Employee personal data: millions of fines for leakage


Personal data – key concepts

An employer is constantly faced with the issue of personal data.

Even when a potential employee does not yet work in the organization, but only sends a resume, he is already making his personal data available to the employer. Constant work with personal data occurs during personnel records management - the organization communicates with the outside world every day, the personnel service processes a huge array of documents and all of them contain someone’s personal information.

Personal data is any information relating directly to a specific person. This is information that can be used to identify a person.

Receiving, storing, clarifying, adjusting and other actions with data is their processing. Personal data is most often processed by human resources services.

A processor is any organization that collects and stores data. That is, absolutely any organization.


What is personal data

Art. 3 of the Law of July 27, 2006 No. 152-FZ enshrines the concept of personal data: this is any information that directly or indirectly relates to a specific individual.

The list of human characteristics is unlimited. Many other data can also identify a citizen. And the employer has the right to rely only on those that characterize the employee as a party to the employment contract.

Legal basis

The following informs about personal data in the Russian legal field:

  • Constitution of Russia.
  • Labor Code.
  • Federal Law “On Personal Data” No. 152-FZ.
  • Code of Administrative Offences.
  • Criminal Code.

The Constitution guarantees that every citizen has the right to personal, family or professional secrets, has the right to control the dissemination of information about this, and to suppress this dissemination. If the data is disseminated in bad faith, then the citizen has the right to count on the protection of honor and dignity.

The Labor Code states that a personnel officer or manager can collect personal data of an employee only for clear and adequate purposes. The Labor Code of the Russian Federation clearly prohibits storing excessive amounts of data “just in case.”

Federal Law No. 152-FZ notes the need to maintain complete data security and outlines the rights, obligations and responsibilities of citizens and processing operators.

The Code of Administrative Offenses of the Russian Federation and the Criminal Code establish liability for violation of these norms.

Categories of information

There are many types of information:

  1. Factual.
  2. Predictive.
  3. Explanatory (evaluative).
  4. Presumable.
  5. Regulatory.
  6. Logical.
  7. Explanatory.
  8. Instrumental.

Taking into account the procedure for providing information or disseminating it, it is divided into:

  • which can be freely distributed;
  • provided by agreement of the parties participating in the relevant relationship;
  • which, according to federal laws, is subject to provision or distribution;
  • the distribution of which in the Russian Federation is limited or prohibited.

Based on this, we can conclude that personal information belongs to the fourth category of information.

Employee personal data is information that is provided to the employer upon employment. All information provided is protected and processed in accordance with current legislation. Disclosure of this information is prohibited and punishable by law.

What data is considered personal?

Regulatory acts establish two important concepts that the manager and responsible employee of the personnel service must keep in mind in order not to incur huge fines and lawsuits on themselves and the organization.

  1. Redundancy.
  2. Goal setting.

That is, the employer has the right to collect only the data that is necessary for the implementation of the labor process, and only for the purpose of supporting this process.

What data is personal:

  • Full Name;
  • date, place of birth;
  • biometrics – fingerprints, DNA, iris, height, weight, photographs and videos of a person, if he can be identified there;
  • registration or actual residence address;
  • marital status, family composition;
  • biographical information;
  • professional information – education, qualifications, position, work experience, previous places of work;
  • information about income and property;
  • TIN and SNILS numbers;
  • contacts – phone, email;
  • information about military service;
  • medical information and diagnoses.

What information is considered personal data

Common personal data:

  • Last name, first name, patronymic of an individual. In this perspective, an individual acts as a subject of personal data.
  • Date and place of birth.
  • Registration and residence address.

The employee's personal data is concentrated in the information system (IS). It can be digital or analog (computer database or personal file in a paper folder). At the same time, legal requirements apply to personal data regardless of the technical implementation of the information system. There are different ways to process an individual’s personal information – collection, classification, clarification, etc.

The concept of personal data applies not only to citizens, but also to legal entities, regardless of the organizational and legal form (firms, companies, organizations, commercial enterprises, etc.). Their peculiarity is that they are used to identify not a specific person, but a specific company. Official information about the company is needed when concluding contracts, etc.

Individuals

Personal information for this category of subjects includes:

  • full name;
  • Date and place of birth;
  • citizenship;
  • registration and residence address;
  • decision on total or partial incapacity;
  • marital status + information about family members;
  • education;
  • place of work;
  • salary, insurance and tax deductions;
  • military duty.

There are features of classifying various data as personal for individuals:

  • Phone number. Refers to PD if information about the owner is in a publicly available source (for example, contacts for direct contact are indicated on the deputy’s website).
  • Authentication credentials for authorization on various Internet services are personal data by definition and are not subject to disclosure to third parties.
  • Photo and video recordings. They relate to personal data only in a situation where they can be used to identify an individual. An exception is photo or video filming taken at events of a mass nature. If a recording discredits the honor, dignity or business reputation of a person, he, in accordance with Part 1 of Article 152 of the Civil Code of the Russian Federation, may demand a refutation.


Enterprise employees

Personal information in this case includes information that the employee must provide when applying for a job. For the most part, it coincides with personal data for individuals and is intended to be entered into the employee’s personal file. Because the employee fills out a standard form, the information system may contain information not related to the performance of his work.

In addition to the personal information of individuals, the personal dossier of an enterprise employee must include:

  • job title;
  • TIN;
  • application for a job;
  • salary;
  • SNILS;
  • length of service (including at this enterprise);
  • certificates of incentives and penalties from the administration;
  • information about the vacation used;
  • medical certificates and/or documents on medical examination (if required by working conditions).

The employer does not have the right (and this is stated in the laws):

  1. Transfer personal data to third parties without the consent of the employee (data protection).
  2. Request information about an employee's health status without consent. The exception is situations when this is directly related to the employee’s performance of his functions.

The employer's responsibility is:

  • Protect the PD at its disposal from third-party access and allow only specially authorized employees to view it, providing them with data within their competence.
  • Warn third parties to whom employee information is transferred that it may be used only for the specific purposes for which it was requested. The law prohibits the unauthorized distribution of personal data, and those responsible may be held accountable.
  • Secure in an appropriate manner (for example, with a signature on a special form) the obligation to maintain confidentiality by the persons to whom the PD is transferred.


State or municipal employees

In addition to the array of information required for an employee of an enterprise, personal data for this category of workers includes:

  • work experience and length of service;
  • job title;
  • class rank (if any);
  • category according to the tariff schedule;
  • academic degree, awards, promotions;
  • clearance to work with classified materials;
  • certificates of certification and advanced training;
  • criminal record certificate;
  • medical certificates, copies of sick leave.

Legal entities

This category of information includes:

  • name of company;
  • legal and actual address;
  • license numbers;
  • OGRN;
  • TIN;
  • KPP (tax registration reason code);
  • current account number and other bank details.

Categories of personal data

There are usually four categories of personal data, although there is no such classification in the laws:

  1. Public. Full name, date and place of birth, profession, contacts can be used in open sources. For example, in directories and telephone books, if the data subject has given his consent.
  2. Biometric. Allows you to identify a person based on physiological parameters. Data is collected exclusively with the consent of the citizen and for purposes justified by law.
  3. Special. Race, nationality, political and religious views, philosophical views and details of intimate life. The processing of such data is prohibited, unless the subject has agreed to this in writing or when he himself has publicly published it, making it publicly available.
  4. Others. Not included in these categories.

PD categories

Law No. 152-FZ divides information according to information content, complexity of use and level of disclosure. Categories of personal data that cannot be used without consent: anonymized, general and special, biometric data.

General personal information about a person

These include basic information about a specific individual:

  • Full Name;
  • Date and place of birth;
  • registration and residence address;
  • phone number;
  • TIN;
  • passport data – series, date of issue, etc.;
  • SNILS;
  • place of work;
  • salary amount.

Personal information classified as a general type is recorded in the citizen’s basic documents (passport, work book, etc.). In many cases, indirect permission is enough to process them. Such simplified cases are typical for filling out online forms with a minimum of information, when a tick in the appropriate box is enough for the subject instead of written confirmation. Here, data transfer occurs through open communication channels.

Some of this information is not personal information if used independently of others. The current position of Roskomnadzor is that using only one telephone number (without correlating it with the owner’s last name) there is no possibility of identifying an individual. For this reason, non-personalized SMS distribution is not a violation of the law.


Biometric

This includes physiological and biological parameters of an individual:

  • fingerprinting (fingerprints);
  • blood type;
  • height;
  • weight;
  • eye color;
  • special signs associated with appearance (for example, acquired injuries).

This category also includes any audiovisual files - photographs of a specific individual, recordings from a voice recorder, video recorder, etc. As technology develops, biometric parameters are used ever more widely - in medicine, in hiring for government agencies, in issuing foreign passports. Such data can often cause harm to the subject in his professional activities or personal life.

Special data

This category includes:

  • nationality;
  • political preferences;
  • religion;
  • having a criminal record;
  • medical diagnosis;
  • sexual orientation;
  • intimate life.

Such information is contained in special documents. They can be used to discriminate against a specific individual. For this reason, according to Article 10 of Law No. 152-FZ, access to information of this type for general cases is not allowed. Exceptions to this are situations where:

  • The subject gave written consent to the processing of PD.
  • The file of a particular person is studied to preserve the life/health of this person or third parties when obtaining permission is not possible (for example, a victim of a car accident is in a coma and urgently requires surgery). This case can be extended to all situations of diagnosis and provision of medical services, provided that this is carried out by an authorized employee and he maintains professional confidentiality.
  • These personal data became public at the initiative of the person to whom they belong (for example, a pop performer gives an interview to a TV channel about his sexual orientation). This also includes the processing of information in connection with the implementation of the All-Russian Population Census or the implementation of social assistance programs, labor or pension legislation.
  • Personal data about members of a public association or religious organization is processed (for example, this personal information may be collected by the municipality or state statistics bodies). The determining factor here is the non-dissemination of such information without the written consent of the subjects of personal data.
  • Retrieving the necessary personal information is related to the exercise of the constitutional rights of that individual or the administration of justice (by law, this is permitted, for example, by police officers or prosecutors). This also includes situations of implementation of legislation on defense, counter-terrorism, transport security, anti-corruption activities, etc.
  • This situation arises when it is necessary to implement legislative requirements on compulsory types of insurance, on citizenship of the Russian Federation and when checking parents who take in orphans.


Anonymized PD

In accordance with Law No. 152-FZ, this includes information that cannot be correlated with a specific person without additional information. This can be any of the components of the PD, taken without the other information, for example:

  • Last name, first name, patronymic of a person, his date, month, year of birth, street, house and apartment number are collectively personal data.
  • Each of this information separately (for example, only the first name, without the last name and other information) cannot be considered personal data.

Anonymization is an additional method of protection. It is often resorted to by government bodies authorized to process personal information about citizens when transferring an array of information for third-party study. For example:

  1. As a result of the population census, the Federal State Statistics Service (Goskomstat) accumulates a large number of questionnaires containing personal data. This may include information about age, nationality, etc.
  2. By sending such data to other departments for analytical study based on their work profile, Goskomstat employees take measures to protect personal data. For this purpose, personal information is depersonalized. For example, a sample of data about individuals is transmitted to the Ministry of Social Protection of the Russian Federation, indicating their nationality, age and education, but without mentioning their first and last names.
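The depersonalization the article describes (keep only the attributes the receiving body needs, drop names and other direct identifiers) and the earlier "redundancy / goal setting" principle, as an added example that is not part of the original article. It also goes one step further than the text: since the article itself notes that a combination of indirect attributes can be personal data, the extract is released only when every attribute combination is shared by at least k people. Field names, the direct-identifier set and the sample questionnaires are this example's assumptions.

```python
from collections import Counter

# Fields that identify a person on their own. The field names are this example's
# assumption; the set follows the article's list of general personal information
# (full name, birth date, address, passport, SNILS, TIN, phone). None of these
# may ever appear in a released extract.
DIRECT_IDENTIFIERS = frozenset({
    "last_name", "first_name", "patronymic", "birth_date", "address",
    "passport", "snils", "tin", "phone", "email",
})


def depersonalize(records, purpose_fields):
    """Keep only the fields the receiving body needs for its stated purpose.

    This is the data-minimization step: the allow-list *is* the purpose, and
    everything outside it is dropped. An allow-list that names a direct
    identifier is rejected outright rather than silently released.
    """
    leaked = DIRECT_IDENTIFIERS.intersection(purpose_fields)
    if leaked:
        raise ValueError(f"purpose fields contain direct identifiers: {sorted(leaked)}")
    return [{field: record.get(field) for field in purpose_fields} for record in records]


def min_group_size(records, fields):
    """Size of the smallest group of records sharing one value combination.

    If this is 1, some combination of the remaining indirect attributes singles
    out exactly one person, so the extract is not really depersonalized.
    """
    groups = Counter(tuple(record.get(field) for field in fields) for record in records)
    return min(groups.values()) if groups else 0


def release_extract(records, purpose_fields, k=2):
    """Depersonalize `records` and release the result only if every value
    combination is shared by at least `k` people; otherwise return None."""
    extract = depersonalize(records, purpose_fields)
    if min_group_size(extract, purpose_fields) < k:
        return None
    return extract


# Constructed census-style questionnaires (not real people, not real data).
QUESTIONNAIRES = [
    {"last_name": "Ivanov", "first_name": "Ivan", "patronymic": "Ivanovich",
     "birth_date": "1980-03-01", "address": "ul. Lenina, 1-1", "phone": "+7 000 000-00-01",
     "nationality": "Russian", "age": 44, "education": "higher"},
    {"last_name": "Petrov", "first_name": "Petr", "patronymic": "Petrovich",
     "birth_date": "1980-07-15", "address": "ul. Lenina, 2-5", "phone": "+7 000 000-00-02",
     "nationality": "Russian", "age": 44, "education": "higher"},
    {"last_name": "Valeeva", "first_name": "Alsu", "patronymic": "Rinatovna",
     "birth_date": "1994-11-30", "address": "ul. Mira, 7-3", "phone": "+7 000 000-00-03",
     "nationality": "Tatar", "age": 30, "education": "secondary"},
    {"last_name": "Safina", "first_name": "Dina", "patronymic": "Ilnurovna",
     "birth_date": "1994-02-09", "address": "ul. Mira, 9-1", "phone": "+7 000 000-00-04",
     "nationality": "Tatar", "age": 30, "education": "secondary"},
]

# The attributes the article's example allows the Ministry of Social Protection to receive.
SOCIAL_PROTECTION_FIELDS = ["nationality", "age", "education"]


if __name__ == "__main__":
    print("released:", release_extract(QUESTIONNAIRES, SOCIAL_PROTECTION_FIELDS))
    # One person whose attribute combination is unique blocks the whole release.
    singleton = dict(QUESTIONNAIRES[0], last_name="Sidorov", nationality="Chuvash")
    print("with a unique combination:",
          release_extract(QUESTIONNAIRES + [singleton], SOCIAL_PROTECTION_FIELDS))
```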

Big Data

This includes information received on the Internet from a specific user or accumulated in his digital devices:

  • Computer IP address;
  • page browsing history;
  • authorization data on websites;
  • nicknames and avatars of forums or social networks.

The ambiguity of this category from a legal perspective is associated with the following features:

  • This information may directly or indirectly point to a specific person.
  • The owner himself cannot completely control them.
  • If desired, they can be falsified (for example, one person can register on a social network under the name of his friend and leave defamatory messages on his behalf).

Taking into account these circumstances, not all information from the Big Data category is PD. If they do not directly indicate a specific person, then, according to Roskomnadzor, they do not belong to the category of PD. Then they are not subject to the requirements of Law No. 152-FZ. Examples of such information:

  • Photo of a person. If it is accompanied by a first and last name, it is personal data, because it indicates a specific person.
  • Avatar (userpic) and nickname on the forum. These positions are not PD. They do not directly point to a specific person. There is an exception: when the picture shows a photo of a person with his first name, last name or other information.
  • The category of PD does not include the search queries of the computer user and information about his location, which are processed to provide him with contextual advertising and geotargeting (distribution of data depending on the geographic location of the individual).

How to collect, organize and store personal data

Step 1. Issue a regulation on personal data. Both federal law and common sense require this. The local act must specify all the rules for storing and processing data.

Step 2. Approve the regulation. To do this, you need to issue a corresponding order signed by the manager and familiarize all employees with it. Employees must sign in a special journal or statement.

Step 3. Appoint a specialist responsible for personal data. Most likely, this will be a HR employee. It is advisable that the work with personal data be specified in his employment contract. If the agreement has already been drawn up, you can issue an additional agreement to it. In the same order, it is necessary to identify the employees who will have access to personal data. All persons mentioned must sign a non-disclosure agreement.

Step 4. Collect written consent from all employees for the processing of personal data. The written consent must list the specific data and the purposes for which it will be used. Goals should be reduced solely to maintaining the labor process.

Step 5. Store data in strict order. Data can be stored both electronically and on paper. They must be absolutely inaccessible to third parties, replenished in a timely manner and, if necessary, adjusted.

Step 6. Contact Roskomnadzor. This item is not required if you:

  • process information without the use of specialized software and databases (that is, if the operator processes the data array manually on a PC or on paper);
  • process data only of your employees and only for the purpose of drawing up and maintaining employment contracts (no more);
  • entered into an agreement with an individual as a contractor, supplier or non-staff specialist;
  • allowed a stranger who is not your employee into the territory of the enterprise once (for example, for an interview).

Processing of personal data

The organization needs to develop and approve a local regulatory act that establishes the procedure for processing information about employees. Each employee is introduced to this document upon signature.

Court practice

The prosecutor filed a lawsuit to force the organization to develop and adopt a local legal act establishing the procedure for storing and using personal data of employees. He motivated the requirements by the fact that during an inspection of the implementation of legislation regulating the collection, storage, use or dissemination of personal data, it was found that, in violation of the requirements of labor legislation, the procedure for storing and using personal data of employees in the organization had not been developed. He believed that the absence of this local regulation could lead to unlawful access to the personal data of unauthorized persons.

The prosecutor's request was satisfied by the court's decision. The court ordered the organization to develop and adopt a local legal act establishing the procedure for storing and using personal data of employees within 30 days from the date the court decision entered into legal force.

Transfer of an employee’s personal data to another person is permitted only with the consent of that employee, except in cases established by law. For example, an employer has the right to transfer information about an employee upon official requests from the court, prosecutor’s office, investigative and inquiry authorities.

IMPORTANT!

It is unacceptable to provide any information about an employee over the phone.

Court practice

D. filed a lawsuit to declare the employer’s transfer of his personal data to another person illegal and to recover moral damages.

At the court hearing, it was established that the organization in which D. worked entered into an agreement with the bank to implement a salary project. To issue plastic cards, the bank received application forms filled out and signed by employees with their personal data. D. did not sign the application form; he did not give consent to the transfer of his personal data.

The court satisfied the claims, despite the fact that D. actively used the received plastic card.

Responsibility for disclosure of personal data

There are great risks associated with incorrect or unsafe data storage. If an organization does something wrong, it will incur audits, inspections, administrative proceedings or criminal proceedings.

Administrative responsibility

An employer can pay a fine of up to 75 thousand rubles for:

  • collection and processing of redundant information;
  • lack of employee consent to data processing;
  • access of third parties to personal data of employees;
  • ignoring employee requests to delete his personal data (for example, after his dismissal).

Criminal liability

According to Article 137 of the Criminal Code of the Russian Federation:

  • Disclosure of employee data in the public space, publication in the media of information that constitutes his personal or family secret. A fine of up to 200 thousand rubles, imprisonment for up to 2 years and a ban on holding certain positions for up to 3 years.
  • The same thing with the use of official position - a fine of up to 300 thousand rubles, imprisonment for up to 5 years and a ban on holding a corresponding position for up to 6 years.

Definition of the concept

Worker information

What is personal data? This is the information that an employer requires from a specific employee when concluding an employment relationship (Chapter 14 of the Labor Code of the Russian Federation). According to Article 3 of the Federal Law, personal data is any information that relates to an individual: his full name, time and place of birth, address, existing property, marital status, education, income, etc.

Processing

Processing of individual information of a worker is the process of obtaining, storing, combining, transferring personal information, as well as other options for its use.


Processing can be carried out solely to ensure compliance with laws and other regulations, assist the worker in employment, training and career advancement, ensure the personal safety of employees, as well as control the quantity and quality of the work he performs and ensure the safety of property (Clause 1 of Article 86 of the Labor Code of the Russian Federation).

According to paragraph 3 of Art. 3 of the Federal Law “On Personal Data”, the processing of personal information is actions performed with individual data. What they include:

  • collection;
  • systematization;
  • accumulation;
  • storage;
  • clarification (update, change);
  • usage;
  • distribution (transmission);
  • depersonalization;
  • blocking;
  • deletion.

Important! Regardless of the number of functional operations listed in the legislation, legal regulation should apply to all stages of processing personal information: from receipt to deletion, without exception.


Protection

To determine the protection of an employee’s personal information, it is worth considering this process in several aspects:

  1. These are guarantees that are enshrined in labor law (a list of norms by which relations regarding the personal information of a worker are regulated).
  2. This is a series of processes of an organizational and legal nature that are aimed at implementing legislative provisions and expressing the employer’s policies in this area.
  3. This is to ensure the subjective right of the worker to protect his personal information.


Protection requirements

Chapter 14 of the Labor Code provides requirements regarding data protection. The responsibility of the manager is established to take into account the requirements when processing information. The purpose of processing is to ensure legal provisions and assist a person in finding a job. To determine the scope of information, you must be guided by the basic law of the country, the Labor Code.

How is an employee’s personal data protected?

Receiving information is allowed only from the employee himself. When it is possible to obtain it from a third party, the person must inform the company management about this in advance. You will be required to sign a consent form. The employer does not process data classified as special. This is information about intimate life, race, etc.

Measures to protect information are taken by the company's management and paid for from company funds. The procedure for protection is set out in the laws. Employees are familiarized, against signature, with the documentation describing the data collection procedure.

It has been established that a person should not be deprived of his powers in order to maintain a secret. The development of protective measures is carried out by employers together with employees. Exceptional situations are reflected in laws.

Subjects and Operators

There are two entities in the law: the subject and the PD operator.

The subject of personal data is the person whose personal data is processed by the PD operator.

A subject is an individual: the owner of an account on a social network, a website visitor, or a buyer in a store. For example, a client of an online store ordered a laptop, and to receive it, he chose courier delivery, leaving his last name, first name, address and telephone number. Using this data, it is possible to determine the identity of the buyer (PD subject), and the store thus becomes an operator.

An operator is an individual or organization (public or private) that organizes the processing and processes personal data, and also determines the purposes of processing, the composition of the data and the actions performed with it.

For example, employers become operators when they come into contact with the personal data of employees. Even if there is only one employee, the employer is already an operator.

Working with personal data

The collection, processing and storage of personal information of employees is organized according to the following algorithm.

During the processing of personal information, it is ensured that it is not accessible to third parties and that it is corrected in a timely manner.

The employer does not have the right to contact the employee’s previous employer in order to find out how true the information presented in the applicant’s resume is (violates Article 7 of Law No. 152-FZ). This can only be done with the consent of the person being checked.
