Sample provision on personal data of employees

Regulations on personal data of employees - sample 2019 you will find in this article. What is the text of the provision taking into account all legal requirements? Let's give an example.

Personal data of employees - any information necessary for the administration in connection with labor relations and relating to a specific employee (Clause 1, Article 3 of the Law of July 27, 2006 No. 152-FZ).

The accounting and personnel departments store documents containing personal data of employees - salary statements, personal cards, personal files and others. All personal data of an employee can only be obtained from him.

See “Sample of consent to the processing of personal data for 2019”.

Personal Data Regulation: Structure

To prevent disclosure of personal data, create a reliable system for protecting it. The procedure for receiving, processing, transferring and storing such information is established in a local act of the organization, for example, in the regulation on working with personal data of employees. The regulations are approved by the director. Familiarize the employees with the document for signature (Article 8, clause 8, part 1, article 86, 87 of the Labor Code, clause 2, part 1, article 18.1 of the Law of July 27, 2006 No. 152-FZ).

In order to ensure compliance with the requirements for the procedure for processing personal data of employees and the protection of this information, the employer can develop and approve Regulations on working with personal data of employees. It may also be called, for example, the Regulation on the processing of personal data of employees, the Regulation on the protection of personal data, or even the Regulation on the personal data of employees.

The regulation on personal data refers to those local acts that must be present in the organization. The employer must, by local regulations (Regulations on Personal Data), determine the procedure for storing, processing and using personal data. The absence of a Regulation may be qualified by the state labor inspectorate as a violation of labor legislation. This conclusion is also confirmed by judicial practice (see Resolution of the Federal Antimonopoly Service of the Moscow District dated October 26, 2006 N KA-A40/10220-06 in case No. A40-20745/06-148-194).

The structure and content of the Regulations on the protection of personal data of employees (a sample is given below) is determined by the employer independently.

When developing the Personal Data Regulations, the employer must take into account, in particular, the following principles:

  • the processing of personal data of employees is carried out only for the purpose of complying with the legislation of the Russian Federation, assisting employees in finding employment, obtaining education and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property;
  • All personal data of employees must be obtained from him himself. If any personal data of an employee can only be obtained from a third party, the employee must be notified in advance and written consent must be obtained from him;
  • the employer must, at his own expense, ensure the protection of employees’ personal data from unlawful use or loss;
  • The employer must, against signature, familiarize employees with the procedure for processing their personal data, as well as their rights and obligations in this area.

What employee data is personal?

Legislation determines what is included in a person’s personal data. This can be either information directly related to the employee or indirectly affecting him.

This includes:

  • Full personal data of the employee (full name).
  • Information about the place and date of his birth.
  • The address is actual and registered.
  • Social, family, property status.
  • The employee’s current education and profession.
  • Information about the employee’s income, etc.

In addition to the law on personal data, the composition of personal information is also determined by the Labor Code of the Russian Federation. It includes in the protected information information that allows you to identify a person as an employee. These are qualifications, specialization, education, the state of a person’s health (in some situations, for example, when working in hazardous conditions), and the presence of children.

The list of information that can be classified as an employee’s personal data is not closed, therefore each entity conducting business has the right to expand it, and these categories must be recorded in the Regulations of the enterprise.

Attention! There is information about the employee that should never be requested by the company administration, since it is purely personal. This includes, for example, religion and nationality. If someone tries to find out such information, it will be regarded as an attempt to invade the employee’s privacy.

Determining the level of security

The documents containing information about the requirements for the ZPD include the act of determining the level of security.

The act of determining the level of security does not apply to confidential documents. The operator is obliged to publish it or provide unrestricted access to it.

To determine the level of security at the enterprise, a commission is created, which should include someone responsible for organizing processing. The act must be approved by the head of the organization and signed by all members of the commission.

The act specifies:

  1. personal data processed in ISPD;
  2. volume of processed PD;
  3. level of security;
  4. type of current threats to ISPD.

Legal basis

The following informs about personal data in the Russian legal field:

  • Constitution of Russia.
  • Labor Code.
  • Federal Law “On Personal Data” No. 152-FZ.
  • Code of Administrative Offences.
  • Criminal Code.

The Constitution guarantees that every citizen has the right to personal, family or professional secrets, has the right to control the dissemination of information about this, and to suppress this dissemination. If the data is disseminated in bad faith, then the citizen has the right to count on the protection of honor and dignity.

