Personal Data (short FAQ)
16 March 2011, 10:29

What is personal data?


Personal data - any information relating to an individual who is identified or identifiable on the basis of such information, including:
- last name, first name,
- year, month, date and place of birth,
- address, family, social and property status, education, profession, income,
- other information (see 152-FZ, Article 3).
For example: passport data, financial statements, medical records, date of birth (for women), biometrics and other identifying information of a personal nature.
Publicly available sources of personal data (address books, directories and other reference materials) may, with the written consent of the individual, include his last name, first name, year and place of birth, address, subscriber number and other personal data (see 152-FZ, Article 8).
Personal data is restricted-access information and must be protected in accordance with Russian law. When forming the security requirements for information systems, personal data are divided into 4 categories.


What is the operator and the subject of personal data?


Operator of personal data - usually an organization: a state or municipal body, legal entity or natural person that organizes and (or) carries out the processing of personal data and defines the purposes and content of that processing.
Subject of personal data - a natural person whose data are processed.
The operator is responsible for protecting the subject's personal data in accordance with Russian legislation.


How to classify information systems of personal data?


To assign a typical personal data information system (ISPDn) to a particular class, you must:
I. Determine the category of personal data processed:
• Category 4 - anonymized and (or) publicly available personal data;
• Category 3 - personal data that allow the subject of personal data to be identified;
• Category 2 - personal data that allow the subject of personal data to be identified and additional information about him to be obtained, except for personal data of category 1;
• Category 1 - personal data concerning race, nationality, political views, religious or philosophical beliefs, health or sex life.
II. Determine the volume of personal data processed in the information system:
• Volume 3 - the information system simultaneously processes the data of fewer than 1 000 subjects of personal data, or the personal data of subjects within a single organization;
• Volume 2 - the information system simultaneously processes the personal data of 1 000 to 100 000 subjects, or the personal data of subjects working in a sector of the economy of the Russian Federation, in a state authority, or residing within a municipality;
• Volume 1 - the information system simultaneously processes the personal data of more than 100 000 subjects, or the personal data of subjects within a constituent entity (subject) of the Russian Federation or the Russian Federation as a whole.
III. Based on the analysis of the initial data, the typical ISPDn is assigned one of the following classes (see the table):
• Class 4 (K4) - information systems for which a breach of the specified security characteristics of the personal data processed in them leads to no negative consequences for the subjects of personal data;
• Class 3 (K3) - information systems for which a breach of the specified security characteristics of the personal data processed in them may lead to minor negative consequences for the subjects of personal data;
• Class 2 (K2) - information systems for which a breach of the specified security characteristics of the personal data processed in them may lead to negative consequences for the subjects of personal data;
• Class 1 (K1) - information systems for which a breach of the specified security characteristics of the personal data processed in them may lead to significant negative consequences for the subjects of personal data.
    
Category \ Volume                      Volume 3              Volume 2                 Volume 1
                                       (<1 000,              (1 000-100 000,          (>100 000,
                                       organization)         industry, city)          subject of the Federation)
Category 4 (anonymized, public)        Class 4               Class 4                  Class 4
Category 3 (identification)            Class 3               Class 3                  Class 2
Category 2 (identification and more)   Class 3               Class 2                  Class 1
Category 1 (medical, social)           Class 1               Class 1                  Class 1


See the Procedure for classifying personal data information systems, introduced by the joint order of FSTEK Russia (Federal Service for Technical and Export Control), the FSB of Russia and the Ministry of Communications of Russia No. 55/86/20.


Doomsday delayed until January 1, 2011


Personal data information systems created before Federal Law No. 152-FZ "On Personal Data" came into force must be brought into compliance with the requirements of the federal law no later than 1 January 2010 (see 152-FZ, Article 25).
This means that operators of personal data that have not managed to meet the very stringent requirements of 152-FZ will, from 1 January 2010, bear the corresponding civil, administrative, disciplinary and perhaps (God forbid) criminal liability.
Any information system put into operation after February-April 2008 (after the guidance documents of FSTEK Russia and the FSB of Russia were issued) that does not meet the requirements of Russian personal data legislation may incur the liability listed above, for example, tomorrow morning.
Note. The amendments to the Criminal Code that substantially toughen liability for violations of personal privacy also come into force on 1 January 2010.


UPDATE:
But, as always happens, operators of personal data were in no hurry, and very few managed to do everything required. On 16 December 2009 the State Duma approved in the third reading amendments to Articles 19 and 25 of the Law on Personal Data (152-FZ). The deadline for bringing personal data information systems (ISPDn) into compliance with the law was extended by a year, until 1 January 2011. In addition, the law dropped the rule obliging the operator to use encryption (cryptographic) means to protect personal data during processing.


