Personal data from open sources. What personal data is publicly available. What is an operator and subject of personal data

“Person” - data that relates to a person, personality, biological organism.

What is it, how to collect it, where to store it, how to protect it?

Is a fingerprint card personal data or not?

It contains no personal information.

Personal data - any information relating to an individual identified or determined on the basis of such information (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, other information;

Address is registration at the place of residence or place of stay.

Conditional classification of personal data.

1) according to the degree of openness:

publicly available personal data - personal data that is accessible to an unlimited number of persons with the consent of the personal data subject, or which, in accordance with federal laws, is not subject to confidentiality requirements.

Public personal data is data for which voluntary consent has been given and which is posted in the public domain.

Site owners often ask for registration information that people do not want to provide.

Confidential information – information provided strictly for specific purposes. Sometimes it can be collected without the person's knowledge.

The Ministry of Internal Affairs stores information in information centers

2) by affiliation

- personal - belongs from birth

- official - in the course of work, service - class rank, etc.

3) by method of provision

— voluntarily provided information

- provided in a general manner in accordance with the law (compulsory)

— collected without the consent of a citizen in accordance with the law

4) by the nature of the data

— biometric (fingerprint information)

Basic concepts used when working with personal data.

— processing of personal data — actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data;

— distribution of personal data — actions aimed at transferring personal data to a certain circle of persons (transfer of personal data) or at making personal data available to an unlimited number of persons, including the publication of personal data in the media, posting in information and telecommunication networks, or providing access to personal data in any other way;

— use of personal data — actions (operations) with personal data performed by the operator for the purpose of making decisions or performing other actions that give rise to legal consequences in relation to the subject of personal data or other persons or otherwise affect the rights and freedoms of the subject of personal data or other persons;

— blocking of personal data — temporary cessation of the collection, systematization, accumulation, use, dissemination of personal data, including their transfer;

Information posted on the Internet often cannot be blocked.

Most personal data:

- stored on a computer

- posted on the Internet

It’s difficult to control placement

— destruction of personal data — actions as a result of which it is impossible to restore the content of personal data in the personal data information system or as a result of which material media of personal data are destroyed (for example, situations when archives were on fire);

depersonalization of personal data

— depersonalization of personal data — actions as a result of which it is impossible to determine which specific subject the personal data belongs to;

— personal data information system — an information system, which is a collection of personal data contained in a database, as well as information technologies and technical means that allow the processing of such personal data using automation tools or without the use of such tools;

— confidentiality of personal data — a requirement, binding on the operator or any other person who has gained access to personal data, not to allow its distribution without the consent of the subject of personal data or the presence of another legal basis;

— cross-border transfer of personal data — transfer of personal data by the operator across the State Border of the Russian Federation to an authority of a foreign state, or to an individual or legal entity of a foreign state;

— publicly available personal data — personal data that is accessible to an unlimited number of persons with the consent of the subject of personal data, or which, in accordance with federal laws, is not subject to confidentiality requirements.

Processing of personal data.

1) the legality of the purposes and methods of processing personal data and integrity;

2) compliance of the purposes of processing personal data with the goals predetermined and stated when collecting personal data, as well as with the powers of the operator;

3) correspondence of the volume and nature of the personal data processed, and of the methods of processing personal data, to the purposes of processing personal data;

4) the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is excessive in relation to the purposes stated when collecting personal data;

5) inadmissibility of combining databases of personal data information systems that were created for incompatible purposes.

If at some time someone filled out a fingerprint card, then it is in the information center in their databases. We cannot, for example, combine databases of ordinary citizens and those who have committed a crime.

1) with the consent of the owner of personal data

2) without the consent of the owner of the personal data.

This applies to persons of a certain position and status: military personnel, corpses

Confidentiality of personal data:

When not required:

1) in case of depersonalization of personal data;

2) in relation to publicly available personal data.

- the operator who collects and processes personal data.

— limit access within your own organization

The operator is personally responsible for the dissemination of personal data

— establishing access restrictions both indoors and online (pass system, card identification system)

For local networks – system login + password

You can restrict access using biometric information: fingerprint, retina.