The Labor Code states that a personnel officer or manager can collect personal data of an employee only for clear and adequate purposes. The Labor Code of the Russian Federation clearly prohibits storing excessive amounts of data “just in case.”

Federal Law No. 153-FZ notes the need to maintain complete data security and outlines the rights, obligations and responsibilities of citizens and processing operators.

The Code of Administrative Offenses of the Russian Federation and the Criminal Code establish liability for violation of these norms.

Appointment of responsible persons

To regulate the work of the management and personnel officers of the enterprise, an order should be prepared to appoint responsible persons for the processing of personal information about employees.

This measure allows you to avoid disruptions in work and prevent abuse of documentation. Responsibility for the processing of personal information most often rests with a lawyer, specialist or head of the human resources department, as well as the company secretary.

To appoint responsible persons, an order is issued, which can be written freely on a regular sheet of paper or a form with the logo and company details of the enterprise. Government institutions use standard forms of administrative acts. The organization's accounting policies must indicate information about the format of orders.

The number and name of the order and the date of issue must be entered in a special journal. It should be kept by the head of the human resources department, a lawyer or the company secretary.

The signed and endorsed finished order is filed in a separate folder. Having lost its relevance, it is sent to the archive, where it is stored for a set period, after which it is disposed of.

What is required to collect information?

All documentation that relates to ensuring the safety of personal information can be divided into 3 groups:

  • Organizational.
    Defines the tasks, functions and scope of responsibilities of employees who check and are responsible for the collection, processing and preservation of confidential information of employees.

    These include:

    1. job descriptions;
    2. position;

  • notifications, letters;
  • acts, orders (on the admission of employees to work with PD).
  • Technological.
    Information from this group of documents determines the procedure and methods for implementing protection.

    These include:

    1. data processing instructions;
    2. lists.

  • Methodical.
    Detailed processing processes, procedure and rules for working with PD.

Important! All documents on the protection and processing of personal data must be approved by the head of the enterprise. They must contain confirmation of familiarization with the documentation and visa agreement with other persons.

Our website contains other materials on PD protection issues. After reading them, you will learn:

  • What authorized bodies exist to protect the rights of personal data subjects?
  • What is the PD processing and protection policy?
  • How to organize and implement data protection in various organizations?

Personal data – key concepts

An employer is constantly faced with the issue of personal data.

Even when a potential employee does not yet work in the organization, but only sends a resume, he is already making his personal data available to the employer. Constant work with personal data occurs during personnel records management - the organization communicates with the outside world every day, the personnel service processes a huge array of documents and all of them contain someone’s personal information.

Personal data is any information relating directly to a specific person . This is information that can be used to identify a person.

Receiving, storing, clarifying, adjusting and other actions with data is their processing. Personal data is most often processed by human resources services.

A processor is any organization that collects and stores data. That is, absolutely any organization.

Valentina Mitrofanova will tell you what's new in labor legislation this week. Watch the new episode of Personnel Review.

Who should be familiar with the document?

The PD provision is supported by an internal order, after which the act is signed into force in the enterprise or organization. The order is drawn up by the clerk and signed by the general director of the institution.

Remember: all employees who are already employed or are just getting hired should be familiarized with the document. Persons responsible for processing personal data must not only familiarize themselves with the Regulations, but also give an undertaking of non-disclosure.

Read more about the non-disclosure agreement and other documents here.

Documents documenting the processing of personal data may be subject to inspection by regulatory authorities. Therefore, the preparation of such acts should be taken with full responsibility.

How to protect an employee’s personal data from any abuse? Watch the detailed video:

Instructions for employees

In the daily life of the company, employees work with automation tools and software on personal computers. Therefore, in addition to the regulations, instructions can be developed that define the procedure for using information systems. The document includes the rules:

  • safe use of various programs and technical means;
  • use of logins and passwords;
  • providing access;
  • antivirus protection;
  • working with media;
  • other points.

Thus, you should carefully study the legislation establishing the rules for working with citizens’ personal information and correctly organize the process of collecting and protecting it. This will protect stakeholders and avoid legal liability.

How to organize information security in an enterprise is described in the video below.

Organizational and administrative documentation

  1. Regulations on the protection of personal data.
    It is the main document that regulates the activities of an enterprise in this area and determines the procedure for storing and using personal information in the company. This provision is approved by the head of the organization by order and is mandatory for all employees of the enterprise.
  2. Order on access to documents with personal information.
    It identifies all employees who have the right to work with such documentation. For each employee, it is specified what information he can work with. All persons mentioned in the order must familiarize themselves with this document against signature and sign on the familiarization sheet.
  3. Instructions for protecting personal data.
    Detailed rules that employees must follow. It is recommended to enter into a non-disclosure agreement with each employee who has access to personal information.

