Article 86 of the Labor Code of the Russian Federation. General requirements for the processing of employee personal data and guarantees of their protection
1. Article 86 of the Labor Code of the Russian Federation establishes the general principles underlying the processing of personal data by the employer or his representative and defines the purposes of processing the employee’s personal data: compliance with laws and other regulations, assistance in employment, training and career advancement, ensuring the personal safety of workers, monitoring the quantity and quality of work performed, and ensuring the safety of property.
In implementing the general requirements for the processing of personal data enshrined in Art. 86 of the Labor Code of the Russian Federation, the employer relies on the principles of processing personal data enshrined in Art. 5 of the Law on Personal Data: legality of the purposes and methods of processing personal data and integrity; compliance of the purposes of processing personal data with the goals predetermined and stated when collecting personal data, as well as with the powers of the operator (in relation to labor relations, the operator should be understood as the employer); compliance of the volume and nature of the processed personal data and of the methods of processing personal data with the purposes of processing personal data; the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is excessive in relation to the purposes stated when collecting personal data; the inadmissibility of combining databases of personal data information systems created for incompatible purposes.
The Law on Individual Accounting stipulates that the goals of individual (personalized) accounting are: creating conditions for assigning labor pensions in accordance with the labor results of each insured person; ensuring the reliability of information about length of service and earnings (income) that determine the size of the labor pension when it is assigned; creation of an information base for the implementation and improvement of the pension legislation of the Russian Federation, as well as for the appointment of labor pensions based on the insurance length of the insured persons and their insurance contributions; developing the interest of insured persons in paying insurance contributions to the Pension Fund of the Russian Federation; creating conditions for monitoring the payment of insurance premiums by insured persons; information support for forecasting the costs of paying labor pensions, determining the tariff of insurance contributions to the Pension Fund of the Russian Federation, calculating macroeconomic indicators related to compulsory pension insurance; simplification of the procedure and acceleration of the procedure for assigning labor pensions to insured persons (Article 3 of the Law).
The Employment Law established the obligation of the employer, when making a decision to liquidate an organization, reduce the number or staff of the organization’s employees and possible termination of employment contracts with employees, to notify the employment service authorities in writing about this no later than 2 months before the start of the relevant activities and indicate the position, profession, specialty and qualification requirements for them, terms of payment for each specific employee, and if the decision to reduce the number or staff of the organization’s employees may lead to mass layoffs of workers - no later than 3 months before the start of the relevant measures (Article 25 of the Law).
The employer has the right to process the personal data of employees in order to form the organization’s personnel reserve (Article 86 of the Labor Code of the Russian Federation).
2. Personal data is reflected in the personal file of a municipal employee.
A personal file is opened for a municipal employee, to which are attached documents related to his entry into the municipal service, its completion and dismissal from the municipal service. The personal file of a municipal employee is kept for 10 years. When a municipal employee is dismissed from municipal service, his personal file is stored in the archives of the local government body, the election commission of the municipality at the last place of municipal service. Upon liquidation of a local government body, an election commission of a municipal formation, in which a municipal employee filled a position of municipal service, his personal file is transferred for storage to a local government body, an election commission of a municipal formation, to which the functions of the liquidated local government body, an election commission of a municipal formation are transferred, or to their legal successors. Conducting the personal file of a municipal employee is carried out in the manner established for maintaining the personal file of a state civil servant (Article 30 of the Law on Municipal Service).
In municipalities, in accordance with municipal legal acts, a personnel reserve may be created to fill vacant positions in the municipal service (Article 33 of the Law on Municipal Service).
3. The article states that all personal data must be obtained from the employee himself. Thus, a person applying for the position of judge, according to Art. 5 of the Law on the Status of Judges has the right to apply to the relevant qualification board of judges with an application to recommend him for the vacant position of a judge.