- about race

- about political views

- about religious or philosophical beliefs

- about the state of health

- about intimate life

Their processing is possible only with the consent of the subjects.

1) the presence of written consent of the subject for their processing

2) if the subject of personal data has made them publicly available

3) if this information refers to information necessary to protect the life, health and other vital interests of a person

Such information may be provided for medical and preventive purposes - for example, a viral infection.

Features of the processing of personal data in state or municipal information systems for processing personal data.

- applies only to civil servants and municipal employees.

The state body has its own status; there are independent systems for processing information about state or municipal employees.

1) it is established what information is needed within its competence

2) there is also the Federal Law “On the State Civil Service”, that is, it is regulated not only by the legislation on personal data.

Information that characterizes the physiological characteristics of a person and on the basis of which his identity can be established (biometric personal data) can only be processed with written consent of the subject of personal data, except for the following cases:

1) committing a crime

Processing of biometric personal data can be carried out without the consent of the subject of personal data in connection with the administration of justice, as well as in cases provided for by the legislation of the Russian Federation on security, the legislation of the Russian Federation on operational investigative activities, the legislation of the Russian Federation on civil service, the criminal executive legislation of the Russian Federation, and the legislation of the Russian Federation on the procedure for leaving the Russian Federation and entering the Russian Federation.

- collecting information from a suspect is illegal

Processing of cross-border information.

It can be demanded, in order to protect the citizens of the country to which it is transferred, that it is collected only with the written consent of the subject.

Rights of the subject of personal data.

1) The right of the subject of personal data to access his personal data

You can't call the Information Center of the Ministry of Internal Affairs (main information center and zonal information center)

2) The rights of personal data subjects to the processing of their personal data in order to promote goods, works, services on the market, as well as for the purposes of political propaganda

The accuracy of the information will be verified by others.

3) making decisions based solely on automated processing of personal data. A person may not trust automated processing. You can require that fingerprints be stored not only in the computer, but also on paper.

— Labor Code of the Russian Federation - there is a chapter devoted to personal data.

FEDERAL LAW ON STATE FINGERPRINT REGISTRATION IN THE RUSSIAN FEDERATION dated July 25, 1998 N 128-FZ

Public personal data is

Personal information - any information relating to an individual who is identified or determined on the basis of such information, including:

His last name, first name, patronymic,

Year, month, date and place of birth,

Address, family, social, property status, education, profession, income,

other information (see Federal Law-152, Article 3).

For example: passport data, financial statements, medical records, year of birth (for women), biometrics, other personal identification information.

Public sources of personal data (address books, lists and other information support) may, with the written consent of an individual, include his last name, first name, patronymic, year and place of birth, address, subscriber number and other personal data (see Federal Law-152, Article 8).

Personal data is classed as information of limited access and should be protected in accordance with the legislation of the Russian Federation. When developing system security requirements, personal data is divided into 4 categories.

What is the operator and subject of personal data?

Personal data operator - as a rule, an organization, or more precisely a state or municipal body, legal entity or individual that organizes and/or carries out the processing of personal data and determines the purposes and content of that processing.

Subject of personal data is an individual.

The operator is responsible for the protection of the subject’s personal data in accordance with the current legislation of the Russian Federation.

How to classify a personal data information system?

To assign a typical personal data information system (PDIS) to a particular class, it is necessary to:

II. Determine the volume of personal data processed in the information system:

volume 3 — the information system simultaneously processes data of fewer than 1,000 personal data subjects, or personal data of subjects within a specific organization;

volume 2 — from 1,000 to 100,000 personal data subjects, or personal data of subjects working in the economic sector of the Russian Federation, in a government body, or living within a municipality;

volume 1 — the information system simultaneously processes personal data of more than 100,000 personal data subjects, or personal data of subjects within a subject of the Russian Federation or the Russian Federation as a whole;

III. Based on the results of the analysis of the initial data, a typical ISPD is assigned one of the following classes (see table):

Class 4 (K4) - information systems for which violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data;

Class 3 (K3) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to minor negative consequences for the subjects of personal data;

Class 2 (K2) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to negative consequences for the subjects of personal data;

Class 1 (K1) - information systems for which a violation of the specified security characteristics of personal data processed in them can lead to significant negative consequences for the subjects of personal data.

