Any entity that carries out activities related to processing and storage of personal data (hereinafter referred to as PD), including through the use of a TSACS (Ticket Sales and Access Control System), must implement a personal data protection system to comply with the requirements of the federal legislation of the Russian Federation.
WHAT IS PERSONAL DATA?
According to Federal Law No. 152 FZ On Personal Data in force from January 27, 2007, aiming at ensuring the protection of human rights and freedoms, personal data is all and any information related to an identified individual or an individual being identified.
- Last name, first name, patronymic (if any);
- Date and place of birth;
- Address (domicile);
- Education, profession;
- An image of a person (photo and video) that allows identification and is used by the operator for this purpose (Roskomnadzor's Explanations of August 30, 2013 On Attributing Photo and Video Images, Fingerprint Data and Other Information to Biometric Personal Data and the Specifics of Processing the Same);
- Marital status, children, family ties;
- Background and employment history (place of work, criminal record, service in the army, work in elected positions, in public service, etc.);
- Financial standing. Wage information is also classified as personal data (letter of Roskomnadzor dated 07.02.2014 No. 08KM-3681);
- Business and other personal qualities that are evaluative in nature;
- Other information that can identify a person.
1. The system must be isolated from other information systems at the physical or logical level.
2. Access to the system should be restricted to a limited number of people defined in a document to be approved.
3. Password policy for all servers and workstations, developed and approved in the organization shall be applied to this system.
4. Data communication over open channels (the Internet) (between offices, branches) shall be VPN protected.
5. Information system must be protected with Firewall.
6. Restriction of the software environment, i.e. ensuring that only software that is allowed for use in the information system is installed and/or run, or excluding the possibility of installing and/or running software that is prohibited for use in the information system.
7. Information system shall use the differentiation of user rights.
BASIC STEPS
when developing a set of personal data processing documents:
Submit a notification to Roskomnadzor that the entity is a PD Processing Operator.
The application shall be submitted electronically on Roskomnadzor's website.
The instructions for submitting an application are included in the «Подача уведомления в Роскомнадзор (инструкция).docx» (Submitting a notification to Roskomnadzor (instructions) package at https://pd.rkn.gov.ru/operators-registry/notification/form/.
Rules (provision) for personal data processing should be developed and approved.
The provision should describe the principles of PD processing at the organization and is a general document that contains the templates of corporate documents, e.g.Consent to PD processing and other documents.
Employees who will work with personal data in the organization must be familiar with this provision.
Assign persons responsible for working with personal data and those responsible for ensuring the security of personal data.
Such a responsible person can be either an individual or a department.
In the latter case, the head of such department shall be personally responsible.
This assignment must be brought to the attention of all the employees specified in the instrument of appointment, which must be confirmed by their respective signatures.
Develop and adopt a personal data processing policy.
This document is public and will need to be posted after approval on the web site or in any place accessible to users.
Develop a consent to personal data processing (for the web site) and post it on the web site:
• Consent to personal data processing;
• Personal data processing policy;
• Public offer agreement.
Develop the necessary minimum set of documents in the organization and comply with PD processing procedures.
(The package of documents is specified in the Appendix)
LIABILITIES FOR VIOLATION OF 152-FZ:
- General liability when sanctions are imposed on the law violator;
- Administrative liability including fining, suspension of activity, prohibition to hold certain positions;
- Criminal liability, i.e. deprivation of liberty for a period determined by the legislation in a particular case;
- Disciplinary liability is imposed on an employee in the form of a remark, reprimand, or dismissal.
Please also note that when ordering the processing of personal data by a third party, a Commission Contract shall be signed between these organizations.
APPENDIX
- Minimum list of documents1. Order of appointment of the commission2. List of personal data being processed.
3. List of personal data information systems.
4. List of information resources being protected.
5. List of persons allowed to process personal data.
6. Controlled Area Order.
7. Personal data information system threat model.
8. Act of Security Level Determination.
9. Regulations on Personal Data.
10. Instructions:- Personal Data Information System User Manual
- Personal Data Information System administrator instructions
- Personal Data Information System security manager instructions
- And other instructions provided for by law
12. Personal Data Processing Policy.
13. Commission Contract for data processing by third parties.
14. Logs:- Request log
- Media accounting log
- And other logs provided for by law
- Order on the appointment of responsible persons
- Order of employees authorization
- Order of personal data protection work
- Order of internal audits
- And other orders provided for by law
17. Action plan for checking the personal data information system and employees' compliance with personal data processing procedure