In addition to the specified application, the following must be submitted to the qualification board of judges: the original document identifying the applicant as a citizen of the Russian Federation, or a copy thereof; a questionnaire containing biographical information about the applicant; the original document confirming the legal education of the applicant, or its certified copy; originals of the work book, other documents confirming the applicant’s work activity, or copies thereof; a document confirming that the applicant has no diseases that would prevent him from being appointed to the position of judge; information about the results of passing the qualification exam; characteristics from places of work (service) for the last 5 years of labor (service) experience, and in the case of work (service) during the specified period (in whole or in part) not in a legal specialty, also from places of work (service) in a legal specialty for the last 5 years of such work (service). The reference must be issued to the applicant for the position of judge within 7 days from the date of his application; information about the income of the applicant, about the property belonging to him by right of ownership, and the obligations of a property nature of the applicant, as well as information about the income of the spouse and minor children of the applicant, about the property belonging to them by right of ownership, and the obligations of a property nature of the spouse and minor children of the applicant in accordance with Appendices 1 and 2 to the Law on the Status of Judges.
The Qualification Board of Judges organizes verification of the authenticity of the specified documents and information. In this case, the qualification board of judges has the right to apply to the relevant authorities with a request to verify the accuracy of the documents and information submitted to it, which are obliged to report the results of the inspection within the period established by the board, but no later than 2 months from the date of receipt of the specified request.
4. The Law on Personal Data identifies a special category of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, the processing of which is not permitted, except in cases where: 1) the subject of the personal data has given consent in writing to the processing of his personal data; 2) personal data is publicly available; 3) personal data relates to the health status of the subject of personal data and their processing is necessary to protect his life, health or other vital interests or the life, health or other vital interests of other persons, and obtaining the consent of the subject of personal data is impossible; 4) the processing of personal data is carried out for medical and preventive purposes, in order to establish a medical diagnosis, provide medical and medical and social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities and obliged in accordance with the legislation of the Russian Federation to maintain medical confidentiality, and in other cases (see Art. 10).
5. Data about the private life of an employee (information about life activities in the field of family, household, personal relationships) related to issues of labor relations can be obtained and processed by the employer only with the written consent of the employee. For example, whether the woman is a single mother or has a disabled child under the age of 18.
When hiring, concluding an employment contract, or filling out personal data, the employer does not have the right to receive and summarize information about the employee’s religious beliefs, membership in public associations, or trade union organizations.
Resolving a number of issues in accordance with the provisions of the Labor Code (for example, Article 82) requires the employer to take into account the reasoned opinion of the elected body of the primary trade union organization when terminating an employment contract with a trade union member in cases of reduction in the number or staff of employees (clause 2, part 1, Article 81 of the Labor Code), inconsistency of the employee with the position held or the work performed due to insufficient qualifications confirmed by certification results (clause 3, part 1, Article 81 of the Labor Code), repeated failure by the employee to fulfill work duties without good reason, if he has a disciplinary sanction (clause 5, part 1, Article 81 of the Labor Code). It follows from this that the employer has the right to have information about the employee’s membership in a trade union, since his dismissal for the above reasons requires the implementation of a certain procedure.
6. The employer’s decision-making taking into account the employee’s personal data cannot be based solely on the use of information obtained through automated processing or through electronic receipt. The employer takes into account the employee’s business qualities, his conscientious and effective work.
For what is meant by an employee’s business qualities, see the commentary to Article 64 of the Labor Code of the Russian Federation.
7. Based on Art. 16 of the Federal Law of July 27, 2006 N 149-FZ “On information, information technologies and information protection” (SZ RF. 2006. N 31 (part I). Art. 3448) information protection is the adoption of legal, organizational and technical measures aimed at: 1) ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other unlawful actions in relation to such information; 2) maintaining the confidentiality of restricted information; 3) implementation of the right to access information. The owner of the information, who is the employer, is obliged to ensure: 1) prevention of unauthorized access to information and (or) transfer of it to persons who do not have the right to access information; 2) timely detection of facts of unauthorized access to information; 3) preventing the possibility of adverse consequences of violating the procedure for access to information; 4) preventing influence on technical means of information processing, as a result of which their functioning is disrupted; 5) the possibility of immediate restoration of information modified or destroyed due to unauthorized access to it; 6) constant monitoring of ensuring the level of information security.
8. The Law on Personal Data, establishing measures to ensure the security of personal data during their processing, indicates that the operator, when processing personal data, is obliged to take the necessary organizational and technical measures, including the use of encryption (cryptographic) means, to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution of personal data, as well as from other unlawful actions (Article 19).
9. The Regulations on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007 N 781 (SZ RF. 2007. N 48 (part II). Art. 6001) (hereinafter referred to as the Regulations of November 17, 2007 N 781), establish requirements for ensuring the security of personal data when processing them in information systems of personal data, which are a set of personal data contained in databases, as well as information technologies and technical means that allow the processing of such personal data using automation tools.
