7.5.4. Criminal liability for violation of privacy (including illegal collection or dissemination of information about the private life of a person constituting his personal or family secret without his consent), illegal access to legally protected computer information, illegal refusal to provide duly collected documents and information (if these acts caused harm to the rights and legitimate interests of citizens) committed by a person using his official position is punishable by a fine, or deprivation of the right to hold certain positions or engage in certain activities, or arrest in accordance with the Criminal Code of the Russian Federation.


Order on the protection of personal data of employees: a sample of this document is presented in the article below. The order establishes the obligation of responsible persons to ensure the confidentiality of personal information and determines the degree of access to it for each official. In our article you will also find brief information about the content of this document.

Order on the protection of personal data

Personal data (hereinafter referred to as PD) of an employee is any information that allows third parties to identify him. PD must be reliably protected from unauthorized access; violation of this rule entails the imposition of an administrative penalty on the individual or legal entity working with it.

To ensure data confidentiality, it is necessary to develop and implement a multi-level information protection system at the enterprise, an integral part of which is the creation of organizational documentation that determines the procedure for working with such information about employees. The order on the protection of personal data defines the key points of the policy of the enterprise's management in the field of the use of confidential information about the identity of employees, and also establishes a list of positions and persons occupying them, whose powers include the collection, storage and processing of data.

Sample order on personal data of employees

For clarity, we suggest that you familiarize yourself with a sample order on the PD of employees compiled by our specialists:

OOO Kompakt-M

Yekaterinburg

31.08.2017


Order No. 11

on the protection of personal data of employees

In order to fulfill the requirements established by Ch. 14 of the Labor Code of the Russian Federation, as well as the federal law "On Personal Data" No. 152 of July 27, 2006,

I ORDER:

  1. Approve the Regulation on the protection of personal data and put it into effect on 09/01/2017.
  2. Approve the list of persons entitled to work with personal data of employees, as well as determine the completeness of the access granted:
    • CEO Petrushin A.P. - access without restrictions;
    • Chief Accountant Ivlikova E. P. - access without restrictions;
    • Senior Human Resources Inspector Mironova O. S. - access without restrictions;
    • accountants of the settlement group Nikonova N. Z. and Poletaeva V. G. - access without restrictions.
  3. Appoint Senior Human Resources Inspector Mironova O. S. as the person responsible for ensuring the implementation of the process of collecting, processing and storing personal data of employees.
  4. To impose on the responsible person the obligation to familiarize the employees specified in paragraph 2 of the order with the Regulations on the protection of personal data of employees, and obtain from them a written obligation not to disclose the personal data of employees.

Director General of Kompakt-M LLC Petrushin A.P.: (signature).

So, the order on the protection of personal data contains a documented will of the head of the organization on the approval of the documentation that determines the procedure for working with such data, and establishes a list of persons who have access to work with them. All employees of the organization using PD in the course of their work activities must be familiarized with this order against signature.