Judgment Day delayed until January 1, 2011

Personal data information systems created before the entry into force of Federal Law of the Russian Federation No. 152 “On Personal Data” must be brought into compliance with the requirements of this Federal Law no later than January 1, 2010 (see Federal Law No. 152, Article 25).

This means that personal data operators who fail to comply with the very stringent requirements of Federal Law No. 152 will, from January 1, 2010, face the appropriate civil, administrative, disciplinary, and perhaps (God forbid) criminal liability.

All information systems that have already been put into operation after February-April 2008 (from the moment of distribution of methodological documents by the FSTEC of Russia and the FSB of Russia), but do not comply with the requirements of Russian legislation in the field of personal data, may incur the specified liability earlier, for example, tomorrow morning.

Note. Changes to the Criminal Code of the Russian Federation, significantly tightening liability for violations affecting privacy, will also come into force on January 1, 2010.

But as always happens, personal data operators did not move much, and few managed to do everything that was required. On December 16, 2009, the State Duma adopted in the third reading amendments to Articles 19 and 25 of the Law “On Personal Data” (152-FZ). The deadline for bringing personal data information systems (PDIS) into compliance with this law was postponed by a year - until January 1, 2011. In addition, the provision obliging the operator to use encryption (cryptographic) means to protect data when processing personal data was removed from the law.

Mandatory requirements for the protection of personal data information systems

Basic mandatory requirements for organizing an information security system depending on the class of a typical ISPD:

For class 4 ISPD:

The list of measures to protect personal data is determined by the operator (depending on the possible damage)

For class 3 ISPD:

Declaration of conformity or

Obtaining a license from FSTEC of Russia for activities related to technical protection of confidential information (for distributed class K3 ISPD systems)

For class 2 ISPD:

Mandatory certification for information security requirements

Obtaining a license from FSTEC of Russia for activities related to technical protection of confidential information for distributed systems

For class 1 ISPD:

Mandatory certification for information security requirements

Measures must be implemented to protect personal data from PEMIN

Obtaining a license from FSTEC of Russia for activities related to technical protection of confidential information

Procedure for protecting the personal data information system

Sequence of actions when fulfilling legal requirements for the processing of personal data:

1) Notification to the authorized body for the protection of the rights of personal data subjects about your intention to process personal data using automation tools;

2) Pre-project survey of the information system - collection of initial data;

3) Classification of the personal data processing system;

4) Construction of a private threat model in order to determine their relevance to the information system;

5) Development of a private technical specification for a personal data protection system;

6) Design of a personal data protection system;

Responsibility for violations of personal data processing

Persons guilty of violating the requirements of Federal Law 152-FZ “On Personal Data” bear:

- criminal (see Criminal Code of the Russian Federation, Art. 137, 140, 155, 183, 272, 273, 274, 292, 293),

- administrative (see Code of the Russian Federation on Administrative Offenses, Articles 5.27, 5.39, 11.13-13.14, 13.19, 19.4-19.7, 19.20, 20.25, 32.2),

- disciplinary (see Labor Code of the Russian Federation, Art. 81; Art. 90; Art. 195; Art. 237; Art. 391)

and other responsibility provided for by the legislation of the Russian Federation (see by-laws on working with personal data, which are published in the constituent entities of the Russian Federation, departments and organizations).

FSTEC - Federal Service for Technical and Export Control.

PEMIN - side (spurious) electromagnetic radiation and interference.

Protection of personal information

In December 2014, the State Duma adopted in the third reading a bill on storing personal data of citizens processed on the Internet on servers in Russia. According to Roman Chuichenko, a member of the information policy committee, the main goal of the bill is to strengthen the information security of the country and its citizens. This measure was taken due to the complication of the international situation. This bill will come into force on September 1, 2015.

The entry into force of the new regulation on the protection of personal data requires that personal data operators provide:

  • timely detection of unauthorized access to personal data;
  • preventing interference with the technical means that carry out automated processing of personal data;
  • the ability to promptly respond to the fact of unauthorized access and immediately restore personal data in cases of their destruction or modification;
  • constant monitoring of the level of security of personal data.