Technical means that allow the processing of personal data are understood as computer facilities, information and computing complexes and networks, means and systems for transmitting, receiving and processing personal data (means and systems for sound recording, sound amplification, sound reproduction, intercom and television devices, manufacturing means, replication of documents and other technical means of processing speech, graphic, video and alphanumeric information), software (operating systems, database management systems, etc.), information security tools used in information systems (clause 1 of the Regulations dated November 17, 2007 N 781).
The security of personal data is achieved by excluding unauthorized, including accidental, access to personal data, which may result in destruction, modification, blocking, copying, distribution of personal data, as well as other unauthorized actions. The security of personal data during their processing in information systems is ensured using a personal data protection system, including organizational measures and information security means (including encryption (cryptographic) means, means of preventing unauthorized access, information leakage through technical channels, software and hardware impacts on technical means of processing personal data), as well as information technologies used in the information system. Hardware and software must meet the requirements established in accordance with the legislation of the Russian Federation to ensure the protection of information. To ensure the security of personal data during their processing in information systems, protection is provided for speech information and information processed by technical means, as well as information presented in the form of informative electrical signals, physical fields, and media on paper, magnetic, magneto-optical and other bases (clause 2 of the Regulations of November 17, 2007 N 781).
When applying Article 86 of the Labor Code of the Russian Federation, it should be taken into account that methods and means of protecting information in information systems are established by the Federal Service for Technical and Export Control and the Federal Security Service of the Russian Federation within the limits of their powers. The adequacy of the measures taken to ensure the security of personal data during their processing in information systems is assessed during state control and supervision (clause 3 of the Regulations of November 17, 2007 N 781).
Information systems are classified by state bodies, municipal bodies, legal entities or individuals organizing and (or) carrying out the processing of personal data, as well as determining the purposes and content of the processing of personal data (hereinafter referred to as the operator), depending on the volume of personal data processed by them and the security threats to the vital interests of the individual, society and the state (clause 6 of the Regulations of November 17, 2007 N 781).
The exchange of personal data during their processing in information systems is carried out through communication channels, the protection of which is ensured through the implementation of appropriate organizational measures and (or) through the use of technical means (clause 7 of the Regulations of November 17, 2007 N 781).
The placement of information systems, special equipment and security of premises in which work with personal data is carried out, the organization of a security regime in these premises must ensure the safety of personal data carriers and information security means, and also exclude the possibility of uncontrolled entry or stay of unauthorized persons in these premises (clause 8 of the Regulations of November 17, 2007 N 781).
Possible channels of information leakage during the processing of personal data in information systems are determined by the Federal Service for Technical and Export Control and the Federal Security Service of the Russian Federation within the limits of their powers (clause 9 of the Regulations of November 17, 2007 N 781).
The security of personal data when processed in the information system is ensured by the operator or the person to whom, on the basis of an agreement, the operator entrusts the processing of personal data (hereinafter referred to as the authorized person). An essential condition of the contract is the obligation of the authorized person to ensure the confidentiality of personal data and the security of personal data during their processing in the information system (clause 10 of the Regulations of November 17, 2007 N 781).
When processing personal data in the information system, the following must be ensured: a) implementation of measures aimed at preventing unauthorized access to personal data and (or) their transfer to persons who do not have the right to access such information; b) timely detection of facts of unauthorized access to personal data; c) preventing influence on technical means of automated processing of personal data, as a result of which their functioning may be disrupted; d) the possibility of immediate restoration of personal data modified or destroyed due to unauthorized access to it; e) constant monitoring of ensuring the level of security of personal data (clause 11 of the Regulations of November 17, 2007 N 781).
