All operations related to the processing of personal data in Personal Data Information Systems (ISPDN) must comply with Federal Law No. 152-FZ "On Personal Data". Every organization that processes such data has to take certain technical and organizational security measures. The first step is to determine the security level of the ISPDN, which is stipulated by Russian Government Decree No. 1119.
To understand how effectively the system mitigates the factors leading to unauthorized access to and use of personal data, you first need to determine which categories of personal data you process. Under Decree No. 1119 the category is one of the parameters that together fix the security level of the ISPDN (1, 2, 3, or 4); the others are the type of relevant threats, the number of data subjects (more or fewer than 100,000), and whether the subjects are the operator's own employees.
Personal Data categories
The separation of personal data is necessary to establish certain rules for the processing and protection of different types of information, as well as to impose penalties on organizations that violate them.
Current Russian legislation provides for four categories of personal data:
- public;
- biometric;
- special;
- other.
Public personal data
Such data is publicly available: it can be found in open resources such as directories and other published documents. The subject must have given consent to its publication. This category includes:
- name, surname, and patronymic of the subject;
- age, date of birth;
- the place of residence;
- profession, education;
- e-mail, phone number, etc.
Remember that if an individual does not agree (or no longer agrees) that information about him or her is publicly available, he or she has the right to demand its removal from the source.
Biometric personal data
Almost every company has a security system with video surveillance and restricted access to its premises or particular areas. The identifiers used to decide who may enter an area or perform an action are typically photographs, fingerprints, or retinal images. These and other physiological or biological characteristics are biometric personal data when the operator uses them to establish the subject's identity; a photograph kept in a personnel file but not used for identification is not treated as biometric data. Processing biometric data requires the written consent of the subject, except in the cases expressly listed in the law. Note also that such data may be collected, supplemented, stored, and otherwise processed only until the purpose of the processing is achieved or the period stated in the subject's signed consent has expired; after that it must be destroyed.
Special Personal Data
According to Federal Law No. 152-FZ "On Personal Data" (Art. 10), this group includes:
- race and ethnic origin (nationality);
- health-related information;
- intimate life, including sexual orientation;
- philosophical and religious beliefs;
- political views.
Data on criminal records is handled under separate rules in the same article.
Special categories are subject to a general prohibition: an operator may process them only if at least one of the conditions set out in the law is met, including:
- written consent of the data subject;
- use of information that the subject has made publicly available himself or herself;
- processing required under an international treaty of the Russian Federation;
- processing for the administration of justice or the execution of a court decision;
- a risk to the life, health, or other vital interests of the subject or of other people, where the subject's consent cannot be obtained;
- processing by a public association or religious organization of its own members' data for its statutory purposes, provided the data is not disseminated without consent.
Other personal data
There is no statutory definition of this group: it is everything that does not fall into the previous categories. In other words, to classify information as "other," the operator must check that it is neither public, nor biometric, nor special.
Liability for violating the requirements of Federal Law No. 152-FZ
Violations of the personal data law lead to penalties. If an operator fails to protect the data and it is accessed by intruders, it will be fined. The amount depends on the status of the operator and on the specific offence (the ranges below span the offences in Art. 13.11 of the Code of Administrative Offences, including repeat violations):
- an individual: from 1,500 to 50,000 rubles;
- an official: from 6,000 to 800,000 rubles;
- an individual entrepreneur: from 10,000 to 3,000,000 rubles;
- a legal entity: from 30,000 to 18,000,000 rubles.
Beyond administrative fines, the consequences can include:
- criminal liability under the Criminal Code for unlawful collection or dissemination of private information, with prison terms of up to 5 years;
- an obligation to compensate the subject for moral damage;
- compulsory suspension or termination of the personal data processing;
- suspension or termination of the operator's license, where the activity is licensed.
If personal data was collected, processed, or stored without the subject's consent, the offender is subject to the following fines:
- an individual: from 6,000 to 10,000 rubles;
- an official or individual entrepreneur: from 20,000 to 40,000 rubles;
- a legal entity: from 30,000 to 150,000 rubles.
Personal data in the cloud
Federal Law No. 152-FZ does not prohibit storing personal data in the cloud, but for the data of Russian citizens the localization requirement applies (Art. 18, part 5): the initial recording, systematization, accumulation, storage, clarification (updating, changing) and extraction must be performed using databases located on the territory of Russia. The data may then be transferred abroad, subject to the cross-border transfer rules of Art. 12 (including prior notification of Roskomnadzor, required since 2023).
To protect personal data in the cloud, the provider must meet the legal requirements, and customers should ask for proof. In practice this proof is an attestation of the provider's infrastructure against FSTEC's requirements for ISPDN (FSTEC Order No. 21), carried out by an organization licensed by FSTEC; the supervisory authorities themselves do not issue a "certificate of compliance with 152-FZ". Check the scope of the attestation: it covers the provider's platform, while you remain the operator and are still responsible for the measures on your side (access control, logging, consent records, and the classification of the data you place there).