Categories of personal data

Processing of ISPD can also be carried out according to the parameter “volume of personal data processed”, which assumes the number of subjects processed in the information system and can take the following values:

  • simultaneous processing of more than 100 thousand subjects of personal data (performed both within the subject of the Russian Federation and in the Russian Federation as a whole);
  • simultaneous processing of personal data from 1 to 100 thousand subjects (performed in a government agency working in the field of the Russian economy);
  • simultaneous processing of personal data of less than 1 thousand subjects (performed within a specific organization).

Division into categories makes it possible not only to determine the class of ISPD, but also to establish a set of measures to ensure the security and protection of personal data on the Internet when it is processed in information systems.

Employee personal data

Every employee has the right to protect their personal data (clause 9 of Article 86 of the Labor Code of the Russian Federation).

In accordance with Art. 89 of the Labor Code of the Russian Federation, each employee can exercise his right to the protection of personal data through the following actions:

  • free access to your personal data, including obtaining a copy of any record containing the employee’s personal data;
  • determining a personal representative to protect your personal data;
  • obtaining complete information about personal data and their processing;
  • issuing demands for the exclusion or correction of personal data containing incorrect information or if it was processed in violation of legal requirements;
  • appealing in court against the employer’s unlawful actions, as well as his inaction in processing and protecting personal data.

Composition of the employee’s personal data

Based on clause 2 of Article 86 of the Labor Code of the Russian Federation, the volume and content of the employee’s personal data are determined by the employer in accordance with the Constitution of the Russian Federation, the Labor Code and other federal laws. As a rule, the activities of any organization require the employer to use two main types of documents in document flow:

  1. Documents that are provided by the employee when concluding an employment contract (Article 65 of the Labor Code of the Russian Federation). This category includes documents containing a photograph of the employee, full name, information about place and date of birth, citizenship, marital status, place of registration, education, specialty (passport, insurance certificate of state pension insurance, military ID, etc.).
  2. Documents that are generated by the employer independently (primary accounting documentation for recording labor and its payment). This category includes orders or instructions on hiring an employee, terminating an employment contract, rewarding an employee, a personal card, and documents on remuneration.

Protection of personal data, liability for violation of laws

Let us note that some sanctions for certain offenses apply to individuals and officials as well as to legal entities.

In accordance with Article 150 of the Civil Code of the Russian Federation, the inviolability of private life, personal and family secrets is among the inalienable intangible rights that are protected by current laws.

Let us note that the rights and obligations of an employee that are directly related to the personal data of other employees are determined by the terms of the employment contract and the composition of local regulations establishing the employee’s labor functions and the list of his job responsibilities.

Administrative responsibility. Violation of the procedure for collecting, storing and distributing personal data entails a warning or a fine in the amount of: from 300 to 500 rubles - for individuals; from 500 to 1000 rubles - for officials; from 5 to 10 thousand rubles - for legal entities (Article 13.11 of the Code of Administrative Offenses of the Russian Federation). Administrative liability for the dissemination of information protected by law in the performance of official and professional duties entails a fine in the amount of: from 500 to 1000 rubles - for individuals; from 4 to 5 thousand rubles - for officials (Article 13.14 of the Code of Administrative Offenses of the Russian Federation).

Violation of privacy, in particular personal data, by a person using his official position is punishable by:

  • a fine in the amount of 100 to 300 thousand rubles, wages or other income of the offender for 1-2 years;
  • deprivation of the right to hold certain positions for a period of 2 to 5 years;
  • arrest for a period of 4 to 6 months.

Confirmation of permission to process personal data is now asked when concluding contracts, filling out forms, or registering on websites. Most citizens automatically agree, although personal information about a person in the hands of unscrupulous persons is a powerful and dangerous weapon. The article talks about what you need to know about personal data, opening access to it to third parties.

Personal data: what is it, regulatory framework

The state regulates the field of personal data through a number of regulations. The foundation is the Constitution of the Russian Federation; the basis is Federal Law No. 152 of January 27, 2006. The law explains what personal data is and what applies to it. This term means information that directly or indirectly characterizes the subject of personal data - an individual. In simple terms, it can be used to determine accurately that we are talking about a specific person.