Measures to ensure the security of personal data during their processing in information systems include: a) identifying threats to the security of personal data during their processing, forming a threat model based on them; b) development, based on the threat model, of a personal data protection system that ensures the neutralization of alleged threats using methods and techniques for protecting personal data provided for the corresponding class of information systems; c) checking the readiness of information security tools for use with drawing up conclusions on the possibility of their operation; d) installation and commissioning of information security means in accordance with operational and technical documentation; e) training of persons using information security tools used in information systems on the rules of working with them; f) accounting of the information protection means used, operational and technical documentation for them, personal data carriers; g) accounting of persons authorized to work with personal data in the information system; h) control over compliance with the conditions for the use of information security tools provided for in the operational and technical documentation; i) investigation and drawing up conclusions on facts of non-compliance with the storage conditions of personal data carriers, the use of information security measures that may lead to a violation of the confidentiality of personal data or other violations leading to a decrease in the level of security of personal data, development and adoption of measures to prevent possible dangerous consequences of similar violations; j) description of the personal data protection system (clause 12 of the Regulations of November 17, 2007 N 781).
To develop and implement measures to ensure the security of personal data during their processing in the information system, an operator or an authorized person may appoint a structural unit or official (employee) responsible for ensuring the security of personal data (clause 13 of the Regulations of November 17, 2007 N 781).
Persons whose access to personal data processed in the information system is necessary to perform official (labor) duties are allowed to the relevant personal data on the basis of a list approved by the operator or an authorized person (clause 14 of the Regulations of November 17, 2007 N 781).
Requests from users of the information system for personal data, including the persons indicated above, as well as the facts of providing personal data on these requests are registered by automated means of the information system in the electronic log of requests. The contents of the electronic log of requests are periodically checked by the relevant officials (employees) of the operator or authorized person (clause 15 of the Regulations of November 17, 2007 N 781).
If violations of the procedure for providing personal data are detected, the operator or authorized person immediately suspends the provision of personal data to users of the information system until the causes of the violations are identified and these causes are eliminated (clause 16 of the Regulations of November 17, 2007 N 781).
Information protection means intended to ensure the security of personal data during their processing in information systems are accompanied by rules for the use of these means, agreed upon with the Federal Service for Technical and Export Control and the Federal Security Service of the Russian Federation within the limits of their powers (clause 19 of the Regulations of November 17, 2007 N 781).
10. Measures to ensure the security of personal data during processing carried out without the use of automation tools include:
- The processing of personal data, carried out without the use of automation tools, must be carried out in such a way that, for each category of personal data, it is possible to determine the storage locations of personal data (tangible media) and establish a list of persons processing personal data or having access to it (clause 13 of the Regulations of September 15, 2008 N 687);
- it is necessary to ensure separate storage of personal data (tangible media), the processing of which is carried out for various purposes (clause 14 of the Regulations of September 15, 2008 N 687);
- When storing material media, conditions must be observed to ensure the safety of personal data and prevent unauthorized access to them. The list of measures necessary to ensure such conditions, the procedure for their adoption, as well as the list of persons responsible for the implementation of these measures are established by the operator (clause 15 of the Regulations of September 15, 2008 N 687).
11. The Law on Personal Data, defining the responsibilities of the operator, establishes that he has the right to carry out, without notifying the authorized body for the protection of the rights of personal data subjects (based on Article 23 of the Law, such a body is the federal executive body exercising control and supervision functions in the field of information technologies and communications), the processing of personal data relating to subjects of personal data who are connected with the operator by labor relations (Article 22).
12. The basic principles of personal data protection are enshrined in Council of Europe Convention No. 108 “On the protection of individuals with regard to automated processing of personal data” (Strasbourg, January 28, 1981) (Collection of documents of the Council of Europe in the field of protecting human rights and combating crime. M., 1998. P. 106 - 114).
These principles reflect the requirements for:
- data quality (obtained and processed legally, registered for a specific and legitimate purpose and not used contrary to this purpose, etc.);
- special categories of data (personal data reflecting racial origin, political opinions, religious beliefs or other principles, as well as those relating to health or sexual life, are subject to automated processing only if the law provides appropriate guarantees; a similar rule applies to personal data associated with a criminal conviction);
- data security (adequate security measures have been taken to protect personal data recorded in automated filing cabinets from accidental or unauthorized destruction or accidental loss, as well as from unauthorized access, modification or distribution);
- additional guarantees for the person (any person should have the opportunity to: find out about the existence of an automated file cabinet of personal data, its purpose; receive at an appropriate time, after any period and without special costs, confirmation of the presence or absence of personal data relating to him in the automated file cabinet, and also receive this data in proper form; demand, if necessary, correction or erasure of data if they were processed in violation of the provisions of the law, etc.).