Attention! In order to avoid unauthorized access to personal information, a number of protective measures should be used, which includes the development of a set of specialized organizational and administrative documents for implementation in the work of the organization, which is inspected by the relevant authorities.

So, the package of documentation for the protection of personal data includes orders, notifications, job descriptions and regulations that regulate the procedure for collecting information, processing and storing information.

Access to the information

Of course, the operator (the one who carries out the processing) has access to the information. The subject himself has the right to contact the operator for information, including with a request to clarify, change or supplement it. The information is provided by the operator in an accessible form, and it should not contain information about other persons.

Article 14 of Federal Law No. 152 contains an exception when the PD subject’s access to his data may be limited. We are talking about cases of legalization of criminally obtained funds, when data was obtained during operational operations, and other cases.

Basic writing rules

When drawing up a local act, responsible persons can be guided by sample document samples that are freely available on the global network. At the same time, each item is carefully studied and modified in accordance with the characteristics of the functioning and structure of a particular organization. The main thing is to reflect in the document the key points of the employment contract , described below.

A cap

If the act was not coordinated with trade union organizations, only these institutions are indicated in the header:

  • name of the institution;
  • the inscription “Approved”;
  • employer's position with surname and initials;
  • order number and date of signing;
  • seal.

If the approval took place with the participation of a representative body of the labor collective, the name of the body, the name of the person responsible, and the date of approval are indicated.

General section

The section indicates:

  • state legislative acts that guided the employer when developing the provision;
  • procedure for approving the document and putting it into effect;
  • validity;
  • list of employees who are required to follow the Regulations.

Attention: in the initial section of the document you can indicate the basic definitions that will appear in the document.

Personal information criteria

The section determines which documents and information in them relate to personal data. Most often, this is the information presented when concluding an employment contract:

  • educational documents;
  • passport data, pension insurance card and TIN;
  • information about place of residence and registration;
  • family composition and health status of close relatives, if this involves the provision of certain conditions or guarantees;
  • the health status of the employee himself (for example, disability);
  • information about benefits.

Additional information may include the salary card number, employee email address, documents on completion of courses and advanced training, documents on ownership of real estate, orders for personnel.

Important! The employer does not have the right to request information from the employee regarding his political and religious beliefs or nationality.

Processing operations and the procedure for their implementation

This section describes the procedure for processing information - collection, recording, transfer, storage, editing, liquidation. In particular, it is required to indicate in which cases information is obtained only with the written consent of the employee, in which - from third parties, when written consent from the employee is not required.

The section includes a description of the purposes of operating personal data, how information is stored, what regime is in effect for data in written and electronic form, what measures are taken by the employer to protect personal data and limit access to it, who bears the financial costs of ensuring the safety of information.

A separate paragraph should describe the procedure for creating and maintaining personal files of employees, who has external access to information and on what basis.

When drawing up an employment contract, written consent to the processing of personal data should be obtained from the employee after he has read all the clauses of the Regulations.

Read more about how to fill out an application for processing and other operations with an employee’s personal data here.

Admission regulation

This is a list of positions that have the right to unlimited access to confidential information , as well as persons whose access to personal data is limited. The first group of persons includes the general director and the employee’s immediate supervisor, personnel department employees and the owner of the personal data.

Persons who may be granted access to personal information may be accounting employees, tax and statistical authorities, insurance authorities, military registration and executive authorities.

Responsibilities and rights of the employee

The rights of the employee who provided the information to the employer are specified separately. Such rights may be:

  • the right to receive copies of documents related to personal data;
  • the right to protection of family or personal secrets;
  • removing incorrect information from your personal file.

Emphasis should be placed on the employee’s obligation to provide only reliable information about himself and to promptly notify the HR department of changes in important data, in particular last name, first name, gender, marital status, education, disability designation, changes in family composition, place of registration and residence and other information.

Responsibility

The section contains an indication of the types of responsibility that lie with persons who have access to the processing of personal data , what legal consequences will result from a violation of the principles of working with personal data.

It should be remembered that the legislation provides for disciplinary, administrative, financial and criminal liability for violations in the field of personal data.

Rating
( 1 rating, average 5 out of 5 )
Did you like the article? Share with friends:
Для любых предложений по сайту: [email protected]