There is an indirect mention of personal data in the Russian Constitution. Articles 23–24 of the Basic Law give citizens the right to privacy, inviolability and protection. Everything that is included in the concept of personal data belongs only to its owner and cannot be controlled by the government or third parties. Citizens themselves are free to manage this information, prevent its dissemination, or, conversely, pass it on to others. The state, for its part, guarantees and protects this opportunity.

Federal Law No. 152 determines who has the right to use personal data other than its carrier, under what conditions, according to what rules. Only operators with his permission can receive and process personal information about the subject. The citizen signs consent to verify his personal data when applying for a loan, filling out questionnaires or applying for a job.

Operators have access to the amount of data required to solve their problems. They have no right to keep or use them after the purpose has been achieved. For example, the employer must destroy records, questionnaires - everything that relates to the employee’s personal data after his dismissal. Otherwise, there is a risk of liability for

The norms of Federal Law No. 152 must be followed by all legal entities and individuals. Special rules apply when the PD:

  1. received for personal or family needs, if this does not infringe on the rights of third parties;
  2. contained in archival documents;
  3. constitute state secrets;
  4. are collected by judicial act.

Other legislative acts clarify the provisions on personal data in relation to different situations, introduce a system and classification of means of protection. For example, Chapter 14 of the Labor Code of the Russian Federation reveals the concept of employee personal data. This is information that allows you to characterize him as an employee of a certain organization (salary amount, length of service, qualifications, information from the Federal Tax Service and the Pension Fund, etc.), his business qualities. They must be used and kept to assist the employee in performing his job duties, increasing experience and knowledge, promoting careers, and protecting company personnel and property.

Classification of personal data

Federal Law No. 152 identifies several types of personal data. You can arrange them according to the degree of “secrecy” and the difficulty of collection and use by third parties:

  • anonymized;
  • general;
  • biometric;
  • special.

General personal data

General personal data is basic information about a person. These include:

  • place of registration and residence;
  • passport details;
  • education;
  • contact details;
  • information about work;
  • amount of income, etc.

Not all of them individually can be classified as PD. For example, the law does not precisely determine whether a phone number is considered personal data. Roskomnadzor, in response to requests from citizens, explained that it is impossible to accurately identify a person by number alone. By itself, it is not personal, but in conjunction with the owner’s full name and city of residence, it refers to PD. Therefore, non-personalized sending of SMS messages is not considered a violation of Federal Law No. 152.

General PD is contained in a passport, military ID, diploma, personal employee card, work record book, etc. Written permission is not necessary to obtain this data; indirect permission is sufficient, for example, a check mark next to the corresponding item in the online application form. The relative ease of access often brings problems to the subjects of personal data - ordinary citizens: from intrusive advertising to blackmail and forgery of loan applications.

The personal life of a citizen, which also includes different kinds of secrets (medical, tax, adoption secrets and others), is protected from disclosure by Article 137 of the Criminal Code of the Russian Federation.

Biometric PD

Biometric data is the physiological and biological characteristics of a subject: fingerprint images, blood type, height, eye color, weight, DNA analysis, etc. This also includes information that can be obtained from a photo or video recording of a person. Biometric PD is often necessary when receiving treatment or getting a job in government agencies, obtaining foreign passports and visas.

Special PD

Race and nationality, religion, philosophical beliefs, health status, criminal records, intimate life, sexual preferences are considered special data. They are contained in medical certificates, personal files, etc.

Special PD is required to participate in political activities and join the armed forces. Third parties can access this data only with the permission of the subject.

Anonymized PD

Anonymized PD is available to any interested person. Sources of information may be:

  • address books;
  • reference books;
  • registers;

Public information that is considered personal data is, for example, the income of politicians, representatives of federal or municipal authorities, and officials in senior positions.

In November 2016, the first meeting took place of the working group of the Administration of the President of the Russian Federation on the problem of applying the provisions of Federal Law No. 152 to so-called Big Data. This is the data that comes from the user to the network: IP address, authorization forms, browser history, information that gadgets and smart household appliances accumulate about the owner.