Russia has ratified the Convention (Federal Law of December 19, 2005 N 160-FZ “On the ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (SZ RF. 2005. N 52. Part I. Art. 5573)) with the following statements:
- 1) The Russian Federation declares that it will not apply the Convention to personal data: a) processed by individuals solely for personal and family needs; b) classified as a state secret in the manner established by the legislation of the Russian Federation on state secrets;
- 2) The Russian Federation declares that it will apply the Convention to personal data that is not subject to automated processing if the application of the Convention corresponds to the nature of the actions performed with personal data without the use of automated means;
- 3) The Russian Federation declares that it reserves the right to establish restrictions on the right of a personal data subject to access personal data about himself in order to protect state security and public order.
13. The Code of Practice for the protection of personal data about employees, developed by ILO experts and officially approved by the Administrative Council in 1996, is devoted to the protection of employees’ personal data (see: Kiselev I.Ya. Comparative and international labor law. M., 1999. P. 510 - 513). Note that the main provisions of the said Code are reflected in Arts. 86, 88 and 89 of the Labor Code of the Russian Federation. At the same time, a number of provisions of the Code that have not received direct textual enshrinement in the Labor Code are also subject to use by the employer, which provides an effective guarantee of the protection of the employee’s personal data. These include: the collection of an employee’s personal data must not lead to discrimination; the employee’s personal data should not be used to control his behavior; all persons who have access to personal data are obliged to keep the information confidential; polygraphs and other equipment should not be used to determine the veracity of answers; in the case of a medical examination of an employee, the employer must be informed only of those findings that relate to the issue of the employee’s ability to perform the assigned job function; the findings should not contain information of a medical nature, with the exception of indications of suitability or medical contraindications for the proposed work, etc.
The employee's personal data is classified as confidential information. It is the employer's responsibility to ensure that they are protected from misuse or loss.
14. The employer is obliged, when hiring, before concluding an employment contract, to acquaint the employee, against signature, with the internal labor regulations, other local regulations directly related to the employee’s work activity, and the collective agreement (Part 3 of Article 68 of the Labor Code). Thus, before concluding an employment contract, the employee becomes aware of the rules defining the procedure for processing personal data of employees with a given employer, the rights and obligations of the employer when processing personal data, the rights of employees ensuring the protection of personal data, etc.
15. Employees notify the employer of changes in last name, first name, patronymic, date of birth, which is reflected in the work book on the basis of a passport, birth certificate, marriage certificate, divorce certificate and other documents. If necessary, information about education, profession, and specialty is changed. If an employee is assigned a new rank (class, category, etc.) during the period of work, then a corresponding entry is made about this in the work book.
If the insurance certificate of state pension insurance is lost, the employee must contact the employer within a month from the date of loss to restore it (Article 7 of the Law on Individual Accounting).
16. In order to protect privacy, personal and family secrets, employees should not waive their right to have their personal data processed only with their consent, as this may lead to moral and material damage.
On the employer's financial liability to the employee, see the commentary to Ch. 38.
17. In addition to measures to protect personal data established by law, employers, employees and their representatives develop joint measures to protect personal data of employees, which are reflected in the local regulations of the organization - a collective agreement, internal labor regulations (for example, the inadmissibility of storing certain information about employees on computers that are freely accessible).
Why do you need a regulation on working with personal data?
The norms of Art. 87 of the Labor Code of the Russian Federation, as well as clause 2 of Art. 18.1 of Law No. 152-FZ, require employers to regulate transactions with the personal data of their employees. However, the noted legal acts, as well as other federal sources of law, do not clearly define exactly how this obligation should be fulfilled. In practice, this is most often done through the development and approval by the company of an internal corporate regulation on the personal data of hired employees.
Compiled by whom?
By concluding an employment contract, each employer gains access to unique information. This information is contained in the following documents:
- passport;
- military ID (for those liable for military service);
- TIN certificate;
- insurance certificate;
- educational documents;
- driver's license or car documents (if necessary);
- medical certificate confirming completion of a medical examination.
Personal data is any information that relates to a person identified or determined on the basis of this information.
Thus, on gaining access to this information, and in accordance with the rules established by the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data,” all organizations that have at least one employee are required to ensure the protection of personal information about employees.
Attention! Consent to processing is drawn up by an employee of the HR department when hiring an applicant.