Mandatory requirements for the protection of personal data information systems


The mandatory requirements for organizing information security, depending on the class of the typical ISPDn:
For ISPDn of Class 4:
• the list of measures for protecting personal data is determined by the operator (depending on the possible harm)
For ISPDn of Class 3:
• declaration of conformity or mandatory attestation for compliance with information security requirements
• FSTEK Russia license for technical protection of confidential information (for distributed ISPDn of class K3)
For ISPDn of Class 2:
• mandatory attestation for compliance with information security requirements
• measures to protect personal data from PAMIN must be implemented
• FSTEK Russia license for technical protection of confidential information (for distributed systems)
For ISPDn of Class 1:
• mandatory attestation for compliance with information security requirements
• measures to protect personal data from PAMIN must be implemented
• FSTEK Russia license for technical protection of confidential information


Procedures for the Protection of personal data information system


The steps in implementing the requirements of personal data legislation:
1) Notifying the authorized body for protecting the rights of personal data subjects of the intention to process personal data using automation tools;
2) Pre-project inspection of the information system - collection of baseline data;
3) Classification of the personal data processing system;
4) Building a particular (system-specific) threat model to determine which threats are relevant to the information system;
5) Developing the particular technical specification for the personal data protection system;
6) Designing the personal data protection system;
7) Implementing and commissioning the personal data protection system;
8) Meeting the requirements for engineering protection of premises, fire safety, guarding, power supply and grounding, and sanitary and environmental requirements;
9) Attestation (certification) for compliance with information security requirements;
10) Training staff in personal data protection;
11) Support (outsourcing) of the personal data protection system.


When are attestation and certification required?


Attestation of information systems for compliance with information security requirements is required:
- for ISPDn whose personal data belong to state information resources (see "Special Requirements and Recommendations for Technical Protection of Confidential Information", State Technical Commission of Russia, 2001);
- in other cases - for ISPDn of classes 1, 2 and 3.
For ISPDn of class 3, by decision of the operator, the mandatory attestation procedure may be replaced by a declaration of conformity (see "Main Measures for Organizing and Technically Ensuring the Security of Personal Data Processed in Personal Data Information Systems", FSTEK Russia, 2008, item 3.11). Unfortunately, the declaration of conformity procedure is currently not regulated.
Information protection tools used in ISPDn must, in the established manner, pass conformity assessment (see "Regulation on Ensuring the Security of Personal Data During Their Processing in Personal Data Information Systems", item 5), including certification for compliance with information security requirements (see "Main Measures ...", item 3.3).
In this case the software used for protecting information in ISPDn (information security tools, including those built into general-purpose and application software) must, among other things, be certified for the absence of undeclared capabilities (see "Main Measures ...", items 4.2, 4.3).
Note:
1) Operators of ISPDn of classes 1 and 2 and of distributed information systems of class 3 must hold a license, obtained in the prescribed manner, for activities involving technical protection of confidential information in order to carry out the measures ensuring the security of personal data (confidential information) processed in those ISPDn.
2) Applicants for certification of information security tools (developers of GIS, ISPDn or operators of personal data) must hold a license for activities involving the development and/or production of means for protecting confidential information.

UPDATE:
In connection with the issuance of FSTEK Russia Order No. 58 of 5 February 2010 "On Approval of the Methods and Means of Protecting Information in Personal Data Information Systems" (registered with the Ministry of Justice of Russia on 19 February 2010, registration number 16456; published in Rossiyskaya Gazeta, 5 March 2010, No. 46), from 15 March 2010 the following FSTEK Russia guidance documents are no longer to be used for ensuring the security of personal data during their processing in personal data information systems:
• Main Measures for Organizing and Technically Ensuring the Security of Personal Data Processed in Personal Data Information Systems, approved by the Deputy Director of FSTEK Russia on 15 February 2008;
• Recommendations on Ensuring the Security of Personal Data During Their Processing in Personal Data Information Systems, approved by the Deputy Director of FSTEK Russia on 15 February 2008.


Responsibility for violations of personal data processing


Persons guilty of violating Federal Law 152-FZ "On Personal Data" bear:
- civil,
- criminal (see Criminal Code of the Russian Federation, Art. 137, 140, 155, 183, 272, 273, 274, 292, 293),
- administrative (see Code of the Russian Federation on Administrative Offences, Art. 5.27, 5.39, 13.11-13.14, 13.19, 19.4-19.7, 19.20, 20.25, 32.2),
- disciplinary (see Labor Code of the Russian Federation, Art. 81, 90, 195, 237, 391)
and other liability provided for by Russian legislation (see the regulations on working with personal data published in Russian regions, departments and organizations).



Abbreviations used in this article:
FSTEK - Federal Service for Technical and Export Control.
PAMIN - spurious (compromising) electromagnetic emanations and pickups.
ISPDn - personal data information system.
Added by: w1zard