Big Data, on the one hand, directly or indirectly refers to a person, that is, it falls under the definition of PD. At the same time, legislators do not consider Internet data as the property of an individual, since he cannot control it.

At the very end of 2015, the author of this article took part in a discussion of an interesting topic: the need to create a single publicly accessible database of unscrupulous job applicants. Our company decided to look into this issue.

The argument for the need to create such databases is simple - there are many inadequate applicants who do not come to interviews, lie on their resumes, etc., so why not bother creating a database of such comrades for the general benefit of all HR.

It must be said that the idea is not new and, for sure, a number of companies have internal databases of applicants. With the help of such databases, personnel officers weed out unsuitable candidates with minimal time spent. If we theoretically assume that all HR in the country could have such a base at their disposal, then how much better it would be for everyone. Well, right?

No, not like this. Potential benefits can easily be offset by the negativity that will inevitably arise from the misuse of data from the database, the unreasonable inclusion/exclusion of people in such databases, and issues of reputation, honor and dignity of people included in the databases.

Since 2006, the federal law “On Personal Data” has been in force in Russia, which clearly defines the conditions under which such databases can exist. So:

2. Article 6 of the federal law “On Personal Data” determines that “the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data.”

3. Article 7 of the federal law “On Personal Data” determines that “Operators and other persons who have access to personal data are obliged not to disclose to third parties or distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law.”

4. Article 8 of the federal law “On Personal Data” determines that: “1. For the purposes of information support, publicly accessible sources of personal data may be created (including directories, address books). Public sources of personal data, with the written consent of the subject of personal data, may include his last name, first name, patronymic, year and place of birth, address, subscriber number, information about profession and other personal data reported by the subject of personal data. 2. Information about the subject of personal data must be excluded at any time from publicly available sources of personal data at the request of the subject of personal data or by decision of a court or other authorized government bodies.”

5. And finally, Article 13.11 of the Code of the Russian Federation on Administrative Violations determines that “Violation of the procedure established by law for collecting, storing, using or distributing information about citizens (personal data) entails a warning or the imposition of an administrative fine on citizens in the amount of three hundred to five hundred rubles; for officials - from five hundred to one thousand rubles; for legal entities - from five thousand to ten thousand rubles.”

In other words and in short:

1. Any data relating to an individual (including just a telephone number) is personal.

2. To process personal data, you must obtain consent, which can be withdrawn at any time.

3. If someone has legal access to personal data, then it is prohibited to disclose it to anyone or share it with anyone without the consent of the personal data subject, unless otherwise provided by current legislation.

5. Liability is provided for violation of the established procedure for collecting and storing personal data.

Conclusion

The conclusion is very simple and clear: the creation of a single publicly accessible database of careless job seekers is possible only with the written consent of these same careless workers, which, naturally, reduces to zero the likelihood of the legal creation of such a database. For those who decide to create such databases and share them with friends, our company recommends that you familiarize yourself with the penalties currently in force.

Commentary on the Federal Law of July 27, 2006 N 152-FZ "On personal data" Petrov Mikhail Igorevich

Article 8. Publicly available sources of personal data

Public sources of personal data

Commentary on Article 8

1. Within the meaning of the commented Law, sources of personal data are recognized as publicly available if access to them is not limited and does not require the prior consent of the subjects of personal data. Public sources of personal data can be used by any person at their discretion, subject to the restrictions established by federal laws regarding the dissemination of such information.

The creation of publicly available sources of personal data is due to the need for information support. An analysis of the current legislation shows that publicly available sources of personal data currently include: directories, address books, encyclopedias, documents accumulated in open collections of libraries and archives, and information systems of state authorities, local governments, public associations and organizations that are of public interest or necessary for the implementation of the rights, freedoms and responsibilities of citizens. At the same time, modern science and practice have not yet been able to develop effective criteria with the help of which it would be possible to clearly distinguish between public and confidential segments of information.

The creation of publicly accessible sources of personal data, which include the surname, first name, patronymic, year and place of birth, address, subscriber number, information about profession and other personal data provided by the subject of personal data, is carried out with the mandatory consent of the latter. In addition, the subject of personal data has the right to demand that persons disseminating such information indicate themselves as the source of such information.

The use of personal data from publicly available sources implies, in turn, the exclusion of the possibility of making a profit.

In the case of processing publicly available personal data, the burden of proving that the personal data being processed is publicly available rests with the operator.

2. In order to protect the rights and legitimate interests of the subject of personal data, the legislator provides for the possibility of recalling personal data used in publicly available sources. Their exclusion can be carried out either at the request of the subject of personal data, or by decision of a court or a specially authorized government body.


The subject's personal data is classified according to the amount of personal information about the person and the degree of importance. Any transactions with them are carried out strictly within the framework of legislative acts and are subject to protection. However, there is a category of publicly available personal data that carries only superficial and impersonal information about a person.

From this article you will learn:

  • what is publicly available personal data;
  • list of publicly available personal data;
  • features of working with publicly available personal data.

When creating any database, including a list of all employees of an enterprise, at the initial stage it is necessary to categorize personal data. All personal data of employees is divided into two groups - public and confidential.

Concept and classification of personal data

Personal data (PD) is various types of information, from full name, date of birth, marital and social status, to registration numbers of documents issued by government agencies and commercial authorities. The operator of personal data is a state, federal, commercial structure, legal entity or individual who has the rights to carry out various activities using personal data.

In labor relations, the owner/subject of personal data is the employee, and the operator is the employer, together with the personnel and accounting departments involved in registering the employee for work and in all issues related to personal matters and legal relations, calculation of wages, benefits, compensation, etc. The employer needs the subject's personal data in connection with labor relations/agreements (Articles 85, 86 of the Labor Code of the Russian Federation).

The processing of personal data refers to various operations provided for by the legislation of the Russian Federation. Types of PD processing include collection, systematization, accumulation, storage, updating, use, depersonalization and destruction, which are carried out according to the procedures established by regulations. State, federal and municipal bodies and organizations that have such a right by status can carry out operations with personal data.

All PD are divided into the following sections:

  • Special personal data;
  • Biometric personal data.

When creating personal data information systems (ISPD), it is recommended to be guided by the Order of the FSTEC, FSB and the Ministry of Information Technologies and Communications of the Russian Federation No. 55/86/20 dated February 13, 2008 “On approval of the Procedure for classifying personal data information systems.” According to this regulatory act, PD is divided into categories:

  1. Category 1 – special data defining race and nationality, religious and political beliefs, facts of personal life and health status.
  2. Category 2 – data that makes it possible to identify the subject and obtain additional information about him, with the exception of information related to category 1. This section includes full name, home address, passport details, serial numbers of documents (medical policy, pension certificate, SNILS, TIN), information from work and medical records.
  3. Category 3 – data allowing to identify the subject (first name, last name, date of birth).
  4. Category 4 – anonymized or publicly available personal data from which it is impossible to identify the subject.

Publicly available personal data: list

The list of publicly available personal data includes items that do not contain information allowing a person to be identified in a database. Anonymized data includes:

  • Last name, first name and patronymic;
  • Nickname/login of the subject on the Internet;
  • Email address (without reference to full name);
  • Position, place of work (without information about personal data).

Public data includes information about the subject that can be obtained from open sources of information, for example, a telephone directory or address book. Data is entered into such public databases with the written consent of the subject.

Public personal data: features

The peculiarity of publicly available personal data is that it can be posted in open sources of information. That is, if the organization’s contact directory contains contact information for officials, for example, those involved in training and hiring personnel, then such data is considered publicly available. If a printed publication lists the names and surnames of the members of its editorial board, then this information is also publicly available.

One feature that allows publicly available data to be classified correctly is the following: the first three categories are, to one degree or another, necessary to include a subject in the ISPD, while the fourth category remains outside the requirements of information systems. If only the name and place of work are known about a person, then such information is publicly available.

When systematizing data, more accurate information will be required, which can only be obtained with the written consent of the subject to the processing of personal data. In this case, the operator assumes the responsibility to protect and comply with legally established rules for the processing and storage of personal data.